Hello,
Recently, I have upgraded my SuSE firewall and have been noticing these messages (below) in my xconsole. I am on a 56k dial-up offering no services and all ports are closed (except for one which is open to localhost), so I feel pretty secure and all 'on-line applications' I use seem to be working fine, so I am curious as to what this means.
I use a 2.4.2 kernel and iptables firewall.
Any ideas? The src IP changes sometimes, but often is the same or similar.
Jul 3 00:27:04 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=66.9.192.39 DST=211.2.96.188 LEN=60 TO
Jul 3 00:27:07 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=66.9.192.39 DST=211.2.96.188 LEN=60 TO
Jul 3 00:30:41 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=203.239.87.52 DST=211.2.96.188 LEN=60
Jul 3 00:38:07 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=6
Jul 3 00:38:11 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=6
Jul 3 00:38:17 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=6
(the messages extended wider than this but my screen space limited the amount I could copy and paste)
thanks for any advice, Joss
p.s. anyone need a tenant in Norwich starting sometime in September? :-)
On Tue, 3 Jul 2001, Joss Winn wrote:
Jul 3 00:38:17 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=6
What this means is a packet came in on ppp0 (your modem) destined for 211.2.96.188 (your IP address) from 211.104.247.142 (or wherever).
This may have been a legitimate packet arriving out of sequence, or may have been somebody doing a malicious probe of your machine. What I would really need to tell you more about what was going on would be the source port and destination port addresses; they would look something like SPT=80 DPT=50347, for example, in my firewall.
The main thing about these messages is that they are a good thing, in that at least your firewall appears to be doing something (whether the right thing or not I can't tell you). If you can give me some more output (maybe the output of dmesg), it would help me tell you a little more.
While I am here, does anybody know how to get iptables to increase the time it holds onto an out-of-sequence packet? I am getting loads of dropped packets when web browsing and wanted to have a look at this... although I must admit I haven't RTFM yet.
Adam
On Mon, Jul 02, 2001 at 05:05:28PM +0100, Adam Bower wrote:
On Tue, 3 Jul 2001, Joss Winn wrote:
Jul 3 00:38:17 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=6
What this means is a packet came in on ppp0 (your modem) destined for 211.2.96.188 (your IP address) from 211.104.247.142 (or wherever).
This may have been a legitimate packet arriving out of sequence, or may have been somebody doing a malicious probe of your machine. What I would really need to tell you more about what was going on would be the source port and destination port addresses; they would look something like SPT=80 DPT=50347, for example, in my firewall.
The main thing about these messages is that they are a good thing, in that at least your firewall appears to be doing something (whether the right thing or not I can't tell you). If you can give me some more output (maybe the output of dmesg), it would help me tell you a little more.
Thanks Adam,
My dmesg is attached. I just rebooted and went online before running dmesg.
thanks for your time :-)
What I noticed about these messages is that they occur a few times each time I am online. Not constantly, but very occasionally. Sometimes it is the same src IP address.
Joss
On Tue, 3 Jul 2001, Joss Winn wrote:
On Mon, Jul 02, 2001 at 05:05:28PM +0100, Adam Bower wrote:
On Tue, 3 Jul 2001, Joss Winn wrote:
Jul 3 00:38:17 linux kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=6
What this means is a packet came in on ppp0 (your modem) destined for 211.2.96.188 (your IP address) from 211.104.247.142 (or wherever).
My dmesg is attached. I just rebooted and went online before running dmesg.
I just took a look at the output of your dmesg; it appears that you are being portscanned from various hosts. The ones looking for DPT=111 are looking for open RPC servers, which have lots of vulnerabilities; DPT=53 is DNS (there are plenty of attacks against Bind); DPT=21 is ftp (again, there are loads of attacks against ftp servers). The scan for port 211 I don't really know what that is; /etc/services says part of X-windows, probably some obscure attack.
The fact that all of these logged entries have the SYN flag set suggests that they are just port scanning you and there is not too much to worry about.
What I would do to test the security of your firewall is to try a few of the online port scanners and see what they say; doing this should also provide lots of entries in dmesg.
HTH Adam
Joss Winn wrote:
Joss,
Here's the important bit snipped from your dmesg:
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=66.9.192.39 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=25574 DF PROTO=TCP SPT=2869 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A052D45600000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=66.9.192.39 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=26704 DF PROTO=TCP SPT=2869 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A052D468C0000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=203.239.87.52 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=52626 DF PROTO=TCP SPT=2831 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A03D5A0850000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=9147 PROTO=TCP SPT=4502 DPT=21 WINDOW=34930 RES=0x00 SYN URGP=0 OPT (0204052A010303030101080A000000000000000001010000)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=9552 PROTO=TCP SPT=4502 DPT=21 WINDOW=34930 RES=0x00 SYN URGP=0 OPT (0204052A010303030101080A000000000000000001010000)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=10341 PROTO=TCP SPT=4502 DPT=21 WINDOW=34930 RES=0x00 SYN URGP=0 OPT (0204052A010303030101080A000000000000000001010000)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=64.221.103.230 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=7825 DF PROTO=TCP SPT=1150 DPT=211 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A0009DFB00000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=200.197.200.131 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=32871 DF PROTO=TCP SPT=4284 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A0DF27DB40000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=200.197.200.131 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=34684 DF PROTO=TCP
Look for DPT= to see what they were after. You have:
111 (Sun RPC)
53 (DNS)
21 (FTP)
211 (Texas Instruments 914C/G Terminal) [whatever that is]
Depending on the source IP (SRC=xx.xx.xx.xx) they may or may not be malicious. I suspect the latter, myself.
Cheers, Laurie.
On Tue, 3 Jul 2001, Laurie Brown wrote:
Look for DPT= to see what they were after. You have:
111 (Sun RPC)
53 (DNS)
21 (FTP)
211 (Texas Instruments 914C/G Terminal) [whatever that is]
Depending on the source IP (SRC=xx.xx.xx.xx) they may or may not be malicious. I suspect the latter, myself.
You snipped the flags section, Laurie! As the only flag set is SYN, they are trying to get you to do a SYN,ACK and then they know the port is open. If you see the RST (reset) flag then it is usually that the connection has gone a bit pear shaped and is being renegotiated.
What I should have made very clear in my earlier message is that these 'error messages' are a good thing: they show that your firewall is working and telling you who has tried to connect to your machine on firewalled ports.
Adam
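The triage Adam and Laurie describe above (pull SRC and DPT out of each dropped-packet line, then check whether SYN alone or RST is set) is mechanical enough to script. The following is an added Python example, not code from this thread or from SuSE's firewall package. The first five log lines are copied from the dmesg output Laurie quoted; the sixth is constructed here to show what an ACK/RST segment looks like and reuses the SPT=80 DPT=50347 ports Adam gave as an illustration. The port notes are the ones given in the thread, and the function and verdict names are the example's own.

```python
from collections import defaultdict

# Lines 1-5: SuSE-FW-DROP-DEFAULT entries quoted in this thread. Line 6 is
# CONSTRUCTED for this example (not from the thread): an ACK/RST segment, the
# "connection gone pear shaped" case, using the SPT=80 DPT=50347 ports Adam
# mentioned. In the posted text "IN=" is glued to the prefix; the parser copes.
SAMPLE_LOG = """\
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=66.9.192.39 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=25574 DF PROTO=TCP SPT=2869 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A052D45600000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=203.239.87.52 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=52626 DF PROTO=TCP SPT=2831 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A03D5A0850000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188 LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=9147 PROTO=TCP SPT=4502 DPT=21 WINDOW=34930 RES=0x00 SYN URGP=0 OPT (0204052A010303030101080A000000000000000001010000)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=64.221.103.230 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=7825 DF PROTO=TCP SPT=1150 DPT=211 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A0009DFB00000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=200.197.200.131 DST=211.2.96.188 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=32871 DF PROTO=TCP SPT=4284 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A0DF27DB40000000001030300)
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=211.2.96.188 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=80 DPT=50347 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# TCP flag names the netfilter LOG target prints as bare words, in its print order.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Destination-port notes exactly as given in the thread (211 per Laurie's /etc/services).
PORT_NOTES = {21: "FTP", 53: "DNS", 111: "Sun RPC", 211: "Texas Instruments 914C/G Terminal"}


def parse_entry(line):
    """Parse one LOG line into {'fields': {KEY: value}, 'flags': {bare flag words}}.

    Returns None for lines that are not netfilter LOG output. A syslog prefix
    ("Jul 3 00:27:04 linux kernel: ...") and the run-together "DEFAULTIN=" are tolerated.
    """
    start = line.find("IN=")
    if start < 0:
        return None
    fields, flags = {}, set()
    for tok in line[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS or tok == "DF":
            flags.add(tok)
        # "OPT" and the hex option blob carry no key and are ignored here.
    return {"fields": fields, "flags": flags}


def classify(entry):
    """Label an entry the way the thread reasons about it: SYN alone means a probe."""
    if entry["fields"].get("PROTO") != "TCP":
        return "non-tcp"          # also covers truncated lines with no PROTO field
    tcp = {f for f in entry["flags"] if f in TCP_FLAGS}
    if tcp == {"SYN"}:
        return "syn-probe"        # unsolicited connection attempt to a firewalled port
    if "RST" in tcp:
        return "reset"            # a connection being torn down, not a scan by itself
    if "ACK" in tcp:
        return "late-segment"     # stray segment of a flow the firewall no longer tracks
    return "other"


def describe_port(port):
    return PORT_NOTES.get(port, "not listed in this thread")


def summarize(log_text):
    """Group dropped packets per source: {SRC: {verdict: sorted list of DPTs}}."""
    per_src = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        fields = entry["fields"]
        dpt = int(fields["DPT"]) if "DPT" in fields else None
        per_src[fields.get("SRC", "?")][classify(entry)].add(dpt)
    return {src: {verdict: sorted(p for p in ports if p is not None)
                  for verdict, ports in verdicts.items()}
            for src, verdicts in per_src.items()}


def main():
    for src, verdicts in summarize(SAMPLE_LOG).items():
        for verdict, ports in verdicts.items():
            notes = ", ".join(f"{p} ({describe_port(p)})" for p in ports)
            print(f"{src:16} {verdict:13} DPT {notes}")


if __name__ == "__main__":
    main()
```

Run against a full dmesg or /var/log/messages instead of SAMPLE_LOG and the per-source table makes Adam's point visible at a glance: a handful of sources each sending a lone SYN to 21, 53 or 111 is scanning noise the firewall is already handling, while RST or ACK-only drops are the out-of-sequence leftovers he asked about in his own question.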
well, thanks everyone for the very very rapid replies :-)
I have scanned my ports with nmap and only canna (Japanese server) is open to localhost.
Looney Genius, Steve Gibson's www.grc.com says I am running in full stealth mode on everything but
113 IDENT Closed Your computer has responded that this port exists but is currently closed to connections.
I guess what interests me is that the previous SUSE firewall I was using did not report any of my recent notices, but since upgrading, every time I go online, I get a few firewall messages.
joss