Jan 18 17:12:22 altea1 kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:05:5d:47:bc:33:00:60:68:81:10:c7:08:00 SRC=211.46.223.114 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=21212 DF PROTO=TCP SPT=3049 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

What happens with port 1433? Can someone interpret this for us?

Thanks, Steve.
* fsanta;
Jan 18 17:12:22 altea1 kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:05:5d:47:bc:33:00:60:68:81:10:c7:08:00 SRC=211.46.223.114 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=21212 DF PROTO=TCP SPT=3049 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
What happens with port 1433? Can someone interpret this for us?
toganm@earth:~> grep 1433 /etc/services
ms-sql-s        1433/tcp    # Microsoft-SQL-Server
ms-sql-s        1433/udp    # Microsoft-SQL-Server

Are you running one? If not, no worry. On the other hand, many of the services (ports) are explained, as to which service runs on them, in /etc/services. Checking it first can give you an idea before getting into the panic state.

Using http://isc.incidents.org/ can give you a basic idea of what is going on worldwide in terms of the attacked ports. Furthermore, if you use http://www.dshield.org and one of the clients for log upload, then based on the behavior of the attacking IP you can have Dshield send abuse reports to the respective ISPs.

Another option is using http://analyzer.securityfocus.com/ and, using Extractor, uploading the logs, where you can analyze them in detail.

But most importantly, if you are running a firewall you need to understand what the logs mean: http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

So there is lots of good stuff in these links; you should be able to solve the future logs.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
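As an added example (not code from anyone on the list), here is a small Python triage that does what Togan describes by hand: it parses SuSEfirewall2 log lines like the one above, looks up DPT in /etc/services-style data, and flags ACCEPTed inbound SYNs to ports the host was never meant to expose. The second log line, the services excerpt and the INTENDED set are constructed for illustration.

```python
import re

# Constructed sample: the thread's SuSE-FW-ACCEPT line plus a made-up DROP line
# (198.51.100.7 is a documentation address, not a real source).
SAMPLE_LOG = """\
Jan 18 17:12:22 altea1 kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:05:5d:47:bc:33:00:60:68:81:10:c7:08:00 SRC=211.46.223.114 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=21212 DF PROTO=TCP SPT=3049 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 18 17:13:05 altea1 kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:05:5d:47:bc:33:00:60:68:81:10:c7:08:00 SRC=198.51.100.7 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4 DF PROTO=TCP SPT=1064 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
"""
# Constructed excerpt in /etc/services format (same shape as the grep output above).
SERVICES_TEXT = """\
ssh             22/tcp      # SSH Remote Login Protocol
ms-sql-s        1433/tcp    # Microsoft-SQL-Server
ms-sql-s        1433/udp    # Microsoft-SQL-Server
"""
INTENDED = {("tcp", 22)}  # assumption: the only service this host should expose
LINE_RE = re.compile(r"kernel: SuSE-FW-(?P<verdict>\S+) (?P<rest>.*)$")

def parse_line(line):  # one SuSE-FW line -> KEY=VALUE fields plus bare flags
    m = LINE_RE.search(line)
    if not m:
        return None
    toks = m.group("rest").split()
    rec = dict(t.split("=", 1) for t in toks if "=" in t)
    rec["verdict"] = m.group("verdict")
    rec["flags"] = [t for t in toks if "=" not in t]  # DF, SYN, OPT and option bytes
    return rec

def parse_services(text):  # (proto, port) -> service name from /etc/services lines
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, portproto = line.split()[:2]
            port, proto = portproto.split("/")
            table[(proto, int(port))] = name
    return table

def triage(log_text, services, intended=INTENDED):
    """Flag ACCEPTed inbound TCP SYNs to ports this host was not meant to serve."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue
        key = ("tcp", int(rec["DPT"]))
        if rec["verdict"].startswith("ACCEPT") and key not in intended:
            findings.append({"src": rec["SRC"], "dst": rec["DST"], "dport": key[1],
                             "service": services.get(key, "unknown")})
    return findings
```

Run against the real /var/log/messages and the real /etc/services, each finding is an accepted connection to a port you should either be serving on purpose or closing in the firewall.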
On Sunday 19 January 2003 4:19 pm, fsanta wrote:
Jan 18 17:12:22 altea1 kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:05:5d:47:bc:33:00:60:68:81:10:c7:08:00 SRC=211.46.223.114 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=21212 DF PROTO=TCP SPT=3049 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
What happens with port 1433? Can someone interpret this for us?
Thanks, Steve.
Steve, a whois 211.46.233.114 gets you this:

A quick translation of your output is that someone in Korea, most likely a porno place of some sort, has hit your subnet host of 192.168.1.2 via port 1433. The protocol is TCP/IP and their source port was 3049.

Looks like you need to work on your firewall to stop such things if they are uninvited guests. For instance, my Shorewall firewall blocks all attempts to contact any of my subnet from the Internet with a DROP. If you need more info on the firewall go look at shorewall.net and read the Quickstart Users Guide.

ra
* Richard;
Looks like you need to work on your firewall to stop such things if they are uninvited guests. For instance, my Shorewall firewall blocks all attempts to contact any of my subnet from the Internet with a DROP. If you need more info on the firewall go look at shorewall.net and read the Quickstart Users Guide.
from http://www.shorewall.net

1/6/2003 - BURNOUT
Until further notice, I will not be involved in either Shorewall Development or Shorewall Support
-Tom Eastep

Hence another reason to stick with SuSEfirewall2 as it is not a one man show

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Monday 20 January 2003 4:47 am, Togan Muftuoglu wrote:
1/6/2003 - BURNOUT
Until further notice, I will not be involved in either Shorewall Development or Shorewall Support
-Tom Eastep
Hence another reason to stick with SuSEfirewall2 as it is not a one man show
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer
Shorewall is certainly not a one man show! While Tom has provided exemplary support for his product, he has, for whatever reason, decided to take some time away from the project; however, if you look at the mailing list, he has not disappeared and the support continues as it does in so many Linux projects. There are a lot of people to pick up the slack. Bottom line, he has documented the product so well that most, especially newbies, can get a firewall up and running with a minimum of fuss and frustration. If help is needed it is there.

I certainly wouldn't go to SuSEfirewall simply because the author of Shorewall has taken a hiatus. SuSEfirewall is still gobbledygook to the neophyte and barely understandable to the non-expert. With Shorewall you don't have to know a whole lot about iptables structure. It's kind of like driving a car without having to know how it is built. That's not to say there is anything wrong with understanding the inner workings of something, just that it isn't for everyone and each user should have an option.

If we stopped using any app simply because the author moved on, we would stop using an awful lot of good software for an awfully dumb reason, and we wouldn't need dedicated people like you to keep track of FAQs. Again, just my opinion.

Richard