Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
My department has recently set up a new mail server. My supervisor has the kernel logwatch being forwarded to me and I am unsure of what to make of the output. A lot of it looks like random people trying to poke and prod the box for certain open ports. Now what I am most curious about are entries like these:
Denied packets from vmb-ext.prodigy.net (207.115.63.87).
Port 2305 (tcp,eth0,input): 6 packet(s).
Port 2283 (tcp,eth0,input): 7 packet(s).
Port 2131 (tcp,eth0,input): 8 packet(s).
Port 2238 (tcp,eth0,input): 4 packet(s).
Port 2349 (tcp,eth0,input): 10 packet(s).
Port 2162 (tcp,eth0,input): 9 packet(s).
Port 2206 (tcp,eth0,input): 8 packet(s).
Total of 52 packet(s).
Denied packets from vmg-ext.prodigy.net (207.115.63.93).
Port 2347 (tcp,eth0,input): 10 packet(s).
Port 2160 (tcp,eth0,input): 8 packet(s).
Port 2204 (tcp,eth0,input): 4 packet(s).
Port 2303 (tcp,eth0,input): 8 packet(s).
Port 2281 (tcp,eth0,input): 9 packet(s).
Port 2240 (tcp,eth0,input): 6 packet(s).
Port 2129 (tcp,eth0,input): 8 packet(s).
Total of 53 packet(s).
Denied packets from vmd-ext.prodigy.net (207.115.63.89).
Port 2301 (tcp,eth0,input): 8 packet(s).
Port 2228 (tcp,eth0,input): 6 packet(s).
Port 2335 (tcp,eth0,input): 10 packet(s).
Port 2141 (tcp,eth0,input): 6 packet(s).
Port 2273 (tcp,eth0,input): 8 packet(s).
Port 2214 (tcp,eth0,input): 6 packet(s).
Port 2179 (tcp,eth0,input): 4 packet(s).
Total of 48 packet(s).
Denied packets from vm7-ext.prodigy.net (207.115.63.121).
Port 2338 (tcp,eth0,input): 8 packet(s).
Port 2139 (tcp,eth0,input): 6 packet(s).
Port 2272 (tcp,eth0,input): 6 packet(s).
Port 2217 (tcp,eth0,input): 9 packet(s).
Port 2178 (tcp,eth0,input): 6 packet(s).
Port 2300 (tcp,eth0,input): 9 packet(s).
Port 2227 (tcp,eth0,input): 8 packet(s).
Total of 52 packet(s).
Denied packets from vmi-ext.prodigy.net (207.115.63.96).
Port 2241 (tcp,eth0,input): 8 packet(s).
Port 2181 (tcp,eth0,input): 10 packet(s).
Port 2339 (tcp,eth0,input): 6 packet(s).
Port 2296 (tcp,eth0,input): 8 packet(s).
Port 2208 (tcp,eth0,input): 6 packet(s).
Port 2145 (tcp,eth0,input): 6 packet(s).
Port 2269 (tcp,eth0,input): 8 packet(s).
Total of 52 packet(s).
Denied packets from vmh-ext.prodigy.net (207.115.63.97).
Port 2299 (tcp,eth0,input): 8 packet(s).
Port 2275 (tcp,eth0,input): 9 packet(s).
Port 2216 (tcp,eth0,input): 6 packet(s).
Port 2177 (tcp,eth0,input): 9 packet(s).
Port 2230 (tcp,eth0,input): 6 packet(s).
Port 2337 (tcp,eth0,input): 8 packet(s).
Port 2137 (tcp,eth0,input): 9 packet(s).
Total of 55 packet(s).
And so on... my box has been hit by someone from the 207.115.63 network for the past few days. Are they slowly port scanning me? What should I make of this?
I am also seeing a lot of these as well:
Denied packets from performance-104.sef.pnap.net (63.251.161.104).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).
Denied packets from performance-test-67.lax.pnap.net (216.52.254.67).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).
Denied packets from performance-test-72.lax.pnap.net (216.52.254.72).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).
Denied packets from performance-233.nyc.pnap.net (216.223.48.233).
Port 0 (icmp,eth0,input): 8 packet(s).
Total of 8 packet(s).
Any ideas of what this is all about? I am new to the sysadmin realm and don't know a whole lot about security.
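An added example, not from the thread: a small parser for the logwatch "Denied packets" format quoted above that rolls the hits up per /24 network, so one can see at a glance how many hosts from a network were logged, how many distinct TCP ports they touched and over what span; ICMP-only sources show up with no TCP ports at all. The sample text is constructed from a few of the blocks in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a few blocks in the logwatch "Denied packets" format from the post
SAMPLE = """\
Denied packets from vmb-ext.prodigy.net (207.115.63.87).
Port 2305 (tcp,eth0,input): 6 packet(s).
Port 2283 (tcp,eth0,input): 7 packet(s).
Port 2131 (tcp,eth0,input): 8 packet(s).
Total of 21 packet(s).
Denied packets from vmg-ext.prodigy.net (207.115.63.93).
Port 2347 (tcp,eth0,input): 10 packet(s).
Port 2160 (tcp,eth0,input): 8 packet(s).
Total of 18 packet(s).
Denied packets from performance-104.sef.pnap.net (63.251.161.104).
Port 0 (icmp,eth0,input): 6 packet(s).
Total of 6 packet(s).
"""

HOST_RE = re.compile(r"^Denied packets from (\S+) \((\d+\.\d+\.\d+\.\d+)\)\.$")
PORT_RE = re.compile(r"^Port (\d+) \((\w+),(\w+),(\w+)\): (\d+) packet\(s\)\.$")

def parse(text):
    """Return {ip: {"host": name, "ports": {(proto, port): packets}}}."""
    sources, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            current = sources.setdefault(m[2], {"host": m[1], "ports": {}})
        elif (m := PORT_RE.match(line)) and current is not None:
            key = (m[2], int(m[1]))            # (protocol, port)
            current["ports"][key] = current["ports"].get(key, 0) + int(m[5])
    return sources

def summarize_networks(sources):
    """Roll sources up per /24: hosts seen, packets, distinct TCP ports and their span.
    Many distinct ports spread over a range from one network is the pattern worth
    a closer look; ICMP-only entries come out with zero TCP ports."""
    nets = defaultdict(lambda: {"hosts": set(), "packets": 0, "tcp_ports": set(), "protos": set()})
    for ip, info in sources.items():
        n = nets[".".join(ip.split(".")[:3]) + ".0/24"]
        n["hosts"].add(ip)
        for (proto, port), count in info["ports"].items():
            n["packets"] += count
            n["protos"].add(proto)
            if proto == "tcp":
                n["tcp_ports"].add(port)
    return {net: {"hosts": len(n["hosts"]), "packets": n["packets"],
                  "protocols": sorted(n["protos"]),
                  "distinct_tcp_ports": len(n["tcp_ports"]),
                  "tcp_port_span": (min(n["tcp_ports"]), max(n["tcp_ports"])) if n["tcp_ports"] else None}
            for net, n in nets.items()}

if __name__ == "__main__":
    for net, summary in summarize_networks(parse(SAMPLE)).items():
        print(net, summary)
```

Feed it the full report instead of SAMPLE and compare networks over several days to tell a slow, spread-out probe from a handful of stray packets.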
From the name I would venture performance-test.*lax.pnap.net are some sort of Akamai-like outfit trying to serve pages from a close by location or something like that.
The logwatches don't mean a thing to me.
If the port mentioned are ports local to the box, my portdb shows 3 hits:
]$ port 2305
2305/tcp mt-scaleserver MT ScaleServer
2305/udp mt-scaleserver MT ScaleServer
]$ port 2238
2238/tcp aviva-sna AVIVA SNA SERVER
2238/udp aviva-sna AVIVA SNA SERVER
]$ port 2349
2349/tcp redstorm_diag Diagnostics Port
2349/udp redstorm_diag Disgnostics Port
...which don't mean a thing if you ain't running those.
Btw, are these packets per second or what?
Do you have legitimate business (traffic) with .*ext.prodigy.net?
If the packets are logged, but the system ain't running anything on those ports and the packets haven't got bad flags, why ain't they silently discarded?