Request for off-line security help
Ben Beeson
beesond001 at hawaii.rr.com
Tue Nov 13 00:38:00 PST 2001
Aloha all,
I didn't mean to stir up quite such a hornets' nest!!! Chris, I hope you
or your company are not offended by my question. I did not intend to
imply that something untoward was about, I honestly didn't know what was
up. Because I needed some help and also wished to respect the good
intentions of those involved through the "first, do no harm" principle, I
asked for an off-line look.
To expand on several of the issues on the list, I'll offer the following
with good intentions and hope that it is well received.
Yes, I get scanned all the time. Most of the scans I get usually fall
into the "ignore" box and I send them off to /dev/null. You know what I
mean, some Windows user boots up and his box checks the "network" for
available file and print services. Stuff like that...
Occasionally, I get a more serious scan or series of scans against my
box. If something about it strikes me as unusual, I usually drop a note
to the owner of the IP address block and ask them to look into it.
Sometimes I get an answer back, but usually I don't. Most of the answers
I get back are very informative. Once in a while I even get an answer
that just makes me think... I always learn something from the answers I
receive though. In any case, the scanning usually stops after that
either because I fixed it, or somebody else fixed it.
I don't think all portscans are bad, but sometimes it's hard to tell the
good ones from the bad ones (especially if like me, your knowledge is
limited.) For example, I exchanged e-mail with one particular ISP that
made a habit of reverse scanning addresses making certain connections to
check for the presence of a particular Windows hack that
was troublesome to their business. They further went on to state that
they would help customers rid their systems of the particular infection
they were concerned with if it was found. I thought that was kind of
cool and thought, "gee -- more guys should be so civic minded." I then
changed my firewall to ignore their specific scan. I learned a lot from
that, especially about firewall rules and good will.
The idea of pushing material likely to be requested to a "nearby" server
in the "network topology" makes sense. I can see where visiting a web
site may attract the interest of a business and cause them to see how to
better serve the customer. After all, businesses now have the technology
to know when I am looking at their web site. (As opposed to whether or
not I used the Sunday paper to light the BBQ grill before I read their
ad.) This may cause them to "push" the cache of potential files to a
nearer server to quicken the web's response to a query.
I have to ask a question though. ((Please realize that this is an honest
question from a guy that drives jets for a living and ***plays*** with
Linux in his spare time. This question is not intended as an
insinuation, it's just an expression of what is going through my mind.))
My question is this, "Is a full portscan necessary to find out what they
need to know about where my box is and what it may be able to provide to
help their business? Would an address lookup be enough, or does this
business really need to know if I run a time server (for example)?" I
don't know the answer. I don't even know all the issues attached to these
questions... (No answer needed from the list BTW.) Anyway, it has been
quite a while since my box got scanned as much as this one from the same
IP address.
That leads me to the initial question I posted to the list. I didn't
know what the scan was, what it represented, or why it was there. I do
know that it was a pretty big scan compared with others I see, so I asked
the NOC to look into it. They did, and I thought the reply I got was
about as different from any other answer that I had ever received as it
could be. I accept the NOC given reason at face value, but I had never
seen anything quite like this, so I asked the list for someone to help me
with an off-line look to help me figure it out.
What did I learn? Three things so far:
- There can be good business reasons for scans beyond system security.
- I am reassured that there are some very generous and helpful people
on this mailing list, and I am very grateful for that -- thanks again to
all of you.
- I also learned that I need to read up on stateful firewalls before I
upgrade my box. There may be a way to "ignore" the good scans...
Respectfully,
Ben
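The firewall-rule idea in the message above (letting one trusted scanner's specific probe through to the "ignore" box while still noticing a full portscan), as an added example that is not part of the original post or its author's setup. The log lines are constructed here in the format of an iptables `-j LOG` entry; the scanner address 203.0.113.7, its probed port 1080, the host name and the scan threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# iptables LOG lines carry SRC=/DST=/PROTO=/SPT=/DPT= fields; this regex pulls them out.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return (src, dst, proto, dpt) for an iptables LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("src"), m.group("dst"), m.group("proto"), dpt


def classify_sources(lines, known_good, scan_threshold=20):
    """Group log lines by source address and give each source a verdict.

    known_good: set of (src, proto, dpt) tuples a trusted scanner is expected to probe.
    A source that only touches its known-good probes is ignored; a source that hits
    at least scan_threshold distinct (proto, port) pairs is flagged as a portscan;
    everything else is the everyday background noise the message describes.
    """
    probes_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # not a firewall log line (e.g. sshd chatter): skip it
            continue
        src, _dst, proto, dpt = rec
        probes_by_src[src].add((proto, dpt))

    verdicts = {}
    for src, probes in probes_by_src.items():
        if all((src, proto, dpt) in known_good for proto, dpt in probes):
            verdicts[src] = "ignore-known-good"
        elif len(probes) >= scan_threshold:
            verdicts[src] = "portscan"
        else:
            verdicts[src] = "background-noise"
    return verdicts


def make_line(src, proto, dpt, dst="192.0.2.1"):
    """Constructed iptables-style LOG line (sample data, not a real capture)."""
    return (f"Nov 13 00:38:00 pele kernel: FW: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO={proto} "
            f"SPT=40000 DPT={dpt} SYN")


# Hypothetical civic-minded ISP scanner that checks exactly one port (assumption).
KNOWN_GOOD = {("203.0.113.7", "TCP", 1080)}

# Constructed sample log: a Windows box looking for file/print services,
# the trusted scanner doing its single check, and a 25-port sweep.
SAMPLE_LOG = (
    [make_line("192.0.2.50", "UDP", p) for p in (137, 138, 137, 138)]
    + [make_line("192.0.2.50", "TCP", p) for p in (139, 445)]
    + [make_line("203.0.113.7", "TCP", 1080) for _ in range(3)]
    + [make_line("198.51.100.23", "TCP", p) for p in range(1, 26)]
    + ["Nov 13 00:39:00 pele sshd[123]: Accepted publickey for ben"]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG, KNOWN_GOOD).items()):
        print(f"{src:16} {verdict}")
```

The allow-list is keyed on source, protocol and port together rather than on the source alone, so if the trusted scanner ever started probing other ports it would fall back into the ordinary counting and could still be flagged. Acting on a "portscan" verdict with a DROP rule is a separate step; with a stateful firewall that rule would apply to NEW connections only, so established sessions from the same address are left alone.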