intruder alert in /var/log/messages
Hi,
I have noticed some possible security issues in my /var/log/messages log but I'm not sure how to read the messages. I'm getting the following lines:
Code:
Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=xx.xx.xx.xx PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
I assume the line with PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) is coming from Samba and should not be an issue. However, the destination IP is (slightly) different from the source IP (my server), i.e. SRC=xx.xx.214.167 and DST=xx.xx.215.255. What do these lines in my log mean, and is there anything else I can check for security issues other than the log files in /var/log? Thanks! Robbert
Those look like firewall log entries for filtered packets. If that's the case, it would seem that you were port scanned and pinged and your firewall did what was expected of it. This sort of thing is quite common on Internet-enabled hosts. You should check your firewall script's documentation to make sure the messages mean the packets were filtered.
Running Nmap against your host might also be a good idea, as it'll let you verify things are working properly.
Hi Win32sux,
Thanks! I guess you are right. It is indeed log output from my firewall. I just did a ping from a different remote computer and PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=116 SEQ=1024 seems to be the response in the log file. I actually think it could have been related to some spyware because after a few good cleanups, it appears that I'm getting a lot less entries in my log file. Thanks for the nmap hint. I will have a look at this. Robbert
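As an added example (not part of the thread and not code from the firewall script being discussed), the script below parses the AIF-style lines quoted above and labels them the way the answer interprets them: a remote host sending SYNs to several ports is the port-scan pattern, an ICMP echo request is a ping probe, and a UDP packet to ports 137/138 whose destination is the broadcast address of the local subnet is NetBIOS/Samba chatter rather than an attacker. The local subnet 10.0.214.0/23 is an assumption (with a /23 the broadcast address of a host at .214.167 is indeed .215.255, which matches the "slightly different" destination in the question); the sample log is constructed from the fragments in the thread, with the masked addresses replaced by private placeholders and the SSH line and the non-firewall syslog line added to show filtering.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. Lines 1 and 4 are built from fragments quoted in the
# thread (masked addresses replaced with 10.0.x.x placeholders); line 2, the
# ICMP line's source address and the final kernel line are invented here.
SAMPLE_LOG = """\
Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=10.0.214.167 PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
Dec 13 23:14:09 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=10.0.214.167 PROTO=TCP DPT=SSH(22) SPT=4185 TTL=52 SYN
Dec 13 23:16:30 AIF:PRIV UDP packet: IN=eth1 SRC=10.0.214.167 DST=10.0.215.255 PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) TTL=64
Dec 13 23:20:01 AIF:PRIV ICMP packet: IN=eth1 SRC=198.51.100.7 DST=10.0.214.167 PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=116 SEQ=1024
Dec 13 23:21:00 gateway kernel: eth1: link is up
"""

# Assumed local network; chosen so that 10.0.215.255 is its broadcast address.
LOCAL_NET = ipaddress.ip_network("10.0.214.0/23")

# KEY=VALUE fields. Values may contain spaces ("SMB Data(138)", "Echo request(8,0)"),
# so match lazily up to the next KEY=, a trailing TCP flag word, or end of line.
FIELD_RE = re.compile(
    r"([A-Z][A-Z/]*)=(.*?)(?=\s+[A-Z][A-Z/]*=|\s+(?:SYN|ACK|FIN|RST|PSH|URG)\b|\s*$)"
)
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")
PORT_RE = re.compile(r"\((\d+)\)\s*$")


def port_number(value):
    """'Telnet(23)' -> 23, 'SMB Data(138)' -> 138, '4184' -> 4184."""
    m = PORT_RE.search(value)
    return int(m.group(1)) if m else int(value)


def parse_line(line):
    """Return a dict of fields for one AIF firewall log line, or None otherwise."""
    if "AIF:" not in line or "packet:" not in line:
        return None
    head, _, body = line.partition("packet:")
    fields = dict(FIELD_RE.findall(body))
    return {
        "timestamp": " ".join(head.split()[:3]),
        "iface": fields.get("IN"),
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields.get("PROTO"),
        "dport": port_number(fields["DPT"]) if "DPT" in fields else None,
        "sport": port_number(fields["SPT"]) if "SPT" in fields else None,
        "icmp": fields.get("TYPE/CODE"),
        "flags": set(FLAG_RE.findall(body)),
    }


def classify(entry, local_net):
    """Label one parsed entry from the defender's point of view."""
    if entry["proto"] == "ICMP" and (entry["icmp"] or "").startswith("Echo request"):
        return "icmp-echo-probe"
    # NetBIOS name/datagram service from a local host to the subnet broadcast
    # address: the Samba traffic the question asks about, not an intrusion.
    if (entry["proto"] == "UDP" and entry["dport"] in (137, 138)
            and entry["src"] in local_net
            and entry["dst"] == local_net.broadcast_address):
        return "netbios-broadcast-local"
    if entry["proto"] == "TCP" and "SYN" in entry["flags"] and entry["src"] not in local_net:
        return "blocked-inbound-syn"
    return "other"


def summarize(log_text, local_net):
    """Count entries per label and list remote hosts that hit several ports."""
    counts = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a firewall line, e.g. other kernel messages
        label = classify(entry, local_net)
        counts[label] += 1
        if label == "blocked-inbound-syn":
            ports_by_src[str(entry["src"])].add(entry["dport"])
    # One remote host probing two or more distinct ports is the scan pattern
    # the answer describes; a single SYN is usually just background noise.
    scanners = sorted(src for src, ports in ports_by_src.items() if len(ports) >= 2)
    return {"counts": dict(counts), "scanners": scanners}


def report():
    """Run the summary over the constructed sample with the assumed subnet."""
    return summarize(SAMPLE_LOG, LOCAL_NET)


if __name__ == "__main__":
    print(report())
```

Feeding the real /var/log/messages through summarize() with your own subnet shows at a glance whether the entries are a handful of blocked probes (expected on any Internet-facing host) or a sustained multi-port sweep worth a closer look; the counts also give a baseline to compare against after the cleanup the poster mentions.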