Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 02-25-2004, 11:59 AM   #1
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Rep: Reputation: 16
Inbound traffic logs, normal behavior of the internet ?

My firewall script runs as follows:

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 6881:6999 -j ACCEPT #for bittorrent
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

My "/var/log/syslog" is steadily filling up with the log from the inbound traffic. I typed "whois those_ipaddresses" and some are in China, in the Czesh Republic, in Spain... but most of the ip addresses are from my isp. I phoned my isp and they told me the ip addresses belong to other users. Now, is it normal behavior of the internet to have inbound traffic coming from all over the place ?

Thanks in advance for any help,
Old 02-25-2004, 04:57 PM   #2
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,662

Rep: Reputation: 210Reputation: 210Reputation: 210
It's normal. Most of what you get are probably worms scanning IPs to find a machine they can use. You can probably also find scan attempts. If you don't have experience reading the logs, there's software that can produce stats for you. Don't remember names at the moment, sorry.
Old 02-26-2004, 01:57 AM   #3
Registered: Feb 2004
Distribution: Slackware
Posts: 54

Original Poster
Rep: Reputation: 16

Actually by looking a little more closely, I found that mostly they were sending to port 137 and port 445. Googling told me those ports are netbios ports from windows machines and that a recent worm used them.

Besides the firewall, I removed all services in inetd by editing "/etc/inetd.conf" and "kill -HUP id_of_the_inetd_process". By default, it was running a ftp, time, finger, and in.identd.

"nmap -vv localhost" now gives all ports closed.

I have 32k upload and my machine is online 24/7, so I didn't want to leave it unprotected.

Thanks to everyone who helped



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
inbound traffic routing beowulfde Linux - Networking 2 02-20-2005 04:47 PM
Linux and inbound UDP traffic Dwarflord Linux - Networking 4 04-16-2004 01:35 AM
iptables : how do I block inbound traffic from one ip address only? Apollo77 Linux - Security 7 03-22-2004 10:22 AM
Inbound traffic for port 80 Gerardoj Linux - Networking 10 05-29-2003 04:27 PM
where are the logs for my internet traffic tonyh Linux - General 2 05-26-2002 05:12 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:07 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration