looking at the sure personal firewall (set as default, my server offers no service for outside) log, I found this:

(isdn connection)

Aug 28 23:19:54 phoenix kernel: OPEN: 192.168.0.1 -> 212.27.32.5 UDP, port: 61171 -> 53
my ISP DNS
Aug 28 23:19:54 phoenix kernel: ippp0: dialing 1 0868929898...
phone call
Aug 28 23:19:55 phoenix kernel: isdn_net: ippp0 connected
Aug 28 23:21:20 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=435 F=0x4000 T=123 SYN (#17)
Aug 28 23:21:24 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=985 F=0x4000 T=123 SYN (#17)
Aug 28 23:21:28 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=1892 F=0x4000 T=123 SYN (#17)

what are these three rejected connections? nslookup shows that the 213.... machines are two of my isp's machines, so it seems legal. may I cause a problem with rejecting these things? port 80 is ftp????

such rejects are found sometimes, just after connections, but not always.

thanks
jdd
--
<http://www.dodin.net> <mailto:jdanield@dodin.net>
WHO'S THAT GUY ? Help me find it
Russia & South america help needed
http://www.dodin.net/serge/index.html
Hi jdd

On 2001.08.29 20:01:22 +0100 jdd wrote:
> looking at the sure personal firewall (set as default, my server offers no service for outside) log, I found this:
>
> (isdn connection)
>
> Aug 28 23:19:54 phoenix kernel: OPEN: 192.168.0.1 -> 212.27.32.5 UDP, port: 61171 -> 53
> my ISP DNS
> Aug 28 23:19:54 phoenix kernel: ippp0: dialing 1 0868929898...
> phone call
> Aug 28 23:19:55 phoenix kernel: isdn_net: ippp0 connected
> Aug 28 23:21:20 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=435 F=0x4000 T=123 SYN (#17)
> Aug 28 23:21:24 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=985 F=0x4000 T=123 SYN (#17)
> Aug 28 23:21:28 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=1892 F=0x4000 T=123 SYN (#17)
>
> what are these three rejected connections? nslookup shows that the 213.... machines are two of my isp's machines, so it seems legal. may I cause a problem with rejecting these things? port 80 is ftp????
>
> such rejects are found sometimes, just after connections, but not always.

port 80 is http / www.

One of the IP addresses is you - probably the second one. If you are using dynamic IP, your ISP will assign one of these to you each time you connect, so it will change each time you call your ISP.

These packets are to do with connecting to a webserver. Since you say you don't run any external services, this is someone else on your ISP looking to see if you have a webserver running. Most likely a Code Red attack attempt or similar.

If you don't run a webserver, you shouldn't break anything by REJECTing these packets.

HTH
Maf.

> thanks jdd

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't." - Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Wednesday 29 August 2001 21:20, maf king wrote:
> Hi jdd
>
> Most likely a Code Red attack
> attempt or similar.

many thanks for all the nice answers. I was in doubt because the origin of the calls was my ISP himself! I send to the webmaster the result of this discussion.

thanks again (and thanks for the suse firewall!)
jdd

Hi all!

Don't know if this has (ever) been told to the list -- apologies, if everyone knows, if not it may be helpful for _all_ queries to log entries.

I noticed the following link on another mailing-list (I'm subscribed to):

http://www.echogent.com/cgi-bin/fwlog.pl

*** ! simply put in (cut&paste) one of your log entries and get the result ! ***

Didn't have (enough) time to verify if it's (really) resolving _all_ queries, but:
a) all queries I've made, made sense in my cases and:
b) I assume, they did a REALLY GOOD WORK (and are going on!!)!!

jdd wrote:
> looking at the sure personal firewall (set as default, my server offers no service for outside) log, I found this:
> ...<snip>
> Aug 28 23:21:20 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=435 F=0x4000 T=123 SYN (#17)
> Aug 28 23:21:24 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=985 F=0x4000 T=123 SYN (#17)
> Aug 28 23:21:28 phoenix kernel: Packet log: rulchain REJECT ippp0 PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=1892 F=0x4000 T=123 SYN (#17)
> ...<snip>
> so it seems legal.

Really?? -->> See above!

Hope that helps!
--
best greetings from Solingen /GERMANY
Dieter Hürten
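
Decoding entries like the ones in this thread by hand, as an added example (not part of any post, and not the code of the fwlog.pl tool linked above): a small Python parser for the ipchains `Packet log:` line layout that also groups entries by source and destination, which shows the three REJECTs are one source port retrying the same destination. The protocol and service tables are trimmed to what appears here, and the function names are this example's own.

```python
import re
from collections import Counter

# ipchains "Packet log:" layout: chain, target, interface, IP protocol number,
# source, destination, L= total length, S= TOS, I= IP id,
# F= flags + fragment offset, T= TTL, optional SYN marker, (#rule number).
LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}      # trimmed table
SERVICES = {21: "ftp", 53: "domain", 80: "http"}  # trimmed table

def parse(line):
    """Return the decoded fields of one entry, or None for other kernel lines."""
    m = LINE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "chain": f["chain"], "target": f["target"], "iface": f["iface"],
        "proto": PROTOCOLS.get(int(f["proto"]), f["proto"]),
        "src": (f["src"], int(f["sport"])),
        "dst": (f["dst"], int(f["dport"])),
        "service": SERVICES.get(int(f["dport"]), "unknown"),
        "ip_id": int(f["ip_id"]), "ttl": int(f["ttl"]),
        "dont_fragment": bool(int(f["frag"], 16) & 0x4000),
        "syn": f["syn"] is not None,
        "rule": int(f["rule"]) if f["rule"] else None,
    }

def flows(lines):
    """Count entries per (proto, src, dst); a count above 1 means repeats."""
    return Counter((p["proto"], p["src"], p["dst"])
                   for p in map(parse, lines) if p)

# One ISDN status line and the three REJECT entries quoted in the thread.
ENTRY = ("Aug 28 23:21:%s phoenix kernel: Packet log: rulchain REJECT ippp0 "
         "PROTO=6 213.228.8.211:2454 213.228.41.113:80 L=48 S=0x00 I=%d "
         "F=0x4000 T=123 SYN (#17)")
SAMPLE = ["Aug 28 23:19:55 phoenix kernel: isdn_net: ippp0 connected"] + [
    ENTRY % (sec, ip_id) for sec, ip_id in [("20", 435), ("24", 985), ("28", 1892)]]

if __name__ == "__main__":
    for flow, count in flows(SAMPLE).items():
        print(count, "entries for", flow)
```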

On Wednesday 29 August 2001 23:14, Dieter Huerten wrote:
> Hi all!
>
> Don't know if this has (ever) been told to the list -- apologies, if everyone knows, if not it may be helpful for _all_ queries to log entries.
>
> I noticed the following link on another mailing-list (I'm subscribed to): http://www.echogent.com/cgi-bin/fwlog.pl

thanks, this is a VERY good URL
jdd