11-16-2006, 12:39 PM
|
#1
|
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797
|
Shocking firewall results; what is it?
I'm running Ubuntu Dapper as a desktop machine. Connected to the internet this evening (pppoe) and within 3 minutes I had over 100 hits from different IPs on port 18176.
Below a part of the firestarter log
Code:
Time:Nov 16 19:01:15 Direction: Unknown In:ppp0 Out: Port:18176 Source:88.46.212.42 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:01:18 Direction: Unknown In:ppp0 Out: Port:18176 Source:68.58.213.4 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
...
...
Time:Nov 16 19:04:39 Direction: Unknown In:ppp0 Out: Port:18176 Source:89.132.75.150 Destination:196.2.119.209 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:Nov 16 19:04:42 Direction: Unknown In:ppp0 Out: Port:18176 Source:76.185.195.31 Destination:196.2.119.209 Length:93 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:04:43 Direction: Unknown In:ppp0 Out: Port:18176 Source:68.213.80.26 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:04:47 Direction: Unknown In:ppp0 Out: Port:18176 Source:219.74.229.222 Destination:196.2.119.209 Length:70 TOS:0x00 Protocol:UDP Service:Unknown
Disconnected and reconnected again (got new ip-address) and it was gone.
Wonder what this is/was?
Last edited by Wim Sturkenboom; 11-16-2006 at 12:47 PM.
|
|
|
11-16-2006, 01:59 PM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
It's an ephemeral port. Without details it could be anything, like filesharing.
|
|
|
11-16-2006, 11:03 PM
|
#3
|
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797
Original Poster
|
Thanks for the reply.
Sorry, but what is ephemeral?
I'm not so worried about the port number as I don't have anything running on it (to my knowledge). And maybe I should have phrased the question better:
Is this some kind of ddos or what is it?
|
|
|
11-17-2006, 07:28 AM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
Ephemeral as in "high ports" those that are used for short-lived server-client transactions as governed by the net.ipv4.ip_local_port_range sysctl. I don't think this is DoS-related, more likely it's just "ghosting": connections between the previous owner of the IP address and other hosts on the 'net due to filesharing and the like.
Last edited by unSpawn; 11-17-2006 at 12:19 PM.
Reason: //((expl++))
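
An added example (not written by any poster in this thread) that checks the distinction drawn in post #4 against the log format from post #1: many unrelated sources converging on one port, as opposed to one source walking across ports. The function names, the thresholds and the 192.0.2.7 log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Firestarter format quoted in post #1. The 18176
# lines are taken from that post; the 192.0.2.7 lines are invented to show
# the contrasting "one source, many ports" pattern.
SAMPLE = """\
Time:Nov 16 19:01:15 Direction: Unknown In:ppp0 Out: Port:18176 Source:88.46.212.42 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:01:18 Direction: Unknown In:ppp0 Out: Port:18176 Source:68.58.213.4 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
...
Time:Nov 16 19:04:39 Direction: Unknown In:ppp0 Out: Port:18176 Source:89.132.75.150 Destination:196.2.119.209 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:Nov 16 19:04:42 Direction: Unknown In:ppp0 Out: Port:18176 Source:76.185.195.31 Destination:196.2.119.209 Length:93 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:05:01 Direction: Unknown In:ppp0 Out: Port:22 Source:192.0.2.7 Destination:196.2.119.209 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:Nov 16 19:05:02 Direction: Unknown In:ppp0 Out: Port:23 Source:192.0.2.7 Destination:196.2.119.209 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:Nov 16 19:05:03 Direction: Unknown In:ppp0 Out: Port:80 Source:192.0.2.7 Destination:196.2.119.209 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
"""

FIELDS = re.compile(
    r"Port:(?P<port>\d+)\s+Source:(?P<src>\S+)\s+Destination:\S+.*?Protocol:(?P<proto>\w+)"
)

def parse(log_text):
    """Yield (port, source, protocol) for each line in the expected format."""
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if m:  # skips "..." and anything else that does not match
            yield int(m["port"]), m["src"], m["proto"]

def triage(log_text, min_sources=3, min_ports=3):
    """Split blocked traffic into fan-in ports and scan-like sources.

    The thresholds are assumptions for this example, not established cut-offs.
    """
    sources_by_port = defaultdict(set)
    ports_by_source = defaultdict(set)
    for port, src, _proto in parse(log_text):
        sources_by_port[port].add(src)
        ports_by_source[src].add(port)
    return {
        # many unrelated hosts, one port: the pattern post #4 calls "ghosting"
        "fan_in": sorted(p for p, s in sources_by_port.items() if len(s) >= min_sources),
        # one host trying several ports: looks like a scan instead
        "scan_like": sorted(s for s, p in ports_by_source.items() if len(p) >= min_ports),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A port that shows up under `fan_in` while nothing local listens on it, and that goes quiet after the address changes, matches what the original poster observed.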
|
|
|
11-17-2006, 09:22 AM
|
#5
|
Member
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 830
|
Quote:
Originally Posted by Wim Sturkenboom
Disconnected and reconnected again (got new ip-address) and it was gone.
Wonder what this is/was?
|
If you want to know what kind of traffic it is/was, you could capture a couple of packets with ethereal, search for something readable and do a Google search. It quite often produces results.
|
|
|
11-17-2006, 01:28 PM
|
#6
|
Member
Registered: Apr 2006
Distribution: Slackware 10.2
Posts: 52
|
Quote:
Originally Posted by Wim Sturkenboom
Thanks for the reply.
Sorry, but what is ephemeral?
I'm not so worried about the port number as I don't have anything running on it (to my knowledge). And maybe I should have phrased the question better:
Is this some kind of ddos or what is it?
|
You can run the 'netstat -tunlp' command to see which ports are listening on your Linux box.
|
|
|
All times are GMT -5. The time now is 08:57 PM.