Re: ports 135, 445, 139 and 1433

From: Phillip Helbig---remove CLOTHES to reply (helbig_at_astro.multiCLOTHESvax.de)
Date: 03/31/05


Date: Thu, 31 Mar 2005 06:45:29 +0000 (UTC)

In article <d2fdc3$kpk$1@pcls4.std.com>, moroney@world.std.spaamtrap.com
(Michael Moroney) writes:

> >However, each incoming request seems to have a matching outgoing
> >request, as expected to a port number > 1023, and these apparently come
> >from the TCPIP cluster-alias address. Thus, it at least looks like the
> >cluster is responding to these addresses.
>
> Is the response simply nothing more than the IP response "this port isn't
> open here!" which is the standard VMS response? (at least with the
> TCPIP/UCX stacks). The other possible action is to ignore such incoming
> connections as if there was no system there, but the IP specs say do the
> former.

That might be the case. From the router itself, I can't see the
contents of the responses. Perhaps I can if I manage to get the logs
sent to a VMS machine.

> >Would it make sense to block these ports at the router, rather than
> >having them passed through to the cluster?
>
> If you're worried about your VMS systems getting infected by those
> viruses, sure. :-)

No, I was thinking about cutting down unnecessary traffic.

> I personally have a different approach - about two years ago I adapted
> a 'tarpit' program called 'LaBrea' (intended for Unix/Linux) to VMS.
> It is a deliberately "broken" TCP/IP stack which tries to tie up any
> incoming connects to it. (The idea was to taunt hackers, but mostly
> it just ties up worms/viruses)
>
> I plugged an old DE435 adapter in my system, and ran this tarpit on it,
> and set up the NAT router to forward all incoming connections other than
> the ones I actually want to the tarpit's IP address. (the other "real"
> net adapter runs the standard TCP/IP stack and has a separate IP
> address, the NAT router forwards incoming connects that I _do_ want
> (such as HTTP) to it.)
>
> It's pretty primitive and really isn't that useful since most of what
> it catches are just worms and not actual hackers.

Do you have a portable (to VMS), workable tarpit program? I have a VMS
machine with (at the moment) NO incoming connections. I've often
thought about distributing several valid email addresses for it over the
internet, then running a tarpit to tie up SMTP connections, to annoy
spammers.
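
A sketch of the SMTP tarpit idea raised in the last paragraph, as an added example that is not part of the original post and is not LaBrea (which the quoted text describes as a replacement TCP/IP stack): this one holds each client at the application layer by dripping continuation lines of a multi-line 220 greeting and never sending the final line. The class name, port 2525, delay and client cap are assumptions.

```python
import asyncio


def banner_line(n: int) -> bytes:
    # "220-" (hyphen) marks a continuation line of a multi-line SMTP greeting;
    # the closing "220 " line is never sent, so the client keeps waiting.
    return f"220-please hold, line {n}\r\n".encode("ascii")


class SmtpTarpit:  # hypothetical name, not from LaBrea or the post
    def __init__(self, delay: float = 10.0, max_clients: int = 256):
        self.delay = delay              # seconds between lines (assumed value)
        self.max_clients = max_clients  # cap so the tarpit cannot exhaust itself
        self.active = 0
        self.held_seconds = 0.0         # total time clients were kept waiting

    async def handle(self, reader, writer):
        if self.active >= self.max_clients:
            writer.close()              # over the cap: drop instead of holding
            return
        self.active += 1
        loop = asyncio.get_running_loop()
        start, n = loop.time(), 0
        try:
            while True:
                writer.write(banner_line(n))
                await writer.drain()    # raises once the connection is lost
                n += 1
                await asyncio.sleep(self.delay)
        except OSError:
            pass                        # client gave up
        finally:
            self.active -= 1
            self.held_seconds += loop.time() - start
            writer.close()

    async def serve(self, host: str = "127.0.0.1", port: int = 2525):
        # Port 2525 is a placeholder; a NAT rule would forward port 25 here.
        return await asyncio.start_server(self.handle, host, port)


async def main():
    server = await SmtpTarpit().serve()
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```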


