Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The IP addresses have been changed for obvious reasons, but I used 111.111.111.111 and 222.222.222.222 to indicate that these were actually two different IPs and not the same. Let me know what you think, thanks.
Is it a VPN link?
Is the 222.222.222.222 IP the same as the destination address that the 111.111.111.111 client tried to contact, or is it a router/firewall in the path?
Basically tcpdump is showing you an error code 13, "not ICMP type 13". It's error code 13, ICMP type 11.
"Communication Administratively Prohibited" - generated if a router cannot forward a packet due to administrative filtering.
I assume a firewall is not responding, or a protocol used in the connection is not getting through due to non-support or blocking by a filter of some sort on that 222.222.222.222 system.
For example: IPsec uses UDP as part of its ISAKMPD key exchange, and the firewall might be rejecting it with a timeout.
Anyway, without more information on what's asking the request, to where, it's just speculation.
222.222.222.222 is completely different than 111.111.111.111. They aren't even a part of the same block, and they don't look up as the same corporation or anything. That is why it is strange to me, because the request comes into my box from 222.222.222.222, and then it looks like it is trying to leave my box to 111.111.111.111; each IP is unique in this case.
It looks like a filter problem, as in a firewall or other packet-filtering software problem.
From the tcpdump output, it's the one sending ICMP error codes back to your 111.111.111.111 box, and your box replies to these errors.
But with only one line of output from tcpdump, it's not easy to tell.
If you come into a forum in the first place asking for advice, you have to be prepared to give us the information we need to help you diagnose it.
It's like a mechanic trying to fix someone's car over the phone (which is already difficult), where the owner tells you it's making a funny pinging noise, but they don't tell you what's making the noise, what area of the car the noise comes from, or what model car it is.
You're not going to get an answer that's going to help you very much, are you?
/Raz
It isn't a VPN; this is a dedicated hosted box, and I manage it remotely. It runs as a web server, Apache, and that is it. The only other access to this box is me through SSH or FTP, and some email accounts. I am just curious what causes this kind of information in my logs. I am more looking for an explanation, or breakdown of this message: the direction of the message, who it came from, etc., and why it looks like it comes from one IP, through me, to a different IP. I would like to learn more about understanding how the logs and tcpdump output work.
My host's network has a firewall, so it is possible it isn't letting this info out, but the IPs in this message don't resolve to my host's corp., nor do they match their general IP blocks.
Sorry if I made this more difficult than it had to be.
It's the response from the system that you're sniffing with tcpdump, to the 222.222.222.222 system.
Basically the 222.222.222.222 system requested something like an Echo Reply or Time Exceeded ICMP type to the 111.111.111.111 address.
Your system is configured to reject them and responded, telling it that the request it asked for is not allowed ("that's the message you're seeing").
So on your firewall, make sure that all ICMP blockers deny the packets, not reject them.
Sorry, I don't know where you can find info on tcpdump.
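As an added example, not code from the thread and not tcpdump's own decoder, the Python below builds and then decodes an ICMP type 3 code 13 ("communication administratively prohibited") packet and reports who sent it, to whom, about which datagram. It follows the "router/firewall in the path" reading from the earlier replies: the sniffed box (192.0.2.10, an assumed documentation address) sent a TCP SYN to port 25 on 111.111.111.111, and 222.222.222.222 answered with the error. The packet bytes, the port numbers and the TCP SYN are constructed here; 111.111.111.111 and 222.222.222.222 are the thread's own placeholders.

```python
"""Decode an ICMPv4 error and say who told whom that which datagram was refused.

An ICMP error (RFC 792) quotes the IP header plus the first 8 bytes of the datagram
that triggered it, so one captured packet names three parties: the host that generated
the error, the host it was sent to, and the destination of the quoted datagram.
Constructed example for this thread, not code posted in it.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 9: "net admin prohibited",
    10: "host admin prohibited", 13: "communication administratively prohibited",
}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_error(icmp_src: str, icmp_dst: str, icmp_type: int, icmp_code: int,
                     offending: bytes) -> bytes:
    """Wrap the offending datagram's IP header + 8 bytes in a checksummed ICMP error."""
    quoted = offending[:(offending[0] & 0x0F) * 4 + 8]
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(icmp_src, icmp_dst, 1, len(icmp)) + icmp


def icmp_checksum_ok(packet: bytes) -> bool:
    """True when the packet is ICMP and its checksum (covering the quoted data) verifies."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[9] == 1 and inet_checksum(packet[ihl:]) == 0


def decode_icmp_error(packet: bytes) -> dict:
    """Parse the outer IPv4 + ICMP header and the quoted original datagram."""
    if not icmp_checksum_ok(packet):
        raise ValueError("not ICMP, or ICMP checksum does not verify")
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    itype, icode = icmp[0], icmp[1]
    if itype not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        raise ValueError("ICMP type %d is not an error carrying a quoted datagram" % itype)
    quoted = icmp[8:]                      # original IP header + first 8 bytes of payload
    q_ihl = (quoted[0] & 0x0F) * 4
    q_proto = quoted[9]
    sport = dport = None
    if q_proto in (6, 17):                 # TCP and UDP both begin with the two ports
        sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {
        "icmp_src": str(ipaddress.IPv4Address(packet[12:16])),
        "icmp_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "type": itype, "code": icode,
        "orig_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "orig_proto": q_proto, "orig_sport": sport, "orig_dport": dport,
    }


def describe(info: dict) -> str:
    """One line in the spirit of tcpdump's 'host X unreachable - admin prohibited'."""
    if info["type"] == ICMP_DEST_UNREACH:
        code_name = UNREACH_CODES.get(info["code"], "code %d" % info["code"])
        what = "host %s unreachable - %s" % (info["orig_dst"], code_name)
    else:
        what = "time exceeded in-transit to %s" % info["orig_dst"]
    proto = PROTO_NAMES.get(info["orig_proto"], str(info["orig_proto"]))
    if info["orig_sport"] is None:
        flow = "%s -> %s" % (info["orig_src"], info["orig_dst"])
    else:
        flow = "%s:%d -> %s:%d" % (info["orig_src"], info["orig_sport"],
                                   info["orig_dst"], info["orig_dport"])
    return "%s > %s: ICMP %s (quoted datagram: %s %s)" % (
        info["icmp_src"], info["icmp_dst"], what, proto, flow)


# Constructed sample (assumed addresses/ports): the sniffed box 192.0.2.10 sent a TCP SYN
# to 111.111.111.111:25 and a filtering router at 222.222.222.222 answered with
# type 3 code 13.  The TCP checksum is left zero; nothing here validates it.
ORIGINAL = ipv4_header("192.0.2.10", "111.111.111.111", 6, 20) + struct.pack(
    "!HHIIBBHHH", 44123, 25, 1, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE = build_icmp_error("222.222.222.222", "192.0.2.10", ICMP_DEST_UNREACH, 13, ORIGINAL)

if __name__ == "__main__":
    print(describe(decode_icmp_error(SAMPLE)))
```

The quoted header is why a single tcpdump line seems to involve three addresses: the two in the outer IP header are the sender and receiver of the ICMP error, and the one printed after "host" comes from the quoted datagram, which is the packet the error is complaining about. ICMP errors are unauthenticated, so a receiving host matches that quoted header against its own sockets before acting on it; a flipped bit in the quoted part fails the checksum check above. As for the "deny, not reject" advice: on iptables that is the difference between `-j REJECT --reject-with icmp-admin-prohibited`, which emits exactly this type 3 code 13 message to the sender, and `-j DROP`, which emits nothing.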