Hi, Security_SuSErs :)

On my stand-alone desk-top 'puter, I installed "Port Sentry", and have used it for a month now . . .
Usually, the Log File shows nothing surprising.
But, the last few days, I have started to observe entries like these :-
__________________________________________________________
Oct 29 22:09:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=21648 F=0x0000 T=122 (#32)
Oct 29 22:11:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=22928 F=0x0000 T=122 (#32)
____________________________________________________________
Any ideas, please, what this signifies . . . maybe my ISP is trying to plant some Cookies ? . . . or, what ?

I have done a 'ping' to 194.219.151.161 , but it does not respond.
I have done a 'dig' but it only gives the number, but no details.

thanks a ton :)

best wishes

--
____________ sent on Linux ____________
100% Virus Free!
> But, the last few days, I have started to observe entries like these :-
> __________________________________________________________
> Oct 29 22:09:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=21648 F=0x0000 T=122 (#32)
> Oct 29 22:11:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=22928 F=0x0000 T=122 (#32)

Those are UDP packets, port 53 both ways, from a nameserver (this one is
at least responsible for the zone patrascc.gr). Nothing unusual actually,
only that the source _and_ destination port for these packets is 53.
I'd guess that you are/were ppp9.aig.forthnet.gr (194.219.247.130) and
that you have a caching dns running, configured to use port 53 as the
source port for the packets that are being sent as requests. It might be
advisable to set this (local) port in bind8's configuration to something
above port 1024 to just not cause any trouble like readability of logs. If
I remember correctly, bind must run as root because the sockets won't be
reused but recreated which requires root privs each time. But I may be
wrong...
Thanks,
Roman.
--
Roman Drahtmüller
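
The log lines discussed in this thread, decoded field by field; this is an added example, not code from either poster. It assumes the ipchains "Packet log:" layout (L = length, S = TOS, I = IP id, F = fragment field, T = TTL, optional SYN marker, rule number in parentheses); the function names, the labels and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# ipchains (Linux 2.2) log layout, as in the lines quoted in the thread:
# chain action iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_line(line):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["syn"] = rec["syn"] is not None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec

def classify(rec):
    """Label the port pattern discussed in the reply (UDP, port 53 both ways)."""
    if rec["proto_name"] == "udp" and rec["sport"] == 53:
        return "udp-dns-53-to-53" if rec["dport"] == 53 else "udp-dns-from-53"
    return "other"

def summarize(lines):
    """Count denied packets per (label, source, destination)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            counts[(classify(rec), rec["src"], rec["dst"])] += 1
    return counts

SAMPLE = [  # first two: entries from the original post; third: constructed
    "Oct 29 22:09:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=21648 F=0x0000 T=122 (#32)",
    "Oct 29 22:11:07 AIG kernel: Packet log: input DENY ppp0 PROTO=17 194.219.151.161:53 194.219.247.130:53 L=52 S=0x00 I=22928 F=0x0000 T=122 (#32)",
    "Oct 29 22:12:00 AIG kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:40000 192.0.2.20:23 L=60 S=0x00 I=100 F=0x4000 T=60 SYN (#32)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```
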
participants (2): Roman Drahtmueller, tabanna