kernel: Packet log: eth1-i DENY eth1 PROTO=6 200.0.0.1:1043 201.0.0.1:113 L=60 S=0x00 I=152 F=0x4000 T=64 SYN (#5)

and

kernel: Packet log: eth1-o DENY eth1 PROTO=6 201.0.0.1:113 200.0.0.1:1044 L=40 S=0x00 I=888 F=0x0000 T=255 (#2)

These are TCP requests on port 113, which is the ident/auth port. It tells the requester which UID/user runs a certain service.
Does anybody know what causes this traffic?

This could be daemons which have requested the ident in their respective config, or your iplogger, which does this whenever a TCP/UDP connection comes in. You should check ftpd, httpd and iplogger configuration files first.
The tcp_wrapper does that, too, in both the libwrap implementation and the tcpd implementation. Cleartext: A opens a connection to B, and B uses the ident service of A (opens up an ident TCP connection to A) to ask _who_ on host A opened the first connection. A fairly useless protocol as seen from the security standpoint, since A trusts B's super user.
MfG/Regards, Alexander
Thanks,
Roman.
--
- -
| Roman Drahtmüller
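
Added example, not part of the original thread: a small parser for the packet log lines quoted above that groups denied port 113 traffic by the host making the ident lookup, so those hosts can be matched against the services (ftpd, httpd, tcp_wrapper) mentioned in the replies. The field layout is inferred from the two quoted lines; the function names and the third sample line are made up for illustration.

```python
import re
from collections import defaultdict

# Field layout inferred from the two log lines quoted in this thread (assumption).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
IDENT_PORT, TCP = 113, 6

def parse(line):
    """Return the fields of one packet log line as a dict, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl", "rule"):
        e[key] = int(e[key])
    e["syn"] = e["syn"] is not None
    return e

def ident_requesters(lines):
    """Count denied ident packets per host that is performing the lookup."""
    hosts = defaultdict(lambda: {"syn_to_113": 0, "from_113": 0})
    for line in lines:
        e = parse(line)
        if not e or e["proto"] != TCP or e["action"] != "DENY":
            continue
        if e["dport"] == IDENT_PORT and e["syn"]:
            hosts[e["src"]]["syn_to_113"] += 1   # lookup attempt arriving at port 113
        elif e["sport"] == IDENT_PORT:
            hosts[e["dst"]]["from_113"] += 1     # packet sent back from port 113
    return dict(hosts)

# First two lines are the ones quoted in the thread; the third is constructed.
SAMPLE = [
    "kernel: Packet log: eth1-i DENY eth1 PROTO=6 200.0.0.1:1043 201.0.0.1:113 "
    "L=60 S=0x00 I=152 F=0x4000 T=64 SYN (#5)",
    "kernel: Packet log: eth1-o DENY eth1 PROTO=6 201.0.0.1:113 200.0.0.1:1044 "
    "L=40 S=0x00 I=888 F=0x0000 T=255 (#2)",
    "kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:137 10.0.0.255:137 "
    "L=78 S=0x00 I=4021 F=0x0000 T=128 (#3)",
]

if __name__ == "__main__":
    for host, counts in ident_requesters(SAMPLE).items():
        print(host, counts)
```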