Portscan attacks help!
 

Hi,

I am having problems with my network administrator because my powerbook is being "portscanned" all the time. He says that it is a thread for the net and asks me "to do something or be disconnected". I have no idea of what to do. I have the firewall up and running blocking everything but they still "portscan" me. Checking the times of the attacks, they could be related to iChat, but I am not sure.

Someone can help me?

Thank you very much!

Tell us more about the network configuration of your PowerBook. Presumably it is on a corporate network. Does it get its IP address from a corporate DHCP server? Is this an internal IP address (e.g. in the 192.168.x.x or 10.x.x.x range)? Isn't there a corporate router with firewall that shields you from the wider Internet?

As your network admin should already know, there is nothing you can do to stop people from doing a portscan of your computer (no matter what type it is or what software you are running on it) if it is accessible to the wider Internet. All you can do is make sure that the portscans don't discover any open ports. It sounds like you are doing that already by using the firewall and not running any services on your Mac.

Hayne is right....there is nothing you can do to stop them...and he being the admin should block access from the outside ports if he dosent' want you being scanned....either he is being a jerk, or he failed to explain the issue properly, maybe you are broadcasting something unknowingly and he wants you to stop it. At any rate, check the system log within concole, it might shed some light....if he can provide times of port scans on those days you can see what your machine is doing around those times.....

If he continues to use the terminology "stop being port scanned", and saying it is your fault.....smack him upside the head and tell him to learn his job.

On a side note, I find it rather ironic a reply from me telling someone to smack their admin made me a Triple A Player..... :p

Sounds to me like a Mac OS X service like Rendezvous might be attempting to auto-discover what's on the network, and the admin might have never heard of it, so they think your PowerBook is port-scanning everybody when it is simply operating under a published open standard. I know it was described the other way around but I suspect it is a mistranslation. If you have music sharing on in iTunes, for instance, iTunes is going to use Rendezvous to constantly say "hey, I've got music to share on this network, are there any computers sharing?" However, Mac OS X services like Rendezvous should not be that harmful to a network, after all, they're not getting banned everywhere. The admin's probably being paranoid or clueless.

The only possible way I can think of that you would set yourself up to be port-scanned is if you kept visiting some web site that returns a flood of port scans in response to you surfing them. I have seen this in my router's log. I go to slashdot.org, for instance, and sometimes I get a lot of unsolicited pings from their server. Not a lot of sites do that, so it's rare, but I've seen it. I'm not smart enough to really know what's behind that.

I vote for clueless. Some guy with a sniffer and no brains to go with it. Otherwise he'd have given you specific details on what's going on, or would simply have put an end to it. This doesn't solve your problem of course.

Anyway, Styrafome's answer gets my vote too. You might try asking your admin for more details, like where the scan is coming from. Or print out his answer and ask the admin if that might be the cause.

The only problem with showing the admin this thread directly is that a lot of admins are going to be less likely to help after they read that they're being called clueless or paranoid (true or not). You might have to paraphrase! :D

Thank you
 

Hi everyone and thank you for your quick replies.

They have been really helpful and made me laugh, which really helps when you suspect (and you guys confirm) that your admin is a ... and tells you "I don't know about Macs, so you go and solve the problem". :mad:

I am going to print this and have in my door. I really enjoy the idea of smacking him... maybe when I leave the company? :D

Sorry for the lack of information. Yes, I am in a corporate network, behind a firewall (haha!) with a fixed IP. I think the problem appears whne I run iChat (girlfriend in different country so it's a must do! ;) ). Is that Rendezvous related (I think iChat opens something like that but do not know what it does, I am almost new to Macs).

So thank you all again!!
Cheers,
Alvaro

What ever the problem is, assuming there is one, it's the admin's job to take care of it. If he really is telling you that your computer is doing the port scans and that you must fix it, then I'd report him to his boss. There are way too many people like him in IT. It's about time some of them found other careers.
:eek:

It could be that this "admin" is a Window-devotee who knows nothing of Macs and he falls into the "I don't want it on my network becuase it's insecure (But really I don't want it there because I don't know what the hell I'm doing on it)" category..

That's not an excuse, it's a reason to fire him.

It's certainly not an excuse (did I make it sound like one?), but something I read about all too often.

I guess it was more of an explanation, but they sometimes get interpretted as excuses.

