  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401

My Ports are being scanned

I'm running a Windows 2003 server with a Zyxel firewall. The firewall logs indicate that I am regularly having my ports scanned. Is there any way I can identify who's doing the scanning? What information can I get from the offending IP address? Is there some 'passive' investigation I can do?
0
mike99c Asked:
1 Solution
 
crawfordits Commented:
Take the IP to www.dnsstuff.com.  Get the abuse email address and try reporting to the ISP of the person performing the port scanning.
0
 
Austin Texas, Systems Engineer, Commented:
Mike -

Since currently this is a port scanning issue and not spam, I would instead recommend that you get the IP block ownership records from ARIN (http://www.arin.net).

This will tell you what ISP owns the IP block.  Send your logs to their abuse department and don't get your hopes up.

Let me know what happens.

Thanks - Tex

0
 
mahe2000 Commented:
You can go to www.arin.net, lacnic.net or the IP block administrator you need to find who the owner is. However, it's very probable that you will find that the IP belongs to an ISP, and they will never tell you who is bothering you unless you go to trial. Maybe the abuse department may help, but I don't really trust them. Being as protected as you can (patches, antivirus, personal firewall or firewall, good OS configurations) will be the best you can do for yourself.
On the other hand, you will be investigating ISPs all the time because this is VERY common.
0
 
Rich Rumble, Security Samurai, Commented:
Scan yourself to see what info might be available; your firewall should be logging the IP addresses. As stated above, do an nslookup and whois on the IPs to see what domain or ISP you can report the abuse to. If you scan yourself and see that there isn't much you didn't already know, like port 80 is open, then don't bother, otherwise you'll spend all your time reporting abuse and doing nothing else ;) You should have self or contracted audits done on a regular basis. If you're being hosted at an ISP they should take care of patching and securing the servers themselves (if they own them), but it never hurts to have an audit done to make sure they do their jobs.
-rich
0
 
pgm554 Commented:
Port scanning is not illegal, and if you are connected to the net, just a fact of life.

It's analogous to somebody knocking on your door.
It only becomes illegal when they break in.
0
 
Austin Texas, Systems Engineer, Commented:
That analogy is not quite equal IMHO.  A ping might be more like a knock on the door, whereas a port scan is more like someone knocking on your front and back door and every window of your house.  Many port scans are accompanied with vulnerability scans, which would then equate to someone attempting to open all the doors and windows and testing the locks.  While none of this may be illegal, it is at the least suspicious and worthy of monitoring and protecting against.  Most modern firewalls can detect portscans and drop them.
0
 
pgm554 Commented:
I would say the percentage of people out on the net that have been port scanned at some point in time is 100%.

You're not going to stop it.

There are probably tens of thousands of machines at any one time that are doing port scans, either knowingly or unknowingly.

Blaster and Nimda are still out there and what do they do? Port scan.
0
 
mike99c (Author) Commented:
Thanks for the useful info.
I'm keeping a note of the IP addresses from the logs, but as you say a lot of this may be automated.
I did a shields up (grc) test which gave me a pass, saying all my ports were 'stealthy', even though I have some port forwarding! Maybe my h/w firewall can detect the difference between a port scan and a specific request to a single port?
Cheers
0
 
Austin Texas, Systems Engineer, Commented:
More and more hardware firewalls have some form of basic algos that attempt to detect port, vulnerability and footprint scans.
0
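
As an added example (not part of the thread, and not the logic of any particular firewall), the sketch below shows one simple way to tell a port scan from repeated requests to a single forwarded port: count the distinct destination ports each source touches within a sliding time window. The log format, addresses, function names and thresholds are all constructed for illustration, and log lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (NOT a real ZyXEL log format):
# date, time, source IP, destination port, firewall action
SAMPLE_LOG = """\
2006-03-01 10:00:01 203.0.113.7 21 DROP
2006-03-01 10:00:01 203.0.113.7 22 DROP
2006-03-01 10:00:02 203.0.113.7 23 DROP
2006-03-01 10:00:02 203.0.113.7 25 DROP
2006-03-01 10:00:03 203.0.113.7 80 ACCEPT
2006-03-01 10:00:03 203.0.113.7 135 DROP
2006-03-01 10:00:05 198.51.100.20 80 ACCEPT
2006-03-01 10:00:09 198.51.100.20 80 ACCEPT
2006-03-01 10:00:30 198.51.100.20 80 ACCEPT
2006-03-01 10:05:00 192.0.2.44 135 DROP
2006-03-01 11:05:00 192.0.2.44 139 DROP
2006-03-01 12:05:00 192.0.2.44 445 DROP
2006-03-01 13:05:00 192.0.2.44 1433 DROP
2006-03-01 14:05:00 192.0.2.44 3389 DROP
"""

def parse(line):
    """Split one constructed log line into (timestamp, src, dport, action)."""
    date, time, src, dport, action = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, src, int(dport), action

def find_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {src_ip: sorted ports} for every source that touched at least
    min_ports distinct destination ports inside one sliding window."""
    recent = defaultdict(deque)   # src -> (timestamp, port) pairs still in window
    flagged = defaultdict(set)    # src -> ports seen while over the threshold
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dport, _action = parse(line)
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:      # evict entries older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged[src] |= ports
    return {src: sorted(ports) for src, ports in flagged.items()}

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(src, "probed ports", ports)
```

With the default 60-second window, the slow source 192.0.2.44 (one port per hour) is not flagged; it only shows up when the window is widened, which is the trade-off any threshold-based scan detector has to make.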
