On Sun, 6 Oct 2002 09:22:05 -0700
ronald j roy <[EMAIL PROTECTED]> wrote:

> My logs are full of attempts from this address. How can I pull an
> address to send a complaint? What are they trying to do? And is
> there any way to block this completely?
> thanks in advance
> 
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Oct  6 09:00:08 ralone kernel: Packet log: input DENY ppp0 PROTO=6
> +202.72.168.81:2657 66.122.19.40:6667 L=48 S=0x00 I=21790 F=0x4000
> T=112 SYN
> +(#1)
> Oct  6 09:00:11 ralone kernel: Packet log: input DENY ppp0 PROTO=6
> +202.72.168.81:2657 66.122.19.40:6667 L=48 S=0x00 I=21801 F=0x4000
> T=112 SYN
> +(#1)
> Oct  6 09:00:17 ralone kernel: Packet log: input DENY ppp0 PROTO=6
> +202.72.168.81:2657 66.122.19.40:6667 L=48 S=0x00 I=21816 F=0x4000
> T=112 SYN
> +(#1)
> Oct  6 09:00:32 ralone kernel: Packet log: input DENY ppp0 PROTO=6
> +202.72.168.81:2659 66.122.19.40:6667 L=48 S=0x00 I=21858 F=0x4000
> T=112 SYN
> +(#1)
> Oct  6 09:00:35 ralone kernel: Packet log: input DENY ppp0 PROTO=6
> +202.72.168.81:2659 66.122.19.40:6667 L=48 S=0x00 I=21872 F=0x4000
> T=112 SYN
> +(#1)
> Oct  6 09:00:41 ralone kernel: Packet log: input DENY ppp0 PROTO=6
> 
   A machine at IP address 202.72.168.81 (port 2659) has scanned the
machine at IP address 66.122.19.40 (port 6667). PROTO=6 means TCP, and
ppp0 is the interface. Ipchains rule #1 blocked the attempted
connection with DENY.
   A list of port numbers shows that 2659 is SN-query, and 6667 is
IRCU. So, someone from 202.72.168.81 was scanning your machine looking
for an IRC server.
   You can further deny all services from 202.72.168.81 in
/etc/hosts.deny, if you feel you must. See 'man hosts.deny.'
   A very good introduction to interpreting firewall logs can be
found at:

   http://www.robertgraham.com/pubs/firewall-seen.html

   There is even a tutorial on how to find out who "owns"
202.72.168.81, and other useful links.


                                            Regards,

                                              Tom
                                             



-- 
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
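
An added example, not part of either message in this thread: a small Python parser for ipchains "Packet log:" lines like the ones quoted above. It rejoins the mail-wrapped lines, skips records that are cut off, and groups the denied packets by source so the summary can go into a complaint or a block decision. The function names are this example's own, and the field layout is inferred from the quoted lines.

```python
import re
from collections import defaultdict

# Three records taken from the quoted log above ("> " removed). Mail wrapping
# split each record over several lines; the last record is cut off.
SAMPLE = """\
Oct  6 09:00:08 ralone kernel: Packet log: input DENY ppp0 PROTO=6
+202.72.168.81:2657 66.122.19.40:6667 L=48 S=0x00 I=21790 F=0x4000
T=112 SYN
+(#1)
Oct  6 09:00:32 ralone kernel: Packet log: input DENY ppp0 PROTO=6
+202.72.168.81:2659 66.122.19.40:6667 L=48 S=0x00 I=21858 F=0x4000
T=112 SYN
+(#1)
Oct  6 09:00:41 ralone kernel: Packet log: input DENY ppp0 PROTO=6
"""
START = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)$")

def unwrap(text):
    """Rejoin wrapped lines: a timestamp starts a record, the rest continue it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if START.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line.lstrip("+")
    return records

def parse(text):
    """Return (parsed records, count of records too damaged to parse)."""
    matches = [RECORD.match(r) for r in unwrap(text)]
    hits = [m.groupdict() for m in matches if m]
    return hits, len(matches) - len(hits)

def summarize(hits):
    """Group by (source, destination, destination port, verdict)."""
    groups = defaultdict(lambda: {"count": 0, "sports": set(), "first": None, "last": None})
    for h in hits:
        g = groups[(h["src"], h["dst"], int(h["dport"]), h["target"])]
        g["count"] += 1
        g["sports"].add(int(h["sport"]))
        g["first"], g["last"] = g["first"] or h["ts"], h["ts"]
    return dict(groups)

if __name__ == "__main__":
    hits, skipped = parse(SAMPLE)
    for key, g in summarize(hits).items():
        print(key, g["count"], sorted(g["sports"]), g["first"], g["last"], "skipped:", skipped)
```
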