Linux - Security (LinuxQuestions.org): This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The IP addresses have been changed for obvious reasons, but I used 184.108.40.206 and 220.127.116.11 to indicate that these were actually two different IPs and not the same. Let me know what you think, thanks.
Is it a VPN link?
Is the 18.104.22.168 IP the same as the destination address that the 22.214.171.124 IP client tried to contact, or is it a router/firewall in the path?
Basically tcpdump is showing you an error code 13 ("not ICMP type 13"); it's error code 13, ICMP type 11.
"Communication Administratively Prohibited" - generated if a router cannot forward a packet due to administrative filtering.
I assume a firewall is not responding, or a protocol used in the connection is not getting through due to non-support or blocking by a filter of some sort on that 126.96.36.199 system.
For example: IPsec uses UDP as part of its ISAKMPD key exchange, and the firewall might be rejecting it with a timeout.
Anyway, without more information on what's asking the request to where, it's just speculation.
188.8.131.52 is completely different than 184.108.40.206. They aren't even a part of the same block, and they don't look up as the same corporation or anything. That is why it is strange to me, because the request comes into my box from 220.127.116.11, and then it looks like it is trying to leave my box to 18.104.22.168; each IP is unique in this case.
It looks like a filter problem as in a firewall or other packet filtering software problem.
From the tcpdump output it's the one sending ICMP error codes back to your 22.214.171.124 box; your box replies to these errors.
But with only one line of output from tcpdump it's not easy to tell.
If you come into a forum in the first place asking advice, you have to be prepared to give us the information we need to help you diagnose it.
It's like a mechanic trying to fix someone's car over the phone (which is already difficult), where the owner tells you it's making a funny pinging noise, but they don't tell you what's making the noise, what area of the car the noise comes from, or what model car it is.
You're not going to get an answer that's going to help you very much, are you?
It isn't a VPN; this is a dedicated hosted box, I manage it remotely. It runs as a web server, Apache, and that is it. The only other access to this box is me through SSH or FTP, and some email accounts. I am just curious what causes this kind of information in my logs. I am more looking for an explanation, or breakdown of this message, like the direction of the message, who it came from, etc., and why it looks like it comes from one IP, through me, to a different IP. I would like to learn more about understanding how the logs and tcpdump output work.
My host's network has a firewall, so it is possible it isn't letting this info out, but the IPs in this message don't resolve to my host's corp., nor do they match their general IP blocks.
Sorry if I made this more difficult than it had to be.
It's the response from the system that you're sniffing with tcpdump, to the 126.96.36.199 system.
Basically the 188.8.131.52 system requested something like an Echo reply or time exceeded ICMP type to the 184.108.40.206 address.
Your system is configured to reject them and responded, telling it that the request it asked for is not allowed ("that's the message you're seeing").
So on your firewall make sure that all ICMP blockers deny the packets, not reject them.
Sorry, don't know where you can find info on tcpdump.
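An added example, not from anyone in this thread, showing why one capture line can name three addresses: an ICMP error such as type 3, code 13 ("communication administratively prohibited") quotes the IP header and first 8 bytes of the datagram that was refused, so the packet carries the reporting router, the host it was sent to, and the original destination. The script builds such a packet from constructed documentation-range addresses and decodes all three parties; the addresses, ports and the build helper are assumptions for the demo.

```python
import socket
import struct

# ICMP type/code pairs discussed in the thread (names per RFC 792 / RFC 1812).
ICMP_MEANING = {
    (3, 13): "destination unreachable: communication administratively prohibited",
    (11, 0): "time exceeded: TTL expired in transit",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message with a correct checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, header checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_admin_prohibited(router, client, server, sport, dport) -> bytes:
    """Constructed sample: the type 3/code 13 error a filtering router sends to `client`
    after refusing client's TCP segment toward server:dport (hypothetical addresses)."""
    quoted = build_ipv4(client, server, 6, struct.pack("!HHI", sport, dport, 0x1000))
    body = struct.pack("!BBHI", 3, 13, 0, 0) + quoted        # checksum patched in below
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    return build_ipv4(router, client, 1, body)

def parse_icmp_error(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying an ICMP error, plus the datagram it quotes."""
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if packet[9] != 1 or icmp_checksum(icmp) != 0:
        raise ValueError("not an ICMP packet with a valid checksum")
    itype, code = icmp[0], icmp[1]
    if itype not in (3, 11):
        raise ValueError("type %d is not an ICMP error message" % itype)
    inner = icmp[8:]                                   # quoted original IP datagram
    sport, dport = struct.unpack("!HH", inner[(inner[0] & 0x0F) * 4:][:4])  # TCP/UDP
    return {"reported_by": socket.inet_ntoa(packet[12:16]),  # the filtering router/firewall
            "sent_to": socket.inet_ntoa(packet[16:20]),      # the host being sniffed
            "type": itype, "code": code, "meaning": ICMP_MEANING.get((itype, code), "unknown"),
            "original_src": socket.inet_ntoa(inner[12:16]),  # who sent the refused packet
            "original_dst": socket.inet_ntoa(inner[16:20]),  # where it was going (3rd address)
            "original_proto": inner[9], "original_sport": sport, "original_dport": dport}

SAMPLE = build_admin_prohibited("192.0.2.1", "198.51.100.10", "203.0.113.5", 40000, 443)
```

Run `parse_icmp_error(SAMPLE)` to see the three roles side by side; a firewall that drops instead of rejecting would produce no such packet at all.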