LinuxQuestions.org > Linux - Security > What do these httpd log file entries mean?
(https://www.linuxquestions.org/questions/linux-security-4/what-do-these-httpd-log-file-entries-mean-4175441179/)

unSpawn 12-13-2012 10:13 AM

It took me a while to notice there's no HTTP method involved, so these aren't valid HTTP requests (=clients?) to begin with.
Quote:

Originally Posted by mitusf (Post 4848499)
just in case someone wants to get an idea

Do you plan to enable iptables logging and capture packets as well?

mitusf 12-13-2012 11:04 AM

Yes, but first I must see how to do it (the firewall logging), I have no idea so far, and with Wireshark I suppose I must let the computer work for days until I "receive" the custom salute from the outsiders. :)

Ah, ok, it's the LOG target, but where is the info logged?

I think that without being set up (iptables log in syslogd and logrotate) it is logged by dmesg, but within its limits, I think. So I must learn how to set up logging of iptables in syslogd and then logrotate. Maybe I am wrong but this is what I think.

BTW, is it appropriate or enough to see the current connections to my computer with "netstat -aut", or do I need more options here?

unSpawn 12-13-2012 11:23 AM

'man iptables':

Code:

LOG
  Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel
  will print some information on all matching packets (like most IP header fields) via the kernel
  log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule
  traversal continues at the next rule. So if you want to LOG the packets you refuse, use two
  separate rules with the same matching criteria, first using target LOG then DROP (or REJECT).


Quote:

Originally Posted by mitusf (Post 4848591)
Maybe I am wrong but this is what I think.

After thinking and before posting it would be good to consult your documentation. What you wrote about only concerns you if you don't run syslogd and don't run a logrotate cron job.


Quote:

Originally Posted by mitusf (Post 4848591)
is it appropriate or enough to see the current connections to my computer with "netstat -aut", or do I need more options here?

The fastest way to display info with a (networking) tool is to avoid any resolving. Often (ls, lsof, netstat, iptables, tcpdump, etc, etc) applications have a "-n" switch for that. BTW, why would we need to see 'netstat' output?
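The man page excerpt above says where LOG output ends up (the kernel log, read via dmesg or syslogd) but not what a logged packet looks like. The following is an added example, not code from anyone in the thread: it shows the LOG-then-DROP rule pair in a comment and parses constructed kernel-log lines of the kind that pair produces, counting SYNs per source. The `--log-prefix "HTTP-SYN: "` tag, the rate limit and the sample lines are assumptions for the example.

```python
"""Read what the iptables LOG target writes to the kernel log.

Added example, not from the thread. The rule pair follows the man page excerpt
above: LOG does not terminate rule traversal, so the same match appears twice,
first with LOG and then with DROP (the prefix "HTTP-SYN: " and the rate limit
are assumptions, not something the thread specifies):

    iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 10/min -j LOG --log-prefix "HTTP-SYN: "
    iptables -A INPUT -p tcp --dport 80 --syn -j DROP

Each logged packet becomes one 'kernel:' line of KEY=VALUE fields plus bare flag
tokens (DF, SYN, ACK ...). The lines below are constructed to mimic such output
as syslogd/rsyslog writes it to /var/log/kern.log or /var/log/messages.
"""
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
PREFIX_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(.*?)IN=")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}

# Constructed sample: three LOG hits and one unrelated kernel message.
SAMPLE_KERN_LOG = """\
Dec 13 10:13:01 web kernel: [ 1234.567890] HTTP-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=46.38.41.11 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 13 10:13:02 web kernel: [ 1235.001234] HTTP-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=46.38.41.11 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 13 10:14:10 web kernel: [ 1303.442000] HTTP-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=213.215.89.201 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 13 10:14:11 web kernel: [ 1304.100000] usb 1-1: new high-speed USB device number 2 using ehci_hcd
"""


def parse_log_line(line):
    """Return a dict of the LOG fields (plus PREFIX and FLAGS), or None for other kernel output."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["PREFIX"] = m.group(1).strip()
    fields["FLAGS"] = {tok for tok in line.split() if tok in FLAG_TOKENS}
    return fields


def summarize_syns(log_text, min_hits=1):
    """Count logged TCP SYNs per source and list the destination ports each source touched."""
    hits = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP" or "SYN" not in f["FLAGS"]:
            continue
        hits[f["SRC"]] += 1
        ports[f["SRC"]].add(int(f["DPT"]))
    return {src: (n, sorted(ports[src])) for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, (n, dports) in summarize_syns(SAMPLE_KERN_LOG).items():
        print(f"{src:>16}  {n} SYN(s) to port(s) {dports}")
```

Because the LOG target writes through the kernel log, the lines land wherever syslogd/rsyslog sends the kern facility; with rsyslog, a property filter on the prefix (for example `:msg, contains, "HTTP-SYN: " -/var/log/iptables.log` followed by `& stop`) moves them into their own file, which a logrotate stanza for that file then rotates like any other log. The `-m limit` match on the LOG rule keeps a flood of SYNs from filling the log faster than it rotates.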

mitusf 12-13-2012 11:49 AM

I was thinking about the possibility that someone intruded and with netstat I can see his connection... not started by me, of course... and get an idea of what he is doing.

You're right about reading the documentation first. Sorry about that hurry.

unSpawn 12-13-2012 12:15 PM

Quote:

Originally Posted by mitusf (Post 4848624)
I was thinking about the possibility that someone intruded and with netstat I can see his connection... not started by me, of course... and get an idea of what he is doing.

Do you have a gut feeling, suspicion or clue your machine may be compromised?

mitusf 12-13-2012 12:20 PM

Sincerely, I hope and I don't really believe that it was compromised, but I think these were only tries to break in. This is my feeling, after a behavior analysis of the "attacks" in the server log, without knowing the server's internals.

unSpawn 12-13-2012 01:22 PM

Then let's stick with logging web server requests, firewall connections and capturing packets with
Code:

tcpdump -n -nn -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp[tcpflags] & tcp-syn != 0 and dst port 80'

for now?

mitusf 12-13-2012 01:27 PM

Here is another fresh log record:

Quote:

46.38.41.11 - - [13/Dec/2012:20:59:16 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 44
Do you know what happened? I have read that code 200 means that something was delivered, but what? I don't get it.

Your command seems a little too complicated for me right now. Maybe later I will be able to decode it.

Update: the IP is from Russia

mitusf 12-14-2012 05:36 PM

unSpawn, thank you for your answer, it was really interesting, though I need more study of the tcpdump syntax. Also, what does the -nn flag mean? I didn't find it in the man page; maybe I should try with info?

unSpawn 12-14-2012 09:00 PM

-nn Don't convert protocol and port numbers etc. to names either.
Come to think of it just
tcpdump -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp[tcpflags] & tcp-syn != 0 and dst port 80'
should do because you're logging to file.
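The capture command above writes raw packets to a file rather than printing them, so the question becomes how to read that file afterwards. The following is an added example, not code from the thread: it reads the classic pcap container that `tcpdump -w` produces using only the Python standard library, applies the same test as the capture filter (SYN flag set, destination port 80), and counts hits per source address. The capture itself is constructed in memory from hand-built frames; 192.0.2.10 and 203.0.113.5 are documentation addresses used as placeholders, and the packet timestamps are arbitrary.

```python
"""Count TCP SYNs to port 80 per source in a tcpdump -w capture.

Added example, not from the thread. Reads the classic pcap format with the
standard library only and mirrors the capture filter in Python. The capture
is constructed from hand-built frames; checksums are left zero because the
parser never verifies them.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian file, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TH_SYN, TH_ACK, TH_PSH = 0x02, 0x10, 0x08


def iter_frames(data):
    """Yield the captured bytes of each record in a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled here")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen


def syn_to_port(frame, port):
    """Return (src, dst) if the frame is an IPv4 TCP segment with SYN set and dst port `port`."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length in bytes
    if len(ip) < ihl + 14:                     # need the TCP header up to the flags byte
        return None
    dport = struct.unpack_from("!H", ip, ihl + 2)[0]
    flags = ip[ihl + 13]
    if dport != port or not flags & TH_SYN:
        return None
    return str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))


def count_syn_sources(data, port=80):
    """Per-source count of SYNs to `port`, the first summary to look at for scans or SYN floods."""
    hits = Counter()
    for frame in iter_frames(data):
        hit = syn_to_port(frame, port)
        if hit:
            hits[hit[0]] += 1
    return hits


def build_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame (constructed test input)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, IPPROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in the little-endian classic pcap container that tcpdump -w writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1355400000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_CAPTURE = build_pcap([
    build_frame("46.38.41.11", "192.0.2.10", 51234, 80, TH_SYN),           # SYN to :80
    build_frame("46.38.41.11", "192.0.2.10", 51235, 80, TH_SYN),           # second SYN, same source
    build_frame("192.0.2.10", "46.38.41.11", 80, 51234, TH_SYN | TH_ACK),  # SYN-ACK reply: dst port 51234
    build_frame("213.215.89.201", "192.0.2.10", 40000, 80, TH_SYN),        # SYN from a second source
    build_frame("203.0.113.5", "192.0.2.10", 40001, 80, TH_PSH | TH_ACK),  # data segment, no SYN
    build_frame("203.0.113.5", "192.0.2.10", 40002, 443, TH_SYN),          # SYN, but to :443
])

if __name__ == "__main__":
    for src, n in count_syn_sources(SAMPLE_CAPTURE).most_common():
        print(f"{src:>16}  {n} SYN(s) to port 80")
```

On a real file, replace `SAMPLE_CAPTURE` with `open("/path/to/dump.pcap", "rb").read()`. The check deliberately ignores the SYN-ACK the server sends back (its destination port is the client's ephemeral port, not 80), which is also why the capture filter says `dst port 80` and not just `port 80`.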

mitusf 12-15-2012 04:30 AM

Quote:

Originally Posted by OlRoy (Post 4848478)
Seeing logs that contain hex and some printable ASCII characters makes me think binary data, and possibly shellcode.

213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207


Code:

$ rasm2 -d 'eb e1 2c df 89 d4 45 b4 ea'
jmp 0x8047fe3
sub al, 0xdf
mov esp, edx
inc ebp
mov ah, 0xea

I'm definitely not familiar enough with Linux shellcode to say whether that is part of valid shellcode, but the above are all very common instructions. As unSpawn was saying, it's hard to say much without more context...

Thank you very much OlRoy, your response opened up a totally new and interesting perspective to me. Thanks!
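Three observations in this thread can be mechanised: unSpawn's point that an entry with no HTTP method is not an HTTP request at all, the question of what the `GET http://www.yahoo.com/` line with a 200 means, and OlRoy's step of turning the logged `\xNN` escapes back into bytes before disassembling them. The following is an added example, not code from any poster: it parses Apache common/combined log lines, undoes Apache's escaping of non-printable request bytes, and labels each entry with the reasons a defender would look twice. A request line carrying an absolute URI is the form a client sends to a forward proxy, so such entries are commonly read as open-proxy probes; CONNECT requests fall in the same class. The first two sample lines are the ones quoted in the thread; the other two are constructed, with 203.0.113.5 as a placeholder address.

```python
"""Classify odd request lines in an Apache access log.

Added example, not from any poster in the thread. Parses common/combined log
format, undoes Apache's \\xNN escaping of non-printable request bytes, and
labels each entry with the reasons a defender would look twice. The first two
sample lines are quoted in the thread; the rest are constructed.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
REQ_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(["\\])')   # \xNN, \" and \\ as Apache writes them
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}

SAMPLE_LOG = r"""
46.38.41.11 - - [13/Dec/2012:20:59:16 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 44
213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207
203.0.113.5 - - [13/Dec/2012:21:00:00 +0200] "GET /index.html HTTP/1.1" 200 1280
203.0.113.5 - - [13/Dec/2012:21:00:01 +0200] "CONNECT www.example.com:443 HTTP/1.1" 405 228
""".strip().splitlines()


def unescape_request(req):
    """Recover the raw bytes the client sent from the escaped request field."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(req):
        out += req[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16) if m.group(1) else ord(m.group(2)))
        pos = m.end()
    out += req[pos:].encode("latin-1")
    return bytes(out)


def classify(line):
    """Return (ip, request, status, reasons); reasons is empty for an ordinary request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req, status = m.group("req"), int(m.group("status"))
    reasons = []
    raw = unescape_request(req)
    if any(b < 0x20 or b > 0x7E for b in raw):
        reasons.append("non-printable bytes in request line: binary data, not HTTP")
    r = REQ_RE.match(req)
    if r is None:
        reasons.append("no '<METHOD> <target> HTTP/x.y' request line")
    else:
        method, target = r.group("method"), r.group("target")
        if method not in METHODS:
            reasons.append(f"unknown method {method}")
        if target.lower().startswith(("http://", "https://")):
            reasons.append("absolute URI in request: client is using this server as a forward proxy")
        if method == "CONNECT":
            reasons.append("CONNECT tunnel request: only a proxy would honour it")
    if status == 501:
        reasons.append("server answered 501 Not Implemented")
    return m.group("ip"), req, status, reasons


def flagged(lines):
    """Classify every parseable line and keep only the ones with at least one reason."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[3]]


if __name__ == "__main__":
    for ip, req, status, reasons in flagged(SAMPLE_LOG):
        print(f"{ip:>16} {status} {req!r}")
        for why in reasons:
            print(f"{'':>16}   - {why}")
        if any("binary" in why for why in reasons):
            print(f"{'':>16}   raw bytes: {unescape_request(req).hex()}")
```

For the 501 entry, `unescape_request` yields the byte string `eb e1 2c df 89 d4 45 b4 ea`, the same input OlRoy gave to rasm2, so the classifier's output can be fed straight to a disassembler when a line is flagged as binary. For the yahoo.com entry, the reason is the absolute URI; the classifier does not claim anything about what the server actually did with it, only that the request shape is the one a forward proxy would receive.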

