
Thread: Stopping my ISP from sniffing into my box

  1. #1
    kyiu
    Guest

    Stopping my ISP from sniffing into my box

    > I don't know why my ISP has a problem with me running a web server in my box. They've threatened to cut off the service. How do they know what I'm doing? They must be using some automated sniffing program on all the subscribers. Is there any way of blocking them? Here is what they sent me:


    Response from IP aaa.aaa.aaa.aaa: 220 linuxbox.mydomain.ca FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready

    IP found behind modem Serial#: xxxxxxxxxxxx
    Found on: 02/17/2002

  2. #2
    nfallon
    Guest

    Re: Stopping my ISP from sniffing into my box

    They're probably monitoring the amount of traffic.

    Neil

  3. #3
    Spot
    Guest

    Re: Stopping my ISP from sniffing into my box

    Many ISPs will do active scans of their users looking for those running servers, which is usually against their TOS (Terms Of Service). @Home was infamous for it.
    Check your ISP's TOS and Acceptable Use Policies closely.
    Worst case...shut down the servers. At minimum - cut your ISP's range off at your firewall.

  4. #4
    JimH
    Guest

    Re: Stopping my ISP from sniffing into my box

    Ken, if you are running your services on the standard ports they will be sure to find out. Try running them on non-standard ports. I used to get probes from AT&T all the time, but only on standard ports. I have Sprint/Earthlink now; they don't seem to be anywhere near as active as AT&T was in looking for servers.

    Jim H

  5. #5
    Semp
    Guest

    Re: Stopping my ISP from sniffing into my box

    I would take a look at your ISP's TOS. I think the only way you will be able to legally host your daemons is if you purchase a business line from them (business cable, business dsl, etc.).

  6. #6
    kyiu
    Guest

    Re: Stopping my ISP from sniffing into my box

    :-\ Okay, I'm operating it at the fringe of the TOS. Lighten up :! I'm not running a commercial site. I'm just running a personal server, primarily for testing and learning the technology. Having said that, my ISP scans my box on all ports, right? Can I log the IP address when the box is being scanned on some non-standard port or ports, so I can use the information to set up a block of that IP address? Can that work?

    Ken

  7. #7
    Semp
    Guest

    Re: Stopping my ISP from sniffing into my box

    I'm not saying you shouldn't be able to run your own daemons, but I was simply saying your ISP can tell you their TOS. Hell, I run daemons on my LAN and my ISP's TOS specifically states "don't run any services". Why not just firewall all incoming TCP/UDP ports instead of trying to firewall specific IP addresses of your ISP? You could always set up your firewall to log all requests to TCP/80, reverse lookup it, and firewall that IP address. What ISP do you use? I know @Home has VERY specific hostnames they scan with (e.g., authorized.scan.home.com). Also, what kind of firewall do you use (e.g., IP Chains, IP Tables, etc.)?

  8. #8
    kyiu
    Guest

    Re: Stopping my ISP from sniffing into my box

    ??? I don't know what you meant. I am running services in my box. If I stop TCP/UDP from coming in, my personal web server will be inaccessible. I'm also running my email server in the box. I don't think I can stop all incoming UDP and TCP if I want to keep the services up. I'll keep my ISP nameless (they might be reading this, you know). I just want to know how to set up the log. I'm using IPChains for the firewall.

    Ken

  9. #9
    jmbrinks
    Guest

    Re: Stopping my ISP from sniffing into my box

    Ken,

    Whatever happened with that server and the issues with Redhat and Win2K?

  10. #10
    Semp
    Guest

    Re: Stopping my ISP from sniffing into my box

    I don't know how tight you want your firewall to be, but I would recommend filtering all incoming/outgoing TCP/UDP ports. Also, I would limit outgoing DNS requests, outgoing POP3 requests, outgoing SMTP requests, and things of that nature. When I get my machines sent back to me I will write an article about IPChains firewalling for GetLinuxOnline. Maybe they will accept it. If you want to log HTTP requests you should probably use Apache, but if you want to use IPChains too then add the -l switch to your HTTP rule. If you don't have one then use the following in your IPChains script.

    /sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d 24.26.71.51 80 -j ACCEPT -l

    Replace the -d 24.26.71.51 with your IP Address. I just used mine for an example.
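
Added example, not part of any post in this thread: once a rule carries the -l switch, the kernel writes one "Packet log:" line per matching packet, and the script below summarises such lines by source address so that a host touching several service ports stands out from ordinary visitors. The log lines are constructed samples in the ipchains log layout; the source addresses are placeholders and the function names are made up for this example.

```shell
#!/bin/sh
# Summarise ipchains "-l" log entries by source address (added example).

# Constructed sample input. 24.26.71.51 is the destination used in the
# post above; 192.0.2.10 and 198.51.100.7 are placeholder sources.
sample_log() {
cat <<'EOF'
Feb 17 03:12:01 linuxbox kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:40112 24.26.71.51:21 L=60 S=0x00 I=4121 F=0x4000 T=52 SYN (#1)
Feb 17 03:12:01 linuxbox kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:40113 24.26.71.51:25 L=60 S=0x00 I=4122 F=0x4000 T=52 SYN (#2)
Feb 17 03:12:02 linuxbox kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:40114 24.26.71.51:80 L=60 S=0x00 I=4123 F=0x4000 T=52 SYN (#3)
Feb 17 09:40:17 linuxbox kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:1061 24.26.71.51:80 L=60 S=0x00 I=9001 F=0x4000 T=113 SYN (#3)
Feb 17 09:41:55 linuxbox kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:1064 24.26.71.51:80 L=60 S=0x00 I=9040 F=0x4000 T=113 SYN (#3)
EOF
}

# probe_sources MIN
# Reads log lines on stdin and prints "source distinct_ports packets" for
# every source that reached at least MIN distinct destination ports.
probe_sources() {
  awk -v min="${1:-2}" '
    /Packet log: input/ {
      # The two fields after PROTO=n are src_ip:port and dst_ip:port.
      for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
      if (i + 2 > NF) next            # truncated or foreign line: skip it
      split($(i + 1), src, ":")
      split($(i + 2), dst, ":")
      packets[src[1]]++
      if (!((src[1], dst[2]) in seen)) {
        seen[src[1], dst[2]] = 1
        ports[src[1]]++
      }
    }
    END {
      for (s in packets)
        if (ports[s] >= min) print s, ports[s], packets[s]
    }
  ' | sort
}

# Stand-alone run over the constructed sample: sources seen on 2+ ports.
sample_log | probe_sources 2
```

On a live box the function would be fed the file where syslog stores kernel messages instead of sample_log.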
