Mike Smith wrote:
>
> I blocked all incoming and outgoing traffic on those two ports and that
> cleaned up my logs quite a bit. You probably don't use those ports for
> anything anyways.......
Unless you're running Samba :-)
-- Joe
> -----Original Message-----
> From: owner-ale@ale.org [mailto:owner-ale@ale.org] On Behalf Of Joe Knapka
> Sent: Monday, March 06, 2000 4:16 PM
> To: Chris Egolf
> Cc: ale@ale.org
> Subject: Re: [ale] Interpreting IPChains logging
>
> Chris Egolf wrote:
> >
> > After following the ipchains discussion last week, I decided to kill my
> > NT sygate machine and start using IPMASQ for my NAT over a cable modem.
> > Everything's working great, but last night I decided to try the
> > 'semi-strong' ipchains ruleset found in the IPChains HOWTO.
> >
> > WOW! I was logging all sorts of stuff. So much that my
> > /var/log/messages was increasing about 10K/minute. I noticed that most
> > of the rejected packets were the default input rule, so I turned logging
> > off, but left it ON for things like spoofing. Now, it seems like I'm
> > seeing lots of spoofing attacks, or maybe I'm just reading the logs
> > wrong. Here's a sample from the logs:
> >
> > Mar 2 13:25:44 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.5:137 192.168.0.255:137 L=78 S=0x00 I=53465 F=0x0000 T=128 (#2)
> > Mar 2 13:25:46 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.111:138 192.168.0.255:138 L=239 S=0x00 I=56325 F=0x0000 T=128 (#2)
> > Mar 2 13:26:10 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.112:137 192.168.0.255:137 L=78 S=0x00 I=24902 F=0x0000 T=32 (#2)
> > Mar 2 13:27:21 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.104:137 192.168.0.255:137 L=78 S=0x00 I=13873 F=0x0000 T=128 (#2)
> > Mar 2 13:27:41 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.151:137 192.168.0.255:137 L=78 S=0x00 I=17423 F=0x0000 T=128 (#2)
> >
> > The #2 rule referred to above is:
> > ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
>
> The source and destination ports are NetBIOS nameservice
> (137) and datagram (138), and the NS query is a broadcast.
> So this could indicate someone is trying a general
> attack on Windows browsers. Or it could just be
> someone with a misconfigured system spewing local
> NetBIOS traffic out of the wrong interface.
>
> HTH,
>
> -- Joe
>
> > Anyone know where I can find a good source for interpreting these
> > logs? Should I be concerned, or am I being overly paranoid?
> >
> > Thanks.
> > --
> > ============================================================================
> > Chris Egolf
> > http://www.ugholf.net cegolf@ugholf.net
> > ============================================================================
> > --
> > To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message body.
>
> -- Joe Knapka
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.
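Added example, not part of the thread or of ipchains itself: a small Python parser for the ipchains "Packet log:" lines quoted above, run over a constructed copy of the five entries Chris posted. It pulls out the fields (chain, target, interface, PROTO, src:port, dst:port, L, S, I, F, T and the rule number in parentheses) and then groups the rejects the way a reader of these logs wants them grouped: by rule, by source, by service, how many are NetBIOS broadcasts, and how many arrived on the external interface carrying an internal source address, which is the case rule #2 exists to catch. The interface name eth1 and the network 192.168.0.0/24 are assumptions read off the sample lines; the thread never defines $extint or $intnet.

```python
"""Parse ipchains "Packet log:" lines and summarise what a rule is rejecting."""
import ipaddress
import re
from collections import Counter

# Constructed sample input: the five lines quoted in the thread, re-joined one per line.
SAMPLE_LOG = """\
Mar  2 13:25:44 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.5:137 192.168.0.255:137 L=78 S=0x00 I=53465 F=0x0000 T=128 (#2)
Mar  2 13:25:46 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.111:138 192.168.0.255:138 L=239 S=0x00 I=56325 F=0x0000 T=128 (#2)
Mar  2 13:26:10 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.112:137 192.168.0.255:137 L=78 S=0x00 I=24902 F=0x0000 T=32 (#2)
Mar  2 13:27:21 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.104:137 192.168.0.255:137 L=78 S=0x00 I=13873 F=0x0000 T=128 (#2)
Mar  2 13:27:41 kenny kernel: Packet log: input REJECT eth1 PROTO=17 192.168.0.151:137 192.168.0.255:137 L=78 S=0x00 I=17423 F=0x0000 T=128 (#2)
"""

# Layout of an ipchains packet log entry: chain, target, interface, then
# PROTO=<n> src:sport dst:dport L=<total length> S=<TOS> I=<IP id> F=<frag field>
# T=<TTL> (#<rule number>). For PROTO=1 the two "ports" are the ICMP type and code.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
SYSLOG_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
NETBIOS_UDP_PORTS = {137: "netbios-ns", 138: "netbios-dgm"}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_packet_log(text):
    """Return one dict per recognised "Packet log:" line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PACKET_LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
            e[key] = int(e[key])
        e["proto_name"] = PROTO_NAMES.get(e["proto"], str(e["proto"]))
        ts = SYSLOG_TS_RE.match(line)
        e["timestamp"] = ts.group("ts") if ts else None
        entries.append(e)
    return entries


def is_netbios_broadcast(e, intnet):
    """True for UDP NetBIOS name-service/datagram traffic aimed at a broadcast address."""
    net = ipaddress.ip_network(intnet)
    dst = ipaddress.ip_address(e["dst"])
    return (e["proto"] == 17 and e["dport"] in NETBIOS_UDP_PORTS
            and dst in (net.broadcast_address, LIMITED_BROADCAST))


def summarize(entries, extint="eth1", intnet="192.168.0.0/24"):
    """Group rejected packets the way someone reading these logs wants them grouped.

    extint/intnet stand in for the $extint/$intnet variables of the quoted rule; the
    defaults are assumptions read off the sample lines, not values from the thread.
    """
    net = ipaddress.ip_network(intnet)
    return {
        "total": len(entries),
        "by_rule": Counter(e["rule"] for e in entries),
        "by_source": Counter(e["src"] for e in entries),
        "by_service": Counter(
            NETBIOS_UDP_PORTS.get(e["dport"], f"{e['proto_name']}/{e['dport']}")
            for e in entries),
        "netbios_broadcast": sum(is_netbios_broadcast(e, intnet) for e in entries),
        # Arrived on the external interface with an internal source address: exactly the
        # case an anti-spoofing rule ("-i $extint -s $intnet ... -j REJECT") exists to catch.
        "internal_src_on_extint": sum(
            e["iface"] == extint and ipaddress.ip_address(e["src"]) in net
            for e in entries),
        # Distinct sources with distinct TTLs look more like several stray hosts than one
        # forged stream; treat it as a hint when deciding between Joe's two explanations.
        "ttls": sorted({e["ttl"] for e in entries}),
    }


if __name__ == "__main__":
    report = summarize(parse_packet_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against the sample, all five rejects are UDP NetBIOS broadcasts from 192.168.0.x hosts that arrived on eth1, so the report confirms the log is showing the anti-spoof rule doing its job rather than a flood of distinct attacks; pointing it at a real /var/log/messages (plain syslog lines are skipped) gives the per-source and per-service counts needed to decide whether the noise is a neighbour's misconfigured box or something worth following up.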