Date:      Sat, 24 Mar 2001 11:43:32 -0500
From:      "Andrew C. Hornback" <hornback@wireco.net>
To:        "Jim Freeze" <jim@freeze.org>
Cc:        "FreeBSD Questions" <questions@FreeBSD.ORG>
Subject:   RE: Meaging of Security Check?
Message-ID:  <003b01c0b481$8ff5b7c0$0e00000a@tomcat>
In-Reply-To: <Pine.BSF.4.32.0103240744350.32267-100000@www.stelesys.com>

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze
> Sent: Saturday, March 24, 2001 7:50 AM
> To: questions@freebsd.org
> Subject: Meaging of Security Check?
>
>
> Hi:
>
> I received the following security check and was wondering what it means:
>
> eeyore1 security check output
>
> eeyore1 kernel log messages:
> > x3f8-0x3ff irq 4 flags 0x10 on isa
> > ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> >  ...where the above is repeated for about 100 lines
>
> I looked up port 67 in /etc/services and it says:
>
> bootps           67/tcp    dhcps        #Bootstrap Protocol Server
> bootps           67/udp    dhcps        #Bootstrap Protocol Server
>
> nslookup says:
>
> % nslookup 24.2.7.70
> Server:  proxy1.lxintn1.ky.home.com
> Address:  24.5.116.15
>
> Name:    lh1.rdc1.tn.home.com
> Address:  24.2.7.70
>
> Can someone explain what is happening here?

	To my (semi)trained eye... you're subject to a new form of a DoS attack.

	Unless you have a machine that requires the use of port 67 for some reason
(i.e. booting via the network), use an ipfw rule to block that port, and
have a talk with the people at home.com about your machine being attacked.
Also, you might want to do a security audit to make sure that they weren't
successful at one point in time.

--- Andy
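
Added example, not part of the original message or of FreeBSD's own tooling: a small sh/awk filter that collapses repeated ipfw log lines like those quoted above into one line per flow with a count, so the rule number, endpoints, ports and direction of each logged flow can be read at a glance. The function names and the repeat count in the sample input are assumptions made for illustration; the log line layout is the one shown in the quoted report.

```shell
#!/bin/sh
# Added example: summarise ipfw log lines from a periodic security report.
# Line layout, as in the quoted report:
#   ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>

# Constructed sample input: lines copied from the quoted report, with the
# Deny line repeated three times (the report repeats it about 100 times).
sample_log() {
    cat <<'EOF'
x3f8-0x3ff irq 4 flags 0x10 on isa
ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
EOF
}

# Output: <count> <rule> <action> <proto> <src> -> <dst> <dir> <iface>,
# most frequent flow first. Lines without an "ipfw:" token are skipped.
summarize_ipfw() {
    awk '
    {
        # Find the "ipfw:" token so any prefix before it is ignored.
        start = 0
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") { start = i; break }
        if (!start || NF < start + 8 || $(start+7) != "via") next
        key = $(start+1) " " $(start+2) " " $(start+3) " " \
              $(start+4) " -> " $(start+5) " " $(start+6) " " $(start+8)
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -k1,1nr -k2
}

# Total denied packets per direction ("in" or "out"), read from stdin.
denied_by_direction() {
    summarize_ipfw |
        awk '$3 == "Deny" { n[$8] += $1 }
             END { for (d in n) printf "%s %d\n", d, n[d] }' | sort
}

sample_log | summarize_ipfw
sample_log | denied_by_direction
```

On a live system the same functions can be fed from the log file the security report is built from instead of sample_log.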

