
Thread: How can I shake off this guy ?

  1. #1
    Join Date
    Nov 2008
    Beans
    Hidden!

    How can I shake off this guy ?

    During the last few weeks, someone from IP 88.191.127.22 has been trying to 'poke' through my system at ports 3xxxx & 5xxxx, once or twice a day.
    Is it part of the price to pay for surfing, or should I worry?
    I even added, to no avail, this entry to /etc/hosts:
    127.0.0.1 faraway.pocentek.net
    and that hasn't stopped him at all.
    I have to move all my 'sensitive' offline for now. My firewall is set to Deny In, Deny Out - ports opened only for standard stuff like DNS, HTTP, SMTP, POP ...

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How can I shake off this guy ?

    The hosts file is only local to you and does nothing for someone trying to connect remotely.

    As far as finding open ports in 3xxx and 5xxx, Remote desktop runs off port 3389 and VNC runs off 5900 and both of these are used for remote access. If you do not have either of these installed you should be fine.

    Is this a desktop or server machine?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,041
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: How can I shake off this guy ?

    If you can alter your iptables rules, just block the host with a rule near the top of the ruleset like this:

    Code:
    # -I inserts at the top of INPUT; DROP is the valid iptables target (DENY is not)
    /sbin/iptables -I INPUT -s 88.191.127.22 -j DROP
    Then you'll never have to think about it again until someone tries a new IP address. As Charles says, as long as you don't have open ports with services listening on them, there's nothing he can do except litter your iptables logs with rejections.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
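
An added example, not part of any post in this thread: one way to check the point made above, that blocked probes only matter if a service is listening on the probed port. The log lines and `ss -tln` output are constructed samples in the usual UFW and iproute2 formats; the second source address, the host name and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not taken from the thread): UFW block entries from
# the kernel log and `ss -tln` output from the same desktop.
UFW_LOG = """\
Jan 12 03:14:07 desk kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.191.127.22 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=80 DPT=35012 WINDOW=5840 SYN URGP=0
Jan 12 15:40:51 desk kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.191.127.22 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=80 DPT=51877 WINDOW=5840 SYN URGP=0
Jan 13 02:02:19 desk kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.191.127.22 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=80 DPT=38440 WINDOW=5840 SYN URGP=0
Jan 13 09:11:33 desk kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=44112 DPT=22 WINDOW=1024 SYN URGP=0
Jan 13 09:11:34 desk kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=72 TTL=49 PROTO=UDP SPT=5353 DPT=5353 LEN=52
"""
SS_TLN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""
# '.' does not cross newlines, so each match stays inside one log line.
BLOCK_RE = re.compile(r"\[UFW BLOCK\].*?\bSRC=(\S+).*?\bPROTO=TCP\b.*?\bDPT=(\d+)")

def remote_listening_ports(ss_output):
    """TCP ports with a listener bound to a non-loopback address."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only services are not reachable remotely
        ports.add(int(port))
    return ports

def summarize(log_text, ss_output):
    """Per source IP: blocked TCP probes, ports probed, probed ports with a listener."""
    listening = remote_listening_ports(ss_output)
    report = defaultdict(lambda: {"hits": 0, "ports": set(), "exposed": set()})
    for src, dpt in BLOCK_RE.findall(log_text):
        entry = report[src]
        entry["hits"] += 1
        entry["ports"].add(int(dpt))
        if int(dpt) in listening:
            entry["exposed"].add(int(dpt))
    return dict(report)

if __name__ == "__main__":
    for src, e in sorted(summarize(UFW_LOG, SS_TLN).items()):
        print(src, e["hits"], sorted(e["ports"]), "listening:", sorted(e["exposed"]))
```

A source whose "listening" set is empty is only producing log noise; a non-empty set marks a port where the firewall rule is the only thing between the prober and a running service.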

  4. #4
    Join Date
    Oct 2007
    Beans
    338

    Re: How can I shake off this guy ?

    Resolve Host: Paris, France faraway.pocentek.net (88.191.127.22)
    IP: 88.191.127.22, records: 2
    medibuntu.org WHOIS
    pocentek.net WHOIS
    88.191.127.0 - 88.191.127.255
    I also agree with the other post; in addition, you could block the whole range if it continues:
    Code:
    iptables -A INPUT -p tcp -m iprange --src-range 88.191.127.0-88.191.127.255 -j DROP

  5. #5
    Join Date
    Oct 2007
    Beans
    338

    Re: How can I shake off this guy ?

    I would also suggest looking at fail2ban, which does this for you:
    http://www.fail2ban.org/wiki/index.php/Main_Page
    Code:
    sudo apt-get update
    sudo apt-get install fail2ban

  6. #6
    Join Date
    Nov 2008
    Beans
    Hidden!

    Re: How can I shake off this guy ?

    Quote: Originally Posted by CharlesA
    As far as finding open ports in 3xxx and 5xxx, Remote desktop runs off port 3389 and VNC runs off 5900 and both of these are used for remote access. If you do not have either of these installed you should be fine.

    Is this a desktop or server machine?
    This is my desktop. I don't have these 2 ports opened.
    I have seen a few, but the persistence of this guy really amazed me.
    Thanks Charles and everybody, I can sleep now.

  7. #7
    Join Date
    Mar 2011
    Beans
    671

    Re: How can I shake off this guy ?

    I second Fail2Ban.

  8. #8
    cprofitt is offline νόησις νοήσεως - nóesis noéseos
    Join Date
    Oct 2006
    Location
    平静
    Beans
    1,448
    Distro
    Ubuntu Development Release

    Re: How can I shake off this guy ?

    All the suggestions above are valid, but it might be worth investing in an inexpensive home router with a firewall on it too. Since this is a desktop there is likely no reason to expose it to the Internet directly.

  9. #9
    Join Date
    Aug 2008
    Location
    Washington DC
    Beans
    2,186
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: How can I shake off this guy ?

    Quote: Originally Posted by leclerc65
    This is my desktop. I don't have these 2 ports opened.
    I have seen a few, but the persistence of this guy really amazed me.
    Thanks Charles and everybody, I can sleep now.
    Shouldn't be amazed, as it's probably not a person poking at a keyboard, but rather a vulnerability scanner that is poorly configured.

  10. #10
    Join Date
    Mar 2009
    Beans
    1,333

    Re: How can I shake off this guy ?

    OK I have a couple suggestions.

    First, fail2ban or similar. Protect your computer from the inside, always.

    Second, a cheap appliance router/firewall. Defense in depth, and as long as you're careful they have a huge benefit because they just don't have much on them to exploit, which can be used to attack your network.

    Third, something I can't really imagine why somebody else didn't say: Contact your ISP. If you're in the USA, then this sort of thing is illegal and the appropriate people will look into it if somebody complains. I've done it 3 times now over the years with scans that were especially pesky, and they all stopped shortly after they were reported. Whether it happened because my ISP put in a firewall rule of some sort, or somebody got a visit from law enforcement I don't know nor do I care.

    I know it sounds ridiculous, you can't police the whole net right? But as in real life, the cops can't come if they don't get a call.
    Help stamp out MBR partition tables. Use GPT instead!
