Date: Fri, 6 Mar 1998 13:35:26 -0800 (PST)
From: David Babler
To: freebsd-isp@FreeBSD.ORG
Subject: Port 137 access - somebody monkeying around?

Perhaps this might belong to FreeBSD-security, but what the hey - it involves ISPs too...

My ipfw rules deny and log all services that I don't support here, and I've noticed that I will often see a string of access attempts on my port 137 (NetBIOS Name Service) from foreign addresses (not once from any of my dialup customers). I was under the impression that these contacts might be Bad Guys trying to take advantage of some known exploit, thinking I was running NT or something. Is that a valid assumption, or is there some legitimate reason why foreign IPs should be trying to connect to that port?

I complained once to a system one of whose dialup customers continued a port 137 probe on and off for an hour. When the user was contacted, he claimed he had NO IDEA what we were talking about, that he might have just "tried something" with a browser.

Am I being too paranoid?

-Dave