On Thu, 08 Feb 2001, Achim Ehrlich wrote:
Hello list,
I'm running a little home network and scan my messages only occasionally. Today I found that my var/log/messages was flooded with the following messages from ipchains:
Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)
Is some unsupervised kid with a 'security tool' syn-flooding him with spoofed source addresses? It seems his box is easily withstanding this, until his log fills the disk.
access my box on port 22 or 80 by one of the addresses (denied also). I also ran netstat -apln, the only entries I couldn't explain were:
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 120/
tcp 0 0 0.0.0.0:20011 0.0.0.0:* LISTEN 61/
Run lsof -i
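
Added example (not part of the original messages): a Python sketch that parses ipchains "Packet log:" lines in the format quoted above and counts denied packets and distinct source addresses per destination port, which is quicker than reading a flooded log by eye. The first two sample lines are the ones quoted in the thread; the remaining lines are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Field layout of an ipchains "Packet log:" line, as in the quoted messages.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"\s*(?P<syn>SYN)?\s*\(#(?P<rule>\d+)\)"
)

def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def summarise(lines):
    """Count packets and distinct sources per (protocol, destination port)."""
    packets, sources, skipped = Counter(), {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # not an ipchains packet-log line
            continue
        key = (rec["proto"], rec["dport"])
        packets[key] += 1
        sources.setdefault(key, set()).add(rec["src"])
    summary = {k: {"packets": n, "distinct_sources": len(sources[k])}
               for k, n in packets.most_common()}
    return summary, skipped

SAMPLE = [
    # The two lines quoted in the thread:
    "Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)",
    "Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)",
    # Constructed lines (documentation source addresses) for illustration:
    "Jan 24 00:01:02 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:40112 213.23.38.146:6346 L=48 S=0x00 I=2211 F=0x4000 T=110 SYN(#3)",
    "Jan 24 00:01:03 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:1044 213.23.38.146:22 L=60 S=0x00 I=901 F=0x4000 T=52 SYN(#3)",
    "Jan 24 00:01:04 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:1045 213.23.38.146:22 L=60 S=0x00 I=902 F=0x4000 T=52 SYN(#3)",
    "Jan 24 00:01:05 coalmine pppd[88]: rcvd [LCP EchoReq]",
]

if __name__ == "__main__":
    summary, skipped = summarise(SAMPLE)
    for (proto, dport), stats in summary.items():
        print(f"proto={proto} dport={dport} {stats}")
    print(f"skipped {skipped} non-matching line(s)")
```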