I'm seeing odd things in my FW log. Running SLES 8, all YOU updates applied. Machine has v. limited services (ssh, apache, tomcat, mysql, postfix). Ports 80 and 8080 have just been opened globally, but this happened before then. The only other ports available (22, 3306) are to a few systems locally. Only one nic is configured (and plugged in), eth1. The SuSE FW set up is as comes out of the box except as detailed above, although I had more logging turned on initially... umm, the extra logging is in effect for the entries below. (Log _all_ dropped packets).

Question: Why am I seeing these connections being accepted and dropped on port 1433??

Log (grepped):

Mar 31 05:37:02 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 05:37:02 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:0f:1f:02:28:80:00:09:11:7a:20:00:08:00 SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:59 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=41111 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:59 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=41111 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)

No, my machine isn't called xxx. The same goes for the IP/MAC address. Any ideas?

TIA,
Tom.

---------------
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web: http://www.ahds.ac.uk
Email: tom.knight@ahds.ac.uk
Tel: (0)20 7928 7371
Hi Tom,
Question: Why am I seeing these connections being accepted and dropped on port 1433??
Log (grepped): Mar 31 05:37:02 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
This is very normal scanning that is going on all the time as soon as you connect a machine to the internet. A quick search with Yahoo gave the link: http://www.seifried.org/security/ports/1000/1433.html

Port 1433 is MS SQL. Someone is checking whether you are running an MS SQL server. If one is found, an attack will be launched to find whether it is vulnerable.

Nothing to worry about as long as you run your firewall and shut down all ports that you don't need.

HTH,
Armin

--
Am Hasenberg 26                 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                     Schloss-Straße 6
Tel. ++49-(0)38203/42137                D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de             Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/             Fax. +49-(0)38293-68-50
Mar 31 05:37:02 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
This is very normal scanning that is going on all the time as soon as you connect a machine to the internet. A quick search with Yahoo gave the link: http://www.seifried.org/security/ports/1000/1433.html
Port 1433 is MS SQL. Someone is trying whether you are running a MS SQL-server. If one is found, an attack will be launched to find whether it is vulnerable.
I have no problem with people scanning me, it's the "SuSE-FW-ACCEPT" bit that makes me concerned... I thought that that meant the packet had been accepted (and passed through) the firewall, or am I misinterpreting this?

Tom.
On 03/31/2004 09:12 PM, Tom Knight wrote:
Question: Why am I seeing these connections being accepted and dropped on port 1433??
Log (grepped): Mar 31 05:37:02 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402) Mar 31 05:37:02 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
I remember seeing that before when I ran 8.0. I believe you should check for a SuSEfirewall2 update. I am pretty sure it is a buglet in the script related to logging, i.e. the packets are being dropped, but I know updating it fixed that problem for me. It is a noarch rpm, you could check if a newer version's rpm would work, or rebuild the package for your box.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871

God said, I AM that I AM. I say, by the grace of God, I am what I am.
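As an added example (not code from the thread or from SuSEfirewall2), the following Python script pairs the ACCEPT and DROP-DEFAULT lines for the same packet, matching on source/destination address and port plus the IP ID, and reports the verdict that actually applied, which is Joe's point that the packets were dropped despite the ACCEPT line. The first four log lines are the ones posted above; the port-80 line from 192.0.2.10 is constructed to show a packet that was genuinely accepted.

```python
import re
from collections import defaultdict

# Log lines as posted in the thread (first four) plus one constructed port-80 line
# (SRC=192.0.2.10) that is logged once only, to show a genuinely accepted packet.
SAMPLE_LOG = """\
Mar 31 05:37:02 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 05:37:02 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:0f:1f:02:28:80:00:09:11:7a:20:00:08:00 SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 10:00:00 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=192.0.2.10 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
"""

PREFIX_RE = re.compile(r"kernel: (SuSE-FW-[A-Z-]+) ")
KV_RE = re.compile(r"(\w+)=(\S*)")
# Fields that identify one packet across several log lines: the 4-tuple plus the IP ID.
KEY_FIELDS = ("SRC", "SPT", "DST", "DPT", "PROTO", "ID")

def parse_line(line):
    """Return the key=value fields of one SuSEfirewall2 log line, or None if not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["PREFIX"] = m.group(1)
    return fields

def verdicts(log_text):
    """Map each packet key to the ordered list of log prefixes it was logged under."""
    by_packet = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f:
            by_packet[tuple(f.get(k) for k in KEY_FIELDS)].append(f["PREFIX"])
    return by_packet

def final_verdict(prefixes):
    """LOG rules do not end rule traversal, so the last prefix logged for a packet comes
    from the rule that decided its fate: DROP after ACCEPT means it was not let in."""
    return "DROP" if prefixes[-1].startswith("SuSE-FW-DROP") else "ACCEPT"

def double_logged(log_text):
    """Packets logged under both ACCEPT and DROP prefixes (the thread's symptom),
    paired with the verdict that actually applied."""
    out = []
    for key, prefixes in verdicts(log_text).items():
        kinds = {p.split("-")[2] for p in prefixes}
        if {"ACCEPT", "DROP"} <= kinds:
            out.append((key, final_verdict(prefixes)))
    return out
```

Run over a real /var/log/messages, a non-empty result from double_logged() with every verdict DROP is the logging buglet Joe describes; an ACCEPT-only entry on a port you did not open is what would actually warrant concern.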
-----Original Message-----
From: Joe Morris (NTM) [mailto:Joe_Morris@ntm.org]
Sent: 31 March 2004 15:20
To: suse-security@suse.com
Subject: Re: [suse-security] Odd FW Log
On 03/31/2004 09:12 PM, Tom Knight wrote:
Question: Why am I seeing these connections being accepted and dropped on port 1433??
Log (grepped): Mar 31 05:37:02 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402) Mar 31 05:37:02 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
I remember seeing that before when I ran 8.0. I believe you should check for a SuSEfirewall2 update. I am pretty sure it is a buglet in the script related to logging, i.e. the packets are being dropped, but I know updating it fixed that problem for me. It is a noarch rpm, you could check if a newer version's rpm would work, or rebuild the package for your box.
Hmm, interesting. I have all the SLES 8 updates applied, but I'll grab the SUSE support people and see if they have any news on this.

Ta,
Tom.
participants (3)
- Armin Schoech
- Joe Morris (NTM)
- Tom Knight