Linode Community Forums
 


Portscans & other malicious activity


 
       Linode Forum Index -> Linux Networking
zow



Joined: 13 Sep 2003
Posts: 8
Location: CA, USA

Posted: Tue Oct 14, 2003 10:29 am    Post subject: Portscans & other malicious activity  

So I'm running snort on my Debian Linode (version 1.8.4-beta1 (Build 91)), and I'm seeing plenty of ICMP ping activity in the alert log, but I'm not seeing anything in the portscan log, or any other attack attempts in the syslog. This has been the case for over a week now. When I ran snort on my DSL connection, I was getting scanned or attacked every few minutes. Does anyone know if this malicious activity is being filtered somewhere upstream, or have any other data points to compare and contrast against?

-"Zow"
caker



Joined: 15 Apr 2003
Posts: 2878
Location: Galloway, NJ

Posted: Thu Oct 16, 2003 5:50 pm    Post subject:  

Well .. besides the port filtering that ThePlanet does, I would suspect that script kiddies know they are more likely to find vulnerable machines from cable and DSL providers, rather than locked-down boxes at datacenters. But, that's not to say that having a r00ted box on a high speed network isn't attractive...

-Chris
Ashen



Joined: 30 Aug 2003
Posts: 58

Posted: Wed Nov 19, 2003 9:58 am    Post subject:  

If a linode did get rooted (theoretically, I hope this would never happen!), what would be done? Would it simply be terminated until its owner came back, rebooted and secured it?

-Ashen
unixfool



Joined: 08 Apr 2004
Posts: 92
Location: VA

Posted: Sun Mar 12, 2006 11:33 am    Post subject: Re: Portscans & other malicious activity  

zow wrote: So I'm running snort on my Debian Linode (version 1.8.4-beta1 (Build 91)), and I'm seeing plenty of ICMP ping activity in the alert log, but I'm not seeing anything in the portscan log, or any other attack attempts in the syslog. This has been the case for over a week now. When I ran snort on my DSL connection, I was getting scanned or attacked every few minutes. Does anyone know if this malicious activity is being filtered somewhere upstream, or have any other data points to compare and contrast against?

-"Zow"

I've the feeling it's getting filtered downstream.

I'm wondering if you bought an interface for your linode that you dedicate to Snort. I'm about to give Snort a try on my linode but have been wondering about resource issues (I'm NOT going to use ACID or have it report to a MySQL DB) and the best overall deployment of Snort.