LinuxQuestions.org

Linux - Security forum: So what's all this mean to me? (http://www.linuxquestions.org/questions/linux-security-4/so-whats-all-this-mean-to-me-38506/)

WeNdeL 12-16-2002 09:06 AM

So what's all this mean to me?
 
My department has recently set up a new mail server. My supervisor has the kernel logwatch being forwarded to me and I am unsure of what to make of the output. A lot of it looks like random people trying to poke and prod the box for certain open ports. Now what I am most curious about are entries like these:

Denied packets from vmb-ext.prodigy.net (207.115.63.87).
Port 2305 (tcp,eth0,input): 6 packet(s).
Port 2283 (tcp,eth0,input): 7 packet(s).
Port 2131 (tcp,eth0,input): 8 packet(s).
Port 2238 (tcp,eth0,input): 4 packet(s).
Port 2349 (tcp,eth0,input): 10 packet(s).
Port 2162 (tcp,eth0,input): 9 packet(s).
Port 2206 (tcp,eth0,input): 8 packet(s).
Total of 52 packet(s).

Denied packets from vmg-ext.prodigy.net (207.115.63.93).
Port 2347 (tcp,eth0,input): 10 packet(s).
Port 2160 (tcp,eth0,input): 8 packet(s).
Port 2204 (tcp,eth0,input): 4 packet(s).
Port 2303 (tcp,eth0,input): 8 packet(s).
Port 2281 (tcp,eth0,input): 9 packet(s).
Port 2240 (tcp,eth0,input): 6 packet(s).
Port 2129 (tcp,eth0,input): 8 packet(s).
Total of 53 packet(s).

Denied packets from vmd-ext.prodigy.net (207.115.63.89).
Port 2301 (tcp,eth0,input): 8 packet(s).
Port 2228 (tcp,eth0,input): 6 packet(s).
Port 2335 (tcp,eth0,input): 10 packet(s).
Port 2141 (tcp,eth0,input): 6 packet(s).
Port 2273 (tcp,eth0,input): 8 packet(s).
Port 2214 (tcp,eth0,input): 6 packet(s).
Port 2179 (tcp,eth0,input): 4 packet(s).
Total of 48 packet(s).

Denied packets from vm7-ext.prodigy.net (207.115.63.121).
Port 2338 (tcp,eth0,input): 8 packet(s).
Port 2139 (tcp,eth0,input): 6 packet(s).
Port 2272 (tcp,eth0,input): 6 packet(s).
Port 2217 (tcp,eth0,input): 9 packet(s).
Port 2178 (tcp,eth0,input): 6 packet(s).
Port 2300 (tcp,eth0,input): 9 packet(s).
Port 2227 (tcp,eth0,input): 8 packet(s).
Total of 52 packet(s).

Denied packets from vmi-ext.prodigy.net (207.115.63.96).
Port 2241 (tcp,eth0,input): 8 packet(s).
Port 2181 (tcp,eth0,input): 10 packet(s).
Port 2339 (tcp,eth0,input): 6 packet(s).
Port 2296 (tcp,eth0,input): 8 packet(s).
Port 2208 (tcp,eth0,input): 6 packet(s).
Port 2145 (tcp,eth0,input): 6 packet(s).
Port 2269 (tcp,eth0,input): 8 packet(s).
Total of 52 packet(s).

Denied packets from vmh-ext.prodigy.net (207.115.63.97).
Port 2299 (tcp,eth0,input): 8 packet(s).
Port 2275 (tcp,eth0,input): 9 packet(s).
Port 2216 (tcp,eth0,input): 6 packet(s).
Port 2177 (tcp,eth0,input): 9 packet(s).
Port 2230 (tcp,eth0,input): 6 packet(s).
Port 2337 (tcp,eth0,input): 8 packet(s).
Port 2137 (tcp,eth0,input): 9 packet(s).
Total of 55 packet(s).

And so on... my box has been hit by someone from the 207.115.63 network for the past few days. Are they slowly port scanning me? What should I make of this?

I am also seeing a lot of these as well:

Denied packets from performance-104.sef.pnap.net (63.251.161.104).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).

Denied packets from performance-test-67.lax.pnap.net (216.52.254.67).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).

Denied packets from performance-test-72.lax.pnap.net (216.52.254.72).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).

Denied packets from performance-233.nyc.pnap.net (216.223.48.233).
Port 0 (icmp,eth0,input): 8 packet(s).
Total of 8 packet(s).

Any ideas of what this is all about? I am new to the sysadmin realm and don't know a whole lot about security.

Thanks in advance...

unSpawn 12-16-2002 10:02 AM

From the name I would venture performance-test.*lax.pnap.net are some sort of Akamai-like outfit trying to serve pages from a close by location or something like that.

The logwatches don't mean a thing to me.
If the ports mentioned are ports local to the box, my portdb shows 3 hits:
]$ port 2305
2305/tcp mt-scaleserver MT ScaleServer
2305/udp mt-scaleserver MT ScaleServer
]$ port 2238
2238/tcp aviva-sna AVIVA SNA SERVER
2238/udp aviva-sna AVIVA SNA SERVER
]$ port 2349
2349/tcp redstorm_diag Diagnostics Port
2349/udp redstorm_diag Disgnostics Port
..which don't mean a thing if you ain't running those.
Btw, are these packets per second or what?
Do you have legitimate business (traffic) with .*ext.prodigy.net?
If the packets are logged, but the system ain't running anything on those ports and the packets haven't got bad flags, why ain't they silently discarded?
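As an added example (not code from either poster), here is a small Python script that parses the logwatch "Denied packets" blocks quoted in this thread and labels each source along the lines of unSpawn's questions: does it touch a port the box actually serves, is it ICMP only, or does it spread a few packets across many closed ports? The sample block, the listening-port set and the scan threshold are constructed assumptions.

```python
import re

# Constructed sample in the logwatch "Denied packets" layout quoted above (not a real capture).
SAMPLE_LOG = """\
Denied packets from vmb-ext.prodigy.net (207.115.63.87).
Port 2305 (tcp,eth0,input): 6 packet(s).
Port 2283 (tcp,eth0,input): 7 packet(s).
Port 2131 (tcp,eth0,input): 8 packet(s).
Total of 21 packet(s).
Denied packets from performance-104.sef.pnap.net (63.251.161.104).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).
"""

HEADER = re.compile(r"^Denied packets from (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)\.$")
ENTRY = re.compile(r"^Port (\d+) \((\w+),(\w+),(\w+)\): (\d+) packet\(s\)\.$")

def parse_logwatch(text):
    """Group the 'Denied packets' report by source IP: {ip: {"host": ..., "ports": {...}}}."""
    sources, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = sources.setdefault(m.group(2), {"host": m.group(1), "ports": {}})
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            key = (m.group(2), int(m.group(1)))  # (protocol, local port the packet was aimed at)
            current["ports"][key] = current["ports"].get(key, 0) + int(m.group(5))
    return sources

def classify(sources, listening, scan_threshold=3):
    """Label each source; `listening` = set of (proto, port) the box actually serves,
    `scan_threshold` = assumed number of distinct closed TCP ports that makes a source scan-like."""
    verdicts = {}
    for ip, info in sources.items():
        tcp_ports = {port for proto, port in info["ports"] if proto == "tcp"}
        hits = sorted(k for k in info["ports"] if k in listening)
        if hits:
            label = "hits-listening-service"  # denied traffic to a real service: investigate
        elif all(proto == "icmp" for proto, _ in info["ports"]):
            label = "icmp-only"  # pings/unreachables, normally harmless when dropped
        elif len(tcp_ports) >= scan_threshold:
            label = "scan-like"  # many closed ports, a handful of packets each
        else:
            label = "background-noise"
        verdicts[ip] = {"host": info["host"], "total": sum(info["ports"].values()),
                        "distinct_tcp_ports": len(tcp_ports), "hits": hits, "label": label}
    return verdicts
```

Feed it the real logwatch mail and your own list of listening ports (from `netstat -tlnp` or similar) to see which sources are worth a second look.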
