[PLUG] Adaptive firewall considerations
Terry Griffin
griffint at pobox.com
Thu Mar 31 22:55:27 UTC 2005
Hi all,

I'm toying around with some adaptive firewall ideas. In looking at the
iptables logs and deciding what patterns might be worth adapting to, I've
noticed that most of the hits coming from the outside are on TCP ports
135 and 445 (Windows RPC and DS respectively). Sometimes these hits come
in big bunches, obvious attempts by a Win32-based worm to spread itself.
But most of the time it's just a slow trickle.

So here's my question, and I guess it's more of a Windows question than
a Linux question, but trust me that the firewall runs Linux.

To what degree would a normally configured or typically misconfigured but
*uninfected* Windows box try to connect to other random hosts on ports
135 or 445? Is there some level of normal Windows chat, or does *any*
attempt to connect to our IP addresses from the outside on these ports
indicate malicious intent?

If there is some normal level of chatter then I assume it would be limited
to the immediate network on which the Windows box resides, such that it
might be normal to see this trickle of hits from the neighbors on our
ISP's network, but hits to these ports from hosts in China would clearly
be malicious. Yes? No?
Thanks,
Terry
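The log triage the post describes, as an added example that is not part of the original message: it parses constructed iptables LOG lines, keeps only TCP hits on ports 135 and 445, and labels each source as a burst or a trickle and as a neighbor or a remote host. The neighbor prefix, the burst threshold and the sample addresses are assumptions.

```python
import re
import ipaddress
from datetime import datetime
from collections import defaultdict

# Constructed sample lines in kernel/iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Mar 31 22:10:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=3456 DPT=445 SYN
Mar 31 22:10:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=TCP SPT=3457 DPT=445 SYN
Mar 31 22:10:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.7 PROTO=TCP SPT=3458 DPT=135 SYN
Mar 31 22:10:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.8 PROTO=TCP SPT=3459 DPT=445 SYN
Mar 31 22:10:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=3460 DPT=445 SYN
Mar 31 22:12:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=135 SYN
Mar 31 22:31:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=1031 DPT=445 SYN
Mar 31 22:40:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=80 SYN
"""

TARGET_PORTS = {135, 445}                                 # Windows RPC and DS
NEIGHBOR_NET = ipaddress.ip_network("198.51.100.0/24")    # assumed ISP neighbor block
BURST_HITS, BURST_WINDOW = 5, 60                          # >= 5 hits within 60 s is a burst

FIELD_RE = re.compile(r"(SRC|PROTO|DPT)=(\S+)")

def parse_line(line, year=2005):
    """Return (timestamp, src, dport) for a TCP hit on a target port, else None."""
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or int(fields.get("DPT", 0)) not in TARGET_PORTS:
        return None
    return ts, fields["SRC"], int(fields["DPT"])

def summarize(log_text):
    """Group 135/445 hits per source; label burst vs trickle and neighbor vs remote."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[rec[1]].append(rec[0])
    report = {}
    for src, times in hits.items():
        times.sort()
        # A burst is any run of BURST_HITS consecutive hits inside BURST_WINDOW seconds.
        burst = any((times[i + BURST_HITS - 1] - times[i]).total_seconds() <= BURST_WINDOW
                    for i in range(len(times) - BURST_HITS + 1))
        report[src] = {
            "hits": len(times),
            "pattern": "burst" if burst else "trickle",
            "origin": "neighbor" if ipaddress.ip_address(src) in NEIGHBOR_NET else "remote",
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A burst from a remote source is the worm pattern the post mentions; a trickle from a neighbor is the case worth watching before deciding to block.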