How can I shake off this guy ?
During the last few weeks someone from IP 88.191.127.22 has been trying to 'poke' through my system at ports 3xxxx & 5xxxx, once or twice a day.
Is it part of the price to pay for surfing or should I worry ?
I even added, to no avail, this entry to /etc/hosts:
127.0.0.1 faraway.pocentek.net
and that hasn't stopped him at all.
I have to move all my 'sensitive' offline for now. My firewall is set to Deny In, Deny Out - ports opened only for standard stuff like DNS, HTTP, SMTP, Pop ...
Re: How can I shake off this guy ?
The hosts file is only local to you and does nothing for someone trying to connect remotely.
As far as finding open ports in 3xxx and 5xxx, Remote desktop runs off port 3389 and VNC runs off 5900 and both of these are used for remote access. If you do not have either of these installed you should be fine.
Is this a desktop or server machine?
Re: How can I shake off this guy ?
If you can alter your iptables rules, just block the host with a rule near the top of the ruleset like this:
Code:
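# -I inserts at the top of INPUT (-A would append after existing rules); DROP replaces DENY, which is not an iptables target
/sbin/iptables -I INPUT -s 88.191.127.22 -j DROP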
Then you'll never have to think about it again until someone tries a new IP address. As Charles says, as long as you don't have open ports with services listening on them, there's nothing he can do except litter your iptables logs with rejections.
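A way to check the point made above, that a probe only matters if a service is listening on the probed port, as an added example that is not part of the original post: it groups firewall log lines by source and flags any probed port found in a set of listening ports. The log lines, the `FW-IN` prefix and the listening set are constructed for illustration; in practice the set would be collected from `ss -tuln`.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel's iptables LOG format. The "FW-IN" prefix,
# hostname, timestamps and destination address are made up for illustration.
SAMPLE_LOG = """\
Mar  3 09:14:02 desktop kernel: FW-IN IN=eth0 OUT= SRC=88.191.127.22 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41022 DPT=35712 WINDOW=5840 SYN URGP=0
Mar  3 21:40:55 desktop kernel: FW-IN IN=eth0 OUT= SRC=88.191.127.22 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=41388 DPT=51230 WINDOW=5840 SYN URGP=0
Mar  4 09:15:11 desktop kernel: FW-IN IN=eth0 OUT= SRC=88.191.127.22 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40117 DPT=5900 WINDOW=5840 SYN URGP=0
Mar  4 10:02:37 desktop kernel: FW-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=240 PROTO=TCP SPT=55001 DPT=22 WINDOW=1024 SYN URGP=0
Mar  4 10:05:00 desktop kernel: FW-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=240 PROTO=UDP SPT=55002 DPT=137 LEN=58
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def summarize(log_text, listening):
    """Group blocked inbound packets by source and flag hits on listening ports.

    listening: set of (proto, port) pairs for services running on this host.
    Returns {source_ip: {"hits": int, "ports": set, "exposed": set}}.
    """
    stats = defaultdict(lambda: {"hits": 0, "ports": set(), "exposed": set()})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if not {"SRC", "PROTO", "DPT"} <= set(fields):
            continue  # not a TCP/UDP firewall line (ICMP, for one, has no DPT)
        key = (fields["PROTO"].lower(), int(fields["DPT"]))
        entry = stats[fields["SRC"]]
        entry["hits"] += 1
        entry["ports"].add(key)
        if key in listening:
            # The firewall rule is the only thing between this source and a
            # running service, so this entry deserves a closer look.
            entry["exposed"].add(key)
    return dict(stats)


if __name__ == "__main__":
    # Hypothetical desktop with only a VNC server listening.
    for src, s in summarize(SAMPLE_LOG, {("tcp", 5900)}).items():
        verdict = "REVIEW: service is listening" if s["exposed"] else "noise"
        print(src, s["hits"], sorted(s["ports"]), verdict)
```

With an empty listening set, every source comes back with an empty `exposed` set, which is the "nothing he can do except litter your logs" case.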
Re: How can I shake off this guy ?
Resolve Host: Paris, France faraway.pocentek.net (88.191.127.22)
IP: 88.191.127.22, records: 2
medibuntu.org WHOIS
pocentek.net WHOIS
88.191.127.0 - 88.191.127.255
I also agree with the other post. In addition, you could block the whole range if it continues:
iptables -A INPUT -p tcp -m iprange --src-range 88.191.127.0-88.191.127.255 -j DROP
Re: How can I shake off this guy ?
I would also suggest looking at fail2ban, which does this for you:
http://www.fail2ban.org/wiki/index.php/Main_Page
Quote:
sudo apt-get update
sudo apt-get install fail2ban
Re: How can I shake off this guy ?
Quote:
Originally Posted by CharlesA
As far as finding open ports in 3xxx and 5xxx, Remote desktop runs off port 3389 and VNC runs off 5900 and both of these are used for remote access. If you do not have either of these installed you should be fine.
Is this a desktop or server machine?
This is my desktop. I don't have these 2 ports opened.
I have seen a few, but the persistence of this guy really amazed me.
Thanks Charles and everybody, I can sleep now.
Re: How can I shake off this guy ?
All the suggestions above are valid, but it might be worth investing in an inexpensive home router with a firewall on it too. Since this is a desktop there is likely no reason to expose it to the Internet directly.
Re: How can I shake off this guy ?
Quote:
Originally Posted by leclerc65
This is my desktop. I don't have these 2 ports opened.
I have seen a few, but the persistence of this guy really amazed me.
Thanks Charles and everybody, I can sleep now.
Shouldn't be amazed, as it's probably not a person poking at a keyboard, but rather a vulnerability scanner that is poorly configured.
Re: How can I shake off this guy ?
OK I have a couple suggestions.
First, fail2ban or similar. Protect your computer from the inside, always.
Second, a cheap appliance router/firewall. Defense in depth, and as long as you're careful they have a huge benefit because they just don't have much on them to exploit, which can be used to attack your network.
Third, something I can't really imagine why somebody else didn't say: Contact your ISP. If you're in the USA, then this sort of thing is illegal and the appropriate people will look into it if somebody complains. I've done it 3 times now over the years with scans that were especially pesky, and they all stopped shortly after they were reported. Whether it happened because my ISP put in a firewall rule of some sort, or somebody got a visit from law enforcement I don't know nor do I care.
I know it sounds ridiculous, you can't police the whole net right? But as in real life, the cops can't come if they don't get a call.