Dear Thomas

Thank You for the information.

Regards
K Jagadish Pai
Systems Administrator

"Thomas W Shinder" <tshinder@starblazer.tzo.com>
03/26/2003 05:46 AM
Please respond to "[ISAserver.org Discussion List]"

To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: Port Attack

http://www.ISAserver.org

Hi Pai,

Since all of these are blocked, they don't pose any security risk. However, intrusion detection is an entire field of study unto itself. Norcutt (sp?) has some good books on this subject.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: jagadish.pai@xxxxxxxxxxxxxxxxxxx [mailto:jagadish.pai@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, March 24, 2003 9:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Port Attack

Dear Thomas

The following is the log of packet filter. Can you explain what danger could the system be in and how to resolve this issue if danger is there?

#Fields: date time source-ip destination-ip protocol param#1 param#2 filter-rule interface
2003-03-22 04:12:28 61.241.82.53 202.63.113.66 Tcp 80 1272 BLOCKED 202.63.113.66
2003-03-22 04:42:47 61.241.82.53 202.63.113.66 Tcp 80 12843 BLOCKED 202.63.113.66
2003-03-22 16:08:24 202.118.162.44 202.63.113.66 Tcp 21 21 IpHalfScan 202.63.113.66

Thanks In advance.

Regards
K Jagadish Pai
Systems Administrator

"Thomas W Shinder" <tshinder@starblazer.tzo.com>
03/25/2003 07:04 AM
Please respond to "[ISAserver.org Discussion List]"

To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: Port Attack

Hi Pai,

The packet filter log doesn't need any configuration, just analysis.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: jagadish.pai@xxxxxxxxxxxxxxxxxxx [mailto:jagadish.pai@xxxxxxxxxxxxxxxxxxx]
Sent: Sunday, March 23, 2003 10:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Port Attack

Every day I get this notification once from the same IP. Where should I enable the packet filter log?

Regards
Pai

"Thomas W Shinder" <tshinder@starblazer.tzo.com>
03/24/2003 10:01 AM
Please respond to "[ISAserver.org Discussion List]"

To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: Port Attack

Hi Pai,

I'd check the packet filter log to determine the nature of the attack. Sometimes it's a false positive and sometimes it's something worth worrying about. Determine who's doing the scanning and then assess whether they've done something similar in the past. Unless it's a repeat offender, it's probably not worth worrying about.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: jagadish.pai@xxxxxxxxxxxxxxxxxxx [mailto:jagadish.pai@xxxxxxxxxxxxxxxxxxx]
Sent: Sunday, March 23, 2003 10:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Port Attack

Hi

Can somebody explain will there be any problem for the following:--
How do I protect my system from being attacked?

ISA Server detected an Internet Protocol (IP) half-scan attack from IP address 202.118.162.44.
ISA Server detected an all port scan attack from Internet Protocol (IP) address 61.241.82.53.
Regards
Pai

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
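
Added example (not part of the original thread and not ISA Server's own tooling): a small Python script that applies the advice in the thread by parsing the packet filter log lines quoted above and grouping them by source IP, so repeat sources and reply-like traffic stand out. It assumes that for TCP/UDP records param#1 is the source port and param#2 the destination port; the function names and the `repeat_days` threshold are hypothetical.

```python
from collections import defaultdict

# Packet filter log lines exactly as quoted in the thread.
SAMPLE_LOG = """\
#Fields: date time source-ip destination-ip protocol param#1 param#2 filter-rule interface
2003-03-22 04:12:28 61.241.82.53 202.63.113.66 Tcp 80 1272 BLOCKED 202.63.113.66
2003-03-22 04:42:47 61.241.82.53 202.63.113.66 Tcp 80 12843 BLOCKED 202.63.113.66
2003-03-22 16:08:24 202.118.162.44 202.63.113.66 Tcp 21 21 IpHalfScan 202.63.113.66
"""

def parse(text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) != len(fields):
                continue  # skip truncated or malformed records
            yield dict(zip(fields, parts))

def summarize(records, repeat_days=2):
    """Group by source IP: event count, rules hit, ports, days seen."""
    out = defaultdict(lambda: {"events": 0, "rules": set(), "dst_ports": set(),
                               "days": set(), "reply_like": 0})
    for r in records:
        s = out[r["source-ip"]]
        s["events"] += 1
        s["rules"].add(r["filter-rule"])
        s["days"].add(r["date"])
        if r["protocol"].lower() in ("tcp", "udp"):
            # Assumption: param#1 = source port, param#2 = destination port.
            sport, dport = int(r["param#1"]), int(r["param#2"])
            s["dst_ports"].add(dport)
            # Heuristic: a well-known source port hitting a high destination
            # port looks like late return traffic from a server, which is a
            # candidate false positive rather than a scan.
            if sport < 1024 <= dport:
                s["reply_like"] += 1
    for s in out.values():
        # A source seen on several distinct days is a "repeat offender".
        s["repeat"] = len(s["days"]) >= repeat_days
    return dict(out)

if __name__ == "__main__":
    for ip, s in summarize(parse(SAMPLE_LOG)).items():
        print(ip, s)
```

Run over several days of logs, the `repeat` flag separates one-off noise from sources that keep coming back.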