Koozali.org: home of the SME Server

Logwatch - iptables activity

Offline bloodshoteye

Logwatch - iptables activity
« on: August 26, 2008, 12:36:04 PM »
Hi all,

A check of /etc/services shows no entry for TCP or UDP 14687
Unless I'm misunderstanding logwatch, this machine received 25997 packets addressed to port 14687?
The size of the logwatch e-mail is 720Kb, but what concerns me is these packets originate from, wait for it:
14318 different IP addresses...

Quote
---------------------- iptables Begin ------------------------

 
 Listed by source hosts:
 Logged 25997 packets on interface eth1
   From 4.253.79.181 - 1 packet to udp(14687)
   From 8.7.69.232 - 1 packet to udp(14687)
   From 8.7.69.233 - 1 packet to udp(14687)
   From 8.10.6.243 - 1 packet to udp(14687)
   From 12.20.4.100 - 1 packet to udp(14687)
   [...
   ...]  
   From 222.254.2.142 - 1 packet to udp(14687)
   From 222.254.186.229 - 1 packet to udp(14687)
   From 222.255.224.115 - 1 packet to udp(14687)
 
 ---------------------- iptables End -------------------------
 

Cause for concern, or carry on drinking my coffee?
SME Server is a fantastic product - thank you!

Offline CharlieBrady

Re: Logwatch - iptables activity
« Reply #1 on: August 27, 2008, 01:42:59 AM »
The size of the logwatch e-mail is 720Kb, but what concerns me is these packets originate from, wait for it:
14318 different IP addresses...

No, they have 14318 different source IP addresses, but source IP addresses can be forged.

Quote
Cause for concern, or carry on drinking my coffee?

Is the only thing in life you can find to be concerned about some packets which are unwanted and have been discarded?
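The logwatch section quoted in the first post lists one line per source host in the form "From <address> - <n> packet(s) to <proto>(<port>)". The following script is an added example, not code from this thread, from SME Server or from logwatch: it parses lines in that format, aggregates them per destination port, counts distinct source addresses, and labels the pattern, carrying the caveat from the reply above that UDP source addresses cannot be verified and may be forged. The sample block is constructed for the example; its first udp(14687) lines copy the thread's quote, and the tcp(22) and tcp(445) lines are invented using documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted logwatch "iptables" section.
# The udp(14687) lines are copied from the thread; the tcp lines are invented.
SAMPLE = """\
---------------------- iptables Begin ------------------------

 Listed by source hosts:
 Logged 25997 packets on interface eth1
   From 4.253.79.181 - 1 packet to udp(14687)
   From 8.7.69.232 - 1 packet to udp(14687)
   From 8.7.69.233 - 1 packet to udp(14687)
   From 8.10.6.243 - 1 packet to udp(14687)
   From 12.20.4.100 - 1 packet to udp(14687)
   From 198.51.100.7 - 40 packets to tcp(22)
   From 198.51.100.7 - 3 packets to tcp(445)
   From 203.0.113.9 - 12 packets to tcp(22)

 ---------------------- iptables End -------------------------
"""

# One "From <src> - <n> packet(s) to <proto>(<port>)" line.
LINE_RE = re.compile(
    r"^\s*From\s+(\S+)\s+-\s+(\d+)\s+packets?\s+to\s+(\w+)\((\d+)\)\s*$"
)


def parse_iptables_section(text):
    """Return (src, count, proto, port) tuples for every per-source line found."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, count, proto, port = m.groups()
            entries.append((src, int(count), proto, int(port)))
    return entries


def summarize_by_port(entries):
    """Aggregate per (proto, port): total packets and number of distinct sources."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for src, count, proto, port in entries:
        totals[(proto, port)] += count
        sources[(proto, port)].add(src)
    return {
        key: {"packets": totals[key], "sources": len(sources[key])}
        for key in totals
    }


def classify_ports(summary, min_sources=100, min_packets=20):
    """Label each port's pattern.

    - Many distinct sources, roughly one packet each (the thread's case) is a
      wide fan-in; for UDP there is no handshake, so the addresses are
      unverifiable and may be forged, as the reply above points out.
    - A sizeable packet count from few sources looks like repeated probing.
    - Everything else is ordinary background noise from a dropped-packet log.
    Thresholds are assumptions for this example, not values from the page.
    """
    labels = {}
    for (proto, port), s in summary.items():
        if s["sources"] >= min_sources and s["packets"] < 2 * s["sources"]:
            label = "wide fan-in, about one packet per source"
            if proto == "udp":
                label += "; UDP sources are unverifiable and may be forged"
        elif s["packets"] >= min_packets:
            label = "repeated probes from %d source(s)" % s["sources"]
        else:
            label = "background noise"
        labels[(proto, port)] = label
    return labels


if __name__ == "__main__":
    summary = summarize_by_port(parse_iptables_section(SAMPLE))
    # Low thresholds so the small constructed sample shows each label.
    for key, label in classify_ports(summary, min_sources=5).items():
        print("%s(%d): %s -> %s" % (key[0], key[1], summary[key], label))
```

Against a real logwatch mail, leave the thresholds at their defaults (or tune them to the host's usual noise level) and feed the whole iptables section; the script ignores the header and footer lines and anything that does not match the per-source format.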


Offline bloodshoteye

Re: Logwatch - iptables activity
« Reply #2 on: August 27, 2008, 09:00:48 AM »
CharlieBrady,

I know you and others are very busy on this list and have a vast fund of knowledge and experience, which is what I was tapping into.
Sifting through your somewhat sarcastic answer:
Quote
Is the only thing in life you can find to be concerned about some packets which are unwanted and have been discarded?
I notice that these packets have been discarded.
Good - unwanted, and discarded packets are not the only thing in life that concerns me. My client concerns me and this is occurring with his setup.

Please remember we are not as experienced as you and your colleagues. We may not always construct our question correctly and may even show downright stupidity - perhaps in matters incidental to sme, in this case TCP/IP?
At least I waited a while before responding to your answer, and I apologize if I appear to be oversensitive in my response. This just goes to show that what we say can and will affect others.
SME Server is a fantastic product - thank you!

Offline arne

Re: Logwatch - iptables activity
« Reply #3 on: September 06, 2008, 10:29:38 PM »
I think some thousands of denied packets will be among the normal noise that will exist from time to time when connected to the internet.

If one person sitting in an internet cafe in China, or somewhere else, is deciding to make a port scan of your server, he could easily fill your log with some thousands of packets. When the source address changes, this only shows that it is not an ordinary port scanner but some other similar tool that is used.

When connected to the internet I guess that you will have to calculate and expect that such things will happen from time to time.

I just tried to open port 22 and ssh for external logon. It took a few hours before the first attack occurred, and then it was attack after attack, I think every day. A number of these attacks were actually traced to China. Some of the attacks were obviously done with automated brute force tools. Some others were performed in such a way, it looked like someone was sitting and typing user accounts and passwords by hand.

I think that's just how the Internet is. Attacks and spoofed packets are just a part of normal daily life. (Unless the server is located on a protected LAN or DMZ.)
......

Offline bloodshoteye

Re: Logwatch - iptables activity
« Reply #4 on: September 08, 2008, 09:55:10 AM »
Whatever their objectives may be, it's reassuring to know that SME probably won't fall over in gateway mode and can keep the creeps out.
Overall, I'm very impressed with SME and promote it and the tireless devs often.
SME Server is a fantastic product - thank you!

Offline arne

Re: Logwatch - iptables activity
« Reply #5 on: September 09, 2008, 02:32:23 AM »
Here is a tool that can be used to give some info when strange things end up in the log: http://geotool.servehttp.com/
......

Offline bloodshoteye

Re: Logwatch - iptables activity
« Reply #6 on: September 09, 2008, 09:12:44 AM »
Thanks for this link - the great thing with this is it's available as a Firefox add-on.
SME Server is a fantastic product - thank you!