Subject: Re: logging with firehol - msg#00144
List: debian.devel.firewall
On Friday 28 May 2004 18:44, strawks wrote:
> 62.99.78.133 tries to connect on port 445 and 213.10.237 tries to
> connect on port 5554 and 9898.
>
> These connections are blocked by the firewall and that's why they are
> logged in syslog, but I don't know why you got this often.
Port 445: microsoft-ds - Win2k+ Server Message Block
Port 5554: sgi-esphttp - SGI ESP HTTP
Could be the sasser worm: (quote from
http://seclists.org/lists/bugtraq/2004/May/0043.html)
It has been reported through various channels that the Sasser Worm uses the
same port 5554/tcp as SGI Embedded Support Partner (ESP) web server,
which is enabled by default on current SGI IRIX and SGI Altix systems [...]
Port 9898: monkeycom - MonkeyCom (don't know what this could be, maybe a p2p
program)
Greetings,
Christian
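An added example, not code from this thread: a small Python parser for the netfilter LOG lines Jonas quoted (the SRC=/DST=/DPT= fields Christian points to), which tallies blocked inbound TCP SYNs per source and destination port and labels the ports with the services named in the replies. The sample log text is constructed from the three entries in the thread; the port descriptions are those given above and nothing more.

```python
import re
from collections import Counter

# Constructed sample: the three kernel LOG entries quoted in the thread,
# one syslog line each (the archive had wrapped them together).
SAMPLE_LOG = """\
May 28 17:51:06 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=62.99.78.133 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=46176 DF PROTO=TCP SPT=3372 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 17:51:07 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=22801 DF PROTO=TCP SPT=3934 DPT=5554 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 17:51:08 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=23315 DF PROTO=TCP SPT=4192 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=29184
"""

# Destination ports named in the thread and what Christian identified them as.
KNOWN_PORTS = {445: "microsoft-ds (Windows SMB)",
               5554: "sgi-esphttp, also used by the Sasser worm",
               9898: "monkeycom"}

KERNEL_LOG_RE = re.compile(r"kernel: (?P<body>.*\bIN=.*)")
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Parse one netfilter LOG syslog line into a dict, or None if it is not one."""
    m = KERNEL_LOG_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    # firehol's log prefix ('IN-interface1') precedes the first IN= field.
    fields = {"prefix": body[: body.index("IN=")].rstrip(": ")}
    fields.update((f.group("key"), f.group("value")) for f in FIELD_RE.finditer(body))
    fields["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}  # bare SYN/ACK/... tokens
    return fields

def blocked_syns(log_text):
    """Tally inbound TCP SYNs per (SRC, DPT); DPT is the port the peer asked for."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        # OUT= empty means the packet was addressed to this host, not forwarded.
        if f and f.get("PROTO") == "TCP" and "SYN" in f["flags"] and not f.get("OUT"):
            hits[(f["SRC"], int(f["DPT"]))] += 1
    return hits

def report(hits):
    """Rows (src, dport, count, service), busiest first, then by port."""
    order = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0][1]))
    return [(src, dpt, n, KNOWN_PORTS.get(dpt, "unknown service")) for (src, dpt), n in order]

if __name__ == "__main__":
    for src, dpt, n, svc in report(blocked_syns(SAMPLE_LOG)):
        print(f"{src:>16} -> port {dpt:<5} x{n}  {svc}")
```

Feed it `grep 'kernel: IN-' /var/log/syslog` output instead of the sample to see which ports are being knocked on most and by whom.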
Thread at a glance:
Previous Message by Date:
Re: logging with firehol
On Friday 28 May 2004 17:59, Jonas Meurer wrote:
> with a running and working firehol firewall, I still
> get these messages in syslog:
>
> May 28 17:51:06 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=62.99.78.133 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=46176 DF PROTO=TCP SPT=3372 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> May 28 17:51:07 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=22801 DF PROTO=TCP SPT=3934 DPT=5554 WINDOW=16384 RES=0x00 SYN URGP=0
> May 28 17:51:08 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=23315 DF PROTO=TCP SPT=4192 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=29184
>
> in my eyes this looks like some tiny people (62.99.78.133
> and 213.10.237.114) requested something on my server
> diana50 (62.75.129.11) over TCP, but on which port?
You can find the port number they tried for at DPT=nnnn (DPT = Destination
Port).
In your example it's port 445 in the first, 5554 in the second and 9898 in the
last sample.
Bye,
Christian
Next Message by Date:
Re: Validating NT through a natting firewall
On Wed, 2004-05-26 at 21:36, Leonardo Boselli wrote:
> All services run smoothly except that if I try from one of such machines to
> log in as a non-local user or try to add permissions for a user on the
> server, the machines invariably say that they cannot access the main server.
This sounds to me like the computer has problems finding the domain
things like NetBIOS names/logon server/domain etc.
Usually a broadcast is sent to find out who the PDC (or just any logon
server) for that domain is; if you are doing NAT, I bet this broadcast
thing breaks. It's the same situation using routers between Windows
networks... A solution for this is setting up a WINS server on the NT
servers and entering the IP of the WINS server on all Windows clients; this
may solve your problems.
Mirco
Previous Message by Thread:
Re: logging with firehol
Next Message by Thread:
Re: logging with firehol
On Fri, 2004-05-28 at 17:59, Jonas Meurer wrote:
[...]
> in my eyes this looks like some tiny people (62.99.78.133
> and 213.10.237.114) requested something on my server
> diana50 (62.75.129.11) over TCP, but on which port?
SPT=$source_port
DPT=$destination_port
> Why is this in syslog? If it's only about a connection that went through
> an open port, how can i turn this off?
You have some iptables rule with target -j LOG (maybe a catch-all rule
for rejected packets). However, as I don't use firehol, I can't help
you any further but point you to the firehol documentation. I'm sure
firehol lets you turn off logging or, better idea, use the ULOG target
so as not to log via syslog.
> if it's a request trial that was rejected, why do I get this that often?
Portscanning, remote exploits, misconfigured servers, worms, and so on.
Don't feel as if you're alone on the internet :)
Ciao,
Gian Piero.