× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. November 2003

RE: Detecting Network scans

Though it shouldn't need to be said, I'll do it anyway -- If you don't have a 
firewall and you're connected to the Internet, you _are_ being scanned. Often. 
Likely many times per day.

The link to < http://www.xs4all.nl/~hgj/ipflt/ > is a good one. This highlights 
a 'firewall Lite' facility that's been available for a few years and that's 
rarely used. There are a few things to be aware of.

First, the freeware documentation is outdated at points. The "IP Packet 
Security" tag hasn't been used for a while; you should now look for Network->IP 
Policies->Packet Rules and right-click Packet Rules to select Rules Editor. 
That should get you started.

Second, anybody who attempts to activate packet rules should know the following 
command by heart:

  ==> RMVTCPTBL TBL(*IPFTR)    [or TBL(*ALL)]

Be certain you have a way to run this command without TCP/IP before you 
activate any rule sets. It can be extremely easy to activate rules that disable 
your telnet sessions as well as any other facility that relies on TCP/IP. And 
once the rules are in place, it can be tricky getting them turned off again. A 
good ol' twinax console can be very handy. SNA passthru might also be used. 
Some have submitted the command via job scheduler or via SBMJOB with scheduled 
date/time for a few minutes in the future.

Finally, although the facility works, keep in mind that you're using your very 
expensive iSeries memory, DASD, IOPs and CPU, to do the work that a cheap Linux 
box and maybe an extra hub could do faster and better. The resulting journal 
receivers can quickly become very large under the right circumstances. You're 
generally much better off keeping unwanted packets from even reaching your 
iSeries adapter. There's seldom much point in making that equipment handle 
those packets when other work could be done.

'Firewall Lite' is pretty cool and the noted freeware is a decent introduction. 
I hope I've added useful info.

Tom Liotta

"Bob Crothers" <bob2@xxxxxxxxxxxxxx> wrote:

>Your firewall should tell you that you are being scanned.
>
>> -----Original Message-----
>> From: security400-bounces@xxxxxxxxxxxx 
>> [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Steve
>McKay
>> 
>> Is there something (exit program, setting, etc.) which 
>> would/could alert me
>> if my iSeries is being scanned from a specific subnet or IP 
>> address?  Or if
>> a connection request came from outside *my* subnet? (3rd 
>> party software is
>> probably not a viable solution but I'd be willing to consider
>it.)

-- 
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertech.com


__________________________________________________________________
McAfee VirusScan Online from the Netscape Network.
Comprehensive protection for your entire computer. Get your free trial today!
http://channels.netscape.com/ns/computing/mcafee/index.jsp?promo=393397

Get AOL Instant Messenger 5.1 free of charge.  Download Now!
http://aim.aol.com/aimnew/Aim/register.adp?promo=380455

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.