MLUG: [MLUG] kernel: auditIN=eth0 OUT= message in logs?
Someone answered a similar question on this list a year or more ago
(BTW, it's still one of only 2 references I can find about this anywhere
so far!). Anyway, I wonder if anyone can add more info.  The kernel
messages are, more or less:

kernel: auditIN=eth0 OUT= MAC=00:30:<snip> SRC=202.111.187.66 DST=<my
IP> LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=33327 PROTO=TCP SPT=21 DPT=21
WINDOW=38992 <and so on>

It seems pretty clear these are portscans, maybe malicious, maybe not.
The particulars vary a bit. They are almost always aimed at DPTs 21,
22, and I think 113 (that one's somewhat rare). On my box these ports
are (supposed to be) dropped by the firewall, and aren't open anyway,
but I wonder, does the fact that the kernel messages show up at all mean
the scans are getting through to some extent, and should I be concerned
about that?  Also, sometimes 2 or 3 identical scans show up from the
same address, then they end; is that any more serious?  Finally, even
though I get the kernel messages, can I be sure my box hasn't broadcast
something externally in response (again, it isn't supposed to be)?

Thanks all,
	Dave
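An added example, not from the original post or the list: a small parser for the netfilter LOG lines quoted above (the "audit" text is the rule's --log-prefix run straight into "IN="), which reads off the chain from the IN=/OUT= interfaces and counts inbound SYN probes per source and destination port. The sample lines, prefix and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog lines in the netfilter LOG format quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:01:12 host kernel: auditIN=eth0 OUT= MAC=00:30:aa:bb:cc:dd:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=33327 PROTO=TCP SPT=21 DPT=21 WINDOW=38992 RES=0x00 SYN URGP=0
Mar  3 10:01:13 host kernel: auditIN=eth0 OUT= MAC=00:30:aa:bb:cc:dd:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=33328 PROTO=TCP SPT=22 DPT=22 WINDOW=38992 RES=0x00 SYN URGP=0
Mar  3 10:01:14 host kernel: auditIN=eth0 OUT= MAC=00:30:aa:bb:cc:dd:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=33329 PROTO=TCP SPT=113 DPT=113 WINDOW=38992 RES=0x00 SYN URGP=0
Mar  3 10:01:20 host kernel: auditIN=eth0 OUT= MAC=00:30:aa:bb:cc:dd:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=33330 PROTO=TCP SPT=21 DPT=21 WINDOW=38992 RES=0x00 SYN URGP=0
Mar  3 10:01:21 host kernel: auditIN=eth0 OUT= MAC=00:30:aa:bb:cc:dd:00:11:22:33:44:55:08:00 SRC=192.0.2.55 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=TCP SPT=80 DPT=22 WINDOW=512 RES=0x00 ACK URGP=0
Mar  3 10:01:22 host kernel: auditIN= OUT=eth0 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=21 DPT=40000 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  3 10:02:00 host sshd[1234]: Accepted publickey for dave from 192.0.2.2 port 5000
"""

LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)(?P<body>IN=.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return the LOG fields of one syslog line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    fields = {"PREFIX": m.group("prefix").strip()}
    fields.update(KV_RE.findall(body))
    # TCP flag tokens (SYN, ACK, RST, ...) carry no '='; keep them as a set
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok}
    return fields

def chain_hint(fields):
    """Which chain logged the packet, read from the IN=/OUT= interfaces."""
    if fields.get("IN") and not fields.get("OUT"):
        return "INPUT"   # arrived on an interface and was addressed to this host
    if fields.get("OUT") and not fields.get("IN"):
        return "OUTPUT"  # generated locally and leaving the host
    return "FORWARD"

def summarize_probes(lines):
    """Count inbound TCP connection attempts (SYN without ACK) per source and port.
    A LOG rule only records the packet; whether the next rule DROPs it is not
    visible here, so this shows what reached the INPUT chain, not what got in."""
    hits = defaultdict(Counter)
    for line in lines:
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP" or chain_hint(f) != "INPUT":
            continue
        if "SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]:
            continue
        hits[f["SRC"]][int(f["DPT"])] += 1
    return {src: dict(c) for src, c in hits.items()}
```

Run over a real syslog file, repeated entries for the same SRC/DPT pair stand out directly in the counts; a matching LOG rule in the OUTPUT chain (lines with IN= empty and OUT=eth0) is how to see whether the host replied.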
