[sclug] Gumpf in logcheck
Tim Sutton
tim at linfiniti.com
Tue Jun 17 18:59:38 UTC 2008
Hi Luke & Andy
Thanks for the insights. I guess what I'd kinda like to know is when
say > 1000 syn packets are dropped within the hour period, otherwise
its probably noise to me... but having scanned the logcheck man pages
I dont have a clue how to do that yet...I'll go and google and see
what I can find.
Thanks
Regards
Tim
2008/6/17 Luke Hinds <lukehinds at gmail.com>:
> *eletrohosting.com.br
> <contatos at eletrohosting.com.br?subject=eletrohosting>*is sending you
> SYN requests to initiate a connection to
> 89.127.144.227 (your pubic interface?) port 32000 (which as far as I can
> tell is normally used by a java service wrapper)
>
> It looks like you have a DENY in place for 32000 so no connection could be
> established and thus no SYN-ACK is replied.
>
> Judging by the fair sized timestamp intervals it looks harmless (but don't
> quote me on that!)
>
> If the tempo of requests were higher it could be deemed a syn flood;
>
> http://en.wikipedia.org/wiki/SYN_flood
>
> Luke
>
>
> On Tue, Jun 17, 2008 at 4:21 PM, Tim Sutton <tim at linfiniti.com> wrote:
>
>> Hi all
>>
>> Every hour logcheck sends me an email report. For the most part I get
>> stuff like this:
>>
>> Jun 17 02:04:08 linfiniti kernel: IN=eth0 OUT=
>> MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 SRC=64.246.48.73
>> DST=89.127.144.227 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4954 DF
>> PROTO=TCP SPT=1780 DPT=32000 WINDOW=65535 RES=0x00 SYN URGP=0
>> Jun 17 02:04:11 linfiniti kernel: IN=eth0 OUT=
>> MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 SRC=64.246.48.73
>> DST=89.127.144.226 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7454 DF
>> PROTO=TCP SPT=1779 DPT=32000 WINDOW=65535 RES=0x00 SYN URGP=0
>> Jun 17 02:42:27 linfiniti kernel: IN=eth0 OUT=
>> MAC=00:13:20:17:d8:bb:00:1c:58:31:53:7f:08:00 SRC=222.1.40.116
>> DST=89.127.144.227 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=64061
>> PROTO=UDP SPT=1100 DPT=1434 LEN=384
>>
>> My questions are:
>>
>> 1) what do they mean (in plain english)?
>>
>> 2) if they are no cause for concern, how can I get rid of them? I
>> googled the subject and one option seems to be to use iptable_drop.
>> This seems to be a kernel module, unavailable in apt and I dont want
>> to start mucking arund with the kernel on my production debian server.
>>
>> I'm hoping to pare down the logcheck reports to include just things I
>> should actually be concerned about....or maybe thats exactly what its
>> doing ....
>>
>>
>> Thanks!
>>
>> Regards
>>
>>
>>
>> --
>> Tim Sutton
>> QGIS Project Steering Committee Member - Release Manager
>> Visit http://qgis.org for a great open source GIS
>> openModeller Desktop Developer
>> Visit http://openModeller.sf.net for a great open source ecological
>> niche modelling tool
>> Home Page: http://tim.linfiniti.com
>> Skype: timlinux
>> Irc: timlinux on #qgis at freenode.net
>>
>
--
Tim Sutton
QGIS Project Steering Committee Member - Release Manager
Visit http://qgis.org for a great open source GIS
openModeller Desktop Developer
Visit http://openModeller.sf.net for a great open source ecological
niche modelling tool
Home Page: http://tim.linfiniti.com
Skype: timlinux
Irc: timlinux on #qgis at freenode.net
More information about the Sclug
mailing list