Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Alex Atkin UK]

The OS guesses are weird, given its actually running kernel 6.0.18, so no idea how its trying to figure that out.  I guess its a good thing it can't identify it though.

[XGS_Is_On]

It's usually looking at the TCP stack, sequence numbers, etc as far as OS fingerprinting goes.

[Alex Atkin UK]

So how is it getting it wrong?

Mind you, I'm surprised it only shows "xmpp-client?" as surely an XMPP server should be pretty easy to identify?  It seems to recognise the XMPP Proxy service definitively, I guess that sticks more rigid to the standard.

[Chrysalis]

Interestingly I turned on logging for default block rule on a server to diagnose an issue, and the thing is been hit by about 30 ip's every minute just constant port scans.

[XGS_Is_On]

Place a URL going back to it on a public forum as I did to catch out a fantasist. You get lots of interesting sources for HTTP requests and some quite interesting HTTP requests like bots trying http://hostname/../../../.. /.. /etc/passwd

I think not. 

[Alex Atkin UK]

Place a URL going back to it on a public forum as I did to catch out a fantasist. You get lots of interesting sources for HTTP requests and some quite interesting HTTP requests like bots trying http://hostname/../../../.. /.. /etc/passwd

I think not. 

What sort of guano configured web server would actually respond to that?

[XGS_Is_On]

Ones that haven't been chrooted.

[Alex Atkin UK]

Ones that haven't been chrooted.

Mostly old routers?

[XGS_Is_On]

Really old stuff where the web service was installed as root, hence could reach everything, or had excessive privileges and no chroot on the user account so could go anywhere.

Really, really old stuff. Old routers aren't an issue, they don't have GUIs 

[Chrysalis]

The days before restrictive chrooted vhosts, open base dir and the like, I suspect there is a few really ancient stuff still out there.

[Alex Atkin UK]

The days before restrictive chrooted vhosts, open base dir and the like, I suspect there is a few really ancient stuff still out there.

Yeah its probably just power plants, water treatment, you know all the really unimportant stuff they can't be bothered to update because "it works".

[kitz]

people get all freaked out about the idea of someone getting their public IP

I blame Steve Gibson for adding fuel to the fire on this.  His advice stuck and why shouldn't it?  He was a supposed security expert in the field.   

Yeah he may have written a few interesting articles and given away a couple of handy tools for free, but he really went to town about IP disclosure and just downright scaring people saying "Look here, your IP address is x.x.x.x. and your rDNS is x.x.x.x.abc.com" claiming "It's really dangerous that so many websites know your IP"*  He scratched the surface on rDNS but never offered potential ways of minimising risk. 

20 years ago his site was extremely popular for doing quick port scan checks... people were getting DSL and using routers for the first time.   Shields Up was probably one of the best places to go........   

Except.. you landed on a page scaring you about potential risk because your IP and rdns available......  and then when you ran a test you failed because you had ICMP ping switched on.  Most router manufacturers set this to ON by default.  Vast numbers of problems materialised and some websites literally vanished off the face of the Internet.

[Alex Atkin UK]

Very much agree @kitz and I've seen other people say the same.

The funny thing is, few seem aware that by their nature web servers log your IP address for every lookup.  It would be an absolute nightmare to diagnose issues without such logs.

[burakkucat]

There is one particular address that is incessantly port-scanning whatever public IPv4 address I might have. Why? Your guess is as good as mine as I'm not that interesting (as shown in my Reply #9, above).

Here is the persistent pest-address: 185.191.225.130

What I find amusing is that the 185.191.224.0/22 block is owned by Probe Networks, based in Germany. What else can I type other than "dummkopf". 

[Chrysalis]

If I remember he had the shields up test to scan for open ports, ping response etc.

I think its now outdated, people able to ping you is no big deal and its an important means of diagnostics.  Plus ports that are NAT'd will be marked as open which will freak people out.