Paul L. Snyder on 11 Nov 2005 20:53:32 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Incoming connection attempts--is this normal?

Quoting Gregson Helledy <>:

> I'm trying to diagnose why my diald link (for dialup internet access) is
> staying up and looking through log files I found an amazing number of 
> attempted incoming connections.  According to a website I used to look 
> up a few of the IPs, they are coming from all around the world (China, 
> Japan and Switzerland were the first 3 I looked at).  The following are 
> the attempted connections just between 9 and 9:10 this morning.
> 1.  Do other people get this many random connection attempts?  Should I 
> be surprised that an IP used for a dialup ISP gets this?

If your computer is on the Internet it is going to be scanned.  Scanners 
or worms may try addresses randomly, or try everything in a block.
Exactly what is probing you varies with the flavor of the week.

> 2.  diald wouldn't consider these connection attempts as traffic for the
> purposes of keeping the link up, would it?

It's been too long since I've used diald to say for certain, but check
out your filter rules.  Figure out what sorts of traffic you actually 
want to bring up or keep up your link (DNS, http, games, email, IM), andthen
write rules accordingly.  For some examples, take a look at

> DF PROTO=UDP SPT=39485 DPT=1027 LEN=318
> Nov 11 09:02:01 firewall kernel: denylog:IN=ppp0 OUT= MAC=
> ID=0
> DF PROTO=UDP SPT=39485 DPT=1026 LEN=318
> Nov 11 09:02:48 firewall kernel: denylog:IN=ppp0 OUT= MAC=

These are probably automated Windows Messenger spam attempts, and are
showing up in your logs because they are being blocked by your firewall.
They probably aren't a big concern, and you could configure it to deny
without logging to make your logs a bit cleaner.  (This is a good thing,
as it makes it easier to spot anomalies.)  For more info, see

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --