Linux - General (LinuxQuestions.org)
But now it has come back to haunt me. I now have cable, RH 7.1, and am using iptables instead of ipchains. Somebody really really dumb (or extremely smart) on my subnet is trying to connect to a single port on my broadcast IP. It may be a port scan or just someone not knowing how to run a server properly. As expected, they are being denied by my firewall. So I am not worried about being hacked (just yet). But the DENY messages will not stop coming up on my console. The problem is that this person is continuously trying to connect to this port. Somehow they are rotating through about 3000 UDP ports trying to connect to this one port. So, for every port they try to connect from, I get a deny message. 1 every 3 seconds....... but for the past month!!!! Yes, my logs are HUGE. This is obviously cluttering up my console and I cannot use it because I can never see what I am typing and what directory I am in. So.......
I have removed every reference to /dev/console in my syslog.conf. The only thing in there that I can see that might cause this is "*.emerg *" but I do not think DENY messages are emergency messages from the kernel. Anyone know why these messages would still be popping up on my screen? (The only way I can get them to stop is to turn off logging in gShield, which I do not want to do.)
Maybe the solution is to get the actual problem solved. Most (all?) ISPs actively pursue members that run portscans against other members (as well as anybody on the internet). It's boilerplate text on most AUP (Acceptable Use Policy) agreements on your (and the bad guy's)
Copy the logs, trim them for brevity, and mail them to whoever is responsible (abuse@your.isp).
Make sure the date and times are accurate so that they can find who had the IP address lease.
I've sent two out so far this year and although I never got anything more than an autoresponse mail message, the problems went away quickly.
DavidPhillips, no I do not have those daemons running. Sorry for being ignorant, but why do you ask? I'm not sure what mon does and I was a little wary about setting up portsentry to make a default route to nowhere blocking the host, because a person can spoof any popular website or DNS server or anything and I would be out of luck...
mcleodnine, I have already done that but was not too pleased by what I found. Yes, my cable company does not allow port scans and they do have a nice system for reporting, but I fear I may be overlooked due to the large customer base. Let me put it this way. Their system sends an auto message back to you with a ticket number saying they got your request. My first attempt just asked what to do. I got a ticket number and the auto message mentioned to include the logs if I didn't. So, I sent the email again with the logs about an hour later. My trouble ticket was 9000 numbers higher than my first one. BTW, I have Adelphia Powerlink. My guess is that if they DID get to it, it would be a month or so down the line...
You mentioned you got an auto response message too. Mind if I ask what ISP you are using?
I must have spoken too soon. Right after I posted the last message, I decided to check my logs. There has not been one instance of that message during the entire night. And that is even with logging all messages at debug level. I guess Adelphia is A LOT quicker than I thought. But now something else has come up, thankfully not so annoying.
On the screen again, as well as in my logs the following comes up every minute or so:
From what I think I know, this message is being generated by my machine trying to connect to a bootp server (port 67 is the bootps port and port 68 is the bootpc port) on Adelphia's network. The only thing that bothers me is that the MAC address matches NEITHER of my ethernet cards... This is why I think something else may be going on.
Does anyone know how to properly read IPTables logs or a good source where I can learn more about the logs?
The logs are only in the log files, I am not getting any emails in my root account. I'll mess around with it some more and let you guys know what I find. If I find anything....
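For the question above about how to read iptables logs, here is an added example (not from the thread, and not gShield's or iptables' own code) that parses a few constructed syslog lines in the iptables LOG-target format. It splits the MAC= field, which the LOG target writes as destination MAC, source MAC and then the two-byte EtherType, tallies how many distinct source ports each source has used against each destination port (the "rotating through 3000 UDP ports" pattern), and tags each hit as DHCP traffic (ports 67/68), a broadcast, or a unicast frame addressed to one of the local cards. The sample lines use RFC 5737 test addresses and made-up MACs, and the local MAC and broadcast addresses in LOCAL_MACS and LOCAL_BROADCASTS are assumed values for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the iptables LOG-target format (RFC 5737 test
# addresses, made-up MACs). They are NOT the poster's real log entries.
SAMPLE_LOG = """\
Jun  3 02:14:07 box kernel: DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:5e:10:00:01:08:00 SRC=192.0.2.17 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=UDP SPT=1025 DPT=137 LEN=58
Jun  3 02:14:10 box kernel: DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:5e:10:00:01:08:00 SRC=192.0.2.17 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4712 PROTO=UDP SPT=1026 DPT=137 LEN=58
Jun  3 02:14:13 box kernel: DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:5e:10:00:01:08:00 SRC=192.0.2.17 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4713 PROTO=UDP SPT=1027 DPT=137 LEN=58
Jun  3 02:15:00 box kernel: DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:5e:10:00:fe:08:00 SRC=192.0.2.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun  3 02:15:30 box kernel: DENY IN=eth0 OUT= MAC=02:00:5e:ab:cd:ef:02:00:5e:10:00:22:08:00 SRC=198.51.100.9 DST=192.0.2.42 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=9 DF PROTO=TCP SPT=40213 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed local details used by the classification step (hypothetical values).
LOCAL_MACS = {"02:00:5e:ab:cd:ef"}
LOCAL_BROADCASTS = {"192.0.2.255", "255.255.255.255"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

PREFIX_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*IN=")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_line(line):
    """Parse one syslog line written by the iptables LOG target.

    Returns a dict of KEY=VALUE fields plus the log prefix, the syslog
    timestamp, and the MAC= field split into its three parts, or None if the
    line is not an iptables LOG line.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    entry = {"timestamp": line[:15], "prefix": m.group("prefix")}
    # Scan only from "IN=" onwards so the prefix cannot be mistaken for a field.
    for key, val in FIELD_RE.findall(line[m.end() - 3:]):
        # LEN appears twice (IP total length, then UDP/TCP length); keep the first.
        entry.setdefault(key, val)
    octets = entry.get("MAC", "").split(":")
    if len(octets) == 14:
        # The LOG target writes MAC= as dst MAC (6 bytes), src MAC (6 bytes),
        # then the 2-byte EtherType, all colon separated.
        entry["dst_mac"] = ":".join(octets[:6])
        entry["src_mac"] = ":".join(octets[6:12])
        entry["ethertype"] = "".join(octets[12:])
    return entry


def classify(entry, local_macs=LOCAL_MACS, local_broadcasts=LOCAL_BROADCASTS):
    """Label a parsed entry: 'dhcp', 'broadcast', 'unicast-to-us' or 'other'."""
    ports = {entry.get("SPT"), entry.get("DPT")}
    if entry.get("PROTO") == "UDP" and ports == {"67", "68"}:
        return "dhcp"
    if entry.get("DST") in local_broadcasts or entry.get("dst_mac") == BROADCAST_MAC:
        return "broadcast"
    if entry.get("dst_mac") in local_macs:
        return "unicast-to-us"
    return "other"


def summarize(entries):
    """Group by (SRC, DST, PROTO, DPT) -> (hit count, distinct source ports).

    One source cycling through thousands of source ports against a single
    destination port shows up as a high distinct-SPT count under one key.
    """
    hits = Counter()
    sports = defaultdict(set)
    for e in entries:
        key = (e.get("SRC"), e.get("DST"), e.get("PROTO"), e.get("DPT"))
        hits[key] += 1
        sports[key].add(e.get("SPT"))
    return {key: (hits[key], len(sports[key])) for key in hits}


def parse_log(text):
    """Parse every iptables LOG line in a block of syslog text."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e["timestamp"], e["prefix"], classify(e),
              e["SRC"], "->", e["DST"], e["PROTO"], e.get("SPT"), "->", e.get("DPT"),
              "| frame", e["src_mac"], "->", e["dst_mac"])
    for key, (count, nsports) in summarize(entries).items():
        print("%s -> %s %s/%s: %d hits from %d distinct source ports" % (key + (count, nsports)))
```

Splitting the MAC field this way also shows why a logged MAC need not match either local card: for an inbound broadcast frame the destination half is ff:ff:ff:ff:ff:ff and the source half belongs to the sender. One caveat on the console clutter discussed earlier in the thread: LOG-target messages are kernel printk output, so they can reach the console through the kernel's console log level (the kernel.printk sysctl, or dmesg -n) even with no /dev/console entry in syslog.conf, and the LOG target's --log-level option sets the priority they are emitted at.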