Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Hi
Before I open a terminal and start putting in commands I just wanted to talk to someone about this spoofing that I think I have going on.
Each time my firewall is attacked it's been a different port, but it always begins with the number 4 and the source is either 91. or 199. The length has been 1500.
The protocol has always been Transmission Control Protocol.
Could this TCP be my laptop trying to connect to my desktop pc down the hall?
If this is indeed spoofing, how would I verify the authenticity of the datagrams?
Last edited by Ztcoracat; 02-01-2012 at 12:25 AM. Reason: Additional information
Install Wireshark and start capturing packets. You can see the MAC address, ports, data, protocol, and everything else about the packets hitting your computer.
Before I open a terminal and start putting in commands I just wanted to talk to someone about this spoofing that I think I have going on. ... Each time my firewall is attacked
Please elaborate. What do you mean by spoofing and how do you know it is an attack? Do you have log or other information that you could share? At LQ-Security, we deal with facts, not supposition and guesswork. Please provide data and we will gladly help you analyze it to determine what is happening and help you figure out what to do about it.
You mentioned these are firewall logs. I'm assuming you mean from your gateway firewall and not the iptables on your local machine. If that's the case I wouldn't worry about it as a gateway firewall will naturally be flooded with packets of a mysterious and potentially hostile nature as part of its job. If these are coming from the local machine you'll want to do a netstat -ap to see if there is an app on your machine with an active connection on those ports that may have started the communication. The traffic you are seeing could just be a response.
From your description, I assume the destination port was 80. Google and the other search engines operate web crawling bots that go out and find web sites to index. This is normal activity. If you do not operate a web page, you can safely ignore it. As shadowbox12 pointed out, you will also see lots of more hostile traffic appear in your logs which is the result of scanners and other programs. If you are not operating a server application, including SSH, you can leave these ports closed and these scans should be inconsequential.
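To make the advice in the two replies above concrete, here is an added example (not code from the thread) that parses iptables LOG-target lines and an `ss -tln` listing, both constructed here with TEST-NET addresses rather than the poster's real 91.x / 199.x sources, and sorts each dropped packet into: a reply to a connection something local opened (the case to check with netstat -ap), a probe of a port a service actually listens on, or a probe of a closed port, which is the ignorable scanner noise described above. The log field names are the ones iptables' LOG target writes; the ss column layout is assumed.

```python
import re

# Constructed iptables LOG-target lines (TEST-NET addresses, not real sources).
SAMPLE_LOG = """\
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51522 DPT=4444 SYN
kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 LEN=1500 PROTO=TCP SPT=80 DPT=41234 ACK
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.8 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=1500 PROTO=UDP SPT=53 DPT=40001
"""

# Constructed `ss -tln` output for a box where only sshd is listening.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""

FIELD_RE = re.compile(r"\b(SRC|DST|LEN|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")

def parse_log_line(line):
    """Pull the key=value fields and the TCP flag words out of one LOG line."""
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = set(FLAG_RE.findall(line))
    return rec

def listening_ports(ss_output):
    """Ports in LISTEN state from `ss -tln` text (port follows the last ':')."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports

def classify(rec, open_ports):
    """Sort one dropped packet into the buckets the replies describe."""
    if rec.get("PROTO") != "TCP":
        return "not-tcp"
    if "ACK" in rec["FLAGS"] and "SYN" not in rec["FLAGS"]:
        # No SYN: tail of an existing conversation, most likely a reply to a
        # connection a local program opened. Match SPT/DPT against netstat -ap.
        return "reply-to-local-connection"
    if int(rec["DPT"]) in open_ports:
        return "probe-of-open-service"   # a service answers here: review its logs
    return "probe-of-closed-port"        # scanner/crawler noise; nothing listens

def triage(log_text, ss_output):
    """Return (source, destination port, verdict) for every log line."""
    open_ports = listening_ports(ss_output)
    return [(r["SRC"], r["DPT"], classify(r, open_ports))
            for r in map(parse_log_line, log_text.splitlines())]

if __name__ == "__main__":
    for src, dpt, verdict in triage(SAMPLE_LOG, SAMPLE_SS):
        print(f"{src:>15} -> port {dpt:<6} {verdict}")
```

On a real machine, feed it the LOG lines from the system journal or /var/log/kern.log and the actual output of `ss -tln`; only the "reply-to-local-connection" lines need the netstat -ap follow-up.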
As I don't operate a web page, I will, as you mentioned, safely ignore the sites to index.