LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-03-2006, 10:41 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
spoof hitting port 1026


i have this anti-spoof rule in iptables :
Code:
cat /root/bogon-bn-nonagg.txt |\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\
|^124\.|^125\.|^126\.|^189\.| ^190\.)"|while read s; do
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j DROP
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'
done
And i have found many of these logs:
Code:
Sep  2 13:15:07 argo BOGON_SPOOF: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=180.193.136.244 DST=192.168.0.2 LEN=519 TOS=00 PREC=0x00 TTL=54 ID=17219 PROTO=UDP SPT=31242 DPT=1026 LEN=499
As you see it's hitting port 1026 and they are all i say all hitting port 1026 what couuld it mean ?
Code:
cat /etc/services | grep 1026
doesn't give me anything should i be worried ?
Thanx!
 
Old 09-04-2006, 12:36 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Read here: http://www.grc.com/port_1026.htm

And here: http://isc.sans.org/port_details.php?port=1026
 
Old 09-04-2006, 01:49 AM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
Thanks for the links but still i don't get why the ip is a IANA one
Code:
Since this is UDP, the spammers forge the source IP address to some unsuspecting party.  Do not trust the source address, the packets would have to be traced hop by hop
This might be why !
 
Old 09-04-2006, 11:43 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Often these arise from virus-infected Windows machines either on your LAN (if you have one) or from machines that belong to other suscribers of your ISP and are within the last hop. Technically these likely should be filtered but often aren't until the upstream router.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
1025-1026-1027 ... Udp gabsik Linux - Security 2 07-10-2006 08:53 PM
Windows XP Not Hitting My Network.. sxa General 17 05-31-2004 10:58 PM
Pty's -- Hitting Limit! zepplin611 AIX 2 03-09-2004 09:48 AM
Kernel 2.6 hitting the mainstream? navarre9 Linux - General 10 12-22-2003 10:43 AM
How to spoof our ip?? zLinuxz Linux - Networking 2 04-19-2002 12:00 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:46 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration