The IP addresses have been changed for obvious reasons, but I used 188.8.131.52 and 184.108.40.206 to indicate that these were actually two different IPs and not the same. Let me know what you think, thanks.
Is it a VPN link?
Is the 220.127.116.11 IP the same as the destination address that the 18.104.22.168 client tried to contact, or is it a router/firewall in the path?
Basically tcpdump is showing you an error code 13 ("not ICMP type 13"). It's error code 13, ICMP type 11.
"Communication Administratively Prohibited" - generated if a router cannot forward a packet due to administrative filtering.
I assume a firewall is not responding, or a protocol used in the connection is not getting through due to non-support or blocking by a filter of some sort on that 22.214.171.124 system.
For example: IPsec uses UDP as part of its ISAKMPD key exchange, and the firewall might be rejecting it with a timeout.
Anyway, without more information on what's asking the request to where, it's just speculation.
126.96.36.199 is completely different than 188.8.131.52. They aren't even part of the same block, and they don't look up as the same corporation or anything. That is why it is strange to me, because the request comes into my box from 184.108.40.206, and then it looks like it is trying to leave my box to 220.127.116.11; each IP is unique in this case.
It looks like a filter problem as in a firewall or other packet filtering software problem.
From the tcpdump output, it's the one sending ICMP error codes back to your 18.104.22.168 box, and your box replies to these errors.
But with only one line of output from tcpdump it's not easy to tell.
If you come into a forum in the first place asking for advice, you have to be prepared to give us the information we need to help you diagnose it.
It's like a mechanic trying to fix someone's car over the phone (which is already difficult), where the owner tells you it's making a funny pinging noise but doesn't tell you what's making the noise, what area of the car the noise comes from, or what model car it is.
You're not going to get an answer that's going to help you very much, are you?
It isn't a VPN; this is a dedicated hosted box, and I manage it remotely. It runs as a web server, Apache, and that is it. The only other access to this box is me through SSH or FTP, and some email accounts. I am just curious what causes this kind of information in my logs. I am more looking for an explanation or breakdown of this message, like the direction of the message, who it came from, etc., and why it looks like it comes from one IP, through me, to a different IP. I would like to learn more about understanding how the logs and tcpdump output work.
My host's network has a firewall, so it is possible it isn't letting this info out, but the IPs in this message don't resolve to my host's corp., nor do they match their general IP blocks.
Sorry if I made this more difficult than it had to be.
It's the response from the system that you're sniffing with tcpdump to the 22.214.171.124 system.
Basically the 126.96.36.199 system requested something like an Echo Reply or Time Exceeded ICMP type to the 188.8.131.52 address.
Your system is configured to reject them and responded, telling it that the request it asked for is not allowed. (That's the message you're seeing.)
So on your firewall, make sure that all ICMP blockers deny the packets, not reject them.
Sorry, don't know where you can find info on tcpdump.
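As an added example (not from any poster in this thread), the following Python decoder takes a tcpdump line of the kind discussed above and names the three addresses involved in an ICMP destination-unreachable message, then states which side of the sniffing host sent the error. "Communication Administratively Prohibited" is ICMP type 3, code 13; the sample line and all addresses in it are constructed.

```python
import re

# ICMP destination-unreachable (type 3) codes, keyed by tcpdump's wording.
# "Communication Administratively Prohibited" is type 3, code 13.
UNREACH_CODES = {
    "net unreachable": 0,
    "host unreachable": 1,
    "net unreachable - admin prohibited": 9,
    "host unreachable - admin prohibited": 10,
    "host unreachable - admin prohibited filter": 13,
}

# Constructed tcpdump -n line (documentation addresses, not from the thread).
SAMPLE = ("12:00:01.000000 IP 198.51.100.1 > 192.0.2.10: "
          "ICMP host 203.0.113.7 unreachable - admin prohibited filter, length 36")

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<kind>net|host) (?P<orig_dst>[\d.]+) unreachable"
    r"(?P<suffix> - [\w ]+)?, length \d+$")

def explain_icmp_unreachable(line):
    """Split a tcpdump ICMP unreachable line into its three addresses: outer
    src = device that generated the error, outer dst = host whose packet was
    refused, plus the refused packet's destination quoted in the ICMP payload."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a host/net unreachable line
    wording = m["kind"] + " unreachable" + (m["suffix"] or "")
    return {
        "icmp_type": 3,
        "icmp_code": UNREACH_CODES.get(wording),
        "error_sender": m["src"],
        "original_sender": m["dst"],
        "original_destination": m["orig_dst"],
    }

def describe(line, my_ip):
    """State the direction of the error relative to the host running tcpdump."""
    r = explain_icmp_unreachable(line)
    if r is None:
        return "Not a destination-unreachable line"
    if r["original_sender"] == my_ip:
        return (f"Inbound: {r['error_sender']} refused this host's packet to "
                f"{r['original_destination']} (ICMP type 3 code {r['icmp_code']})")
    if r["error_sender"] == my_ip:
        return (f"Outbound: this host told {r['original_sender']} that its packet to "
                f"{r['original_destination']} is prohibited; a DROP rule would have "
                f"stayed silent (ICMP type 3 code {r['icmp_code']})")
    return "Transit: this host neither sent nor received the error"
```

Run `describe(SAMPLE, "<your box's IP>")` against a line from your own capture to see whether your firewall is the one answering with a reject, which is the case the last reply describes.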