LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-05-2007, 08:15 PM   #1
Bryan88
LQ Newbie
 
Registered: Dec 2006
Location: NY
Distribution: Ubuntu
Posts: 21

Rep: Reputation: Disabled
Mysterious firewall port connection.


I use DHCP from my ISP. The IP address that I currently have is getting bombarded (about 1/sec.) for incoming port 60661 (UDP)from different domain addresses around the world. What gives??? Is this a true attack or people trying to connect to a sever that used to used this address???

Can someone explain what is causing me to get so many calls to the same port? What is port 60661 used for?

Thanks,
Bryan
 
Old 09-05-2007, 10:05 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
What source port do the packets have? 60661 is a ephemeral port, so it's gonna be pretty tough to determine, by destination port number alone, what service they are attempting to reach (not that a source port would magically clear things up either). Could you post a few sample lines from your firewall log, tcpdump output, etc?

With the info we have so far, this could be anything - even something as harmless as transmissions to a Limewire servent that the previous user of your IP had running. There also isn't any breakout targetting that port at the time of this post, FWIW.

Last edited by win32sux; 09-05-2007 at 10:56 PM.
 
Old 09-06-2007, 06:02 AM   #3
Bryan88
LQ Newbie
 
Registered: Dec 2006
Location: NY
Distribution: Ubuntu
Posts: 21

Original Poster
Rep: Reputation: Disabled
More info. on the packets.

The packets to incoming port 60661 (UDP) come at exactly 1 second intervals from each different IP address sending them. They all originate from port 63406 on the other machines. I am not running any services behind that port (or any but sshd for that matter), so the packets are being silently dropped (but the rate of these packets isn't slowing down even after many hours/renewals of leasing the same IP address.)

Guess it may be internet "noise".

Thank you for the breakout link suggestion.

Thanks,
Bryan
 
Old 09-06-2007, 05:15 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Well the reason I asked if you could post your tcpdump output was so that perhaps someone could tell you with certainty what kind of traffic it was. I'm not sure I'd call it noise at this point, I suspect it is more related to something the previous IP user was doing. In any case, it's good your firewall is sending the packets to DROP, perhaps you should add a DROP rule for these specific packets so that they don't clutter your log file. That is, assuming you are currently using a LOG rule at the end of the chain, before the policy.

Last edited by win32sux; 09-06-2007 at 05:17 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh: connection to host port: 22: Connection timed out lost connection cucolin@ Linux - Server 4 11-22-2011 06:15 AM
port 25 filtered despite firewall having port 25 open ille.pugil42 Linux - Security 8 03-09-2007 12:51 AM
linux serial port to router console port connection? frankie_fix Linux - General 3 02-26-2007 09:32 PM
Firewall - Allow 1 IP address on port x Beuzekom Linux - Networking 4 01-26-2004 07:11 AM
firewall.rc.config says :"open port 8080" but nmap says port is closed saavik Linux - Security 2 02-14-2002 12:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:57 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration