Re: Firewall Sessions

  • From: Marc Lingenfelter <marclingenfelter@xxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 8 Aug 2002 11:28:09 -0600

This is a portion of the Firewall Sessions log. None of these IPs are mine
or authorized for access.

I have set up an IP packet filter that denied all inbound TCP access on all
ports.  I then disconnected all the below IPs and within minutes they were
all reconnected.


Server    Session Type      User Name  Client Computer  Client Address   Activation
LM-PROXY  Firewall Session             203.45.205.7     203.45.205.7     8/8/2002 10:55:31 AM
LM-PROXY  Firewall Session             216.19.221.60    216.19.221.60    8/8/2002 10:55:54 AM
LM-PROXY  Firewall Session             216.26.30.111    216.26.30.111    8/8/2002 10:55:43 AM
LM-PROXY  Firewall Session             216.85.53.53     216.85.53.53     8/8/2002 10:56:05 AM
LM-PROXY  Firewall Session             24.187.68.173    24.187.68.173    8/8/2002 10:56:18 AM
LM-PROXY  Firewall Session             24.187.69.179    24.187.69.179    8/8/2002 10:55:37 AM
LM-PROXY  Firewall Session             63.151.143.20    63.151.143.20    8/8/2002 10:55:29 AM
LM-PROXY  Firewall Session             64.239.13.10     64.239.13.10     8/8/2002 10:55:22 AM
LM-PROXY  Firewall Session             64.252.137.165   64.252.137.165   8/8/2002 10:54:49 AM
LM-PROXY  Firewall Session             65.116.209.153   65.116.209.153   8/8/2002 10:54:56 AM
LM-PROXY  Firewall Session             65.116.209.156   65.116.209.156   8/8/2002 10:55:40 AM
LM-PROXY  Firewall Session             65.116.209.157   65.116.209.157   8/8/2002 10:55:34 AM
LM-PROXY  Firewall Session             65.203.20.60     65.203.20.60     8/8/2002 10:55:46 AM
LM-PROXY  Firewall Session             65.244.149.130   65.244.149.130   8/8/2002 10:54:23 AM
LM-PROXY  Firewall Session             65.95.177.193    65.95.177.193    8/8/2002 10:55:07 AM
LM-PROXY  Firewall Session             66.164.16.201    66.164.16.201    8/8/2002 10:55:27 AM
LM-PROXY  Firewall Session             66.164.16.42     66.164.16.42     8/8/2002 10:55:27 AM
LM-PROXY  Firewall Session             67.250.124.194   67.250.124.194   8/8/2002 10:55:54 AM

Marc B. Lingenfelter 
Network Administrator 
 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Thursday, August 08, 2002 10:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Firewall Sessions

http://www.ISAserver.org


Can you send a snip from your FW log showing the events that concern you?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message ----- 
From: "Marc Lingenfelter" <marclingenfelter@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 08, 2002 6:53 AM
Subject: [isalist] Re: Firewall Sessions



Have never published the server

Marc B. Lingenfelter 
Network Administrator 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Thursday, August 08, 2002 7:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Firewall Sessions


Server publishing rules allow Firewall sessions from "unknown" IPs.
Are you publishing a mailserver?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message ----- 
From: "Marc Lingenfelter" <marclingenfelter@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 07, 2002 9:28 PM
Subject: [isalist] Firewall Sessions



While checking my firewall sessions and logs for the past few days I
discovered that a couple of unknown IPs are starting firewall sessions. 
Nothing I do seems to be able to block them from the site.  I also see
where both of them are sending excessive amounts of SMTP (Spam).  I need
to know how to block them.

Thanks

Marc Lingenfelter
Network Admin

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


