[newbie] OT: Port Scan?
I've got a D-Link DI-604 router for my small home network. I have it automatically send me the log file when it reaches a certain size. In the last few days, I've been getting a copy of the log file several times a day. And it's always the same thing:

Feb/09/2004 22:06:32 Drop TCP packet from WAN src:66.65.215.6:62986 dst:162.40.161.66:8980 Rule: Default deny
Feb/09/2004 22:06:32 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
Feb/09/2004 22:06:32 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
Feb/09/2004 22:06:31 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
Feb/09/2004 22:06:30 Drop TCP packet from WAN src:24.192.222.186:4697 dst:162.40.161.66:6346 Rule: Default deny
Feb/09/2004 22:06:28

Of course, the log file is MUCH bigger, but the vast majority of entries are like this. Is this a port scan of some kind? I don't know how to read firewall log files like this. Can anyone shed some light on this for me?

Thanks,
Chris

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] OT: Port Scan?
You read it like this: for example, the first line is telling you that a machine with IP address 66... is trying to connect to your machine (IP address 162) on TCP port 8980. The firewall is applying a default behavior of denying the connection.

The log file shows several ICMP packets, typically used for ping. They also show TCP connections to ports 6346 and 8980. From Google, the first one is used by peer-to-peer file sharing programs (BearShare, Gnutella); the other one I couldn't find.

Yes, it could be a port scan, but I wouldn't worry about it as long as you have your firewall, although a better policy would be to DROP the packets instead of DENY the connection. Deny means that the firewall does not allow the other peer to connect to your machine, typically sending back a NACK packet or similar. Drop means that the firewall just ignores the packet and does not send back any acknowledgement (positive or negative). The latter is better since it does not let the other peer know that you even exist.

There should also be a way to avoid logging these attempts (there _is_ in Linux's firewall, iptables) if they are clogging your log file, but I cannot help with your specific router.

raffaele

[EMAIL PROTECTED] wrote:
> I've got a D-Link DI-604 router for my small home network. I have it automatically send me the log file when it reaches a certain size. In the last few days, I've been getting a copy of the log file several times a day. And it's always the same thing:
>
> Feb/09/2004 22:06:32 Drop TCP packet from WAN src:66.65.215.6:62986 dst:162.40.161.66:8980 Rule: Default deny
> Feb/09/2004 22:06:32 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
> Feb/09/2004 22:06:32 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
> Feb/09/2004 22:06:31 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
> Feb/09/2004 22:06:30 Drop TCP packet from WAN src:24.192.222.186:4697 dst:162.40.161.66:6346 Rule: Default deny
> Feb/09/2004 22:06:28
>
> Of course, the log file is MUCH bigger, but the vast majority of entries are like this. Is this a port scan of some kind? I don't know how to read firewall log files like this. Can anyone shed some light on this for me?
>
> Thanks,
> Chris
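To make the reading method above concrete, here is a small Python script (an added example, not code from the thread or from D-Link) that parses DI-604 log lines of the format shown, groups them by source address, and labels each source by how many distinct destination ports it touched within a short window. It assumes that ICMP entries carry ICMP type and code in the two port positions (the thread does not confirm this, so those numbers are parsed but ignored). The 203.0.113.7 lines in the sample are constructed, using a documentation address, to show what a multi-port sweep looks like next to the real single-port noise from the original post; the only port name it knows, 6346, comes from the thread itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches one DI-604 entry as it appears in the thread. For ICMP entries the
# two numbers after the addresses are assumed (not confirmed by the thread)
# to be ICMP type and code rather than ports, so they are parsed but ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<proto>TCP|UDP|ICMP) packet from (?P<iface>\w+) "
    r"src:(?P<src>[\d.]+):(?P<sport>\d+) dst:(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"Rule: (?P<rule>.+)$"
)

# Port names taken from the thread itself; anything else is reported as "unknown".
KNOWN_PORTS = {6346: "gnutella (BearShare etc.)"}

# Constructed sample: the five complete lines from the original post plus six
# lines from a made-up source (203.0.113.7, a documentation address) that
# walks through several well-known ports within a few seconds.
SAMPLE_LOG = """\
Feb/09/2004 22:06:32 Drop TCP packet from WAN src:66.65.215.6:62986 dst:162.40.161.66:8980 Rule: Default deny
Feb/09/2004 22:06:32 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
Feb/09/2004 22:06:32 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
Feb/09/2004 22:06:31 Drop ICMP packet from WAN src:216.176.95.198:3 dst:162.40.161.66:1 Rule: Default deny
Feb/09/2004 22:06:30 Drop TCP packet from WAN src:24.192.222.186:4697 dst:162.40.161.66:6346 Rule: Default deny
Feb/09/2004 22:07:01 Drop TCP packet from WAN src:203.0.113.7:40001 dst:162.40.161.66:21 Rule: Default deny
Feb/09/2004 22:07:01 Drop TCP packet from WAN src:203.0.113.7:40002 dst:162.40.161.66:22 Rule: Default deny
Feb/09/2004 22:07:02 Drop TCP packet from WAN src:203.0.113.7:40003 dst:162.40.161.66:23 Rule: Default deny
Feb/09/2004 22:07:02 Drop TCP packet from WAN src:203.0.113.7:40004 dst:162.40.161.66:25 Rule: Default deny
Feb/09/2004 22:07:03 Drop TCP packet from WAN src:203.0.113.7:40005 dst:162.40.161.66:80 Rule: Default deny
Feb/09/2004 22:07:03 Drop TCP packet from WAN src:203.0.113.7:40006 dst:162.40.161.66:443 Rule: Default deny
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not a firewall entry."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b/%d/%Y %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(text, window=timedelta(seconds=60), min_ports=5):
    """Group dropped packets by source address and label each source.

    A source that touches at least `min_ports` distinct TCP/UDP destination
    ports within any `window` is labelled a port scan; a source that only hits
    a handful of ports (like the 6346 traffic in the thread) is labelled
    isolated probes; ICMP-only sources are labelled as such.
    """
    by_src = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        l4 = [r for r in recs if r["proto"] != "ICMP"]
        ports = sorted({r["dport"] for r in l4})
        # Sliding window: most distinct ports hit within `window` of any packet.
        best = 0
        for i, r in enumerate(l4):
            seen = {x["dport"] for x in l4[i:] if x["ts"] - r["ts"] <= window}
            best = max(best, len(seen))
        if best >= min_ports:
            kind = "port scan"
        elif ports:
            kind = "isolated probes"
        else:
            kind = "icmp only"
        report[src] = {
            "packets": len(recs),
            "icmp": len(recs) - len(l4),
            "ports": ports,
            "services": [KNOWN_PORTS.get(p, "unknown") for p in ports],
            "max_ports_in_window": best,
            "kind": kind,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:16} {info['kind']:16} packets={info['packets']} "
              f"ports={info['ports']} icmp={info['icmp']}")
```

Run it on a saved copy of the router's emailed log (`classify(open("dlink.log").read())`) to see, per source, whether a sender is walking through many ports or just repeatedly knocking on one; the thread's own lines come out as isolated single-port probes and ICMP, which is the background noise raffaele describes, while only the constructed 203.0.113.7 source trips the scan threshold.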
Re: [newbie] OT: Port Scan?
Wow! Thanks for the quick response and great advice. I've changed my router to drop the packets instead of deny them. Hopefully that will deter future things like this from occurring.

As an aside, one thing I've also noticed in the last few days with my network is that my DSL has gone from an average speed of 75k/sec to 150k/sec. That's T1 speed just about, isn't it? I haven't upgraded my subscription or anything, so I have no clue why it's happening. I really like it though!

Thanks again for your help.

Chris

On Feb 10, 2004, at 3:01 AM, Raffaele Belardi wrote:
> You read it like this: for example, the first line is telling you that a machine with IP address 66... is trying to connect to your machine (IP address 162) on TCP port 8980. The firewall is applying a default behavior of denying the connection.
>
> The log file shows several ICMP packets, typically used for ping. They also show TCP connections to ports 6346 and 8980. From Google, the first one is used by peer-to-peer file sharing programs (BearShare, Gnutella); the other one I couldn't find.
>
> Yes, it could be a port scan, but I wouldn't worry about it as long as you have your firewall, although a better policy would be to DROP the packets instead of DENY the connection. Deny means that the firewall does not allow the other peer to connect to your machine, typically sending back a NACK packet or similar. Drop means that the firewall just ignores the packet and does not send back any acknowledgement (positive or negative). The latter is better since it does not let the other peer know that you even exist.
>
> There should also be a way to avoid logging these attempts (there _is_ in Linux's firewall, iptables) if they are clogging your log file, but I cannot help with your specific router.
Re: [newbie] OT: Port Scan?
Hmm, you should have this DROP packets. Denying allows them to see you're at least up; dropping keeps them guessing. I have this same router. You should set it up for dropping packets instead of denying. :)

-- 
__ We Are 138
http://www.suse.com
http://www.slackware.org
http://www.bsd.org
http://www.daemonnews.org/
http://www.cannibalholocaust.net
http://www.misfits.com
http://www.onethirtyeight.com
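Both replies above recommend dropping rather than denying, and raffaele notes that iptables can also stop these attempts from flooding the log. The ruleset below is an added illustration in iptables-restore format, not from the thread and not something that applies to the DI-604 itself; it assumes a Linux host whose WAN side is `eth0`. The commented-out REJECT lines are the "deny" behaviour the router's log describes (a TCP reset or an ICMP error goes back to the sender, confirming the host exists); the active DROP line discards silently, and the LOG rule in front of it is rate-limited so a noisy peer cannot fill the log.

```conf
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep replies to connections this host started; allow loopback.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# "Deny" style (what the DI-604 log calls Default deny): every unsolicited
# packet gets an answer, so the sender learns the host is up. Kept only for
# comparison; leave commented out.
# -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
# -A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
# "Drop" style: log at most 5 unsolicited packets per minute (burst of 10),
# then discard silently with no reply of any kind.
-A INPUT -i eth0 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "WAN drop: " --log-level 4
-A INPUT -i eth0 -j DROP
COMMIT
```

Load it with `iptables-restore < rules.v4` and watch the kernel log (`dmesg` or `/var/log/messages`) for the `WAN drop:` prefix; once the limit is exhausted the packets are still dropped, just no longer written down, which is the behaviour raffaele says the Linux firewall can give you.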
Re: [newbie] OT: Port Scan?
Damn, sorry. Didn't see someone already told you to just drop them. Oh well, it's almost 6 AM and I've had a whole 5 hours sleep in 3 days.

-- 
__ We Are 138
http://www.suse.com
http://www.slackware.org
http://www.bsd.org
http://www.daemonnews.org/
http://www.cannibalholocaust.net
http://www.misfits.com
http://www.onethirtyeight.com
Re: [newbie] OT: Port Scan?
On Tuesday 10 February 2004 03:19 am, Chris Ruzin wrote:
> As an aside, one thing I've also noticed in the last few days with my network is that my DSL has gone from an average speed of 75k/sec to 150k/sec. That's T1 speed just about, isn't it? I haven't upgraded my subscription or anything, so I have no clue why it's happening. I really like it though!

http://www.dslreports.com/stest

150Kbytes/s is indicative of a 1.5Mbit/s broadband connection.

For thorough port scans: http://scan.sygate.com/

-- 
Tom Brinkman
Corpus Christi, Texas