Mailinglist Archive: opensuse (4053 mails)

Re: [SLE] Various security questions
  • From: Jeffrey Taylor <jeff.taylor@xxxxxxxx>
  • Date: Wed, 8 Aug 2001 22:11:44 -0500
  • Message-id: <20010808221144.H6821@xxxxxxxxxxxxxxxxxxxxx>
Some of the hits you are seeing are Code Red II. Before 1 August, my
firewall logs ran 18-20KB per day. Last night's log was over a meg.

Jeffrey

Quoting John Marquardt <marquardt@xxxxxxxxxxxxxx>:
> I just set up SuSE 7.2 on my home server. This server runs SuSEFirewall
> described in the manual, and masquerades for my internal boxes. I'm running
> www, ftp, and that's all I have opened up to the 'outside' interface. Seems
> to be working really well, and blocking the thing I wanna block.
>
> I'm getting various hits (per /var/log/messages) to my web server (outside
> interface, port 80) from time to time. I only have the default web page up
> there, and I haven't advertised my IP in any way, so I'm hoping it's
> webcrawling bots or I have an ip that used to be on another machine. In any
> case I'm not too worried about that. However, I've noticed a LOT of things
> like this in the log:
>
> Packet log: input ACCEPT eth0 PROTO=1 24.17.168.32:8 myip:0 L=43
>
> (or L=81, also 'myip' is my ip address, and not a quote from the log) and
> various other information from the log. My main question is what is port
> '0' used for? From what I've seen of well known ports it's reserved, my
> worry is that someone is trying to crack me, but I could also be paranoid
> and I have no idea why anyone would come in on port '0' and just as
> important, why wasn't this a DENY since I don't have that port open in the
> firewall config?
>
> Secondly, I just want to verify something. I'm running a server called
> hlds_l, which uses ports in the 27000 range. This program just works
> without me having to open the ports explicitly in the config, so it stands to
> reason, but just to verify for sure...is this what's referred to as
> 'high-ports' in the config, and by having those set to the default of 'yes'
> is this why hlds_l works without having to config anything, is this a
> security risk?
>
> Many thanks for any help, also I can provide more information and complete
> log information if anyone indicates this is serious, but my gut tells me I'm
> being paranoid and this traffic is 'normal' or 'innocuous'...
>
> John Marquardt
> marquardt@xxxxxxxxxxxxxx
>
>

--
I don't do Windows and I don't come to work before nine.
-- Johnny Paycheck
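
Added example, not part of either message: in the ipchains log format quoted above, a PROTO=1 (ICMP) line carries the ICMP type and code in the positions where TCP and UDP lines carry ports, so `:8` and `:0` decode as an echo request (ping) rather than traffic to port 0. The parser below decodes such lines; the `parse` function, the lookup tables and the second and third sample lines are constructed for illustration.

```python
import re

# ipchains (Linux 2.2) log layout: chain, action, interface, IP protocol number,
# source addr:port, destination addr:port, packet length. Later fields are ignored.
LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<length>\d+)"
)
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}

def parse(line):
    """Return a dict for one 'Packet log:' line, or None if it does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    name = PROTOCOLS.get(rec["proto"], "protocol %d" % rec["proto"])
    if rec["proto"] == 1:
        # ICMP has no ports: ipchains prints the ICMP type where the source
        # port would be and the ICMP code where the destination port would be.
        icmp_type, icmp_code = rec.pop("sport"), rec.pop("dport")
        rec["icmp_type"], rec["icmp_code"] = icmp_type, icmp_code
        kind = ICMP_TYPES.get(icmp_type, "unlisted type")
        rec["summary"] = "ICMP %s (type %d, code %d)" % (kind, icmp_type, icmp_code)
    else:
        rec["summary"] = "%s to port %d" % (name, rec["dport"])
    return rec

SAMPLES = [
    # Line quoted in the message above ('myip' is the poster's placeholder).
    "Packet log: input ACCEPT eth0 PROTO=1 24.17.168.32:8 myip:0 L=43",
    # Constructed lines (documentation addresses), not taken from any real log.
    "Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:3127 myip:80 L=48 S=0x00 I=4242 F=0x4000 T=110 (#3)",
    "Packet log: input DENY eth0 PROTO=17 198.51.100.7:1025 myip:137 L=78",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse(sample)
        print(rec["action"], rec["src"], "->", rec["summary"])
```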
