Hi,
I have noticed some possible security issues in my /var/log/messages log but I'm not sure how to read the messages. I'm getting the following lines:
Code:
Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=xx.xx.xx.xx PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
Dec 13 23:14:43 AIF:PRIV TCP packet: IN=eth1 SRC=46.41.76.166 DST=xx.xx.xx.xx PROTO=TCP DPT=Telnet(23) SPT=3282 TTL=52 SYN
Dec 13 23:14:55 AIF:PRIV TCP packet: IN=eth1 SRC=200.121.207.59 DST=xx.xx.xx.xx PROTO=TCP DPT=Telnet(23) SPT=4026 TTL=48 SYN
Dec 13 23:16:43 AIF:PRIV UDP packet: IN=eth1 SRC=xx.xx.xx.xx DST=xx.xx.xx.255 PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) TTL=64
Dec 13 23:27:14 AIF:ICMP-request: IN=eth1 SRC=209.170.120.50 DST=xx.xx.xx.xx PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=22 SEQ=0
Dec 13 23:27:35 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31 DST=xx.xx.xx.xx PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=1 SEQ=7
Dec 13 23:27:55 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31 DST=xx.xx.xx.xx PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=6 SEQ=12
Dec 13 23:28:15 AIF:ICMP-request: IN=eth1 SRC=66.114.50.67 DST=xx.xx.xx.xx PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=1 SEQ=6
Dec 13 23:28:35 AIF:ICMP-request: IN=eth1 SRC=66.114.50.67 DST=xx.xx.xx.xx PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=6 SEQ=11
Dec 13 23:49:17 AIF:UNPRIV TCP packet: IN=eth1 SRC=124.133.2.2 DST=xx.xx.xx.xx PROTO=TCP DPT=4899 SPT=6000 TTL=106 SYN
As I said, I'm not too sure what I'm seeing here, but I think I'm being "probed" where it says PROTO=ICMP TYPE/CODE=Echo request(8,0)? Some of the IPs I traced end up in China.
I assume the line with PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) is coming from Samba and should not be an issue. However, the destination IP is (slightly) different from the source IP (my server), i.e. SRC=xx.xx.214.167 and DST=xx.xx.215.255.
What do these lines in my log mean, and is there anything else I can check for security issues other than the log files in /var/log?
Thanks!
Robbert
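To make the fields in these lines easier to read, here is an added Python snippet (not from the original post and not part of Arno's firewall) that parses the logged packets into fields and labels each one: TCP SYNs as inbound connection attempts to the named port, ICMP echo requests as pings, and UDP port 137/138 traffic to a .255 address as a local NetBIOS broadcast rather than an outside probe. It assumes the tag and KEY=VALUE layout shown above and that a .255 address is the subnet broadcast, as in the poster's case.

```python
import re
from collections import Counter

# Sample lines copied from the post above (the poster masked DST as xx.xx.xx.xx).
SAMPLE_LOG = """\
Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=xx.xx.xx.xx PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
Dec 13 23:16:43 AIF:PRIV UDP packet: IN=eth1 SRC=xx.xx.xx.xx DST=xx.xx.xx.255 PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) TTL=64
Dec 13 23:27:14 AIF:ICMP-request: IN=eth1 SRC=209.170.120.50 DST=xx.xx.xx.xx PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=22 SEQ=0
Dec 13 23:49:17 AIF:UNPRIV TCP packet: IN=eth1 SRC=124.133.2.2 DST=xx.xx.xx.xx PROTO=TCP DPT=4899 SPT=6000 TTL=106 SYN
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) AIF:(?P<tag>[^:]+): (?P<rest>.*)$")
# KEY=VALUE pairs; a value runs until the next KEY= or a trailing flag such as SYN.
FIELD_RE = re.compile(r"([A-Z/]+)=(.*?)(?=\s[A-Z/]+=|\s[A-Z]+$|$)")

def port(value):
    """'Telnet(23)' -> 23, 'SMB Data(138)' -> 138, '4899' -> 4899."""
    m = re.search(r"\((\d+)\)$", value)
    return int(m.group(1) if m else value)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "tag": m["tag"].strip()}
    ev.update(FIELD_RE.findall(m["rest"]))      # SRC, DST, PROTO, DPT, ...
    ev["syn"] = m["rest"].endswith(" SYN")     # TCP flag logged after the fields
    return ev

def classify(ev):
    proto = ev.get("PROTO")
    # Assumption: .255 is the subnet broadcast, so NetBIOS to it is local chatter, not an outside probe.
    if proto == "UDP" and ev["DST"].endswith(".255") and port(ev["DPT"]) in (137, 138):
        return "local NetBIOS broadcast"
    if proto == "ICMP" and ev.get("TYPE/CODE", "").startswith("Echo request"):
        return "inbound ping"
    if proto == "TCP" and ev["syn"]:
        return f"inbound connection attempt to port {port(ev['DPT'])}"
    return "other"

def summarize(log_text):
    # Count (label, source) pairs so repeated sources stand out.
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[(classify(ev), ev["SRC"])] += 1
    return counts

if __name__ == "__main__":
    for (label, src), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {label:45s} from {src}")
```

Running it against the full /var/log/messages (`summarize(open("/var/log/messages").read())`) gives a per-source count, which is the quickest way to tell a one-off ping from a source that keeps coming back.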