Thread: Newbie - HELP
The state of Arkansas has notified me that it will cut my Internet connection if I do not get a port-scanning virus off my network immediately, but I don't know how to produce the NAT logs that might tell me which of my internally addressed machines is the culprit. I am NATting the private addresses through one external address. I have over 600 workstations and an enterprise virus solution, but the culprit must be on an unprotected machine.
If anyone can point me toward log files that I could search I would be most appreciative!!
As an initial measure, cut everyone's Internet access and allow only the server to talk to the Internet. Once you've done that, you have isolated the problem to inside your network.
You might want to try to establish whether this is a virus or whether it's a malicious user on your lan that's doing the port scan on purpose.
Here's an approach you can use to stop this kind of thing happening:
- block everyone's Internet access by using the firewall rules and iptables; you do this on the machine that is acting as the firewall.
- allow internet access only for the server by its IP address, again do this on the firewall box.
- set up a web proxy such as squid on the server, this is not hard - give it a go.
- give everyone web access through the proxy only - you could even force them to log onto the proxy.
This way, nobody gets to connect outside on any ports - they must go through the web proxy which gives them access. You can also set up monitoring software to grab the IP address of the machine that's doing port scans.
Thank you for the suggestions. I can't cut everyone since I have 4 schools and administration that access student records, payroll, accounts, etc. via the state servers across the Internet. One of the programmers from the "missing" company contacted me to say the support team all left that company but he was kind enough to log into my server and shut the ports that were sending the traffic out, but he didn't tell me where the traffic was originating. I think the proxy server is already running but the authentication is turned off. When you say "monitoring" software are you speaking of something like Ethereal?
12-20-2006, post #4, in reply to Arkansas:
If the proxy server is already running, then it should be quite easy to tell people that the only access to the internet is through that as you have a virus or a script kiddie on one of the workstations causing problems.
You can use Ethereal to check out network traffic, yes. You can also do it by turning up the ipchains logging in your NAT machine that fronts your LAN connection to the Internet.
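One way to act on the last reply (turn up logging on the NAT box, then find the internal source behind the single external address), as an added example that is not from the thread: a Python script that parses netfilter/iptables LOG lines, the successor of the ipchains logging mentioned above, and counts distinct destination ports per internal source address. The iptables rule in the comment and the sample log lines are assumptions constructed for illustration, not real firewall output.

```python
"""Find the internal host behind a NAT box that is port scanning, by counting
distinct destination ports per internal SRC address in netfilter LOG lines.
Assumption: the firewall logs forwarded traffic with a rule such as
    iptables -I FORWARD -o eth0 -j LOG --log-prefix "FWD: "
so each line carries SRC=, DST=, PROTO= and (for TCP/UDP) DPT= fields."""
import re
from collections import defaultdict

# Constructed sample of netfilter LOG output (not from a real network).
SAMPLE_LOG = """\
Dec 20 09:14:01 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=1027 DPT=80 SYN
Dec 20 09:14:01 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=1028 DPT=443 SYN
Dec 20 09:14:02 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.7.88 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=3301 DPT=21 SYN
Dec 20 09:14:02 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.7.88 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=3302 DPT=22 SYN
Dec 20 09:14:02 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.7.88 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=3303 DPT=23 SYN
Dec 20 09:14:02 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.7.88 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=3304 DPT=25 SYN
Dec 20 09:14:03 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.7.88 DST=203.0.113.6 LEN=40 PROTO=TCP SPT=3305 DPT=135 SYN
Dec 20 09:14:03 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.7.88 DST=203.0.113.6 LEN=40 PROTO=TCP SPT=3306 DPT=139 SYN
Dec 20 09:14:03 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.7.88 DST=203.0.113.6 LEN=40 PROTO=TCP SPT=3307 DPT=445 SYN
Dec 20 09:14:03 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=10.1.9.2 DST=198.51.100.9 LEN=40 PROTO=UDP SPT=53211 DPT=53
"""

# Fields between DST= and PROTO= (LEN, TOS, TTL, ID, ...) are skipped lazily.
FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def parse_line(line):
    """Return (src, dst, proto, dpt) for one LOG line, or None if it has no SRC/DST.
    dpt is None for protocols without ports (e.g. ICMP)."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("src"), m.group("dst"), m.group("proto"), dpt

def scan_suspects(log_text, min_ports=5):
    """Return {src: (distinct_ports, distinct_dsts)} for internal sources that
    touched at least min_ports distinct destination ports: the scan signature."""
    ports_by_src, dsts_by_src = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] is None:
            continue
        src, dst, _proto, dpt = parsed
        ports_by_src[src].add(dpt)
        dsts_by_src[src].add(dst)
    return {src: (len(ports), len(dsts_by_src[src]))
            for src, ports in ports_by_src.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for src, (nports, ndsts) in sorted(scan_suspects(SAMPLE_LOG).items()):
        print(f"{src}: {nports} distinct destination ports across {ndsts} hosts")
```

On a real box, feed it the kernel log (for example `dmesg` or `/var/log/kern.log`) in place of SAMPLE_LOG; the SRC address it reports is the internal workstation to pull off the network, which the NAT translation otherwise hides from the outside.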