Hello,

My iptables based firewall seems to be working. However, I keep getting
triplets of this activity:

Problem (2286 > netbios-ssn)
source dest. proto info
curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

Any ideas on a rule to drop these requests to my web server?

Similarly, I see the same thing except the info section is slightly
different:
similar problem (2469 > microsoft-ds)
rouge.ip www.me.com tcp 2469 > microsoft-ds Seq=0 Len=0 MSS=1460

and the response from my firewall is similar:
www.me.com rouge.ip tcp microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

Other problems are (the info section is the only difference) epmap > 3081
3081 > epmap

Each of these appears in triplets... and they seem useless. Are they
part of something stupidly done by Microsoft? I think not,
because they occur quite frequently, almost systematically,
leading me to suspect they are part of nefarious activities?

The only things that change are the port numbers (2286; 2469; 3081) and the
source IP address, which change after each triplet of queries.

Any ideas, information and iptables rules to silently drop these
queries are most welcome. I see them all day long.


James

--
gentoo-user@g.o mailing list
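The three services in the captures are TCP 135 (epmap), 139 (netbios-ssn) and 445 (microsoft-ds). The [RST, ACK] replies appear because nothing listens on those ports, so the kernel refuses each SYN; a DROP rule discards the SYN without any reply, which is the "silent" behaviour asked for. The script below is an added example, not code from James's post or from the gentoo-user list; the interface name eth0 and the chain name WIN_NOISE are my assumptions, and the rules are generated on stdout so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example (not from the original post): build iptables rules that silently
# DROP inbound TCP connection attempts to the three Windows service ports seen in
# the captures: 135 (epmap), 139 (netbios-ssn) and 445 (microsoft-ds).
# A closed port without a firewall rule answers every probe with [RST, ACK];
# DROP discards the SYN without any reply, so the capture goes quiet.
# Assumptions (mine, not the poster's): the Internet-facing interface is $WAN_IF
# (default eth0) and the rules live in a dedicated chain named $CHAIN.

WAN_IF="${WAN_IF:-eth0}"
CHAIN="${CHAIN:-WIN_NOISE}"
WIN_TCP_PORTS="135,139,445"

# Emit the iptables commands on stdout instead of running them, so the rule set
# can be reviewed (and tested) before it is loaded into the kernel.
win_noise_rules() {
    cat <<EOF
iptables -N ${CHAIN} 2>/dev/null || true
iptables -F ${CHAIN}
iptables -A ${CHAIN} -p tcp -m multiport --dports ${WIN_TCP_PORTS} -j DROP
iptables -I INPUT -i ${WAN_IF} -p tcp --syn -m multiport --dports ${WIN_TCP_PORTS} -j ${CHAIN}
EOF
}

# Number of iptables commands the generator produces; used as a sanity check.
win_noise_rule_count() {
    win_noise_rules | grep -c '^iptables '
}

# Load the rules (needs root). -I puts the jump at the top of INPUT so a broad
# ACCEPT further down cannot let the probes through first; --syn restricts the
# match to new connections, so traffic to the web server ports is untouched.
apply_win_noise_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_win_noise_rules: run as root" >&2; return 1; }
    win_noise_rules | sh -e
}

# Usage: sh win_noise.sh        -> print the rules for review
#        sh win_noise.sh apply  -> load them into the running firewall
case "${1:-print}" in
    apply) apply_win_noise_rules ;;
    *)     win_noise_rules ;;
esac
```

Dropping the SYNs stops the replies, not the probes themselves, so the source lines will still show up in a capture on the interface; what disappears is the RST,ACK from www.me.com, and the scanner no longer gets confirmation that the host is up on those ports. If you want a record of who is probing, insert a rate-limited `-j LOG` rule in the chain ahead of the DROP rather than logging every packet. The rules above are IPv4 only; a host with a public IPv6 address needs the same set loaded through ip6tables.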