Mailinglist Archive: opensuse (4053 mails)

Various security questions
I just set up SuSE 7.2 on my home server. This server runs SuSEFirewall
described in the manual, and masquerades for my internal boxes. I'm running
www, ftp, and that's all I have opened up to the 'outside' interface. Seems
to be working really well, and blocking the things I wanna block.

I'm getting various hits (per /var/log/messages) to my web server (outside
interface, port 80) from time to time. I only have the default web page up
there, and I haven't advertised my IP in any way, so I'm hoping it's
webcrawling bots or I have an ip that used to be on another machine. In any
case I'm not too worried about that. However, I've noticed a LOT of things
like this in the log:

Packet log: input ACCEPT eth0 PROTO=1 myip:0 L=43

(or L=81, also 'myip' is my ip address, and not a quote from the log) and
various other information from the log. My main question is what is port
'0' used for? From what I've seen of well known ports it's reserved, my
worry is that someone is trying to crack me, but I could also be paranoid
and I have no idea why anyone would come in on port '0' and just as
important, why wasn't this a DENY since I don't have that port open in the
firewall config?

Secondly, I just want to verify something. I'm running a server called
hlds_l, which uses ports in the 27000 range. This program just works
without me having to open the ports explicitly in the config, so it stands to
reason, but just to verify for this what's referred to as
'high-ports' in the config, and by having those set to the default of 'yes'
is this why hlds_l works without having to config anything, is this a
security risk?

Many thanks for any help, also I can provide more information and complete
log information if anyone indicates this is serious, but my gut tells me I'm
being paranoid and this traffic is 'normal' or 'innocuous'...

John Marquardt
