getting paranoid


Fandelem
12-13-2000, 07:00 AM
Dec 12 22:06:58 TCP: port 28929 connection attempt from jhu2109.res.jhu.edu (128.220.196.43):4199
Dec 12 22:06:59 TCP: port 28929 connection attempt from 036resup156.chartermi.net (24.247.36.156):1392
Dec 12 22:06:59 TCP: port 28929 connection attempt from jhu2109.res.jhu.edu (128.220.196.43):4199
Dec 12 22:07:01 last message repeated 1 times
Dec 12 22:07:01 TCP: port 28929 connection attempt from jhu2109.res.jhu.edu (128.220.196.43):4200
Dec 12 22:07:02 last message repeated 1 times
Dec 12 22:07:02 TCP: port 28929 connection attempt from 036resup156.chartermi.net (24.247.36.156):1392
Dec 12 22:07:02 TCP: port 28929 connection attempt from jhu2109.res.jhu.edu (128.220.196.43):4200
Dec 12 22:07:08 TCP: port 28929 connection attempt from 036resup156.chartermi.net (24.247.36.156):1392
Dec 12 22:07:46 last message repeated 1 times
Dec 12 22:07:46 TCP: port 28929 connection attempt from 036resup156.chartermi.net (24.247.36.156):1393
Dec 12 23:11:24 last message repeated 3 times
Dec 12 23:11:24 TCP: port 28929 connection attempt from 036resup156.chartermi.net (24.247.36.156):1438
Dec 12 23:24:48 last message repeated 3 times
Dec 12 23:24:48 UDP: dgram to port 1223 from i.root-servers.net (192.36.148.17):53 (446 data bytes)
Dec 12 23:24:52 UDP: dgram to port 1223 from l.root-servers.net (198.32.64.12):53 (446 data bytes)
Dec 12 23:25:00 UDP: dgram to port 1223 from f.root-servers.net (192.5.5.241):53 (443 data bytes)
Dec 12 23:25:04 UDP: dgram to port 1223 from m.root-servers.net (202.12.27.33):53 (446 data bytes)
Dec 12 23:25:15 UDP: dgram to port 1223 from E.ROOT-SERVERS.NET (192.203.230.10):53 (443 data bytes)
Dec 12 23:25:16 UDP: dgram to port 1223 from k.root-servers.net (193.0.14.129):53 (446 data bytes)
Dec 12 23:25:17 UDP: dgram to port 1223 from h.root-servers.net (128.63.2.53):53 (446 data bytes)
Dec 12 23:25:21 UDP: dgram to port 1223 from b.root-servers.net (128.9.0.107):53 (446 data bytes)
Dec 12 23:25:24 UDP: dgram to port 1223 from d.root-servers.net (128.8.10.90):53 (446 data bytes)
Dec 12 23:25:28 UDP: dgram to port 1223 from j.root-servers.net (198.41.0.10):53 (446 data bytes)
Dec 12 23:25:32 UDP: dgram to port 1223 from a.root-servers.net (198.41.0.4):53 (129 data bytes)


this goes on for pages and pages..

should I be worried that these servers are sending stuff to port 1223? it's originating from port 53 which is DNS - which is why I don't get it - I have a name caching DNS server [it shouldn't broadcast, should it??] - if anyone is a DNS guru, maybe I could post my named.conf and see if I am?

jemfinch
12-13-2000, 06:09 PM
It looks like you're blocking all udp packets including those coming from the root nameservers. Stop blocking udp packets, and you'll be fine.

Jeremy

Sweede
12-13-2000, 07:27 PM
running a nameserver, even a caching nameserver, but blocking port 53 is like adding 1 to negative one to get 2.

it doesn't work.

you MUST allow for port 53 to be open to run a nameserver.

Waffle_King
12-13-2000, 07:49 PM
his port 53 is not the issue, the packets are originating from port 53 and going to his port 1223

Fandelem
12-13-2000, 07:56 PM
exactly waffle_king.. why would they be sending it to port 1223 - usually the SOURCE is created dynamically, but the DESTINATION is static (ie. 53).. but not in this case.. hmmm? :}

but you guys answered another question of mine - running a name caching dns server i still have to open port 53 to the public?

right now in my firewall scripts, I have it accepting on port 53 for 2 IP addresses (my two ISP's dns servers) then denying anything else coming in on port 53 - wouldn't this work? if not, please explain a little better?

thanks,

~kyle

Fandelem
12-14-2000, 06:42 AM
now i have another problem..
(i blocked them finally)

Dec 14 05:54:02 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1577
Dec 14 05:58:01 last message repeated 1 times
Dec 14 05:58:01 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1600
Dec 14 06:00:08 last message repeated 2 times
Dec 14 06:00:08 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1601
Dec 14 06:01:17 last message repeated 2 times
Dec 14 06:01:17 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1602
Dec 14 06:05:04 last message repeated 1 times
Dec 14 06:05:04 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1611
Dec 14 06:07:42 last message repeated 1 times
Dec 14 06:07:42 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1612
Dec 14 06:09:04 last message repeated 2 times
Dec 14 06:09:04 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1613
Dec 14 06:15:22 last message repeated 1 times
Dec 14 06:15:22 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1632
Dec 14 06:17:42 last message repeated 3 times
Dec 14 06:17:42 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1633
Dec 14 06:20:01 last message repeated 1 times
Dec 14 06:20:01 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1634
Dec 14 06:21:00 last message repeated 3 times
Dec 14 06:21:00 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1635
Dec 14 06:23:43 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1636
Dec 14 06:24:57 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1637
Dec 14 06:26:13 last message repeated 1 times
Dec 14 06:26:13 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1638
Dec 14 06:30:00 last message repeated 3 times
Dec 14 06:30:00 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1639
Dec 14 06:33:03 last message repeated 2 times
Dec 14 06:33:03 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1640
Dec 14 06:34:46 last message repeated 1 times
Dec 14 06:34:46 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1641
Dec 14 06:35:31 last message repeated 2 times
Dec 14 06:35:31 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1642
Dec 14 06:36:00 last message repeated 1 times
Dec 14 06:36:00 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1643
Dec 14 06:38:23 last message repeated 3 times
Dec 14 06:38:23 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1644
Dec 14 06:39:14 last message repeated 2 times
Dec 14 06:39:14 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1645
Dec 14 06:44:05 last message repeated 1 times
Dec 14 06:44:05 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1646
[root@Server public]# Dec 14 06:45:56 last message repeated 1 times
Dec 14 06:45:56 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1647


this goes on for MEGS and MEGS - what the hell are they trying to do? how can i get them to stop?
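
An added example, not part of any poster's reply or of the original thread: a small Python summarizer for log lines in the format quoted above. It folds syslog's "last message repeated" lines into the preceding event and separates UDP datagrams arriving from source port 53 (the shape of DNS answers returning to the port a local resolver queried from) from inbound TCP connection attempts. The function name, the labels and the sample (lines adapted from the thread, so the counts are constructed) are assumptions.

```python
import re

# Sample lines adapted from the thread's log excerpts (trimmed, so counts are constructed).
SAMPLE = """\
Dec 12 22:06:58 TCP: port 28929 connection attempt from jhu2109.res.jhu.edu (128.220.196.43):4199
Dec 12 22:06:59 TCP: port 28929 connection attempt from jhu2109.res.jhu.edu (128.220.196.43):4199
Dec 12 22:07:01 last message repeated 1 times
Dec 12 23:24:48 UDP: dgram to port 1223 from i.root-servers.net (192.36.148.17):53 (446 data bytes)
Dec 12 23:24:52 UDP: dgram to port 1223 from l.root-servers.net (198.32.64.12):53 (446 data bytes)
Dec 14 05:54:02 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1577
Dec 14 05:58:01 last message repeated 2 times
Dec 14 05:58:01 TCP: port 7680 connection attempt from dhcp223.noc.verio.net (129.250.32.223):1600
"""

EVENT = re.compile(
    r"(?P<proto>TCP|UDP): (?:port (?P<d1>\d+) connection attempt|dgram to port (?P<d2>\d+))"
    r" from \S+ \((?P<ip>[\d.]+)\):(?P<sport>\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times")

def summarize(log_text):
    """Group events by (kind, local port); return {key: {events, sources, src_ports}}."""
    stats, last = {}, None
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            sport = int(m["sport"])
            if m["proto"] == "UDP" and sport == 53:
                kind = "dns-response"   # from remote port 53 to a local high port
            elif m["proto"] == "TCP":
                kind = "tcp-connect"    # inbound connection attempt
            else:
                kind = "udp-other"
            key = (kind, int(m["d1"] or m["d2"]))
            last = stats.setdefault(key, {"events": 0, "sources": set(), "src_ports": set()})
            last["events"] += 1
            last["sources"].add(m["ip"])
            last["src_ports"].add(sport)
        else:
            r = REPEAT.search(line)
            if r and last is not None:
                # syslog collapses identical consecutive lines; credit the previous event
                last["events"] += int(r.group(1))
    return stats

if __name__ == "__main__":
    for (kind, port), s in sorted(summarize(SAMPLE).items()):
        print(f"{kind:12} local port {port:<5} events={s['events']:<3} "
              f"sources={len(s['sources'])} src_ports={sorted(s['src_ports'])}")
```

Many distinct sources all sending from port 53 to one local port, versus one source retrying a single local TCP port from a climbing series of source ports, show up as clearly different rows in the summary.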