Ports 513 and 161 are used for broadcast services rwhod and snmpd. I very
much doubt you are getting port scanned. Examining your snippet of logs,
you are getting the 513 every 3 minutes which corresponds exactly with the
rwhod service. It's wrong of your ISP to have such a lax attitude toward
port scans, but this isn't what is happening to you it seems.
J.
On Fri, 5 Nov 1999, WH Bouterse wrote:
> "Port Scans are nothing to worry about"... to almost quote them
> directly.
>
> I have a static IP cable modem and the provider and ISP are one and the
> same.
>
> A couple months ago I queried this List re:Port Scanning in
> /var/log/messages
>
> Well, to update: it's only getting more crowded.
>
> Any of you sys admins and ISP types please give me feedback on these
> excerpts from my logs. I am running the basic "firewall stuff" and Port
> Sentry on RH, LM 6.1
>
> Looking in /etc/services I can glean that some of the entries are not
> serious at least at the moment.
> Though the main 'udp 513' scan has been going on for MONTHS now at 24/7
> !!!
>
> Nov 3 22:18:06 home portsentry[873]: attackalert: Connect from host:
> cable-225-14-237-24.anchorageak.net/24.237.14.225 to UDP port: 513
> Nov 3 22:18:06 home portsentry[873]: attackalert: Host: 24.237.14.225
> is already blocked. Ignoring
> Nov 3 22:21:06 home portsentry[873]: attackalert: Connect from host:
> cable-225-14-237-24.anchorageak.net/24.237.14.225 to UDP port: 513
> Nov 3 22:21:06 home portsentry[873]: attackalert: Host: 24.237.14.225
> is already blocked. Ignoring
> Nov 3 22:21:34 home portsentry[873]: attackalert: Connect from host:
> cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 7
> Nov 3 22:21:34 home portsentry[873]: attackalert: External command run
> for host: 24.237.14.15 using command: "24.237.14.51"
> Nov 3 22:21:34 home portsentry[873]: attackalert: Host 24.237.14.15 has
> been blocked via wrappers with string: "ALL: 24.237.14.15"
> Nov 3 22:21:34 home portsentry[873]: attackalert: Host 24.237.14.15 has
> been blocked via dropped route using command: "/sbin/route add -host
> 24.237.14.15 gw 333.444.555.666"
> Nov 3 22:21:34 home portsentry[873]: adminalert: ERROR: could not
> accept incoming socket for UDP port: 7
>
> Nov 3 22:22:13 home portsentry[873]: attackalert: Connect from host:
> cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
> Nov 3 22:22:13 home portsentry[873]: attackalert: Host: 24.237.14.15 is
> already blocked. Ignoring
> Nov 3 22:22:13 home portsentry[873]: attackalert: Connect from host:
> cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
> Nov 3 22:22:13 home portsentry[873]: attackalert: Host: 24.237.14.15 is
> already blocked. Ignoring
> Nov 3 22:24:06 home portsentry[873]: attackalert: Connect from host:
> cable-225-14-237-24.anchorageak.net/24.237.14.225 to UDP port: 513
> Nov 3 22:24:06 home portsentry[873]: attackalert: Host: 24.237.14.225
> is already blocked. Ignoring
>
>
> 2 home portsentry[873]: attackalert: Connect from host:
> cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 7
> Nov 4 02:57:42 home portsentry[873]: attackalert: Host: 24.237.14.15 is
> already blocked. Ignoring
> Nov 4 02:58:05 home portsentry[873]: attackalert: Connect from host:
> cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
> Nov 4 02:58:05 home portsentry[873]: attackalert: Host: 24.237.14.15 is
> already blocked. Ignoring
> Nov 4 02:58:06 home portsentry[873]: attackalert: Connect from host:
> cable-15-14-237-24.anchorageak.net/24.237.14.15 to UDP port: 161
> Nov 4 02:58:06 home portsentry[873]: attackalert: Host: 24.237.14.15 is
> already blocked. Ignoring
>
> The udp 161 has just cropped up the last couple of weeks on a regular
> basis.
>
> I also recently got a /var/log/secure message:
> FROM /VAR/LOG/SECURE
>
> Nov 4 03:26:09 home ipop3d[8471]: refused connect from
> cable-15-14-237-24.ancho "etc"
>
>
> Our state-wide cable provider has a reputation for shrugging its
> shoulders and saying, "enjoy the speed and don't worry about anything
> else."
>
> I need some input which might also be used to substantiate my claim when
> I meet with them next week that they are being "irresponsible" in the
> field of ISP services.
>
> Thanks for any input; this has been going on for months now. Emails both
> pleasant and irritated to individuals with the company provided by the
> local office have turned up one "auto responder" a month ago.
>
> Am I just being a "paranoid naysayer" ?! (I've been called worse!)
> Is it unreasonable to ask one's ISP to "please address continuous
> port scanning by unknown individuals?"
>
> If the replies are too long for this List please contact me at my email
> address.
> Thanks
>
> William Bouterse
> Juneau, Alaska
>
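
The reply above turns on timing: the UDP 513 hits recur at a fixed three-minute interval, which points to a periodic service broadcast rather than a scan. The following is an added example, not part of the thread or of PortSentry: it groups PortSentry "Connect from host" lines by source and port and flags flows whose inter-arrival gaps are constant. The sample lines are constructed (documentation addresses, unwrapped), and `YEAR`, `min_hits` and `jitter` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

YEAR = 1999  # assumption: syslog timestamps carry no year
HIT = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}) \S+ portsentry\[\d+\]: attackalert: "
                 r"Connect from host: \S+/([\d.]+) to (TCP|UDP) port: (\d+)")

# Constructed sample lines in the PortSentry format quoted above (unwrapped,
# documentation addresses); not taken from the poster's logs.
SAMPLE = """\
Nov 3 22:18:06 home portsentry[873]: attackalert: Connect from host: a.example/192.0.2.225 to UDP port: 513
Nov 3 22:21:06 home portsentry[873]: attackalert: Connect from host: a.example/192.0.2.225 to UDP port: 513
Nov 3 22:21:34 home portsentry[873]: attackalert: Connect from host: b.example/192.0.2.15 to UDP port: 7
Nov 3 22:22:13 home portsentry[873]: attackalert: Connect from host: b.example/192.0.2.15 to UDP port: 161
Nov 3 22:22:13 home portsentry[873]: attackalert: Host: 192.0.2.15 is already blocked. Ignoring
Nov 3 22:24:06 home portsentry[873]: attackalert: Connect from host: a.example/192.0.2.225 to UDP port: 513
Nov 3 22:27:07 home portsentry[873]: attackalert: Connect from host: a.example/192.0.2.225 to UDP port: 513
Nov 4 02:57:42 home portsentry[873]: attackalert: Connect from host: b.example/192.0.2.15 to UDP port: 7
Nov 4 02:58:05 home portsentry[873]: attackalert: Connect from host: b.example/192.0.2.15 to UDP port: 161
""".splitlines()

def hits_by_flow(lines):
    """Group hit timestamps by (source IP, protocol, port)."""
    flows = defaultdict(list)
    for line in lines:
        m = HIT.match(line)
        if m:  # "already blocked" and other lines are skipped
            when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            flows[(m.group(2), m.group(3), int(m.group(4)))].append(when)
    return flows

def classify(lines, min_hits=3, jitter=5.0):
    """Label each flow 'periodic' (with its interval in seconds) or 'irregular'."""
    report = {}
    for flow, times in hits_by_flow(lines).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps) if gaps else 0.0
        steady = len(times) >= min_hits and mid > 0 and all(abs(g - mid) <= jitter for g in gaps)
        report[flow] = ("periodic", mid) if steady else ("irregular", None)
    return report

if __name__ == "__main__":
    for (ip, proto, port), (label, interval) in sorted(classify(SAMPLE).items()):
        print(ip, proto, port, label, interval or "")
```

A flow reported as periodic on a single port is consistent with a misconfigured or chatty neighbour; a source that touches many different ports with no fixed cadence is the pattern that warrants a closer look.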