[suse-security] Odd FW Log
From: Tom Knight (thomas.knight@ahds.ac.uk)
Date: Wed Mar 31 2004 - 07:12:55 CST
I'm seeing odd things in my FW log.
Running SLES 8, all YOU updates applied.
Machine has v. limited services (ssh, apache, tomcat, mysql, postfix).
Ports 80 and 8080 have just been opened globally, but this happened before
then.
The only other ports available (22, 3306) are to a few systems locally.
Only one nic is configured (and plugged in), eth1.
The SuSE FW set up is as comes out of the box except as detailed above,
although I had more logging turned on initially... umm, the extra logging
is in effect for the entries below. (Log _all_ dropped packets).
Question:
Why am I seeing these connections being accepted and dropped on port 1433??
Log (grepped):
Mar 31 05:37:02 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 05:37:02 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=66.7.157.125 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:0f:1f:02:28:80:00:09:11:7a:20:00:08:00 SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:59 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=xxx SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=41111 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:59 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=xxx SRC=203.194.164.154 DST=xxx LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=41111 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
No, my machine isn't called xxx.
The same goes for the IP/MAC address.
Any ideas?
TIA,
Tom.
---------------
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web: http://www.ahds.ac.uk
Email: tom.knight@ahds.ac.uk
Tel: (0)20 7928 7371
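One way to check this pattern across a whole log, added here as an example and not part of Tom's post: the script below parses SuSE-FW log lines, groups entries per packet (SRC, DST, PROTO, SPT, DPT and the IP ID), and lists packets that were logged under both an ACCEPT prefix and a DROP prefix, so a double entry for the same packet (as in the post, where the ACCEPT and DROP-DEFAULT lines share ID and SPT) stands out from genuinely accepted traffic. The sample lines are constructed, with RFC 5737 test addresses; TCP 1433 is the Microsoft SQL Server port.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SuSE-FW log format (addresses are RFC 5737 test ranges).
SAMPLE_LOG = """\
Mar 31 05:37:02 host kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 05:37:02 host kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59278 DF PROTO=TCP SPT=44435 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 host kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:32:56 host kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=40393 DF PROTO=TCP SPT=47174 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Mar 31 09:40:00 host kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shape: "kernel: SuSE-FW-<VERDICT> KEY=VALUE ..."; bare flags (DF, SYN, OPT) carry no "=" and are skipped.
VERDICT_RE = re.compile(r"kernel: SuSE-FW-(?P<verdict>[A-Z-]+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields plus VERDICT and TIME as a dict, or None for non-FW lines."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["VERDICT"] = m.group("verdict")
    rec["TIME"] = line[:15]  # syslog timestamp, e.g. "Mar 31 05:37:02"
    return rec


def packet_key(rec):
    """Identify one packet by 5-tuple plus IP ID, so two log lines for the same packet collide."""
    return tuple(rec.get(k, "") for k in ("SRC", "DST", "PROTO", "SPT", "DPT", "ID"))


def accepted_then_dropped(log_text):
    """Packets logged under both an ACCEPT and a DROP-* prefix, as sorted (src, dpt, ip_id) tuples."""
    verdicts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            verdicts[packet_key(rec)].add(rec["VERDICT"])
    hits = [key for key, seen in verdicts.items()
            if "ACCEPT" in seen and any(v.startswith("DROP") for v in seen)]
    return sorted((src, dpt, pid) for src, _dst, _proto, _spt, dpt, pid in hits)


if __name__ == "__main__":
    for src, dpt, pid in accepted_then_dropped(SAMPLE_LOG):
        print(f"{src} -> port {dpt} (IP ID {pid}): logged as both ACCEPT and DROP")
```

Run it against a real /var/log/messages by passing the file's contents instead of SAMPLE_LOG; the single-entry SSH line in the sample is not reported, which is the control case.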