On 12/22/17, Glenn English <ghe2...@gmail.com> wrote:
> Debian Squeeze (?) very old anyway, Dell server, Juniper SSG5
> firewall. 1,000 miles away.
>
> I've started getting email from the firewall down there saying that it
> detected a port scan. Often enough of them to concern me -- several
> times a day.
>
> -- One just came in. Another 4 hours ago. From different IPs, from
> different (RIPE) countries. --
>
> Is there any way to stop them? AFAIK, there isn't. I sure can't think of a
> way.
>
> The 'JuniperUsers list' says to talk to my upstream ISP. But I don't
> see how that would help if they can't do anything either (they also
> use Juniper).
>
> The firewall blocks them after it sees 10 hits from the same IP in
> 5000 microseconds. But by then Nmap (or eq) has hit 10 ports.
>
> Am I overly paranoid here? What if a non-script-kiddie is also doing
> this, but slowly enough that the firewall doesn't detect it?

On a related note in the other direction... or possibly maybe both directions... how do stealthily planted "data" (bitcoin?) miners show up in traffic? Or do they even show up? My uneducated guess is that, once planted by a hacker, the traffic would be outgoing, but this thread makes me wonder.

I started noticing traffic show up from a "slightly out of state", *RANK* location along with something else that I'm going to ask around about behind the scenes. That traffic may have always been there in my case, but something else coincided that makes me wonder if this is something new.... Especially coincidentally to Glenn noticing his..

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *
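
The slow-scan worry in the quoted message, as an added detection example (not part of either post, and not how the SSG5 works internally): the burst rule uses the 10-hits-in-5000-microseconds figure from the message, while the second rule counts distinct destination ports per source over a long window. The slow rule's threshold and window, the event tuple format, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

BURST_HITS, BURST_WINDOW_US = 10, 5000               # threshold quoted in the message
SLOW_PORTS, SLOW_WINDOW_US = 10, 24 * 3600 * 10**6   # assumed: 10 distinct ports per day

def detect(events):
    """events: iterable of (timestamp_us, src_ip, dst_port), sorted by time.
    Returns {src_ip: set of rule names that fired}."""
    recent = defaultdict(deque)   # src -> timestamps still inside the burst window
    ports = defaultdict(dict)     # src -> {dst_port: last time it was probed}
    alerts = defaultdict(set)
    for ts, src, port in events:
        # Rule 1: many hits from one source inside a very short window.
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW_US:
            q.popleft()
        if len(q) >= BURST_HITS:
            alerts[src].add("burst")
        # Rule 2: many *distinct* ports from one source over a long window,
        # which still fires when the probes are minutes apart.
        seen = ports[src]
        seen[port] = ts
        for p in [p for p, t in seen.items() if ts - t > SLOW_WINDOW_US]:
            del seen[p]
        if len(seen) >= SLOW_PORTS:
            alerts[src].add("slow")
    return dict(alerts)

def sample_events():
    """Constructed traffic using documentation addresses (RFC 5737)."""
    fast = [(i * 400, "192.0.2.10", 20 + i) for i in range(12)]               # 12 ports in 4.4 ms
    slow = [(i * 600 * 10**6, "198.51.100.7", 1000 + i) for i in range(12)]   # one port per 10 min
    normal = [(i * 10**6, "203.0.113.5", 443) for i in range(30)]             # repeat hits, one port
    return sorted(fast + slow + normal)

if __name__ == "__main__":
    for src, rules in sorted(detect(sample_events()).items()):
        print(src, sorted(rules))
```

The slow source never trips the burst rule but is caught by the distinct-port count, and the client that keeps returning to a single port trips neither.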