On Thu Jul 06 2000 at 07:34, Edouard Soriano wrote:

> We have set up a Firewall based on Linux. For several days there have
> been some IP addresses trying to enter using telnet.
>
> One of them was found using nslookup. We sent a warning message to the
> ISP manager and they stopped.
>
> But the other is trying like crazy, requesting telnet, which is rejected
> by the security rules.
>
> This address is unknown to nslookup.

I see this sometimes several times every day. Just let those packets be
REJECTED or DENIED (probably better as rejects with icmp replies, but
your call).

> Any idea about how to catch this #@]|]]!! unfair person ?

My advice is to ignore it, it's not your problem eh? :)

But you are asking about doing reverse lookups....

  $ nslookup 213.136.129.253
  Server:  dns.growzone.com.au
  Address:  202.9.32.1

  *** dns.growzone.com.au can't find 213.136.129.253: Non-existent host/domain

That should look familiar :)  Try a lookup on the nameserver for the
in-addr.arpa reverse zone:

  $ nslookup -q=ns 129.136.213.in-addr.arpa
  Server:  dns.growzone.com.au
  Address:  202.9.32.1

  *** dns.growzone.com.au can't find 129.136.213.in-addr.arpa: Non-existent host/domain

Often that works, and bingo - you know who "owns" the IP range that the
packet originated from (that is, if it hasn't been spoofed). If this
fails, all it means is that it hasn't been allocated in the (reverse)
DNS records of the nameserver that is authoritative for that particular
C class network. Try looking for the nameserver further up the
delegation tree...

  $ nslookup -q=ns 136.213.in-addr.arpa
  Server:  dns.growzone.com.au
  Address:  202.9.32.1

  Authoritative answers can be found from:
  213.IN-ADDR.ARPA
          origin = ns.ripe.net
          mail addr = ops.ripe.net
          serial = 2000070603
          refresh = 43200 (12H)
          retry = 7200 (2H)
          expire = 1209600 (2W)
          minimum ttl = 7200 (2H)

My example here works at this point to give some useful information, but
if even this doesn't work, the course of last resort is to do a
traceroute; at least you can get some idea where it originated from.

If you are REALLY curious, it is often possible to see what sort of box
is trying to get in. cheops is a very nice GUI-like tool, but I've found
it to be unstable when used on boxes with complex local network setups
(like running two networks on the same physical wire). Netcat
(/usr/bin/nc) is perfect for doing some very quick port scanning....

  $ nc -v 213.136.129.253 -z 1-200
  (UNKNOWN) [213.136.129.253] 139 (netbios-ssn) : No route to host
  (UNKNOWN) [213.136.129.253] 138 (netbios-dgm) : No route to host
  (UNKNOWN) [213.136.129.253] 137 (netbios-ns) : No route to host
  (UNKNOWN) [213.136.129.253] 53 (domain) open
  (UNKNOWN) [213.136.129.253] 25 (smtp) open
  (UNKNOWN) [213.136.129.253] 22 (ssh) open

Use whatever port range you are interested in... if a port is open, then
you'll get a response. And as you can see, it is very interesting what
you do find (in this case it is almost certainly a unix box... :)

Cheers
Tony

- : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.rutgers.edu
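The delegation-tree walk Tony does by hand above (PTR lookup, then NS lookups on the /24, /16 and /8 reverse zones, then traceroute as the last resort) as a small script. This is an added example, not code from the original message or from the linux-net list; the script name reverse-walk.sh is made up, and it assumes dig (from the BIND tools) and traceroute are installed. The 213.136.129.253 address is the one from the post.

```shell
#!/bin/sh
# reverse-walk.sh: walk the in-addr.arpa delegation tree for an IPv4 address,
# automating the manual nslookup steps from the post. Added example, not the
# post's own script; assumes dig (BIND tools) and traceroute are installed.

# reverse_zones IP
# Prints the full PTR name followed by the /24, /16 and /8 reverse zones,
# most specific first. Returns 1 for anything that is not a dotted quad.
reverse_zones() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    # Split the address on dots into the positional parameters.
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' \
        "$4.$3.$2.$1.in-addr.arpa" \
        "$3.$2.$1.in-addr.arpa" \
        "$2.$1.in-addr.arpa" \
        "$1.in-addr.arpa"
}

# walk_delegation IP
# Tries a PTR lookup first; when that fails, asks for the NS records of each
# parent reverse zone in turn and stops at the first zone that answers. Falls
# back to traceroute, as the post suggests, when nothing is delegated at all.
walk_delegation() {
    zones=$(reverse_zones "$1") || { echo "bad address: $1" >&2; return 1; }
    ptr=$(printf '%s\n' "$zones" | sed -n 1p)
    name=$(dig +short PTR "$ptr" 2>/dev/null)
    if [ -n "$name" ]; then
        echo "$1 reverses to $name"
        return 0
    fi
    echo "no PTR for $1, walking up the delegation tree"
    for zone in $(printf '%s\n' "$zones" | sed -n '2,$p'); do
        ns=$(dig +short NS "$zone" 2>/dev/null)
        if [ -n "$ns" ]; then
            echo "$zone is delegated to:"
            echo "$ns" | sed 's/^/    /'
            return 0
        fi
        echo "no NS for $zone, trying the parent zone"
    done
    echo "no reverse delegation found; falling back to traceroute"
    traceroute "$1"
}

# Usage: sh reverse-walk.sh 213.136.129.253   (address taken from the post)
if [ $# -gt 0 ]; then
    walk_delegation "$1"
fi
```

Note that an NS answer only tells you which nameserver is responsible for the block, not who is using it; as the post says, the address could also have been spoofed, so treat the result as a lead rather than proof.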