I have ssh open to one of my servers on a non-standard port. I have never seen anything to make me believe someone has cracked or even has tried to crack into the machine in the past. However, I was troubleshooting another issues I had and notice entries like this in my tcpdump output:

13:09:22.341390 IP 192.168.1.2.51413 > 190-82-164-231.adsl.tie.cl.10399: UDP, length 67
13:09:22.341427 IP 192.168.1.2.51413 > 95.58.5.15.22439: UDP, length 67
13:09:22.341464 IP 192.168.1.2.51413 > ool-4350a8e7.dyn.optonline.net.56836: UDP, length 67
13:09:22.341499 IP 192.168.1.2.51413 > 80.237.121.2.63878: UDP, length 67
13:09:22.396750 IP ool-4350a8e7.dyn.optonline.net.56836 > 192.168.1.2.51413: UDP, length 58
13:09:22.698354 IP 95.58.5.15.22439 > 192.168.1.2.51413: UDP, length 58


Obvously some of these are IP addresses of people on ISPs. Are these people just scanning ports?

I do not see any invalid users in my secure log so I am not too concerned right now. But I am getting a ton of these (above entries) in my tcpdumps, so it is a little scary to think that there is this many people trying to scan my ports and possible attacking me.

I am just trying to learn more about security and tcp packets, if anyone can give me some information that would be helpful I would appreciate it.

On the network level, you can see what is in the packets using tcpdump:

tcpdump -nnvvXs0 -i eth0 'udp port 51413'

On the host level you can see what process is sending it using:

lsof -i | grep :51413

It doesn't look like your being attacked, it looks like your host is making outbound connections to other hosts as part of bittorrent or something similar. The best way to know for sure is to run the above commands.

That you OlRo, thats opens my eyes a little.