Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Its been really bugging me that whenever I scan my connection with wireshark I see this one person sending me a SYN packet every minute on port 445. I know this is the dangerous port that the Conficker worm travels along. So far my computer seems to be immune and I know, at least on the Linux side that I can just add a rule to my ip tables to block that port indefinitely. I want to know what the next step is.
This is one of the packet captures I am getting. After sending me this and getting no reply, all of a sudden he goes up an ip. Basically this would be the pseudocode for what it looks like hes doing on my end.
while(1){
for(int i = 1; i != 255; i++){
send_connection_attempt("XX.XX.XX." + i);
}
}
To me this looks like this guy has hijacked a computer and is using it to run a script over. He is still scanning my network as I said earlier, what should I do? Should I contact my ISP? or just nail down the hatches and make sure nothing is exposed on my network?
Port 445 is used by Microsoft file sharing. This is likely a virus or worm
that the other guy isn't aware of. Best thing is to keep your firewall
running and double-check your security settings.
It's a good idea to notify your ISP, although they might not be able to
do much. Ask them if they want to know when there are problems like this.
You must be able to see where the connections are coming from, so you can block that ip in iptables, either permanently or using a blacklist. Blocking the port is a bit drastic.
Also, you can use that incoming ip to find out who is responsible for that net block and send an email to their abuse department. You don't always get a response, but at least you've tried.
ip tables is fine for linux, but its windows I am worried about. I play games on that OS and my mother also does serious things on her computer too. I really need to build a firewall server one of these days.
But I am curious about how I would go about using their ip and contacting the abuse department you mentioned?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
