[personal profile] altivo
Severe thunderstorms coming in, to arrive in the next half hour according to NWS. Heavy rain, lightning, and winds gusting to 75 mph. Whee, here we go. Shutting everything down in a minute.

New server activated this morning, and working. The only problem I had was related to the previously mentioned rats' nest of cables and lack of a map. I had swapped two of them in the ad hoc map I drew up yesterday. Took a few minutes to figure it out, but got it resolved before the first laptop user arrived. They pounded on it all afternoon and no complaints were reported to me. Since the server/router is so overpowered for the job, I can run bandwidth monitoring on it simultaneously with no trouble. Interesting to see how much garbage, probably inadvertent, these folks are generating. Tons of NETBIOS calls (broadcasts, connection requests) and even some IPX (Novell Netware stuff) were logged. Now that I know which ports are which, I can actually see and follow the laptop subnet activity on the switch's LED display, and see the packet activity that doesn't get past the router.

Elsewhere on the geek front, I'm letting the home Alpha run OpenVMS full time now. I don't need the Linux stuff on there at the moment, and I want to recover my VMS skills. One puzzle that has arisen involves dealing with a graphical display and a text-based operator console on the same monitor. Linux lets you use CTRL-ALT-Fkey combinations to switch back and forth. OpenVMS has to have a similar capability, but it appears not to be enabled by default so I have to hunt down the configuration trick. I note that when I shut down and the OPA0: screen appears, it has the text "CTRL/F2 To return to DECWindows" in the status line. However, CTRL-F2 does nothing when you are already in DECWindows. Further investigation needed, but I suspect it's some system logical that has to be set before booting the system.

Gaiman's Stardust has arrived in all three versions: the original graphic (sort of) novel, the text novel, and the audiobook. At a glance, the graphic edition (illustrations by Charles Vess) is actually just a heavily illustrated paperback version of the novel. The text seems to be identical to the 1999 hardcover.

OK, better shut everything down now.

Date: 2009-03-25 06:23 am (UTC)
From: [identity profile] duskwuff.livejournal.com
NetBIOS/IPX: I blame Windows.

Date: 2009-03-25 10:40 am (UTC)
From: [identity profile] altivo.livejournal.com
Well, yeah, they're all running Windows. Most of them have no idea what's going on in the machine. It was set up for them by someone else.

Date: 2009-03-25 12:24 pm (UTC)
From: [personal profile] hrrunka
My router blocks more inbound port 135 junk than anything else. Port 445 gets about half as much, and 137 and 139 get a little. Other favourites are 1433 and 1434, which are something to do with ms-sql. I have noticed a significant drop in recent months, though. These days my firewall typically logs a few hundred inbound events*1 a day. A year ago it wasn't unusual to see a couple of thousand events a day.

*1 where an event may involve multiple attempts at a port from an IP.

Date: 2009-03-25 01:38 pm (UTC)
From: [identity profile] altivo.livejournal.com
I still see several thousand a day here. I assume you're talking about incoming TCP and UDP to those ports off the open internet. I've always figured that all of those are scans or probes seeking to break into unprotected Windoze systems with open shares or other security flaws. Sometimes the level of probes into ports 135-139 reaches almost DDOS frequencies. Certainly it exceeds the logging rate of the firewall and not all are logged. I've noticed too that when the firewall blocks an IP address for repeated attempts on closed ports, the attacks just switch to another originating IP address and continue.

Date: 2009-03-26 09:01 am (UTC)
From: [identity profile] soanos.livejournal.com
Yes, Netbios/IPX... Some use it to make windows networking easier, because TCP/IP is so hard to configure... not. :D

Is it possible to use MAC address filtering? I mean, ban the offender's MAC address for a few hours.
And even if they change the MAC address, they would be banned again for a few hours.
Of course, you would have to unblock them after some time. :)

Let's hope the storm won't be too bad. ^^

Date: 2009-03-26 10:07 am (UTC)
From: [identity profile] altivo.livejournal.com
MAC address would only work on a local network. You'd just end up blocking the upstream router. Since these attacks come from the open internet, the IP address and associated domain are all you have to go by.

Now if you're dealing with an inside job, such as you might expect in a dormitory LAN or something, yes, the MAC address could lead you right to the culprit... Except that most NICs today do let the software override the hardware address and supply a made up one, so a sharp hacker can even conceal that.

Date: 2009-03-26 01:21 pm (UTC)
From: [identity profile] soanos.livejournal.com
Now we are assuming someone actually is that clever.
It is _usually_ some script kiddies who like to play "Neo". :P
