Devon & Cornwall Linux Users' Group


Networking (was Re: [LUG] Broadband for Totnes)



On Tue, 25 Feb 2003, David Batho wrote:

> This would depend on what you allow through your firewall,
> 
> For example:  (from my snort server.) 
> 02/25-13:27:59.413485 ARP who-has 80.192.118.167 tell 80.192.118.129
> 
> 02/25-13:27:59.522917 ARP who-has 172.31.134.149 tell 172.31.134.1
> 
> 02/25-13:27:59.605702 ARP who-has 80.235.134.11 tell 80.235.134.1
> 
> ARP requests should happen all the time; this only verifies you on the network
> the DHCP or ADSL is providing. Address resolution.  (32 bits per packet if I'm right,
> tell me if I'm wrong.)
> Windows NT has some dire faults with its TCP/IP stack.

ARP requests happen when the MAC address of the machine you're trying to 
contact has expired from your local ARP table.  Unless you're using static 
ARP, of course, but that's unusual.

As far as DHCP goes, I'm not sure what you're trying to say.  DHCP leases 
are assigned to the MAC address of a machine, but using that as any sort 
of verification is not a terribly good idea.

MAC addresses are 48 bits; IPv4 addresses are 32 bits.

If I'm not much mistaken, much of Windows' IP stack is BSD code.  Linux is 
one of the few OSes that this is not true of, as when the Linux IP code was 
being developed the BSD code wasn't used because there were possible 
issues with the code licensing at that point.

> 1. If NetBIOS is enabled, with no firewall between you and the www, this will 
> broadcast. (It's advised to disable NetBIOS and NetBEUI if you are not using 
> them.) Good old NT/2000 - if so, products like LoPhTcrack to hack password files.

Again, I'm not a windows expert but can't this be averted by unbinding 
that service from your public interface?

> 2. POP3 will only connect on requests by example: 25 - 110 depending on your 
> config file to mail delivery and sending.

25 is SMTP, not POP3 - yes, it's a mail protocol, but it's used for the 
transmission of mail messages rather than just a method of downloading 
them.

> 3. ICMP checks - that no one is pinging your machine.  (Deny ICMP packets.)

ICMP does not check that no-one is pinging your machine.  Ping uses ICMP 
to determine if a host is alive.

> 4. NT - disable the messenger service - it's easy to write a script to send 
> messages to your NT box.  Microsoft, as many OSes do, says to disable 
> services that are not required for your day to day service.

I don't run any Windows in a public facing environment, that would be 
a silly thing.

> 5. Linux - iptables - very configurable to set a firewall up, or use the 
> SuSE 8.1 firewall, very easy.

Erm... Yes?

> 6. Check that you're not running IIS; if so, check services - NNTP, HTTP and SMTP 
> are started by default. Lovely hacking idea there.

See point 4.

> Alex, if you are receiving and sending large amounts of traffic, set up a snort 
> server. The only problem here is that you need 2 NICs, private & public; configure 
> snort to monitor the public card.

See point 4.

> Alex - try an ipconfig /all for network card info; this may help you.

See point 4.

I'm not trying to secure a Windows box, I was merely commenting that I'd 
be surprised if that quantity of network traffic was being generated by 
ARP.

Alex.
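The point made above about ARP only being sent when an entry has expired from the local ARP table (or never when static ARP is used), and about MAC versus IPv4 address widths, can be illustrated with a small simulation. This is an added example, not code from the mailing-list thread; the cache class, the `simulate_requests` helper, the TTL value and the host addresses are all constructed assumptions.

```python
"""Toy ARP cache with TTL expiry and static entries.

Added illustration for the thread above, not code from the list. The TTL,
hosts and MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAC_BITS = 48    # Ethernet hardware address width
IPV4_BITS = 32   # IPv4 address width


def address_bits(addr: str) -> int:
    """Return the bit width of a textual MAC (aa:bb:cc:dd:ee:ff) or dotted-quad IPv4 address."""
    parts = addr.split(":")
    if len(parts) == 6 and all(len(p) == 2 for p in parts):
        return MAC_BITS
    octets = addr.split(".")
    if len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return IPV4_BITS
    raise ValueError(f"unrecognised address: {addr!r}")


@dataclass
class ArpEntry:
    mac: str
    expires_at: Optional[float]   # None marks a static entry that never expires


@dataclass
class ArpCache:
    ttl: float = 60.0                                   # seconds a learned entry stays valid (assumed)
    table: Dict[str, ArpEntry] = field(default_factory=dict)
    requests_sent: List[Tuple[float, str]] = field(default_factory=list)  # (time, ip) per who-has

    def add_static(self, ip: str, mac: str) -> None:
        """Pin a MAC for ip; a static entry is never refreshed by ARP."""
        self.table[ip] = ArpEntry(mac, None)

    def resolve(self, ip: str, now: float, wire_answer: Callable[[str], str]) -> str:
        """Look up ip at time `now`.  Only a miss or an expired entry emits a who-has
        request; the reply returned by wire_answer(ip) is then cached for ttl seconds."""
        entry = self.table.get(ip)
        if entry is not None and (entry.expires_at is None or entry.expires_at > now):
            return entry.mac
        self.requests_sent.append((now, ip))
        mac = wire_answer(ip)
        self.table[ip] = ArpEntry(mac, now + self.ttl)
        return mac


def simulate_requests(ttl: float, duration: float, interval: float, static: bool = False) -> int:
    """Send one packet to a single peer every `interval` seconds for `duration` seconds
    and return how many ARP requests the sender had to emit."""
    peer_ip, peer_mac = "192.0.2.10", "02:00:00:00:00:0a"   # constructed sample addresses
    cache = ArpCache(ttl=ttl)
    if static:
        cache.add_static(peer_ip, peer_mac)
    for step in range(int(duration / interval)):
        cache.resolve(peer_ip, now=step * interval, wire_answer=lambda ip: peer_mac)
    return len(cache.requests_sent)


if __name__ == "__main__":
    # Steady traffic to one peer for 5 minutes with a 60 s TTL: only a handful of ARP requests.
    print("dynamic:", simulate_requests(ttl=60, duration=300, interval=1))   # 5
    print("static :", simulate_requests(ttl=60, duration=300, interval=1, static=True))  # 0
    print(address_bits("02:00:00:00:00:0a"), address_bits("192.0.2.10"))    # 48 32
```

Even with a packet every second, the dynamic case resolves the peer only once per TTL window, which is why a high packet count is unlikely to be ARP unless many distinct hosts are being contacted or the cache timeout is very short.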

