Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
There are quite a few of these, and it seems as though I'm getting pinged? probed? Something tries to connect to me every couple of minutes. I'm on dial-up, so it must be a bit of a random attack (if that's what it is) or probes. Dunno. Can anyone shed a bit of light on this: is it usual activity or what? It looks like each machine tries a couple of times and then gives up, but there are a couple of IPs that seem to persist.
Jan 4 17:34:02 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=32890 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
This is an attempt to access the SMB service (Windows file sharing/Samba). There is extremely heavy scanning of this port due to Sasser as well as other recent MS vulnerabilities.
Jan 4 17:34:02 localhost xinetd[4013]: warning: /etc/hosts.allow, line 14: missing newline or line too long
Looks like some kind of syntax error in your /etc/hosts.allow file. Run cat -n /etc/hosts.allow to find line 14 with the error.
Jan 4 17:34:04 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33038 DF PROTO=TCP SPT=4568 DPT=445 SEQ=2147803377 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:05 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33091 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Same as the first entry. The timestamps indicate that these two entries, as well as the first one, occur in very close proximity, so they are likely all part of the same scan.
Jan 4 17:34:15 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=65.54.183.192 DST=203.220.189.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=49357 DF PROTO=TCP SPT=80 DPT=1488 SEQ=2127918413 ACK=4186446535 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 17:34:20 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=64.4.53.253 DST=203.220.189.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=7936 DF PROTO=TCP SPT=80 DPT=1490 SEQ=1104106496 ACK=4187549355 WINDOW=0 RES=0x00 ACK RST URGP=0
Not 100% sure about these (I don't use guarddog), but I believe guarddog logs half-open scans as "ABORTED", so basically this is an attempt to stealth scan port 80 (HTTP). Scans are a pretty common occurrence on the internet nowadays; most of them are automated (a scanning tool or worm), but they can indicate someone manually attempting to profile your system for further attack. Depending on your level of paranoia, you can choose to block that IP address entirely using guarddog. But if your web server is fully updated, then you should be alright.
There are quite a few of these, and it seems as though I'm getting pinged? probed? Something tries to connect to me every couple of minutes. I'm on dial-up, so it must be a bit of a random attack (if that's what it is) or probes. Dunno. Can anyone shed a bit of light on this: is it usual activity or what? It looks like each machine tries a couple of times and then gives up, but there are a couple of IPs that seem to persist.
Welcome to the internet. Most people have no clue what it's really like, so it can be disconcerting to see the continuous stream of probes and scans. For persistent abusers, you can block them with guarddog and send a polite email to the ISP that is responsible for that IP (you can usually find an administrative or abuse@ email address by doing a whois query on that IP).
I've got Windows on this machine as well, with NIS. If I'm on the net a lot, then I might get maybe one intrusion detection a day. How come the difference? Is it the type of scan being attempted that makes the intrusion detection go off? By the way, the line in /etc/hosts is uncommented? I've had that warning with fstab before and just scrolled to the end of the last line, hit enter a couple of times, saved it, and it went away. This line isn't at the end though, and it is part of the original file, not something I have done. Just been looking through syslog again, and the DPT (which I'm assuming is the port that is targeted) is 445 on probably 98% of the logs.
I've got Windows on this machine as well, with NIS. If I'm on the net a lot, then I might get maybe one intrusion detection a day. How come the difference?
Probably just a difference in logging sensitivity. The major firewall utilities vary in what they log as an intrusion attempt. Default logging in Windows is virtually nil, while Linux defaults are only slightly better; guarddog/firestarter are fairly reasonable, while Windows Zone Alarm is crackhead logging. For an accurate view, use a packet sniffer like Ethereal/tcpdump and watch raw traffic off the wire for a while to see how many unsolicited packets and scans you'll receive.
By the way, the line in /etc/hosts is uncommented? I've had that warning with fstab before and just scrolled to the end of the last line, hit enter a couple of times, saved it, and it went away. This line isn't at the end though, and it is part of the original file, not something I have done.
Not sure. Edit the file again, go to the end of line 14 and hit return to introduce a new line. If that doesn't help, then post the contents of the file (remove any public IPs).
Just been looking through syslog again, and the DPT (which I'm assuming is the port that is targeted) is 445 on probably 98% of the logs.
According to DShield it is currently THE most heavily scanned port, so it's not that surprising. Not sure guarddog can selectively log according to destination port (DST), but you might have some luck using rate limiting so that your logs don't get flooded with garbage. Also, make sure that none of the log entries are coming from your internal Windows machine.
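As an added example (not code from the thread or from guarddog), here is a small Python script that parses netfilter-style kernel log lines like the ones posted above and tallies destination ports, source addresses and TCP flags, so you can see at a glance how much of the log is SYN attempts to port 445, what is a reset from a server port, and whether any entries come from a private (internal) address. The sample input is the thread's own lines plus one constructed line from 192.168.1.5 standing in for an internal Windows box.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Sample input: the thread's own kernel/xinetd lines plus one constructed line
# (192.168.1.5 -> 192.168.1.1) standing in for an internal Windows box.
SAMPLE_LOG = """\
Jan 4 17:34:02 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=32890 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:04 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33038 DF PROTO=TCP SPT=4568 DPT=445 SEQ=2147803377 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:15 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=65.54.183.192 DST=203.220.189.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=49357 DF PROTO=TCP SPT=80 DPT=1488 SEQ=2127918413 ACK=4186446535 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 17:34:02 localhost xinetd[4013]: warning: /etc/hosts.allow, line 14: missing newline or line too long
Jan 4 17:35:01 localhost kernel: DROPPED IN=eth0 OUT= MAC= SRC=192.168.1.5 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=100 DF PROTO=TCP SPT=1030 DPT=445 SEQ=1 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE fields (IN=, SRC=, DPT=, ...)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}  # bare tokens, not KEY=VALUE

def parse_line(line):
    """Parse one netfilter log line into a dict; return None for other syslog lines."""
    m = re.search(r"kernel: (\w+) (IN=.*)$", line)
    if not m:
        return None
    rec = {"verdict": m.group(1)}            # DROPPED / ABORTED (the firewall's log prefix)
    rec.update(KV_RE.findall(m.group(2)))
    # "ACK=..." is the ack number; a bare "ACK"/"SYN"/"RST" token is a flag.
    rec["flags"] = {t for t in m.group(2).split() if t in TCP_FLAGS}
    return rec

def classify(rec):
    """Label a record along the lines the replies above use for triage."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    if ip_address(rec["SRC"]).is_private:
        return "internal-source"             # your own LAN box, not the internet
    if rec["flags"] == {"SYN"}:              # new connection attempt to a closed port
        return "smb-probe" if rec["DPT"] == "445" else "connect-attempt"
    if {"ACK", "RST"} <= rec["flags"]:       # a reset, here from a server's port 80
        return "reset"
    return "other"

def summarize(log_text):
    """Count destination ports, source addresses and labels across the log."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {"dpt": Counter(r["DPT"] for r in recs),
            "src": Counter(r["SRC"] for r in recs),
            "label": Counter(classify(r) for r in recs)}

if __name__ == "__main__":
    for key, counter in summarize(SAMPLE_LOG).items():
        print(key, counter.most_common(3))
```

Feed it your real syslog (grep for the "kernel:" lines first) to get the same three counters over a whole day; a non-empty "internal-source" count is the check the reply above asks for.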