Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am running Etch and using Firestarter as my firewall. Recently, I
have noticed the firewall has been blocking incoming traffic every so
often. I copied an IP from my firewall log into my browser and it took
me to the National Weather Service Headquarters. I don't have any
weather programs installed. I thought it might be some misdirected
packet or something. I blacklisted the IP in the firewall. A day later,
Firestarter blocked an outgoing signal to the same IP address as the
National Weather Service.
I was bugged out by this and ended up blacklisting all the IPs that
turned up in my firewall log. Some may be legitimate, like the ones
outbound from port 80 and 995. But I'm not sure as my knowledge is
limited. Thunderbird is not connecting to the server anymore and wants
my password. From past experience with Windows I am leery of typing in the
password, or unblocking some IPs just yet. I realize gnu/linux cannot be
exploited like Windows, but I am not clear on what's happening.
The incoming and outgoing signals to the National Weather Service really
bother me though.
I am posting several firewall log outputs below. Please let me know if
this is normal traffic or not. I have serious doubts about the first
log. 140.90.128.70 is the IP for the National Weather Service.
Time:Jul 19 19:57:57 Direction: Inbound In:eth0 Out: Port:46803 Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00 Protocol:TCP Service:Unknown
This doesn't say much. The source ports in log #1 are ephemeral ports which basically are "free for all", can be in any range and don't point to anything. The problem is the app you've been running tries to "resolve" the destination port(s) service from /etc/services, doesn't find an entry and shows "Unknown", and that is not helpful. If you got bare iptables log entries they could be more interesting to look at, and while 208.99.69.105 could be compromised, if it's linked to the National Weather Service Headquarters then I suspect you have some applet loaded in one of your applications or your DE. (To be complete: chances this is ghosting from a dynamic IP address change would be near zero since these kinds of applets are pull, not push.)
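The reply above says the "Service:Unknown" comes from the logged port being an ephemeral port that has no /etc/services entry. The following Python script is an added example, not code from the thread or from Firestarter: it parses lines in the format of the log shown, treats the Port field as the packet's destination port (which matches the quoted line, where 46803 sits on the 192.168.1.66 side), checks whether that port falls in the Linux default ephemeral range 32768-60999 (an assumption; the real range is sysctl net.ipv4.ip_local_port_range), and resolves well-known ports through /etc/services the way Firestarter tries to, with a small built-in fallback table. The second and third sample lines are constructed; 192.0.2.10 is a documentation address standing in for a mail server.

```python
"""Classify Firestarter-style firewall log lines by the port they report.

Added example for this thread, not code from the original post or from
Firestarter. Assumptions: the Port field is the packet's destination port,
the ephemeral range is the Linux default 32768-60999, and the fallback
service table is only used when /etc/services is unavailable.
"""
import re
import socket

# Linux default for net.ipv4.ip_local_port_range (assumption; check with sysctl).
EPHEMERAL_RANGE = (32768, 60999)

# Used only when socket.getservbyport() cannot consult /etc/services.
FALLBACK_SERVICES = {
    (80, "tcp"): "http",
    (443, "tcp"): "https",
    (995, "tcp"): "pop3s",
    (123, "udp"): "ntp",
}

KEYS = ("Time", "Direction", "In", "Out", "Port", "Source", "Destination",
        "Length", "TOS", "Protocol", "Service")
# Splitting on the field names (rather than on whitespace) keeps the
# space-containing Time value and the empty In:/Out: values intact.
SPLIT_RE = re.compile(r"\s*\b(" + "|".join(KEYS) + r"):")


def parse_line(line):
    """Turn one 'Key:value Key:value ...' log line into a dict of stripped values."""
    parts = SPLIT_RE.split(line.strip())
    # parts[0] is whatever precedes the first key (normally empty).
    return {key: value.strip() for key, value in zip(parts[1::2], parts[2::2])}


def is_ephemeral(port):
    lo, hi = EPHEMERAL_RANGE
    return lo <= port <= hi


def service_name(port, proto):
    """Resolve a port the way Firestarter tries to, via /etc/services."""
    try:
        return socket.getservbyport(port, proto.lower())
    except OSError:
        return FALLBACK_SERVICES.get((port, proto.lower()), "unknown")


def assess(fields):
    """Say what one logged packet most likely is, given direction and port."""
    port = int(fields["Port"])
    proto = fields.get("Protocol", "TCP")
    inbound = fields.get("Direction") == "Inbound"
    # For an inbound packet the remote host is the Source; outbound, the Destination.
    remote = fields["Source"] if inbound else fields["Destination"]
    svc = service_name(port, proto)
    if inbound and is_ephemeral(port):
        verdict = ("inbound to a local ephemeral port: most likely a reply, or a "
                   "late packet, for a connection this host opened itself")
    elif inbound:
        verdict = "inbound to local service port %s: an unsolicited connection attempt" % svc
    elif is_ephemeral(port):
        verdict = "outbound to a remote high port: find the local process that sent it"
    else:
        verdict = "outbound to remote %s: a connection this host initiated" % svc
    return {"remote": remote, "port": port, "service": svc, "verdict": verdict}


def assess_log(text):
    return [assess(parse_line(line)) for line in text.splitlines() if line.strip()]


# Constructed sample: the first line is the one quoted in the thread, the other
# two are made up (192.0.2.10 is a documentation address standing in for a mail server).
SAMPLE_LOG = """\
Time:Jul 19 19:57:57 Direction: Inbound In:eth0 Out: Port:46803 Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jul 20 08:12:03 Direction: Outbound In: Out:eth0 Port:80 Source:192.168.1.66 Destination:140.90.128.70 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Jul 20 08:15:44 Direction: Outbound In: Out:eth0 Port:995 Source:192.168.1.66 Destination:192.0.2.10 Length:60 TOS:0x00 Protocol:TCP Service:POP3S
"""

if __name__ == "__main__":
    for r in assess_log(SAMPLE_LOG):
        print("%-15s port %5d (%-7s) %s" % (r["remote"], r["port"], r["service"], r["verdict"]))
```

An inbound packet to a local ephemeral port is what a reply, or a late packet arriving after the local program has already closed its connection, looks like to a firewall; blacklisting the remote address on that basis blocks a server this host chose to contact, and if that server happens to be the mail server (995 is pop3s) the mail client stops connecting, which is the behaviour described in the first post.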
As a test, exit the gui and stop any feasible services. Shut down other computers on your lan (if applicable). Basically, kill everything other than the network and logging so you can be moderately sure that it isn't something on your computer. If the packets stop, then start things slowly until you figure out what the culprit is. If the packets don't stop, then I might think about consulting with the Weather Service's IT department.
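Before stopping everything, it is worth asking the kernel directly which program holds a connection to the address in question. This Python script is an added example, not code from the thread: it parses `ss -tnp` output (on Etch the equivalent is `netstat -tnp`, whose column layout differs) and reports, for a given peer address, the owning processes plus any sockets to that peer that no process owns any more. The sample output, process names and PIDs are constructed; the TIME-WAIT line is an assumption about what an already-closed connection to 140.90.128.70 would look like.

```python
"""Find which local process owns the connection to an address seen in the firewall log.

Added example for this thread, not code from the original post. It parses
the output of `ss -tnp` (on an Etch-era system `netstat -tnp` gives the same
information in a different layout); the sample output and process names
below are constructed.
"""
import re
import subprocess

# ss prints the owner as users:(("name",pid=NNN,fd=NN)), possibly several per socket.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(text):
    """Parse `ss -tnp` output into one dict per socket (header line skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        peer_ip, peer_port = parts[4].rsplit(":", 1)
        conns.append({
            "state": parts[0],
            "local": parts[3],
            "peer_ip": peer_ip,
            "peer_port": int(peer_port),
            "procs": [(name, int(pid)) for name, pid in PROC_RE.findall(line)],
        })
    return conns


def who_talks_to(text, ip):
    """Return (owners, orphans): processes holding a socket to ip, and the
    states of sockets to ip that belong to no process any more (e.g. TIME-WAIT)."""
    owners, orphans = set(), []
    for c in parse_ss(text):
        if c["peer_ip"] != ip:
            continue
        if c["procs"]:
            owners.update(c["procs"])
        else:
            orphans.append(c["state"])
    return sorted(owners), orphans


def live_ss():
    """Run ss on this host; run as root to see process names for other users' sockets."""
    return subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout


# Constructed sample of `ss -tnp` output. Process names and PIDs are invented;
# the addresses are the ones from the thread plus a documentation address.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB      0      0      192.168.1.66:46803    208.99.69.105:80    users:(("panel-applet",pid=2211,fd=15))
ESTAB      0      0      192.168.1.66:51022    192.0.2.10:995      users:(("thunderbird-bin",pid=1902,fd=42))
TIME-WAIT  0      0      192.168.1.66:51103    140.90.128.70:80
"""

if __name__ == "__main__":
    for ip in ("208.99.69.105", "140.90.128.70"):
        owners, orphans = who_talks_to(SAMPLE_SS, ip)
        print(ip, "owned by", owners or "nobody", "orphan sockets:", orphans)
```

Run it as root so ss can show process names for sockets belonging to other users. A connection whose owner has already exited appears only as a TIME-WAIT socket with no process attached; a late packet from that peer arriving afterwards is exactly the kind of traffic a firewall drops and logs as inbound to a local ephemeral port, so a log hit alone does not prove anything is still running. If an owner is found, stop that one program first rather than everything.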
Thank you gd2shoe, that makes sense. Again, my knowledge is limited, I'm not an IT guy, just a home user, so it may take me some time to figure it out. I have other computers I use, so it's not any kind of emergency.
Might I suggest that you see if the National Weather Service operates a public time server?
It's possible that your machine is syncing its time against the NWS NTP server...
You can check which servers are being used in your local config file /etc/ntp.conf or similar.
While that is generally possible, I can think of two reasons why not. First, it is on an unused port (probably an upper port) which is why it shows up as an unknown service. NTP would be known (in /etc/services). Besides, I think NTP is usually UDP, as opposed to TCP (could be wrong on that one).
Furthermore, Debian by default syncs with Debian ntp servers. It is highly doubtful that any of those are controlled by the NWS. If I had my Debian box handy I'd confirm that.
FYI, the startup/terminate scripts for services are found in /etc/init.d. Specifying any of those followed by 'stop' will stop the service if it's running. Example:
gd2shoe, for some unknown reason, the firewall, after running for many months without issue, seems to have become hypersensitive: I go to certain sites, and it logs that site as a hit, although it's a legitimate site. Sites like Carmax.com. And for some reason, it was logging my email every time it tried to connect to the server to check for messages. I've unblocked several that were legitimate, and those that were questionable, I blocked at the source. I don't seem to be having any more problems. Later on I am going to poke around with the terminate scripts, and unblock the Weather Service IP and see what happens.
Thanks for the useful info, it's much appreciated.
Jason72