Just to change the topic momentarily away from conference registrations etc
to more technical matters.... :-)
A while back I remember a bit of discussion about a "personal firewall"
program that automatically sent out abuse@domain emails whenever it
detected "intrusion attempts" that was really starting to get up the nose
of system admins everywhere....
Yesterday I got a strong sense of Deja Vu when I received the following
email to abuse@ (details xxx'ed to protect the innocent :)
Complaint ID: [securepipe.com
The following is a complaint against an IP or domain which appeared in our
logs, indicating possible network abuse. If you have received this report
in error, please forward it to the appropriate party or let us know.
A user, apparently from your network, probed port 139 (NETBIOS) on the IP
appearing in the log excerpt below. The port in question is commonly used
for Windows networking, and thus the probe may represent a misconfigured
client or an active attempt to gain unauthorized access to the target.
All timestamps below are in UTC -0000 (Greenwich Mean Time)
Jul 3 03:14:56 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6
x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=64034 F=0x4000 T=103 SYN (#25)
Jul 3 03:14:59 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6
x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=547 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:05 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6
x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=4643 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:17 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6
x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=11811 F=0x4000 T=103 SYN (#25)
We appreciate your assistance in resolving this matter.
SecurePipe Incident Response Team
Tel: +1 608 294 6940
Fax: +1 608 294 6950 (attn: IRT)
Now I don't know about anyone else, but this email looks like an
automatically generated report if I ever saw one...although this time
coming from a Linux firewall log.
The question is: should I be taking this seriously, or ignoring it? The fact
that the "complaint" had an ID number suggested they may have a system like
spamcop where you can quickly log in and address the issue on their
website. Unless I'm blind, they don't have anything like that on their
site, only lots of promotional material for their company's
products/services. (Does that make this email effectively unsolicited
advertising? :)
Then there is the question of severity - I'd be interested to know where
most sysadmins draw the line between accidental and harmless connections
and outright malicious activity. IMHO a single connection attempt to port
139 doesn't fall into the category of malicious, and could indeed be
totally accidental. I can think of a number of actions in Windows that will
inadvertently cause it to try to make a NetBIOS connection to a remote host
- sometimes you have to go out of your way to STOP the stupid thing from
doing that...(NetBIOS hostname resolution anyone?)
I'm definitely not trying to downplay the importance of security, but I can
see a lot of nuisance value if we get to the point where any connection to
a non-desired port is automatically considered malicious, and every man
and his dog has their firewall automatically firing off emails every time
somebody tries to connect to them on a port they weren't expecting.
Anyway, I'd be interested in hearing from anyone else who has dealt with
"securepipe.com", or just people's opinions on the matter of automated
firewall abuse emailing in general...
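One way to put the "single connection attempt vs. scan" question on a footing a sysadmin can check before replying to such a report is to parse the firewall's own log lines and group the denied SYNs by source. This is an added example, not code from the post or from SecurePipe; the sample log is constructed (RFC 5737 addresses stand in for the xxx'ed ones, and the year is assumed since syslog lines carry none). Note what it finds in the report's four lines: the same source port 1026 every time, with gaps of 3, 6 and 12 seconds, which is one TCP connect() being retransmitted by the client's stack, not four probes.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the ipchains-style "Packet log:" lines quoted in the abuse report.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"\S+ (?P<verdict>\w+) \S+ PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
)
LOG_YEAR = 2001  # assumed: syslog lines carry no year
# Constructed sample: the report's four lines, plus two lines from a second source hitting two ports.
SAMPLE_LOG = """\
Jul 3 03:14:56 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 192.0.2.10:1026 198.51.100.5:139 L=48 S=0x00 I=64034 F=0x4000 T=103 SYN (#25)
Jul 3 03:14:59 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 192.0.2.10:1026 198.51.100.5:139 L=48 S=0x00 I=547 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:05 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 192.0.2.10:1026 198.51.100.5:139 L=48 S=0x00 I=4643 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:17 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 192.0.2.10:1026 198.51.100.5:139 L=48 S=0x00 I=11811 F=0x4000 T=103 SYN (#25)
Jul 3 03:20:01 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 203.0.113.7:40001 198.51.100.5:135 L=48 S=0x00 I=1 F=0x4000 T=50 SYN (#25)
Jul 3 03:20:02 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 203.0.113.7:40002 198.51.100.5:139 L=48 S=0x00 I=2 F=0x4000 T=50 SYN (#25)
"""

def parse(line):
    # Fields of one denied-packet line, or None if the line is not one.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": int(m["proto"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "syn": " SYN " in line}

def triage(log_text):
    """Per source address: one retransmitted connect(), client retries, or a scan?"""
    by_src = defaultdict(lambda: defaultdict(list))  # src -> (sport, dst, dport) -> SYN times
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["proto"] == 6 and rec["syn"]:
            by_src[rec["src"]][(rec["sport"], rec["dst"], rec["dport"])].append(rec["ts"])
    summary = {}
    for src, conns in by_src.items():
        targets = {(k[1], k[2]) for k in conns}
        info = {"syns": sum(map(len, conns.values())), "targets": len(targets)}
        if len(targets) > 1:
            info["label"] = "scan"  # several ports or hosts from one source
        elif len(conns) > 1:
            info["label"] = "repeated-attempts"  # new source port each time: the client retried
        else:
            # One source port throughout: the stack retransmitting a SINGLE attempt; doubling gaps = backoff.
            stamps = sorted(next(iter(conns.values())))
            info["label"] = "single-attempt"
            info["intervals"] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        summary[src] = info
    return summary
```

A report that counts every logged SYN as a separate "probe" will overstate the four-line excerpt above by a factor of four; the grouping here is what an abuse desk should do before deciding whether a complaint is worth sending.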
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads: