Re: Port Scan Warnings from ISA

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: CRIS HANNA \(SBS-MVP\) (crishannanospam_at_computingpossibilities.net)
Date: 07/19/04

Next message: CRIS HANNA \(SBS-MVP\): "Re: Can't access shared printers"
Previous message: Kurt Leege: "Exchange not Distributing Mail"
In reply to: John B: "Port Scan Warnings from ISA"
Next in thread: John B: "Re: Port Scan Warnings from ISA"
Reply: John B: "Re: Port Scan Warnings from ISA"
Messages sorted by: [ date ] [ thread ]

Date: Mon, 19 Jul 2004 12:27:38 -0500

The IP address thats being identified...is that your external NIC??

-- 
Cris Hanna (SBS-MVP)
_____________________
Please only respond in the Newsgroup and not directly to me, so that
everyone can share the information
"John B" <john.baccellieri@texstyleco.com> wrote in message
news:OghZsaabEHA.796@TK2MSFTNGP09.phx.gbl...
> About 1 week ago I began receiving warning emails from ISA with the
> following text:
>
> "ISA Server name: OURSERVER
>
> ISA Server detected a well-known port scan attack from Internet Protocol
> (IP) address 192.168.1.2. A well-known port is any port in the range of
> 1-2048. For more information about this event, see ISA Server Help."
>
> CONFIGURATION
>
> The total # of warnings has been less than 15, but they group 2 or 3
within
> a couple of hours.  Our ISA set up is vanilla, right out of the smallbiz
> whitepapers (NAT router in front, 2 NICS, no custom ISA filters, rules,
> protocols, etc.).  SAV Enterprise up-to-date across network, all clients
> fully patched, server will be this wknd.
>
> QUESTION
>
> How do I go about researching these "attacks".  I looked at FWS, IPP, and
> WEB logs, but nothing sticks out.  Is there a good way to see what
activity
> is triggering ISA to alert?  Second question, is the alert telling me that
> ISA has successfully 'defended' the network from this port scan attack?
>
> Thanks, John B
>
>

Next message: CRIS HANNA \(SBS-MVP\): "Re: Can't access shared printers"
Previous message: Kurt Leege: "Exchange not Distributing Mail"
In reply to: John B: "Port Scan Warnings from ISA"
Next in thread: John B: "Re: Port Scan Warnings from ISA"
Reply: John B: "Re: Port Scan Warnings from ISA"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: Trying to understand this behavior, Ports in IIS
... That tells me the ISA server was accepting the connections. ... assign port 8080. ... In the border router and in the PIX firewall (both devices are "in front of" ...
(microsoft.public.inetserver.iis.security)
Re: sys/1386/i386/mptable.c rev 1.239 breaks boot.
... >> If a valid ELCR was found, consult it for the trigger mode of ISA ... ioapic0: intpin 1 bus ISA ... xl0: using port I/O ...
(freebsd-current)
Re: open port in isa 2004 ?
... I understand that you want to know how to open port ... Open the ISA 2004 management console. ... then select the protocol (if the protocol does not exist, ... How to configure networks in ISA Server 2004 ...
(microsoft.public.windows.server.sbs)
RE: HOW DO I ACCESS ISA SERVER in SBS Premium 2003
... Without ISA, you can configure RRAS to do port forwarding. ... Publishing a SQL Server Computer with ISA Server 2004 ... Microsoft CSS Online Newsgroup Support ...
(microsoft.public.windows.server.sbs)
Re: Server suddenly "isolates" itself from the network
... suspicion is ISA, but I suppose it could be the 4-port NIC as well. ... ISA Server detected a port scan attack from Internet Protocol ... Server configuration are applied after ISA Server exits lockdown ...
(microsoft.public.windows.server.sbs)