Leaf Leaf wrote:

> No, but In a very cursory look through my recent logs
> I have noticed one instance of about 100 packets from
> one address denied in a 30 sec period. I'm guessing
> it's a scan through my /27 block for some service on
> port 27374, sample:
> 
> Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2023 216.136.89.104:27374 L=48 S=0x00 I=45589 F=0x4000 T=109 SYN (#25)
> Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2024 216.136.89.105:27374 L=48 S=0x00 I=46869 F=0x4000 T=111 SYN (#25)
> 
> Most of the time however, my logs show a stream of
> denials occurring at a round-the-clock average rate of
> roughly 3 per minute (occasionally a period of a few
> minutes with nothing) of packets from various ip
> addresses denied mostly by the 'forward' rule to
> primarily ports 80 and 21, and occasionally ports 111
> 113 137 and others I'm sure, directed to various ip's
> of my /27 block defined in my DMZ, but on which most
> have no services running.
> 
> Would someone care to tell me what some of these are?
> And is this fairly typical of what goes on out there?

Take a look at:  http://www.dshield.org/topports.html

and it all makes some sense. Look at the sequence of the ports
originating from the one who is probing, 2017, 2018, 2019, etc. No use
in trying to locate who, what is doing this, they're usually cracked
boxes, anyway....

> I know I should be concerned enough to learn how to
> identify whether any of this is any form of attack, or
> whether it is port scanning that may be hampering our
> network usage.  In the meantime, does anyone care to
> look through the following and let me know if you see
> anything of concern?
> 
> My network is 216.136.89.96/27, ISP router, my
> network's gateway: .97, Dachstein eth0: .101, eth2 DMZ:
> .102
> 
> Thanks.
> 
> Samples from today:
> 
> Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)

Nimda is a real pain...


-- 
Patrick Benson
Stockholm, Sweden

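A small detector for the pattern Patrick points to (one source walking the /27 with rising source ports), added here as an illustration and not code from the thread or from the LEAF/Dachstein project. It parses the ipchains "Packet log:" format quoted above; the sample lines are reconstructed from the post, and the 30-second window and 5-host threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ipchains "Packet log:" line as quoted in the thread; syslog timestamps carry no year.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \w+ (?P<action>\w+) "
                    r"\S+ PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")

def parse_line(line):
    """Return the fields the detector needs, or None if the line is not a packet log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    return {"ts": datetime.strptime(f["ts"], "%b %d %H:%M:%S"), "action": f["action"],
            "proto": int(f["proto"]), "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]), "syn": bool(re.search(r"\bSYN\b", line))}

def detect_sweeps(lines, window=timedelta(seconds=30), min_hosts=5):
    """Flag sources whose denied TCP SYNs hit >= min_hosts distinct hosts on one port within `window`."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "DENY" and ev["proto"] == 6 and ev["syn"]:
            by_key[(ev["src"], ev["dport"])].append(ev)
    hits = []
    for (src, dport), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])          # stable sort: ties keep log order
        start, best = 0, 0
        for end in range(len(evs)):              # sliding time window over the events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["dst"] for e in evs[start:end + 1]}))
        if best >= min_hosts:
            sports = [e["sport"] for e in evs]   # rising source ports: one host connecting in turn
            hits.append({"src": src, "dport": dport, "hosts": best,
                         "rising_sport": all(a < b for a, b in zip(sports, sports[1:]))})
    return hits

# Constructed sample: the six port-27374 entries and the Dec 2 port-80 entry quoted in the thread.
SAMPLE = [
    "Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)",
    "Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)",
    "Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)",
    "Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)",
    "Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2023 216.136.89.104:27374 L=48 S=0x00 I=45589 F=0x4000 T=109 SYN (#25)",
    "Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2024 216.136.89.105:27374 L=48 S=0x00 I=46869 F=0x4000 T=111 SYN (#25)",
    "Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)",
]
```

Running `detect_sweeps(SAMPLE)` reports the 216.1.84.76 sweep of port 27374 across six hosts with monotonically rising source ports, while the lone port-80 hit stays below the threshold.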
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
