Hello.

For some time I have seen my syslogs polluted with messages like the following (more or less; I hide my IP with x's and the MAC address with y's):

Jul 25 18:18:58 xxxxx kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=yyyy SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63989 DF PROTO=TCP SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

What does it mean? Is my ethernet card malfunctioning?

Robert
On Sunday 25 July 2004 11:24 am, Bob wrote:
> Hello.
>
> For some time I have seen my syslogs polluted with messages like the following (more or less; I hide my IP with x's and the MAC address with y's):
>
> Jul 25 18:18:58 xxxxx kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=yyyy SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63989 DF PROTO=TCP SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>
> What does it mean? Is my ethernet card malfunctioning?
>
> Robert

Robert,

This is the SUSE Firewall2 making a log of it doing its job. The SFW2 is the tipoff.

PeterB
--
Proud to use SuSE Linux, since 5.2
Loving using SuSE Linux 8.2
MyBlog http://vancampen.org/blog/
Currently listening to Joseph Campbell http://www.jcf.org/ Free D/Ls after free registration
On Sunday 25 July 2004 17:24, Bob wrote:
> Hello.
>
> For some time I have seen my syslogs polluted with messages like the following (more or less; I hide my IP with x's and the MAC address with y's):
>
> Jul 25 18:18:58 xxxxx kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=yyyy SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63989 DF PROTO=TCP SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>
> What does it mean? Is my ethernet card malfunctioning?

No, it's your firewall warning that somebody tried to access your system, but that it was caught and dropped. They tried to access port 135 (DPT=135), which is listed in /etc/services as:

epmap 135/tcp # DCE endpoint resolution

SRC=x.x.x.x is theoretically where it came from, which you could check with:

host x.x.x.x

I wouldn't worry too much. Probably just some script kiddie port scanning, or Yet Another Windows Virus (TM) that's doing the same. It's the attacks that aren't logged that'll bite you.
--
Steve Boddy
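As an added example (not from anyone in this thread), a small Python parser for the SFW2 log format quoted above, run over constructed sample lines that use RFC 5737 documentation addresses: it pulls out the fields Steve mentions (SRC, DPT, PROTO), looks the port up in /etc/services, and tallies dropped attempts per destination port and per source so that one source probing several ports stands out.

```python
import re
import socket
from collections import Counter

# Constructed sample lines in the SFW2 (iptables LOG) format quoted in the thread; RFC 5737 addresses, made-up MACs.
SAMPLE_LOG = """\
Jul 25 18:18:58 myhost kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63989 DF PROTO=TCP SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 25 18:19:02 myhost kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63990 DF PROTO=TCP SPT=3246 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 25 18:19:40 myhost kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1234 DF PROTO=TCP SPT=52000 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 18:20:01 myhost kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1235 DF PROTO=TCP SPT=52001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 18:20:05 myhost sshd[123]: Accepted publickey for bob from 198.51.100.7 port 52001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rule>SFW2-\S+) (?P<rest>.*)$")

def parse_sfw2_line(line):
    """Return a dict of fields for an SFW2 log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m["rule"].split("-")  # SFW2-<zone>-<action>-<detail>, e.g. SFW2-INext-DROP-DEFLT
    rec = {"ts": m["ts"], "rule": m["rule"], "flags": set(),
           "action": parts[2] if len(parts) > 2 else ""}
    rest = re.sub(r"OPT \([0-9A-Fa-f]+\)", "", m["rest"])  # drop the TCP options blob
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if val.isdigit() else val  # LEN, TTL, SPT, DPT... become ints
        elif tok.isalpha() and tok.isupper():  # bare flags such as DF and SYN
            rec["flags"].add(tok)
    return rec

def service_name(port, proto="tcp"):
    """Look the port up in /etc/services (135/tcp -> epmap); fall back to the number."""
    try:
        return socket.getservbyport(port, proto)
    except (OSError, OverflowError):
        return str(port)

def summarize(lines, scan_threshold=2):
    # Count DROPs per (proto, port) and per source; a source hitting scan_threshold
    # or more distinct ports is reported as a probable port scan.
    by_port, by_src, ports_per_src = Counter(), Counter(), {}
    for rec in map(parse_sfw2_line, lines):
        if rec is None or rec["action"] != "DROP":
            continue
        key = (rec.get("PROTO"), rec.get("DPT"))
        by_port[key] += 1
        by_src[rec["SRC"]] += 1
        ports_per_src.setdefault(rec["SRC"], set()).add(key)
    scans = sorted(s for s, p in ports_per_src.items() if len(p) >= scan_threshold)
    return {"dropped_by_port": by_port, "dropped_by_src": by_src, "probable_scans": scans}
```

Feeding real lines from /var/log/messages through summarize() gives the same per-port and per-source counts; service_name(135) only returns "epmap" on a system whose /etc/services has that entry.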
Stephen Boddy wrote:
> On Sunday 25 July 2004 17:24, Bob wrote:
>> Hello.
>>
>> For some time I have seen my syslogs polluted with messages like the following (more or less; I hide my IP with x's and the MAC address with y's):
>>
>> Jul 25 18:18:58 xxxxx kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=yyyy SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63989 DF PROTO=TCP SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>>
>> What does it mean? Is my ethernet card malfunctioning?
>
> No, it's your firewall warning that somebody tried to access your system, but that it was caught and dropped. They tried to access port 135 (DPT=135), which is listed in /etc/services as:
>
> epmap 135/tcp # DCE endpoint resolution
>
> SRC=x.x.x.x is theoretically where it came from, which you could check with:
>
> host x.x.x.x
>
> I wouldn't worry too much. Probably just some script kiddie port scanning, or Yet Another Windows Virus (TM) that's doing the same. It's the attacks that aren't logged that'll bite you.

Thank you. This list is a goodie, really! But how could I tell the firewall to speak a bit less?

Robert
On Sunday 25 July 2004 11:46, Bob wrote:
> Stephen Boddy wrote:
>> On Sunday 25 July 2004 17:24, Bob wrote:
>>> Hello.
>>>
>>> For some time I have seen my syslogs polluted with messages like the following (more or less; I hide my IP with x's and the MAC address with y's):
>>>
>>> Jul 25 18:18:58 xxxxx kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=yyyy SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63989 DF PROTO=TCP SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>>>
>>> What does it mean? Is my ethernet card malfunctioning?
>>
>> No, it's your firewall warning that somebody tried to access your system, but that it was caught and dropped. They tried to access port 135 (DPT=135), which is listed in /etc/services as:
>>
>> epmap 135/tcp # DCE endpoint resolution
>>
>> SRC=x.x.x.x is theoretically where it came from, which you could check with:
>>
>> host x.x.x.x
>>
>> I wouldn't worry too much. Probably just some script kiddie port scanning, or Yet Another Windows Virus (TM) that's doing the same. It's the attacks that aren't logged that'll bite you.
>
> Thank you. This list is a goodie, really! But how could I tell the firewall to speak a bit less?
>
> Robert

The amount of logging can be configured in /etc/sysconfig/SuSEfirewall2 (the config file).
--
...CH
"The more they over-think the plumbing, the easier it is to stop up the drain." Scotty

On Sunday 25 July 2004 11:24 am, Bob wrote:
> For some time I have seen my syslogs polluted with messages like the following (more or less; I hide my IP with x's and the MAC address with y's):
>
> Jul 25 18:18:58 xxxxx kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=yyyy SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=63989 DF PROTO=TCP SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>
> What does it mean? Is my ethernet card malfunctioning?

It means SuSEFirewall (SFW2) is working and has dropped someone trying to go into your port 135 using the TCP protocol. Do a whois, from root, on the SRC IP to see where the stuff came from. If you want to know all the good and gory details, look into shorewall.net and read Tom Eastep's documentation. His stuff is pretty easy to understand and has some pretty pictures.

ra
participants (5): Bob, C Hamel, Peter B Van Campen, Richard Atcheson, Stephen Boddy