I realize this is a lamer/beginner question, but I've been attacked by a couple of addresses in China and I'm not sure how to close the hole.
My snort logs (yes I'm using snort! I see you are impressed) show things like this:
TCP Portscan
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
11/09-06:48:46.652278 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF
And fragmentation overlap:
[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
11/09-06:25:44.678218 208.69.57.102 -> 183.177.114.1
UDP TTL:64 TOS:0x0 ID:33670 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000 Frag Size: 0x05C8
I don't understand what this means, but I think it means that someone is portscanning me from 58.218.199.227 (208.69.57.101 is my IP address). They are also fragmenting my overlaps, which I don't take kindly to.
This is the alert file generated by snort. My server provider shut down my server because he said there was something like 60 GB of data transfer last night.
So what should I do now?
- What are immediate actions? I shut down the web server, mysql server. Anything else I should do?
- How do I fix the problem? Should I just go through the log file and manually block all ip addresses that generated alerts?
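The second question asks whether to read the alert file and block every address in it by hand. Below is an added example script (it is not from the poster and not part of Snort) that does the triage part: it parses the alert-full layout quoted above, groups records by the remote address, and separates alerts where the remote host is the source (inbound, like the portscan from 58.218.199.227) from alerts where the server itself is the source (outbound, like the UDP fragmentation record from 208.69.57.102), since only the former are candidates for an inbound firewall rule. The local range 208.69.57.0/24, the third (repeated) record in the sample and the `iptables` wording are assumptions for illustration.

```python
"""Triage a Snort alert file: count alerts per remote host, by direction."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the server's addresses (.101 and .102 appear in the question)
# live in this block; replace with the real local range.
LOCAL_NETS = [ip_network("208.69.57.0/24")]

# Constructed sample in the layout of the alerts quoted in the question.
# The first two records are the quoted ones; the third is made up to show
# that repeat offenders are counted.
SAMPLE_ALERTS = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
11/09-06:48:46.652278 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
11/09-06:25:44.678218 208.69.57.102 -> 183.177.114.1
UDP TTL:64 TOS:0x0 ID:33670 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000 Frag Size: 0x05C8

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
11/09-07:02:10.000001 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")  # may share a line with [Classification: ...]
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def _split_endpoint(ep):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); a bare address keeps port None."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_alerts(text):
    """Return one dict per blank-line separated alert record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"msg": None, "priority": None, "src": None, "dst": None}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                rec["gid"], rec["sid"], rec["rev"] = (int(x) for x in m.group(1, 2, 3))
                rec["msg"] = m.group(4)
                continue
            m = PRIO_RE.search(line)
            if m:
                rec["priority"] = int(m.group(1))
                continue
            m = FLOW_RE.match(line)
            if m:
                rec["ts"] = m.group(1)
                rec["src"], rec["sport"] = _split_endpoint(m.group(2))
                rec["dst"], rec["dport"] = _split_endpoint(m.group(3))
        if rec["src"] and rec["dst"]:  # drop truncated records without a flow line
            alerts.append(rec)
    return alerts


def summarize(alerts, local_nets=LOCAL_NETS):
    """Count alerts per remote address, split into inbound and outbound."""
    def is_local(addr):
        ip = ip_address(addr)
        return any(ip in net for net in local_nets)

    summary = defaultdict(lambda: {"inbound": 0, "outbound": 0, "msgs": set()})
    for a in alerts:
        if is_local(a["dst"]) and not is_local(a["src"]):
            remote, direction = a["src"], "inbound"
        elif is_local(a["src"]) and not is_local(a["dst"]):
            remote, direction = a["dst"], "outbound"
        else:
            continue  # local-to-local or wholly foreign: not something to block here
        summary[remote][direction] += 1
        summary[remote]["msgs"].add(a["msg"])
    return dict(summary)


def candidate_blocks(summary):
    """Remote addresses that produced inbound alerts, busiest first."""
    hits = [(r, s["inbound"]) for r, s in summary.items() if s["inbound"]]
    return [r for r, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


def firewall_rules(addresses):
    """iptables lines for the chosen addresses; review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in addresses]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    summary = summarize(parse_alerts(text))
    for remote, s in sorted(summary.items()):
        print(f"{remote:16} in={s['inbound']:3} out={s['outbound']:3}  {', '.join(sorted(s['msgs']))}")
    print("\n".join(firewall_rules(candidate_blocks(summary))))
```

Run it as `python triage.py /var/log/snort/alert` to get the per-address table and the proposed rules. Outbound-only entries are listed but never turned into rules: an alert whose source is your own server says something about what the server is sending, which is a different question from what to drop at the front door.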