Old 07-10-2010, 12:15 PM   #1
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Rep: Reputation: 17
Help understanding tcpdump and ssh security

I have ssh open to one of my servers on a non-standard port. I have never seen anything to make me believe someone has cracked or even has tried to crack into the machine in the past. However, I was troubleshooting another issue I had and noticed entries like this in my tcpdump output:

13:09:22.341390 IP > UDP, length 67
13:09:22.341427 IP > UDP, length 67
13:09:22.341464 IP > UDP, length 67
13:09:22.341499 IP > UDP, length 67
13:09:22.396750 IP > UDP, length 58
13:09:22.698354 IP > UDP, length 58

Obviously some of these are IP addresses of people on ISPs. Are these people just scanning ports?

I do not see any invalid users in my secure log, so I am not too concerned right now. But I am getting a ton of these (above entries) in my tcpdumps, so it is a little scary to think that there are this many people trying to scan my ports and possibly attacking me.

I am just trying to learn more about security and TCP packets; if anyone can give me some information that would be helpful, I would appreciate it.
Old 07-10-2010, 12:55 PM   #2
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
On the network level, you can see what is in the packets using tcpdump:

tcpdump -nnvvXs0 -i eth0 'udp port 51413'

On the host level you can see what process is sending it using:

lsof -i | grep :51413

It doesn't look like you're being attacked; it looks like your host is making outbound connections to other hosts as part of BitTorrent or something similar. The best way to know for sure is to run the above commands.

Last edited by OlRoy; 07-10-2010 at 12:57 PM.
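The direction test that the reply above relies on (is the local host sending on 51413, or only receiving?) can be applied mechanically to a tcpdump capture. The script below is an added example and is not from OlRoy's post or from the original poster; the capture lines and the local address 192.0.2.10 are constructed for the demo using RFC 5737 documentation addresses, and the `ss` lookup at the end is an assumed equivalent of the lsof command in the reply. It assumes tcpdump's default one-line output with `-n`, as in the question.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether UDP traffic seen in
# tcpdump is unsolicited inbound (possible scanning) or outbound from a local
# process, by tallying direction per local port. Assumes tcpdump's default
# one-line format with -n:  "HH:MM:SS.usec IP src.port > dst.port: UDP, length N"
# LOCAL_IP and the capture below are constructed for the demo (RFC 5737
# documentation addresses), not a real capture.

LOCAL_IP=192.0.2.10

SAMPLE_CAPTURE='13:09:22.341390 IP 192.0.2.10.51413 > 198.51.100.5.6881: UDP, length 67
13:09:22.341427 IP 192.0.2.10.51413 > 203.0.113.77.21432: UDP, length 67
13:09:22.341464 IP 192.0.2.10.51413 > 198.51.100.9.6881: UDP, length 67
13:09:22.396750 IP 198.51.100.5.6881 > 192.0.2.10.51413: UDP, length 58
13:09:22.698354 IP 203.0.113.77.21432 > 192.0.2.10.51413: UDP, length 58
13:09:23.001122 IP 203.0.113.200.44512 > 192.0.2.10.22222: UDP, length 30'

# classify_udp LOCAL_IP  (reads tcpdump lines on stdin)
# Prints "<local port> out=<sent> in=<received> peers=<distinct remote hosts>"
classify_udp() {
    awk -v me="$1" '
        $2 == "IP" && $4 == ">" && $6 == "UDP," {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # "a.b.c.d.port" -> address and port, split at the last dot
            n = match(src, /\.[0-9]+$/); sip = substr(src, 1, n - 1); sport = substr(src, n + 1)
            n = match(dst, /\.[0-9]+$/); dip = substr(dst, 1, n - 1); dport = substr(dst, n + 1)
            if (sip == me)      { out[sport]++; seen[sport, dip] = 1 }
            else if (dip == me) { inb[dport]++; seen[dport, sip] = 1 }
        }
        END {
            for (k in seen) { split(k, f, SUBSEP); peers[f[1]]++ }
            for (p in peers)
                printf "%s out=%d in=%d peers=%d\n", p, out[p] + 0, inb[p] + 0, peers[p]
        }' | sort -n
}

# unsolicited_ports LOCAL_IP: local ports that only ever receive. Those are the
# candidates for port scans; a port that also sends (like 51413 above) is a
# local process talking to peers, which is what the reply expects to find.
unsolicited_ports() {
    classify_udp "$1" | awk '$2 == "out=0" { print $1 }'
}

# owner_of_udp_port PORT: map a local port to its process (needs root to see
# other users' sockets). Uses ss, the modern replacement for netstat; the
# lsof command from the reply answers the same question.
owner_of_udp_port() {
    ss -unap "sport = :$1" 2>/dev/null
}

# Demo run over the constructed capture.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_udp "$LOCAL_IP"
printf 'receive-only ports: %s\n' "$(printf '%s\n' "$SAMPLE_CAPTURE" | unsolicited_ports "$LOCAL_IP")"
```

On the sample, port 51413 shows three packets sent and two received from three peers, i.e. a local client with replies coming back, while 22222 is receive-only with no local response, which is the pattern a scan or stray probe leaves. To use it on a live box, pipe `tcpdump -n -i eth0 udp` into `classify_udp <your address>` and run `owner_of_udp_port` on any port that is sending.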
Old 07-10-2010, 01:06 PM   #3
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Thank you OlRoy, that opens my eyes a little.
