Someone is beating on my firewall ... Should I be concerned
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
(Hmmm! Is there a way to post a nicely formatted table?)
Anyway, it seems obvious to me that nobody in China has any business hitting my ports 1026 & 1027 with 140 udp packets. I rather suspect that the IP's are spoofed anyway, and that simply firewalling out those specific ones will not gain me much.
I just installed PortSentry, but I'm not sure it'll do anything since the probes are (evidently) being stopped by the firewall.
What's my next step ... or should I even be concerned?
I find it interesting that they're hitting ports 1026 & 1027. PortSentry's defaults are to watch any port below 1025. Would it be a good idea to raise that portwatch number to 1028.
Don't bother; the ports don't relate to Linux services, and so aren't normally open. It's just Microsoft-targeting spam looking for an unsuspecting victim.
Interesting issues (to me) this time are people who came back to visit again ... Seems to eliminate pure randomness. I've added a few items, Visit Nbr., Geograhical source of probe, and Apps (or Trojans) known to use this port. I've also had a few probes at Ports 80 & 8080Should be no issue there as long as I'm not running a www. server, right?
Code:
Visits From IP Hits Prtcl Ports Origin Apps (Trojan Info)
1 201.6.221.8 87 tcp (6652) Brazil
2 201.6.221.8 60 tcp (6652) Brazil
1 220.72.5.105 1 tcp (1433) Korea Ms-sql-s (SQL Snake)
2 220.72.5.105 1 tcp (3306) Korea MySQL
1 222.34.5.45 1 udp (1434) China Ms-sql-s (SQL Slammer)
2 222.34.5.45 2 udp (1434) China Ms-sql-s (SQL Slammer)
1 65.244.31.30 1 udp (6346) New York (UUNet) Gnutella
2 65.244.31.30 2 udp (6346) New York (UUNet) Gnutella
1 68.34.44.68 1 tcp (1433) Pasadena, MD (Comcast) Ms-sql-s (SQL Snake)
2 68.34.44.68 2 tcp (1433) Pasadena, MD (Comcast) Ms-sql-s (SQL Snake)
Mr. Brazil has got to go. I guess the best way to do that is add his IP to /etc/hosts.deny? I didn't find anything about that port, but I suspect it's a p2p filesharing program of some kind. For whatever reason, he's locked in on me, and that makes me uncomfortable.
I assume the sql ports are people who's machines are infected with the identified worms, looking for companionship. Shouldn't be a problem I don't think, since I don't run MSSQL or MySql. I do run Postgres, tho, but it's port is not open to incoming, only outgoing. Nobody hit that one yet anyway.
Gnutella doesn't concern me as long as I don't see the same IPs too often (like Mr Brazil).
The Comcast probes bother me slightly. That's my ISP. Are they checking up on me, or what. Had a few probes from them on Port 80, as well.
Interesting issues (to me) this time are people who came back to visit again ... Seems to eliminate pure randomness.
It's unlikely it's random; more likely to be an infected set of machines. Machines frequently get multiply infected, as I can attest from cleaning 50+ nasties out of a single family member machine.
Quote:
I've added a few items, Visit Nbr., Geograhical source of probe, and Apps (or Trojans) known to use this port. I've also had a few probes at Ports 80 & 8080Should be no issue there as long as I'm not running a www. server, right?
Even if you are running a web server, if the firewall doesn't permit access to those IP addresses, it doesn't matter.
Quote:
Mr. Brazil has got to go. I guess the best way to do that is add his IP to /etc/hosts.deny? I didn't find anything about that port, but I suspect it's a p2p filesharing program of some kind. For whatever reason, he's locked in on me, and that makes me uncomfortable.
If the port is firewalled or has no listening application, no further action is necessary.
Quote:
I assume the sql ports are people who's machines are infected with the identified worms, looking for companionship. Shouldn't be a problem I don't think, since I don't run MSSQL or MySql. I do run Postgres, tho, but it's port is not open to incoming, only outgoing. Nobody hit that one yet anyway.
Gnutella doesn't concern me as long as I don't see the same IPs too often (like Mr Brazil).
The Comcast probes bother me slightly. That's my ISP. Are they checking up on me, or what. Had a few probes from them on Port 80, as well.
Any commentary appreciated. I am learning.
It's likely other Comcast users are infected. That's not to say that your ISP doesn't check on you; they simply don't need to probe your ports. Remember that your traffic runs thru their equipment, so they can know (if they are interested), every port that you have active.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
