[ale] iptables log entries
James P. Kinney III
jkinney at localnetsolutions.com
Mon Jan 21 08:00:38 EST 2002
From the ports, it looks like it's trying to babble to a httpd. I'm
guessing DST=216.77.224.94 is your linux box that is receiving these. If
so, check your apache logs for requests for *.exe etc.
It's also time to add a rule to log all activity from 207.25.71.223.
Being deeply suspicious of "weird" packets, this does look like a bug of
some type.
On Mon, 2002-01-21 at 07:46, Mike Millson wrote:
> The following rule is generating a lot of entries in my messages log file:
> $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
> $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
>
> What I think this rule is doing is "Drop any packet that is a new connection
> that does not have the SYN flag set."
>
> Here is an example of an entry I find in my log file from INCOMING
> traffic (with info Xed out to protect the innocent):
>
> Jan 21 06:18:50 XXXXXX kernel: New not syn:IN=eth0 OUT=
> MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223
> DST=216.77.224.94 LEN=41 TOS=0x00 PREC=0x00 TTL=110 ID=20979 PROTO=TCP
> SPT=80 DPT=1386 WINDOW=16364 RES=0x00 ACK URGP=0
> Jan 21 06:18:51 XXXXXX kernel: New not syn:IN=eth0 OUT=
> MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223
> DST=216.77.224.94 LEN=41 TOS=0x00 PREC=0x00 TTL=110 ID=10510 PROTO=TCP
> SPT=80 DPT=1393 WINDOW=11984 RES=0x00 ACK URGP=0
> Jan 21 06:19:39 XXXXXX kernel: New not syn:IN=eth0 OUT=
> MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223
> DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=53366 PROTO=TCP
> SPT=80 DPT=1379 WINDOW=0 RES=0x00 ACK RST URGP=0
> Jan 21 06:19:53 XXXXXX kernel: New not syn:IN=eth0 OUT=
> MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223
> DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=55006 PROTO=TCP
> SPT=80 DPT=1384 WINDOW=0 RES=0x00 ACK RST URGP=0
>
> The 207.25.71.223 IP address is owned by Turner Broadcasting. It looks like
> someone is scanning my ports. Why is the scanning taking place with a bogus
> packet, one where the SYN flag isn't set on a new connection? Is this just
> the standard port scanning technique? If so, w/o the SYN flag, how do they
> know the port is open if they don't get an ACK?
>
>
> Here is an example of an entry I find in my log file from OUTGOING
> traffic (with info Xed out to protect the innocent):
>
> Jan 21 06:14:08 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11
> DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=36396 DF PROTO=TCP
> SPT=1551 DPT=80 WINDOW=7438 RES=0x00 ACK FIN URGP=0
> Jan 21 06:14:10 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11
> DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=55596 DF PROTO=TCP
> SPT=1553 DPT=80 WINDOW=7537 RES=0x00 ACK FIN URGP=0
> Jan 21 06:14:11 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11
> DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=55852 DF PROTO=TCP
> SPT=1551 DPT=80 WINDOW=7438 RES=0x00 ACK FIN URGP=0
> Jan 21 06:14:15 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11
> DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4141 DF PROTO=TCP
> SPT=1553 DPT=80 WINDOW=7537 RES=0x00 ACK FIN URGP=0
>
> It looks like the W98 machine I have hooked up to my network is sending out
> the same sort of packets. Is this a worm on my W98 machine? What sort of
> program would be sending out these kinds of packets? I looked up
> 64.12.180.21 but couldn't find who owns it. Is this one of those reserved
> internal routing addresses like 192.168.x.x? If so, what possible use could
> a program have for trying to port scan internal machines?
>
> Thank you,
> Mike Millson
> ----------------------------------------
> AableTech Solutions, Inc.
> 770.414.8834
> 770.414.8206 fax
> http://www.atsga.com
> ----------------------------------------
>
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
>
--
James P. Kinney III \Changing the mobile computing world/
President and COO \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
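A small triage script for the "New not syn:" entries discussed in this thread. This is an added example, not code posted by either correspondent. It parses the kernel LOG format shown above, separates the packets that are the usual tail end of connections conntrack has already forgotten (late ACKs from a server port, and ACK/RST or ACK/FIN teardowns) from ACK-only packets that do not fit that pattern, and then flags any single source whose unexplained packets hit several distinct destination ports. The sample log lines are constructed to match the format in the thread (the host name is replaced with a placeholder, and the 203.0.113.9 entries are invented to exercise the multi-port check); the WELL_KNOWN_SERVER_PORTS set and the SCAN_PORT_THRESHOLD are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries in the same format as the kernel LOG lines quoted in the thread.
# The first three mirror the quoted incoming/outgoing entries; the 203.0.113.9 lines are invented
# to show what a source touching several ports with bare ACKs looks like.
SAMPLE_LOG = """\
Jan 21 06:18:50 fw kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=41 TOS=0x00 PREC=0x00 TTL=110 ID=20979 PROTO=TCP SPT=80 DPT=1386 WINDOW=16364 RES=0x00 ACK URGP=0
Jan 21 06:19:39 fw kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=53366 PROTO=TCP SPT=80 DPT=1379 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 21 06:14:08 fw kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=36396 DF PROTO=TCP SPT=1551 DPT=80 WINDOW=7438 RES=0x00 ACK FIN URGP=0
Jan 21 06:20:01 fw kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=203.0.113.9 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Jan 21 06:20:02 fw kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=203.0.113.9 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 ACK URGP=0
Jan 21 06:20:03 fw kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=203.0.113.9 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0
"""

# TCP flag names as the kernel LOG target prints them (bare tokens, not key=value).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumption: source ports we expect late replies from (services the LAN talks to).
WELL_KNOWN_SERVER_PORTS = {"80", "443", "25", "22", "21", "110", "143"}
# Assumption: how many distinct ports one source must touch before we call it out.
SCAN_PORT_THRESHOLD = 3


def parse_log_line(line):
    """Parse one kernel LOG line into a dict of key=value fields plus a 'flags' set.

    Returns None for lines that are not iptables LOG entries.
    """
    if "kernel:" not in line:
        return None
    _, _, body = line.partition("kernel:")
    prefix, sep, rest = body.partition("IN=")
    if not sep:
        return None
    entry = {"timestamp": line[:15], "prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            entry[key] = value          # OUT= with no value becomes ""
        elif tok in TCP_FLAGS:
            entry["flags"].add(tok)
        elif tok == "DF":
            entry["DF"] = True          # don't-fragment bit is printed as a bare token
    return entry


def classify(entry):
    """Heuristic label for a packet that conntrack saw as NEW but that had no SYN."""
    flags = entry["flags"]
    if "RST" in flags or "FIN" in flags:
        # Teardown of a connection whose state entry already timed out.
        return "stale-teardown"
    if flags == {"ACK"} and entry.get("SPT") in WELL_KNOWN_SERVER_PORTS:
        # Late data/ACK from a server the LAN talked to earlier.
        return "stale-reply"
    return "unexpected"


def triage(log_text):
    """Summarise a block of log text: class counts and sources probing several ports."""
    classes = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None or entry.get("PROTO") != "TCP":
            continue
        label = classify(entry)
        classes[label] += 1
        if label == "unexpected":
            ports_by_src[entry["SRC"]].add(int(entry["DPT"]))
    suspects = {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= SCAN_PORT_THRESHOLD
    }
    return {"classes": dict(classes), "suspects": suspects}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("packet classes:", report["classes"])
    for src, ports in report["suspects"].items():
        print(f"{src}: bare ACKs to {len(ports)} distinct ports {ports}")
```

Run it against a real `/var/log/messages` by replacing SAMPLE_LOG with the file contents (for example `triage(open("/var/log/messages").read())`). The "stale" labels are a heuristic, not proof: they only say the packet is consistent with a connection the firewall's state table has expired, which is the common reason a `! --syn --state NEW` rule fires at all. The per-source port count is what separates that background noise from one host touching many ports in a short window, which is the thing worth a closer look.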