
Being Port Scanned, advice requested.

N/A

Hi,

We have been subjected to a port scan attack (consecutive port numbers, not just a few) which I have stopped by blocking the offending IP address (Sygate firewall). However, before doing this I performed a back trace and have the name of the individual within Liverpool John Moores University.

Question is, should I report this to the university, as it looks like this individual is up to no good?

Thanks in advance for any advice.

Gavin
14 REPLIES
Cloudmaster
Grafter
Posts: 257
Registered: 01-08-2007

Being Port Scanned, advice requested.

It's up to you, but I get subjected to portscans every day, & if I acted on every single one of them I wouldn't have time for anything else.

If your firewall stopped it I'd just get on with your life & forget it, it's just another part of the internet unfortunately.
N/A

Being Port Scanned, advice requested.

I see your point.

What started this was that large amounts of data had been incoming and outgoing most of the afternoon from the same IP address.

As it happens I did not have the firewall configured correctly and it was allowing port scans.

All I can say is that I'm glad our account doesn't have a bandwidth limit otherwise a sizable chunk would have been used up.

Thanks for the advice.

Gavin.
Cloudmaster
Grafter
Posts: 257
Registered: 01-08-2007

Being Port Scanned, advice requested.

As far as I'm aware, portscans don't involve 'large amounts of data had been incoming and outgoing'.

A portscan will (as far as I know) just check to see if a particular port is open; this (again, as far as I know) doesn't involve large amounts of data.
N/A

Being Port Scanned, advice requested.

Port scans are pretty much par for the course when using the internet, and it's often caused by machines which are infected.

I wouldn't worry unless you're getting 100s of hits within the space of a minute or two.

Note, if you use any P2P software, you will get lots of hits against your firewall.
N/A

Being Port Scanned, advice requested.

The port scanning is generating incoming data of about 50KB/Sec.

That seems a lot to me and it's still the same person.

Gavin
N/A

Being Port Scanned, advice requested.

50KB or 50Kbits?

If 50KB, that is a hell of a lot. What speed line are you on?
N/A

Being Port Scanned, advice requested.

I have a 512K ADSL connection.

56KBytes is correct, although per second is wrong as I can't determine a time frame from the Sygate firewall graph. That said, the link light on the ADSL modem is flashing rapidly and I have received 500 Megabytes in 9 hours today. Okay, some of it is normal traffic, but not that much!

Just for information I have the following setup:

Internet -> ADSL Modem -> Windows 2003 Server -> Router -> Client PCs

I am trying out Sygate Firewall Pro, hence my previous comments on firewall configuration in this thread. I installed an update this morning and lost the offending IP block entry - hence the traffic today.

Gavin
N/A

Being Port Scanned, advice requested.

Heck,

Just found the reason for the massive rate and upload amount.

The idiot has been uploading rar files (topgun.part###.rar ) to our Anonymous account FTP server.

Strange.

Gavin
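
An added example, not part of any post in this thread: the diagnosis above turned on telling a port sweep (many ports, tiny packets) apart from a bulk transfer (few ports, large byte counts). The sketch below applies that distinction to constructed per-connection records; the record layout, thresholds, 60-byte probe size and documentation-range IP addresses are all assumptions for illustration.

```python
from collections import defaultdict

PROBE_BYTES = 60  # assumed on-the-wire size of one TCP SYN probe

def build_sample():
    """Constructed records: (source IP, local port, bytes received)."""
    recs = [("192.0.2.10", port, PROBE_BYTES) for port in range(1, 301)]  # sweep
    recs += [("198.51.100.7", 21, 900)]             # FTP control channel
    recs += [("198.51.100.7", 20, 15_000_000)] * 4  # four large FTP data transfers
    recs += [("203.0.113.5", 80, 4_000)] * 3        # ordinary web requests
    return recs

def classify(records, scan_ports=100, small=1_000, bulk=10_000_000):
    """Label each source as 'port-scan', 'bulk-transfer' or 'normal'."""
    ports = defaultdict(set)
    total = defaultdict(int)
    count = defaultdict(int)
    for src, port, nbytes in records:
        ports[src].add(port)
        total[src] += nbytes
        count[src] += 1
    verdict = {}
    for src in ports:
        avg = total[src] / count[src]
        if len(ports[src]) >= scan_ports and avg < small:
            verdict[src] = "port-scan"      # wide port spread, tiny payloads
        elif total[src] >= bulk:
            verdict[src] = "bulk-transfer"  # few ports, heavy byte count
        else:
            verdict[src] = "normal"
    return verdict

def implied_probes(total_bytes, probe_bytes=PROBE_BYTES):
    """Number of probes a pure scan would need to account for total_bytes."""
    return total_bytes // probe_bytes

if __name__ == "__main__":
    for src, label in classify(build_sample()).items():
        print(src, label)
    # 500 MB (decimal) of traffic expressed as 60-byte probes
    print(implied_probes(500_000_000))
```

At 60 bytes per probe, 500 MB would correspond to millions of probes, which is why a byte count of that size points to a file transfer rather than a scan.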
N/A

Being Port Scanned, advice requested.

Erm... just one question??

Which sort of server admin leaves an anonymous ftp account open??

I certainly don't know any, including myself, who does!

Jake
N/A

Being Port Scanned, advice requested.

Why? - for a number of reasons:

1) It's a fairly new server installation which I still haven't configured completely.

2) I am not an IT administrator! I run a business and have little time to spend getting things perfect before using them. I learn and improve things as I go.

3) In windows server 2003 you get a warning when disabling Anonymous access in the form that authenticated user passwords are no longer encrypted when connecting to the FTP server - try it yourself.

Gavin
N/A

Being Port Scanned, advice requested.

Very odd. Anonymous mode or not, FTP passwords are sent in cleartext. Quite why it warns you of that fact, when it has been that way all along, I don't know.

Quote
I am not an IT administrator! I run a business and have little time to spend getting things perfect before using them. I learn and improve things as I go


Improvement on the go is one thing, but beware. A policy like that will bite you in the rear.... hard.

If you don't have time to fulfill your long term goals, with immediate effect, then that is dandy. Never ever apply this to enforcing security though.

IE. If security is one of the things you plan to improve as you go, then either don't use the thing at all, or complete it before making it live.

You will often find, implementing security can be done with minimal ease. Cleaning up after a security breach, can often result in major loss.
N/A

Reporting port scanning does work!!

Hi Gavin,

Yep! Port scanning, I agree, is just one of those facts of life of being connected to the internet. However, I was port scanned a lot on several occasions and like you I got fed up of it and also ran back traces to an individual based in an American University. I reported this attack and individual to the university's network administrator, who shut him down completely. I believe he had caused a good deal of trouble on the campus system from all accounts & mine was the final straw; in the end he was kicked off the university computer network & I guess that was the end of his course as a result.

So moral of the story is that reporting port scanning in the real world CAN and DOES work, it just depends if you can be bothered to make the effort to go the distance with it. In my case it was definitely worth it & I wouldn't hesitate to do the same again if provoked in the same way.

Ivan
N/A

Being Port Scanned, advice requested.

Hi Ivan,

Thank you for your input - it answers my original question and as a result I will contact the university.

acarr, I do appreciate what you are saying and you are right! However, to draw a parallel, your policy on security is a bit like saying that when you move into a new house you cannot go outside until you've specified, purchased, fitted and configured a burglar alarm. How do you live in the meantime?

Okay I am stretching the point here but I'm sure you understand what I mean. I am compromising between having the functionality now, and improving the security later - yes there is some risk attached, and yes it could be costly, but I also have other work to do and a business to run.

In reality I use NAT, firewalls, anti-virus, anti-spyware, strong passwords, stealthed ports, tight email relaying controls, etc, etc - all of which I have learnt, experimented with and configured as I've gone along. It all adds up to one heck of a "mind-field". :-)

Coming back to the warning - it is in fact to do with basic authentication and appears when unchecking the "allow anonymous connections" option.

Gavin
N/A

Being Port Scanned, advice requested.

The individual at the university was probably infected and didn't know it, his machine was probably used to scan thousands of hosts. As for the anonymous FTP, you're lucky that you didn't have any more warez on it :D