Re: anoat_private ftpd dip.t-dialin.net

From: TOK (skyboundat_private)
Date: Thu Nov 07 2002 - 22:40:09 PST

Next message: Waitman C. Gobble: "030.com"

Previous message: batz: "Re: Ip spoof from 0.0.0.0"
In reply to: Dave Laird: "Re: anoat_private ftpd dip.t-dialin.net"
Next in thread: David Gillett: "RE: anoat_private ftpd dip.t-dialin.net"
Next in thread: Rainer Duffner: "Re: anoat_private ftpd dip.t-dialin.net"
Reply: David Gillett: "RE: anoat_private ftpd dip.t-dialin.net"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Don, 2002-11-07 at 17:52, Dave Laird wrote:
> Good morning, everyone...
...
> Another possible alternative, at least if you are using Linux running IPTables
> is to move your FTP server *inside* the firewall, to an internal IP of your
> choosing and severely constrain access to it using a well-chosen IPTables
> script. Of course, if you are as road-weary as I am of the games that
> dip.t-dialin.net users have attempted in the past, simply firewall them
> entirely by their IP's. It's crude, it's rude, and perhaps not even good
> policy, but it certain cuts down the volume of spurious traffic of all kinds.
> [Standard Disclaimer] "Of course, I could be *WRONG* about anything I say,
> but then I learned everything I know about networking from a pragmatic
> wizard." 
> 
> Dave
> -- 
> Dave Laird (dlairdat_private)
> The Used Kharma Lot
>                   
did you know that (practically) all Telekom users don't have a static
IP? dialin and ADSL line IPs are chosen from quite large pools, during
the last week my box got IPs within 80.134/16, 217.226/16 and 217.84/16.
lines sold to companies or high end DSL may include a static IP, but
anyone doing ~funny~ stuff through one of these would be worse than a
script kid.

so by blocking single IPs, you'll block anyone (but no one specific) and
only dropping all packets from all Telekom subnets (to that service)
will have the desired effect.
if you're advising to do such, to get rid of some warez guys probing for
anon ftp, i'd like to comment, that imho you are breaking a butterfly on
a wheel. 

concerning the username (other posts), google shows:
a) ano maybe a valid email (www.ano.com exists)
b) can be found in ftpd logs all over the world
c) besides it is quicker to type than anonymous and easily recognizable
   as valid email == passwd
probably no conspiracy here ;-(
                         
best regards,
tok


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Waitman C. Gobble: "030.com"
Previous message: batz: "Re: Ip spoof from 0.0.0.0"
In reply to: Dave Laird: "Re: anoat_private ftpd dip.t-dialin.net"
Next in thread: David Gillett: "RE: anoat_private ftpd dip.t-dialin.net"
Next in thread: Rainer Duffner: "Re: anoat_private ftpd dip.t-dialin.net"
Reply: David Gillett: "RE: anoat_private ftpd dip.t-dialin.net"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 08 2002 - 08:31:30 PST