
Avoiding Paranoia

Fine. Everything is working. But every day or so the logs are showing all kinds of failed connection attempts. Are people trying to hack your system this often? Should you be writing abuse@some.system each time?

Some people overreact to what they see in their logs. The most common attempts are a combination of mistakes, legitimate attempts based on the history of the internet, misunderstandings, curiosity, and harmless, primitive hacking. They're a fact of life on the internet, kind of like door-to-door salespeople, commercial phone calls, wrong phone numbers, and junk postal mail. (Notice that I said junk postal mail, not junk email!!!)

For more serious attempts, there is no clear-cut answer. It's going to depend on your own personality and comfort level, and on what you personally define a serious attempt to be.

With that in mind, here's my personal advice.

Ignore individual, isolated, single connection attempts to one of telnet, ssh, ftp, finger or any other port for a typical service which you are not providing. (I've seen people get bent out of shape because someone tried to access a non-existent web server once...)

You might be wondering about the cavalier attitude towards telnet and ssh. After all, why would someone be trying to access those services if they don't have an account? The most likely reason is ignorance or curiosity. A second possible reason is that prior to the web, it was fairly common for sites to offer a "guest" login over telnet to give people access to local information or to locally hosted games, demos, etc., just as anonymous FTP continues to be offered today. Additionally, most home computers have a telnet program, but not necessarily a ping or finger program. Someone somewhere could simply be curious about what happens if they try to connect to your machine, or want to see if your machine is online.

Repeated attempts, attempts to a subset of the previous famous ports, or attempts to the following ports are typically the precursor to a hacking attempt, usually part of a scan for openings throughout a domain or subnet. Current hacking "packages" will typically probe a subset of these ports one after the other.

  • smtp (25) - looking for a spam relay
  • domain (53) - compromising a DNS server via TCP zone transfers
  • pop (109 or 110) - probably looking for either a mail or news spam relay
  • sunrpc (111) - your portmapper/rpcbind. Probably looking for access to your NFS mounted filesystems, your NIS-managed password file, or any rpc-based service you are running.
  • nntp (119) - probably looking for either a free/public news feed or a news spam relay
  • imap (143) - famous security hole
  • snmp (161) - the system equivalent of finger, but more importantly, used for remote network administration functions
  • BSD remote services (512-517) - intended for intranet use, and a serious security flaw if offered externally
  • uucp (540) - a "famous" service like FTP, but not typically offered to the world at large
  • mount (635) - NFS mount service
  • socks (1080) - another potential spam relay point

How you respond is up to you. For me, I tend to ignore one-time occurrences. Some people are more persistent, and eventually I add firewall rules to block them completely, and sometimes their entire domain address space if their domain has a bad reputation.

Other people take each occurrence seriously, because even if their own machine is secure, other people's might not be, and those others may not even have the capability of knowing that they are being probed.

Another argument in favor of taking each occurrence seriously is that current probing methodologies are becoming more difficult to identify as a concerted probe.
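The rules of thumb above (ignore one isolated attempt, treat several of the listed ports hit in quick succession as a scan, treat port 67 traffic as a misconfiguration to report rather than an attack) can be applied mechanically to a firewall log before anyone decides whether a letter is warranted. The script below is an added example and not code from the original article: it parses a constructed, netfilter-style log excerpt, sorts each source address into one of those verdicts, and renders drop rules in iptables syntax (an assumption; the article names no particular firewall). The log format, the addresses, the 15-minute window and the three-port threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article lists as the usual targets of a concerted probe, keyed by number.
SCAN_PORTS = {
    25: "smtp", 53: "domain", 109: "pop", 110: "pop", 111: "sunrpc", 119: "nntp",
    143: "imap", 161: "snmp", 512: "exec", 513: "login", 514: "shell",
    515: "printer", 517: "talk", 540: "uucp", 635: "mount", 1080: "socks",
}
# Everyday services where the article says a single stray attempt is not worth a letter.
FAMOUS_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 79: "finger"}
WATCHED_PORTS = set(SCAN_PORTS) | set(FAMOUS_PORTS)
DHCP_SERVER_PORT = 67  # traffic here is almost always a misconfigured host, not an attack

# Constructed sample log (hypothetical netfilter-style format; not from any real host):
# "<ISO timestamp> kernel: ... SRC=<source ip> ... DPT=<destination port>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=23
2024-05-01T10:00:01 kernel: IN=eth0 SRC=198.51.100.44 DST=203.0.113.5 PROTO=TCP DPT=25
2024-05-01T10:00:02 kernel: IN=eth0 SRC=198.51.100.44 DST=203.0.113.5 PROTO=TCP DPT=110
2024-05-01T10:00:03 kernel: IN=eth0 SRC=198.51.100.44 DST=203.0.113.5 PROTO=TCP DPT=111
2024-05-01T10:00:04 kernel: IN=eth0 SRC=198.51.100.44 DST=203.0.113.5 PROTO=TCP DPT=143
2024-05-01T10:00:05 kernel: IN=eth0 SRC=198.51.100.44 DST=203.0.113.5 PROTO=TCP DPT=1080
2024-05-01T10:05:00 kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP DPT=22
2024-05-01T11:30:00 kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP DPT=22
2024-05-02T09:12:00 kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP DPT=22
2024-05-01T10:07:00 kernel: IN=eth0 SRC=192.0.2.200 DST=203.0.113.5 PROTO=UDP DPT=67
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dport>\d+)")


def parse(log_text):
    """Yield (timestamp, source address, destination port) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def _is_sweep(hits, window, threshold):
    """True if some span of `window` length contains `threshold` distinct watched ports."""
    for i, (start, _) in enumerate(hits):
        seen = {p for t, p in hits[i:] if t - start <= window and p in WATCHED_PORTS}
        if len(seen) >= threshold:
            return True
    return False


def classify(events, scan_window=timedelta(minutes=15), scan_threshold=3):
    """Apply the article's rules of thumb to each source address.

    ignore           - one isolated attempt, whatever the port
    misconfiguration - traffic to the DHCP server port; write to the owner, not abuse@
    scan             - several distinct watched ports hit within scan_window
    repeated         - persistent attempts that do not look like a port sweep
    """
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))

    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order so the sliding window works
        ports = {p for _, p in hits}
        if DHCP_SERVER_PORT in ports:
            verdicts[src] = "misconfiguration"
        elif len(hits) == 1:
            verdicts[src] = "ignore"
        elif _is_sweep(hits, scan_window, scan_threshold):
            verdicts[src] = "scan"
        else:
            verdicts[src] = "repeated"
    return verdicts


def block_list(verdicts):
    """Sources the article would eventually firewall: the ones running a port sweep."""
    return sorted(src for src, v in verdicts.items() if v == "scan")


def firewall_rules(sources):
    """Render drop rules for the block list (iptables syntax assumed; adapt to your firewall)."""
    return [f"iptables -A INPUT -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    verdicts = classify(parse(SAMPLE_LOG))
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:16} {verdict}")
    for rule in firewall_rules(block_list(verdicts)):
        print(rule)
```

The "repeated" verdict is deliberately left to a human: three ssh attempts spread over a day from one address is exactly the case the article says depends on your own comfort level. The window and threshold are knobs; widen the window if the sweeps you see are slow, and raise the threshold if legitimate clients on your network touch several of the watched ports.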

If you feel you must write these people, try to be polite. Give them the benefit of the doubt initially. Overreactions are misplaced more often than not. What might appear as a serious hacking attempt to you is most likely a curious student playing with a new program, and a polite word to their abuse, root or postmaster will usually take care of the problem. More people need to be educated about netiquette than need their network accounts rescinded. And, they might be innocent of anything. Source address spoofing is a reality, and it's easy to do. Or very possibly, the person's system has been compromised and they have no idea of what's going on.

If you're seeing messages from a rogue DHCP server (port 67), report it to your ISP and/or try writing to root@that.system. This isn't likely to be a hacking attempt. It's an innocent mistake on someone's part. But it will most likely screw someone up somewhere, possibly lots of people.
