LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   portscan from my own machine (https://www.linuxquestions.org/questions/linux-security-4/portscan-from-my-own-machine-4203/)

groegert 07-12-2001 02:48 AM

portscan from my own machine
 
I have 2 linux machines in our network as servers/gateways for windows machines.
Last week I got a portscan on linux1 from linux2 (log entry):
Jul 4 12:51:31 inetsrv scanlogd: From linux2 to linux1 ports 21, 3382, 3385, 3388, 3391, 3394, 3397, 3400, 3403, ..., flags ??r??u, TOS 00, TTL 64, started at 12:51:21

At the same time, the log entry on linux2 (time was not synchronized):
Jul 4 13:11:54 Surfer kernel: IPv6 v0.8 for NET4.0
Jul 4 13:11:54 Surfer kernel: IPv6 over IPv4 tunneling driver
Jul 4 13:11:54 Surfer in.ftpd[17049]: connect from localhost (127.0.0.1)
Jul 4 13:12:14 Surfer kernel: eth0: no IPv6 routers present
Jul 4 13:12:14 Surfer kernel: eth0: no IPv6 routers present
Jul 4 13:12:38 Surfer in.ftpd[17051]: connect from localhost (127.0.0.1)

... and I was the only user who was logged in on linux2:
me ftp localhost Wed Jul 4 13:12 - 13:12 (00:00)
me ftp windows1 Wed Jul 4 12:48 - 12:58 (00:10)
me pts/0 windows1 Wed Jul 4 11:38 - 13:15 (01:36)
me ftp windows1 Wed Jul 4 11:36 - 11:46 (00:10)
me ftp windows1 Wed Jul 4 11:36 - 11:51 (00:15)

Any idea why I got this portscan?

Well, linux2 is configured as a proxy for all Windows machines. Is this the solution to this riddle, or does Linux do a portscan itself?

And why did I get an IPV6 request?

Thanks in advance,

Thomas

raz 07-12-2001 09:29 AM

Hi Thomas,

Ok I've looked at the log file you sent.

Looks to me like this.
Someone has tried to connect to your linux1 box's FTP port and then, for some strange reason, scanned in intervals of 3 from 3383 up.

The source could be spoofed, but the TTL info tells us it's from the same subnet as the Linux1 system. "Could still be spoofed, but harder and more unlikely."

It also looks like someone on Linux2 wants your IDS on Linux1 to pick up on the fact they are trying to connect to your ports. "Someone just needs a non-root local account on Linux2 to do this"

Linux doesn't portscan itself, only to get info on RPC servers from portmap if needed. "port 111"

The IPv6 errors are from your SSH server on Linux2; it's trying to bind to your IPv6 module and failing each time you log in to Linux2 from a Windows system over SSH.

There should be a line in your SSH config file that says:
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment the first line to stop this.

So basically, if you have other users who have an account on Linux2, they are playing with your ports trying to set off your IDS system on Linux1.

IPv6 is a separate problem on the Linux2 system.

/Raz
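The reasoning in Raz's reply (a stride-3 sweep of ports above 3382, and a TTL of 64 pointing at a sender on the local segment rather than behind a router) can be applied to the scanlogd line mechanically. The script below is an added example written for this thread; it is not code from either poster or from scanlogd. The sample line is constructed from the one quoted in the first post with the poster's "..." elision dropped so it parses, and the hop estimate is a heuristic that assumes the sender's stack started at one of the usual initial TTLs (64, 128 or 255); a spoofed packet can of course carry any TTL.

```python
import re

# Constructed sample, modelled on the scanlogd line quoted in the first post
# (hostnames, ports, flags and TTL are the post's; the "..." elision is dropped).
SAMPLE = (
    "Jul 4 12:51:31 inetsrv scanlogd: From linux2 to linux1 ports 21, 3382, 3385, "
    "3388, 3391, 3394, 3397, 3400, 3403, flags ??r??u, TOS 00, TTL 64, "
    "started at 12:51:21"
)

LINE_RE = re.compile(
    r"scanlogd: From (?P<src>\S+) to (?P<dst>\S+) ports (?P<ports>.+?), "
    r"flags (?P<flags>\S+), TOS (?P<tos>\S+), TTL (?P<ttl>\d+), started at (?P<start>\S+)"
)

# Initial TTLs chosen by common IP stacks (64: Linux/BSD, 128: Windows, 255: some
# routers and Unixes). Assumption used only as a heuristic, not a guarantee.
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_scanlogd(line):
    """Return the fields of one scanlogd syslog line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "ports": ports,
        "flags": m.group("flags"),
        "ttl": int(m.group("ttl")),
        "started": m.group("start"),
    }


def longest_arithmetic_run(ports):
    """Find the longest run of consecutive ports with a constant step.

    Returns (step, first_port, length). A step of 1 is a plain sequential
    sweep; a larger step, like the 3 in the thread, is the kind of pattern
    worth noting in an incident write-up because it points at a particular
    tool or at a range split across several scanners.
    """
    best = (0, ports[0] if ports else 0, 1)
    i = 0
    while i < len(ports) - 1:
        step = ports[i + 1] - ports[i]
        j = i + 1
        while j < len(ports) - 1 and ports[j + 1] - ports[j] == step:
            j += 1
        length = j - i + 1
        if length > best[2]:
            best = (step, ports[i], length)
        i = j
    return best


def estimate_hops(ttl):
    """Estimate router hops from the observed TTL.

    Each router decrements TTL by one, so the gap to the nearest common
    initial value at or above the observed TTL is the likely hop count.
    An observed TTL equal to a common initial value means zero hops, i.e.
    a sender on the local segment, which is the reasoning in the reply
    above. Spoofing can still fake this.
    """
    candidates = [init for init in COMMON_INITIAL_TTLS if init >= ttl]
    initial = min(candidates) if candidates else None
    hops = initial - ttl if initial is not None else None
    return {"assumed_initial": initial, "hops": hops, "likely_on_link": hops == 0}


def assess(line):
    """Combine the parsed line, the scan pattern and the hop estimate."""
    rec = parse_scanlogd(line)
    if rec is None:
        return None
    step, first, length = longest_arithmetic_run(rec["ports"])
    rec["pattern"] = {"step": step, "first_port": first, "count": length}
    rec["hops"] = estimate_hops(rec["ttl"])
    return rec


if __name__ == "__main__":
    s = assess(SAMPLE)
    print(f"{s['src']} -> {s['dst']}: {len(s['ports'])} ports, run of "
          f"{s['pattern']['count']} ports stepping by {s['pattern']['step']} "
          f"from {s['pattern']['first_port']}, TTL {s['ttl']} -> {s['hops']}")
```

Run against the sample, it reports a run of 8 ports stepping by 3 from 3382 and a hop estimate of 0 for TTL 64, which is the same conclusion Raz drew by eye. Feeding it the whole syslog (one line at a time, skipping the `None` results) gives the same summary for every scanlogd event without hand-reading each one.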

