This morning I found several entries in my logs which look suspicious to me.  Can 
anyone enlighten me?  

Background.  I have three networked machines: 

(1) The first acts as a firewall, does ip-masqing for machines (2) and (3) and port 
forwarding (ports 21, 80) for machine (2).

(2) The second runs apache and wu-ftp, and handles connections made through the 
firewall on ports 21 and 80.

(3) The third runs win95.

Machines (1) and (2) run RH6.2, and have all package updates installed.  OpenSSH also 
runs on both (1) and (2).

Here are the log entries that look funny to me:

(1) On the Firewall machine (a.b.c.d):

Oct  3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
Oct  3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32) 
Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=993 F=0x4000 T=45 (#32) 
Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=994 F=0x4000 T=45 (#32) 
Oct  3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port 2225
Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=1004 F=0x4000 T=45 (#32) 
Oct  3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication for 203.21.16.18.
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:3 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32) 
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:5 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=16004 F=0x0000 T=236 (#32) 

(2) On the FTP/HTTP server (shoeless):

Oct  2 15:12:25 shoeless in.ftpd[9647]: connect from 203.21.16.18
Oct  2 15:25:33 shoeless ftpd[9647]: lost connection to mail.travelmate.com.au [203.21.16.18]
Oct  2 15:25:33 shoeless ftpd[9647]: FTP session closed
Oct  2 15:25:34 shoeless inetd[420]: pid 9647: exit status 255

Note:  the clock on shoeless is broken, and gives incorrect time.


The machine attempting to connect (203.21.16.18) resolves to mail.travelmate.com.au -- 
a mail server??  So why would a mail server be attempting to connect to my machine?  
Why are the connection attempts coming from low ports (1-5)?  Why attempt an ssh 
connection?

I'd really appreciate your comments and suggestions.

__
Larry Grover, PhD
Assoc Prof of Physiology
Marshall Univ Sch of Med
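As an added example (not part of Larry's post), here is a small Python checker for the ipchains "Packet log:" lines quoted above: it parses the fields and flags the three oddities the post asks about, namely source ports below 1024, TCP segments on flows that never showed a SYN, and one IP ID value reused across many packets. The regex layout, the thresholds and the sample list (copied from the post and rejoined onto single lines) are my assumptions.

```python
import re
from collections import Counter, defaultdict
# Field layout of the ipchains "Packet log:" kernel lines quoted in the post
# (assumption: TCP flag words such as SYN sit between T= and the rule number).
PKT_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x\w+ I=(?P<ipid>\d+) F=0x\w+ T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

def parse(line):
    """Return a dict for an ipchains packet line, None for any other syslog line."""
    m = PKT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        rec[k] = int(rec[k])
    rec["flags"] = rec["flags"].split()
    return rec

def analyze(lines, low_port=1024, ipid_repeats=3):
    """Flag low source ports, TCP flows never seen opening, and reused IP IDs."""
    pkts = [p for p in map(parse, lines) if p]
    findings, seen_syn = defaultdict(list), set()
    for p in pkts:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["sport"] < low_port:  # ordinary clients pick ephemeral ports >= 1024
            findings["low_source_port"].append(p["sport"])
        if "SYN" in p["flags"]:
            seen_syn.add(flow)
        elif p["proto"] == 6 and flow not in seen_syn:
            # no handshake seen for this flow: looks like crafted probes, not a client
            findings["mid_stream_without_syn"].append(flow)
    # a real IP stack varies the IP ID per packet; a fixed value suggests a crafting tool
    ipids = Counter(p["ipid"] for p in pkts)
    findings["repeated_ip_id"] = sorted(i for i, n in ipids.items() if n >= ipid_repeats)
    return dict(findings)

# Constructed sample: firewall lines from the post, rejoined onto single lines.
SAMPLE_LINES = [
    "Oct  3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)",
    "Oct  3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32)",
    "Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=993 F=0x4000 T=45 (#32)",
    "Oct  3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port 2225",
    "Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)",
    "Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)",
    "Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32)",
    "Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=16004 F=0x0000 T=236 (#32)",
]
```

Running `analyze(SAMPLE_LINES)` reports source ports 80, 1, 2, 4, 4 as low, three flows (source ports 80, 1, 2) with no preceding SYN, and IP ID 39426 as the reused value; the 2217 and second port-4 segments pass because their SYN was seen first.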




_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list