MLUG: Re: [MLUG] kernel: auditIN=eth0 OUT= message in logs?

Is the firewall a different computer?

If not, then the kernel /is/ the firewall so it would make sense you're
getting messages about being scanned from the kernel.

Ian Monroe
http://www.monroe.nu

On 4 Jun 2002, Dave McBride wrote:

> Someone answered a similar question on this list a year or more ago
> (BTW, it's still one of only 2 references I can find about this anywhere
> so far!). Anyway, I wonder if anyone can add more info.  The kernel
> messages are, more or less:
>
> kernel: auditIN=eth0 OUT= MAC=00:30:<snip> SRC=202.111.187.66 DST=<my
> IP> LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=33327 PROTO=TCP SPT=21 DPT=21
> WINDOW=38992 <and so on>
>
> It seems pretty clear these are portscans, maybe malicious, maybe not.
> The particulars vary a bit. They are almost always aimed at DPT's 21,
> 22, and I think 113 (that one's somewhat rare). On my box these ports
> are (supposed to be) dropped by the firewall, and aren't open anyway,
> but I wonder, does the fact that the kernel messages show up at all mean
> the scans are getting through to some extent, and should I be concerned
> about that?  Also, sometimes 2 or 3 identical scans show up from the
> same address, then they end; is that any more serious?  Finally, even
> though I get the kernel messages, can I be sure my box hasn't broadcast
> something externally in response (again, it isn't supposed to be)?
>
> Thanks all,
> 	Dave
>
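The lines quoted above are in the netfilter (iptables) LOG target format, where the rule's --log-prefix is printed directly before IN=; a prefix written without a trailing space fuses with it, which is where "auditIN=eth0" comes from. As an added example that is not code from either poster, the Python below parses such lines and addresses the three questions from a defender's side: each line only proves a LOG rule matched (it does not say whether the following rule dropped the packet), repeated SRC/DPT pairs are counted, and any logged packet with OUT set that heads back to a prober is the evidence to look for when asking whether the box replied. The sample lines are constructed, and "audit" being the --log-prefix is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG-target format quoted in the
# thread (documentation IP ranges; one MAC kept to show colon handling).
# "audit" is assumed to be the rule's --log-prefix, written without a trailing
# space so it fuses with the IN= field, exactly as in "auditIN=eth0".
SAMPLE_LOG = """\
kernel: auditIN=eth0 OUT= MAC=00:30:aa:bb:cc:dd:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=33327 PROTO=TCP SPT=21 DPT=21 WINDOW=38992 RES=0x00 SYN URGP=0
kernel: auditIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TTL=116 ID=33328 PROTO=TCP SPT=21 DPT=21 WINDOW=38992 RES=0x00 SYN URGP=0
kernel: auditIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TTL=116 ID=33401 PROTO=TCP SPT=22 DPT=22 WINDOW=38992 RES=0x00 SYN URGP=0
kernel: auditIN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.9 LEN=40 TTL=52 ID=9001 PROTO=TCP SPT=2345 DPT=113 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: auditIN= OUT=eth0 SRC=198.51.100.9 DST=192.0.2.55 LEN=40 TTL=64 ID=0 DF PROTO=TCP SPT=113 DPT=2345 WINDOW=0 RES=0x00 ACK RST URGP=0
"""
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_log_line(line):
    """Turn one LOG line into a dict of KEY=VALUE fields plus 'prefix' and
    'flags'. Returns None for lines that are not netfilter LOG output."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    for key in list(fields):  # un-fuse a --log-prefix glued onto IN
        if key != "IN" and key.endswith("IN") and "IN" not in fields:
            fields["prefix"], fields["IN"] = key[:-2], fields.pop(key)
    if "IN" not in fields or "OUT" not in fields:
        return None
    fields["flags"] = {f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)}
    return fields

def summarize(log_text):
    """Count logged inbound probes per (SRC, DPT) and list any logged packet
    that left the box (OUT set) towards a source that probed it. A logged
    line only proves a LOG rule matched; whether the next rule dropped the
    packet is not recorded in the line itself."""
    inbound, probers, replies = Counter(), set(), []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP":
            continue
        if f["IN"] and not f["OUT"]:            # arrived for this host
            inbound[(f["SRC"], f["DPT"])] += 1
            probers.add(f["SRC"])
        elif f["OUT"] and f["DST"] in probers:  # locally generated reply
            replies.append((f["DST"], f["SPT"], sorted(f["flags"])))
    repeated = {k: n for k, n in inbound.items() if n > 1}
    return {"inbound": inbound, "repeated": repeated, "replies": replies}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed sample the last line is the one that matters for the "did my box respond" question: it is a locally generated RST/ACK going back to a prober, which a LOG rule on the OUTPUT chain would catch only if one is in place.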
Archives are available at http://mlug.missouri.edu/list-archives/