Full Version: Help! Attack of EV1.net!
The Planet Forums > Security > General Security
cmafia
I've been port scanned 27 times from Ev1.net, who owns Rackshack.net. I called Ev1.net's support and they were no help. They sent me over to Rackshack support, which was closed. Can someone help me??? I'm on danger level 2 with this. Here's the last email psad sent to me:

=-=-=-=-=-=-=-=-=-=-=-=-=-= Nov 3 00:38:42 =-=-=-=-=-=-=-=-=-=-=-=-=-=
psad: portscan detected against ensim.darksidehosting.com (207.44.145.255).

Source: 207.44.144.80
Destination: 207.44.145.255
Newly scanned UDP ports: [26000-26003] (since: Nov 3 00:38:42)
Newly Blocked UDP packets: [4] (since: Nov 3 00:38:42)
Complete TCP/UDP port range: [26000-26003] (since: Nov 2 16:00:18)
Total blocked packets: 120
Start time: Nov 2 16:00:18
End time: Nov 3 00:38:42
Danger level: 2 out of 5
DNS info: 207.44.144.80 -> No reverse dns info available


---- Whois Information: ----

OrgName: Everyones Internet, Inc.
OrgID: EVRY

NetRange: 207.44.128.0 - 207.44.255.255
CIDR: 207.44.128.0/17
NetName: EVRY-BLK-11
NetHandle: NET-207-44-128-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:
RegDate:
Updated: 2002-05-08

TechHandle: RW172-ARIN
TechName: Williams, Randy
TechPhone: +1-713-400-5400
TechEmail: admin@ev1.net

# ARIN Whois database, last updated 2002-11-02 19:05
# Enter ? for additional hints on searching ARIN's Whois database.

=-=-=-=-=-=-=-=-=-=-=-=-=-= Nov 3 00:38:42 =-=-=-=-=-=-=-=-=-=-=-=-=-=


What do I do now????????

Cajun
trif
It looks like a broadcast from someone on the same network as you. Your IP isn't 207.44.145.255, it's 207.44.144.48. 207.44.145.255 is the broadcast address, any packets sent there will be received by all machines on that subnet. Heh, the web server at 207.44.144.80 has an interesting picture.

I would ignore it. It looks like they're broadcasting a few packets now and then. Not going to hurt you.
cmafia
LOL! I visited that webserver and also saw a very..ummm...interesting picture. For those of you who are at work, I wouldn't suggest you go there.

Cajun
Creator
Two piles of bones on a sink. So what?

There's no skin showing, so it's okay. Get it? No skin showing.

ha ha doh :o
rake
I've received 100+ psad e-mails today alerting me about portscans from 207.144.54.80.
I bet there were a few more hundreds of port scans, but the e-mail limit was reached.
aussie
QUOTE
Originally posted by cmafia
I've been port scanned 27 times from Ev1.net, who owns Rackshack.net.  I called Ev1.net's support and they were no help.  They sent me over to Rackshack support, which was closed.  Can someone help me???  I'm on danger level 2 with this.  Here's the last email psad sent to me:


Just type this at your command line:

/sbin/iptables -I INPUT 1 -p tcp -s 207.44.144.80 -j DROP

End of story!
foggy
Hmmm, interesting pics indeed... something to look forward to when I die.
ShadowJK
"Firewalls" like psad annoy me greatly. They say you are being portscanned, while it might just be someones rwhod broadcasting, or someone doing a traceroute to your site.

Port 26000 is marked as being used by quake. Maybe the host in question is running a quake server, or for some unfathomable reason playing quake over a NAT'd VPN to his dedicated.
madsere
You're all barking up the wrong tree. Report the attacks to abuse@ev1.net including the psad output.
cmafia
QUOTE
Originally posted by aussie


Just type this at your command line:

/sbin/iptables -I INPUT 1 -p tcp -s 207.44.144.80 -j DROP

End of story!



Can you explain to me what that command does? I'm trying to learn more Linux-ese! lol!
greyboy
iptables -I INPUT 1 -p tcp -s 207.44.144.80 -j DROP

-I INPUT
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.


So, a new "rule" is inserted at the head of the input "chain" (a list of rules)

-p
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one.


So, it is matching against TCP packets coming in.

-s
Source specification. Address can be either a hostname, a network name, or a plain IP address.


So, the rule also matches against that particular IP address, obviously.

-j
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension.


So, the rule then specifies the target to send the match to, which is the predefined chain DROP, which drops everything it receives with no response.

This is a crappy explanation, and just the tip of the iceberg, but there is a lot of information out there to help you when you get started when you want to learn more.

Good luck.

-N
aussie
QUOTE
Originally posted by greyboy
iptables -I INPUT 1 -p tcp -s 207.44.144.80 -j DROP


Great explanation my friend, saved me a lot of typing. Thanks mate!
trif
Except that the packets in question are UDP packets, so you need to block UDP packets not TCP packets.

I'd say the machine is probably a quake server if quake uses those ports.

Firewalls in the hands of novices are a dangerous thing. They can lead to GWF attacks, leading to support nightmares and degraded response.
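An added example, not code from the thread or from psad, that ties together trif's two points: a destination of 207.44.145.255 is the subnet broadcast rather than this host, and any block rule has to match the protocol psad actually saw (UDP here, not TCP). The sample alert is constructed from the one quoted above, trimmed to the lines the parser reads; the /23 netmask is an assumption, since the page never states it, but it is the only prefix under which 207.44.144.48 and 207.44.144.80 share the broadcast address 207.44.145.255. Only the Python standard library is used.

```python
import ipaddress
import re

# Constructed sample input: the psad alert quoted in the thread, trimmed to the
# lines this parser reads. Embedded here so the example runs offline.
SAMPLE_ALERT = """\
psad: portscan detected against ensim.darksidehosting.com (207.44.145.255).

Source:                      207.44.144.80
Destination:                 207.44.145.255
Newly scanned UDP ports:     [26000-26003]   (since: Nov 3 00:38:42)
Newly Blocked UDP packets:   [4]   (since: Nov 3 00:38:42)
Complete TCP/UDP port range: [26000-26003]  (since: Nov 2 16:00:18)
Total blocked packets:       120
Danger level:                2 out of 5
"""


def parse_alert(text):
    """Pull source, destination, protocols, port ranges and danger level out of a psad alert."""
    src = re.search(r"^Source:\s+(\S+)", text, re.M).group(1)
    dst = re.search(r"^Destination:\s+(\S+)", text, re.M).group(1)
    # psad emits one "Newly scanned <PROTO> ports" line per protocol it actually saw.
    scanned = re.findall(r"^Newly scanned (TCP|UDP) ports:\s+\[([^\]]+)\]", text, re.M)
    danger = re.search(r"^Danger level:\s+(\d+) out of (\d+)", text, re.M)
    return {
        "src": src,
        "dst": dst,
        "protocols": sorted({proto.lower() for proto, _ in scanned}),
        "ports": sorted({rng.strip() for _, rng in scanned}),
        "danger": int(danger.group(1)) if danger else None,
    }


def is_subnet_broadcast(dst, my_ip, prefixlen):
    """True if dst is the directed broadcast address of my_ip's subnet.

    Packets sent there reach every host on the subnet, so a "scan" of the
    broadcast address was not aimed at this machine in particular.
    """
    network = ipaddress.ip_interface(f"{my_ip}/{prefixlen}").network
    return ipaddress.ip_address(dst) == network.broadcast_address


def iptables_rules(alert):
    """One DROP rule per protocol psad reported. The thread's '-p tcp' rule
    would have matched nothing here, because the blocked packets were UDP."""
    return [
        f"/sbin/iptables -I INPUT 1 -p {proto} -s {alert['src']} -j DROP"
        for proto in alert["protocols"]
    ]


def triage(alert, my_ip, prefixlen):
    """Return ("ignore", []) for subnet broadcast noise, else ("block", rules)."""
    if is_subnet_broadcast(alert["dst"], my_ip, prefixlen):
        return "ignore", []
    return "block", iptables_rules(alert)


if __name__ == "__main__":
    # /23 is an assumption (see lead-in): the prefix under which both
    # 207.44.144.48 and 207.44.144.80 share the broadcast 207.44.145.255.
    alert = parse_alert(SAMPLE_ALERT)
    print(alert)
    print(triage(alert, "207.44.144.48", 23))
```

Run against the quoted alert this prints a verdict of "ignore" with no rules; change the destination to the host's own address and it emits a single rule with `-p udp`, which is the one the thread eventually arrives at.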
cmafia
Thanks Greyboy for the help! By no means, Trif, am I a firewall newbie! I'm just an MCSE+I (Microsoft Certified Systems Engineer + Internet) and a MCT (Microsoft Certified Trainer) so my brain is stuck in GUI mode and Microsoft products!

Cajun
Adonis
I've only received 3 PSAD emails since I installed it, and all were about restarting it. So would that mean nothing happened?
trif
QUOTE
Originally posted by cmafia
I'm just an MCSE+I (Microsoft Certified Systems Engineer + Internet) and a MCT (Microsoft Certified Trainer) so my brain is stuck in GUI mode and Microsoft products!

Cajun


I'll make allowances.
cmafia
Thanks for making allowances for us MS-People who're coming in and trying to invade you Penguin people!

LOL!
raventec2
Look to your left... Do I look like a penguin? LOL
Yeah, firewalls are dangerous but well worth learning.
cmafia
No Penguin, you look more like a Black Bird w/out a body...and who can't dance to these funky beats of Cajun Mafia! LOL!


Cajun
raventec2
LOL!
Yep, if that's dancing, then he can't dance or he's drunk off his egg. I think something is just stuck to his foot.

I'd like to see PSAD developed a bit further. It's pretty cool, but it seems they could go much farther with it. I'd rather have it than nothing though. I've had some really ANNOYING days with it. Most of the time it's pretty quiet.
TopSE
The iptables command is a nice solution, but very hard to understand (for newbies).

# pico /etc/psad/psad_auto_ips

add:
QUOTE
207.44.144.80           5 #bad guy's ip


save the file and restart psad ( /etc/init.d/psad restart )

DONE

you will get an email that says: "IP blah blocked by tcpwrappers..."

Regards, TopSE

btw. -1 makes psad ignore the ip
cryptic
What would the command line be to go from a warning level 1 to a level 2 so I don't get all these emails each time EV1 scans me?
For bastille.
Thanks
-Dave