Hello,
I think something is strange with ASL port-scanning.
The "attacks" from DNS servers are reported and blocked.
Also "FTP attacks" from a Dreamweaver to my WWW server (in the DMZ) are detected when it tries to transfer many files at once.
If I had to find a word for these "attacks", I would think of "port-bombing" or something.
The only solution is to exclude the clients from port-scanning detection (on all ports).
But unfriendly computers looking for port 80 (or others) in my whole class-C network are not detected.
In my opinion this is also port-scanning, and I think I've read about a possibility against it.
That would make sense, because detection could react to maybe the first 30 calls, so the real webserver on the 50th IP could be protected by blocking the scanning source IP.
The following is shortened from my filter log:
Oct 14 04:48:16 TCP Drop: SRC=211.155.27.143 DST=134.169.18.33 SPT=4159 DPT=80
Oct 14 04:48:16 TCP Drop: SRC=211.155.27.143 DST=134.169.18.52 SPT=4178 DPT=80
Oct 14 04:48:16 TCP Drop: SRC=211.155.27.143 DST=134.169.18.63 SPT=4189 DPT=80
Oct 14 04:48:16 TCP Drop: SRC=211.155.27.143 DST=134.169.18.55 SPT=4181 DPT=80
These should be easy to find, because
- there is nothing between most of these entries
- almost all have the same timestamp
- they have the same SRC (of course)
- they have the same DPT (a few times they look for more ports)
This way my server is not really protected, because HTTP on its address is allowed (of course).
I really think that is something to improve!
I think I read about the possibilities of the port-scanning programs, but ASL doesn't seem to handle these?
Or is this my fault and a configuration problem?
Kind regards, Christian