I'm just trying to point out that the admin's job is to support the company's computer systems, and the Mac in question appears to be one of them. If he can't or won't support it, then he needs to find another job.

I completely agree.. sort of.

I have worked for a large health system (teaching) enterprise for 10 years. For most of that it was in a little 'fiefdom' department that did it's own IT support. Well, recently we were absorbed by the IT support structure of the enterprise, which has 0 Mac experience or support structure, yet there are plenty of Macs around. In the past, this group pretty much refused to do any Mac support. Now that I'm here, they are more and more willing to create an actual support group for Macs. Which is good for me. And now to the "sort of". I pretty much refuse to support Windows. There are 13 others in my group, and that is their job. Let them do it. Does this make me a bad admin? Sort of. But sort of not. But at least I'm not refusing to support Windows out of ignorace, just arrogance (and lack of experience) so I have that going for me..

Wow.. rambling.

A very good suggestion... Or you do like I did previously... Ended up doing the few support help calls for Mac users where so taht all of them work real nice (first smack on the admin since he said they would just cause problems, second smack when when all his PC users got things like Beagle, Sober and no Mac got it). Then got a huge smack when I went to the boss to tell him all our wireless transmissions were sent in clear text :D It was so much fun...
Basically, so many admins got hired with minimal experience and competence when IT boomed that a good buch were realy not that good... and were stuck with them (they got to be senior admins here, so its a constant battle !) I do share your frustration !

As long as you're saying let the Windows admins support Windows because they're better at it, and let the Mac people support Macs because they're better at it, then that's fine, that's honest, and everybody wins.

The problem is when a Windows person or Mac person is so insecure about their job that they feel the need to hide their honest lack of expertise in an area by saying "I won't support that because it sucks." That's not a good or rational reason and it may prevent an organization for using the best tool in appropriate places.

I completely agree with what your saying... I ended learning Windows OS and networking so I could explain to the "Mac is crap" admins in their own terms what the issue was and to help them figure out how to fix their side of it... Though my heart is with Macs, its very rare that you can operate in a Mac only IT environment, os having both skills can make you an even more valuable player , cause tour flexible... and knowing both shows you are willing to learn more than the average IT guy.

Well, Windows does suck. But I certainly don't shy away from trying to help or asking for help from someone who knows better when needed. I don't make any excuses about it though. My colleagues and boss are well aware that I don't support Windows (unless pressed) because I don't have the experience (Hell, Johnny Highschool knows more about the Windows OS then I), nor do I have any interest in getting the experience. Shooting myself in the foot? Possibly. But I've made a good living up until now being a Mac elitist, why change? I kind of LIKE being the "black sheep" in my group. The only one that knows Macs or UNIX or anything not directly related to Windows. :)


Well, I've succeeded in dragging this thread WAY, WAY, off topic, so let's try and get it on topic again...

Hopefully the OP will get back to us soon with an update! I'm VERY curious what the 'portscan' business is all about. Hopefully his/her admin will provide some proof/data on what is 'port scanning'. IMO the possibility that it's Rendezvous is a good call.

In a corporate environment it's important that the IT department not interfere with the choices made by other departments. It's not that every IT guy needs to support every platform, but there needs to be support within IT for the platform. Any IT guy telling a user he or she has to fix a problem on their own is not doing their job. In this case, the only appropriate response would have been, "This isn't my area of expertise, I'll get somebody here to help you."

Summary
 

:)

Well. Just for you guys to enjoy:
I did some research around and it seemed that my firewall was not working fine and brickhouse seems to block (so far!) the problem.
Half of the people working here owns a mac and connects it to the net. That is +30 macs connected to the rest of the computers here. There are 3 admins, and all of them admit that they have absolutely no experience or knowledge about macs (safe, huh?) so the solutions are always "each user admins its own mac". I must say I have learned lots about security.. but I hope my boss understands when I explain him all the time I have "wasted".

Oh, and I know you guys will like this one:
I told them your suggestions (I had to trim a lot!:) ) and got answers like "do you believe everything from Internet?" "the rendezvous option is nonesense, they call themselves administrators?". By the way, it was related to the rendezvous and my computer looking for "friends" (he feels lonely) in the net.

Thank you all guys and sorry for the late return!
Alvaro

So they admit they don't know Macs and then claim that they do know that Rendezvous is nonsense? I feel very sorry for you.

Pot...kettle...