Re: block port scan attackers

  • From: "shane mullins" <tsmullins@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 1 Sep 2002 22:24:13 -0400

Good point Blake,

    That is a very well stated point; one should always look before leaping.
My situation is one where our web server is on another machine and we should
not have heavy incoming traffic, with the exception of maybe the mail
server, which also resides on another server.

Shane



----- Original Message -----
From: "Blake Al" <al.blake@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 01, 2002 7:05 PM
Subject: [isalist] Re: block port scan attackers


> http://www.ISAserver.org
>
>
> Before you wildly block.....check what you are blocking....I have noticed
> that under heavy traffic our ISA can report 'port scans' or 'intrusion' when
> it receives port 80 packets from legitimate web connections that have timed
> out or otherwise died. The port scan warning is not as fine tuned as it
> should be IMHO.
> Just make sure you don't cut off legitimate traffic......
> Regards
>
> -----Original Message-----
> From: shane mullins [mailto:tsmullins@xxxxxxxxxxxxxx]
> Sent: Friday, 2 August 2002 12:57 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: block port scan attackers
>
>
> I block them with an access list on the external interface of my Cisco
> router. This has been effective and stops them from even getting to your
> equipment.
>
> Shane
>
> ----- Original Message -----
> From: "Lim, Arthus T." <alim@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, August 01, 2002 9:37 AM
> Subject: [isalist] Re: block port scan attackers
>
>
> > If I found out that it was a real attack, how would I be able to block
> > them?
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Sent: Thursday, August 01, 2002 8:59 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: block port scan attackers
> >
> > If you've received an alert, they were blocked.
> > Also, not everything ISA alerts on is malicious behavior; sometimes it's
> > just "late" packets.
> > You can scan your IP...log for the same date/time as listed in the event
> > log to see what was happening that ISA interpreted as a scan and decide
> > from there whether or not you want to actively block them.
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/authors/harrison/
> > Read the books!
> >
> > ----- Original Message -----
> > From: "Lim, Arthus T." <alim@xxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, July 31, 2002 11:17 PM
> > Subject: [isalist] block port scan attackers
> >
> >
> > I'm receiving reports like this in my logs:
> >
> >
> > ISA Server name: TEQUILA
> >
> > ISA Server detected an all port scan attack from Internet Protocol (IP)
> > address 65.121.237.200.
> >
> > For more information about this event, see ISA Server Help.
> >
> > How can I block certain external IP addresses in ISA?
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.380 / Virus Database: 213 - Release Date: 7/24/02
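
Added example (not part of the original thread and not ISA Server's own tooling): a sketch of the check Jim and Blake describe, pulling the packets logged for the alerted address around the alert time and deciding whether they look like late replies from a web server or like a probe of many ports. The log layout, function names, thresholds, addresses and alert time are all assumptions made up for the illustration.

```python
from datetime import datetime, timedelta

def parse(log_text):
    """Parse 'date time src_ip src_port dst_ip dst_port' lines (assumed format)."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        records.append((ts, parts[2], int(parts[3]), int(parts[5])))
    return records

def triage(records, src_ip, alert_time, window=timedelta(minutes=2), scan_ports=5):
    """Classify what src_ip was doing around the time of the alert."""
    hits = [r for r in records
            if r[1] == src_ip and abs(r[0] - alert_time) <= window]
    if not hits:
        return "no-data"
    from_web = sum(1 for r in hits if r[2] == 80)
    dst_ports = {r[3] for r in hits}
    # Replies from a web server: source port 80, aimed at high client ports.
    if from_web == len(hits) and min(dst_ports) >= 1024:
        return "likely-late-web-replies"
    # Varying source ports probing several distinct service ports.
    if len(dst_ports) >= scan_ports and from_web == 0:
        return "likely-scan"
    return "inconclusive"

# Constructed sample (documentation addresses, not data from the thread).
SAMPLE = "\n".join(
    ["2002-07-31 23:16:%02d 203.0.113.10 80 192.0.2.1 %d" % (50 + i, 3400 + i)
     for i in range(4)] +
    ["2002-07-31 23:17:%02d 198.51.100.7 %d 192.0.2.1 %d" % (i, 40000 + i, p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 445])] +
    ["2002-07-31 22:00:00 198.51.100.9 80 192.0.2.1 3500"]
)
ALERT = datetime(2002, 7, 31, 23, 17, 0)  # constructed alert time

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for ip in ("203.0.113.10", "198.51.100.7", "198.51.100.9"):
        print(ip, triage(recs, ip, ALERT))
```

Only a "likely-scan" result supports adding a block; the other results call for a closer look at the log before cutting the address off.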


