Paul L. Snyder on 11 Nov 2005 20:53:32 -0000



Re: [PLUG] Incoming connection attempts--is this normal?


Quoting Gregson Helledy <gregsonh@gra-inc.com>:

> I'm trying to diagnose why my diald link (for dialup internet access) is
> staying up and looking through log files I found an amazing number of 
> attempted incoming connections.  According to a website I used to look 
> up a few of the IPs, they are coming from all around the world (China, 
> Japan and Switzerland were the first 3 I looked at).  The following are 
> the attempted connections just between 9 and 9:10 this morning.
> 
> 1.  Do other people get this many random connection attempts?  Should I 
> be surprised that an IP used for a dialup ISP gets this?

If your computer is on the Internet it is going to be scanned.  Scanners 
or worms may try addresses randomly, or try everything in a block.
Exactly what is probing you varies with the flavor of the week.

> 2.  diald wouldn't consider these connection attempts as traffic for the
> purposes of keeping the link up, would it?

It's been too long since I've used diald to say for certain, but check
out your filter rules.  Figure out what sorts of traffic you actually 
want to bring up or keep up your link (DNS, http, games, email, IM), and then
write rules accordingly.  For some examples, take a look at

  http://www.faqs.org/docs/Linux-HOWTO/Diald-HOWTO.html#ss6.2

> DF PROTO=UDP SPT=39485 DPT=1027 LEN=318
> Nov 11 09:02:01 firewall kernel: denylog:IN=ppp0 OUT= MAC= SRC=221.208.208.8 DST=XXX.XXX.XXX.XXX LEN=338 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=39485 DPT=1026 LEN=318
> Nov 11 09:02:48 firewall kernel: denylog:IN=ppp0 OUT= MAC= SRC=218.66.104.186 DST=XXX.XXX.XXX.XXX LEN=492 TOS=0x00 PREC=0x00 TTL=46

These are probably automated Windows Messenger spam attempts, and are
showing up in your logs because they are being blocked by your firewall.
They probably aren't a big concern, and you could configure it to deny
without logging to make your logs a bit cleaner.  (This is a good thing,
as it makes it easier to spot anomalies.)  For more info, see

  http://www.mynetwatchman.com/kb/security/articles/popupspam/

HTH,
pls
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
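Added example, not part of the original post or of anything Paul or the list published: a small Python parser for the iptables LOG lines quoted above (prefix "denylog:"), which tags UDP datagrams to the Windows Messenger service ports (1026-1028) as pop-up spam and TCP SYNs as ordinary port probes, so you can see at a glance what share of a noisy log is the harmless kind before deciding what to stop logging. The sample lines are constructed to match the quoted format; the addresses are RFC 5737 documentation ranges, not real sources.

```python
"""Summarise netfilter 'denylog' lines by what kind of probe they are.

Added example, not from the original mailing-list post.  SAMPLE_LOG is
constructed in the same format as the lines quoted in the thread
(iptables LOG target output); the addresses are documentation ranges.
"""
import re
from collections import Counter

# Constructed sample lines in the quoted iptables LOG format.
SAMPLE_LOG = """\
Nov 11 09:02:01 firewall kernel: denylog:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=338 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=39485 DPT=1026 LEN=318
Nov 11 09:02:48 firewall kernel: denylog:IN=ppp0 OUT= MAC= SRC=192.0.2.11 DST=198.51.100.7 LEN=492 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=39485 DPT=1027 LEN=472
Nov 11 09:03:15 firewall kernel: denylog:IN=ppp0 OUT= MAC= SRC=192.0.2.12 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=61234 DF PROTO=TCP SPT=4523 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 11 09:05:40 firewall kernel: denylog:IN=ppp0 OUT= MAC= SRC=192.0.2.13 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# UDP ports the Windows Messenger service listened on; pop-up spam tools
# fired datagrams at these.
MESSENGER_UDP_PORTS = {1026, 1027, 1028}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict.

    Returns None for lines that are not netfilter log records.  The first
    LEN (IP total length) wins over the second (UDP/TCP payload length).
    Bare flag tokens such as DF and SYN carry no '=', so SYN is recorded
    separately as a boolean.
    """
    idx = line.find(":IN=")
    if idx < 0:
        return None
    rec = {}
    for key, val in FIELD_RE.findall(line[idx + 1:]):
        rec.setdefault(key, val)
    rec["SYN"] = bool(re.search(r"\bSYN\b", line[idx + 1:]))
    return rec


def classify(rec):
    """Label a parsed record as Messenger spam, a TCP SYN probe, or other."""
    proto = rec.get("PROTO")
    try:
        dpt = int(rec.get("DPT", ""))
    except ValueError:
        dpt = None
    if proto == "UDP" and dpt in MESSENGER_UDP_PORTS:
        return "messenger-popup-spam"
    if proto == "TCP" and rec["SYN"]:
        return "tcp-syn-probe"
    return "other"


def summarize(log_text):
    """Count records per label over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


def top_sources(log_text, label, n=5):
    """Most frequent SRC addresses for one label, e.g. to pick DROP targets."""
    srcs = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec) == label:
            srcs[rec.get("SRC")] += 1
    return srcs.most_common(n)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {label}")
    print("messenger sources:", top_sources(SAMPLE_LOG, "messenger-popup-spam"))
```

Run it against your own /var/log/messages (or wherever the kernel log lands) by feeding the file contents to summarize(). If the Messenger bucket dominates, that is the traffic to drop silently with a rule placed ahead of the logging rule; the remaining SYN probes are the lines worth keeping an eye on.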