Hi Guys,

Im nt really sure if this is the right place to post this query but I have been facing a incident lately where my machine is being attempted to access from the internet.

Let me first explain my setup.
I have a machine with a broadband connection on it. The ISP provides me a LOCAL IP and there are no modems or routers involved. Its just a network cable that is getting connected directly to my machines Ethernet port.
With this setup I am able to browse and access rest all services perfectly. Also i am able to SSH remote machines without any issues.
But recently when i was checking the messages of my Linux machine i saw that my machine was being tried to access from the net. the logs were as follows ..


Nov 3 19:26:40 huston sshd[8680]: Invalid user awhite from 112.x.x.2
Nov 3 19:26:37 huston sshd[8676]: Invalid user suraj from 112.x.x.2
Nov 3 19:26:36 huston sshd[8674]: Invalid user viptech from 112.x.x.2
Nov 3 14:57:39 huston sshd[7978]: Invalid user gopher from 58.x.x.142
Nov 3 14:57:38 huston sshd[7976]: Invalid user rpc from 58.x.x.142
Nov 3 14:57:32 huston sshd[7974]: Invalid user rpcuser from 58.x.x.142
Nov 3 14:57:30 huston sshd[7972]: Invalid user nfsnobody from 58.x.x.142


Its not that I want them blocked. I can manage that. I am just curious how they could reach my machine without any sorta port forwarding on my ISP's IP.

Any advice on this will be helpful.

Thanks in advance..

Just needed to add one more small detail, which i dont think would matter much.

My ISP has a Dynamic Public IP. Still I always have the same STATIC local IP that is assigned to me by my ISP on my machine.

Unless you are behind address translation or a firewall, then your IP address may be accessed from anywhere on the net. If your IP was not routable, then your web browsing would not work well since the replies from web servers would never get back to you. Not sure what you mean by a local IP address. Can you explain?

With no router in between your computer and the internet you will get people trying to access your computer. As long as you haven't turned off iptables or selinux and are using strong passwords your system should be ok. I still like running a router box between computer(s) and any internet connection whenever possible.

As to why you're always seeing the same IP address assigned by the internet hosting provider most ISPs DHCP servers will keep giving the same IP address when it's time to renew. It's always possible to get a different IP when the renewal happens but as you've seen that's not always the case.

Thanks for the replies smallpond and travisdh1.

First addressing smallpond.
By local i mean a IP of the Private IP range (172.16.x.x). So the outbound packets obviously get Source Natted and reach the internet. And the ISP's router at the ISP end should be sending it back to my machines Private IP as a response to my request. Thus I am able to browse even if I dont have a publicly routable IP.

My ISP charges quiet a lot of extra cost for a Public IP so I was assuming that he cant just leave NAT open on all the ports to all his Clients Private IP's, coz then that would be as good as having a Public IP (in a way). So considering that there is no specific NAT configured on the ISP's router by default, I dont think that the folks on the net should have any access to my machine.
Still this all is as per my understanding. Please correct me if im wrong.

------

Now addressing travisdh1.
I do not have a DHCP configuration. The ISP has permanently assigned me that IP address which i use. but as mentioned earlier its of the Private range. But that is not much of a concern to me as long as things are working just fine. And yes you are correct about the security measures. I do not have a router in between my PC and the ISP Link. Also IPtables is at its minimal. Coz i was not taking such attacks into consideration. But now since my machine seems to be exposed I will surely apply a few more layers of security.

------

Also I would like to share something with you guys that I have just discovered. I checked my current Public IP and tried to access the ports that are open on my machine from the internet, and to my surprise the requests from the internet were reaching my machine. It seems that there is a Destination Nat already applied for my machines IP and I have no clue how that happened .
Still its a good news for me.

Having said that I would like to apologize for the false alarm. but this was a good learning experience for me.

Please let me know if there are more points that could be discussed on this topic else I can mark this thread as solved.

Thanks...

1 members found this post helpful.