Odd connection activity

Posted: Fri Jun 03, 2005 11:10 am
by Sergeant Thorne
I was just monitoring the packets being sent to and from my server machine (he who controls the packets controls the world!!), and I noticed an IP address connecting on incrementing ports, and another connection to a similar port. I shut down the server's network access and did a WhoIs on the latter IP with my main machine:
OrgName: 2wire
OrgID: 2WIR
Address: 1704 Automation Parkway
City: San Jose
StateProv: CA
PostalCode: 95131
Country: US

NetRange: 216.52.29.0 - 216.52.29.255
CIDR: 216.52.29.0/24
NetName: PNAP-SFJ-2WIRE-DC-01
NetHandle: NET-216-52-29-0-1
Parent: NET-216-52-0-0-1
NetType: Reallocated
Comment:
RegDate: 2002-03-19
Updated: 2002-03-19

TechHandle: INO3-ARIN
TechName: InterNap Network Operations Center
TechPhone: +1-877-843-4662
TechEmail: noc@internap.com
Seems rather odd. The other IP is coming from "NL". Can anyone shed light on any of this?

I only just finished reading an article on CNET about Firewalls. Maybe this would be a good time for me to deal with it.

Posted: Fri Jun 03, 2005 11:34 am
by Krom
Get a router, assuming you don't DMZ your server it will ignore all inbound packets on non forwarded ports.

Posted: Fri Jun 03, 2005 11:36 am
by Sergeant Thorne
We actually have a 2Wire DSL router.

I just hooked the server back up, and several IPs showed up, all on ports 1280-129*.

Posted: Fri Jun 03, 2005 11:51 am
by fliptw
somebody is port scanning you.

Posted: Fri Jun 03, 2005 1:23 pm
by Tricord
Big deal, just make sure that ports you don't need are closed.

If I kept the logs of the portscans on my webservers in my hosting business, I'd run out of disk space after a week :roll:

Posted: Fri Jun 03, 2005 1:57 pm
by Krom
Tricord wrote: Big deal, just make sure that ports you don't need are closed.

If I kept the logs of the portscans on my webservers in my hosting business, I'd run out of disk space after a week :roll:
Yeah, same here. I think that is just a given for any computer that has an always-on connection. Hardly a day goes by that something tries to connect to my FTP server at least once, and I've also seen times when someone has tried a good 50 login and password combinations (all of them failed, of course). :P

Posted: Sat Jun 04, 2005 10:46 am
by Sergeant Thorne
Thanks a lot for the input, guys!

I opted to install the free ZoneAlarm Basic. Nothing gets in or out without my permission. Someday I'll go right to the core of the matter and manually forward ports on the router, but right now it's just using a "web server" setting for this machine.

As soon as I figure out how to get file-sharing past ZoneAlarm, I should be all set. Is the entire 192.168.*.* range reserved for local use?

Edit: Got my answer from Google...
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
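As an added example (not code from this thread), a small Python script that flags the pattern fliptw describes, one source hitting a run of incrementing ports, over constructed connection-log lines, and that checks a source address against the three RFC 1918 blocks listed above. The log line format and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# RFC 1918 private blocks, as listed in the post above.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls inside one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect_scans(log_lines, min_ports=5, window_s=60):
    """Flag sources that touch >= min_ports distinct ports within window_s seconds.

    Each line is 'ISO-timestamp src_ip dst_port' (a constructed format, not a
    real firewall log). Returns {src_ip: {"ports": [...], "sequential": bool,
    "private_source": bool}}.
    """
    events = defaultdict(list)
    for line in log_lines:
        ts, src, port = line.split()
        events[src].append((datetime.fromisoformat(ts), int(port)))
    suspects = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = sorted({p for t, p in evs[i:]
                            if (t - t0).total_seconds() <= window_s})
            if len(ports) >= min_ports:
                # Incrementing ports (1280, 1281, ...) are the classic sweep pattern.
                sequential = ports == list(range(ports[0], ports[0] + len(ports)))
                suspects[src] = {"ports": ports, "sequential": sequential,
                                 "private_source": is_private(src)}
                break
    return suspects


# Constructed sample log: one external host sweeping 1280-1289, plus normal traffic.
SAMPLE_LOG = [f"2005-06-03T11:00:{i * 5:02d} 203.0.113.7 {1280 + i}"
              for i in range(10)]
SAMPLE_LOG += [
    "2005-06-03T11:00:12 192.168.0.5 80",
    "2005-06-03T11:00:30 192.168.0.5 80",
    "2005-06-03T11:01:02 198.51.100.9 80",
]

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(src, info)
```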

Posted: Sat Jun 04, 2005 12:07 pm
by Krom
Sergeant Thorne wrote: Someday I'll go right to the core of the matter and manually forward ports on the router, but right now it's just using a "web server" setting for this machine.
What type of web server are you running? And what type of router are you using? Make that "someday" become "today", because it is so much easier to do it now rather than after something has already been compromised.

Posted: Sat Jun 04, 2005 2:31 pm
by Sergeant Thorne
We have a 2Wire router, and I'm running the Apache HTTP server.

I actually found that ZoneAlarm restricted access to my web sites to within our network (maybe because I set 192.168.*.* to "Trusted"), so I'm going to have to either learn how to make ZoneAlarm work, or find another way. The only thing that has kept me from forwarding ports manually is not knowing all of the ports that Apache and MySQL use.

I agree with you about doing it right away, but I was actually talking about putting off doing it at the router level, and just letting ZoneAlarm do the work for now.

Posted: Sat Jun 04, 2005 3:43 pm
by Krom
You're running a web server, that's port 80. If MySQL is only running for use on that same server computer there is no need to forward it; otherwise its default is port 3306.

Posted: Sat Jun 04, 2005 7:17 pm
by Sergeant Thorne
That's all? I thought I had observed Apache using more ports than that.

Thanks a lot, Krom.

Posted: Sat Jun 04, 2005 7:57 pm
by DCrazy
Apache will only use whatever ports you specify in the Listen directive of httpd.conf. For example, Listen *:80 will only listen on port 80, but Listen *:* will listen on ALL PORTS.

Posted: Sat Jun 04, 2005 8:02 pm
by Sergeant Thorne
Ah, ok. Thanks, DCrazy.

There may well have been a time when I used a *:*, but I do have them all set to *:80 right now.