On Thu, 22-Nov-2001 at 13:43:13 -0400, eduardo wrote:
> One of the networks is my company network (192.168.X.X / 255.255.0.0. I am in
> charge of it) and the other network belongs to another company (10.10.X.X /
> 255.255.0.0). This company has a VPN. Now, they are accusing me of being a hacker,
...
> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109
> SYN (#70)
I'm assuming here that 216.72.44.186 is probably them, and 213.107.153.72
is probably some random address from the Internet that you have nothing to
do with. Therefore we can disregard lines like this.
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17
> 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128
> (#71)
Okay, here's a line that actually mentions your subnet. It shows that your
network is leaky, but it's not malicious. One of your machines
(192.168.2.185) is sending SMB broadcasts to your broadcast address,
192.168.255.255. Because of the network configuration, they are able to
see broadcasts from your network. That's all.

I would definitely suggest that you secure your network a bit better so
that they're not seeing your broadcasts any more. (You should probably
have a router between you and the network that you share with them.)

But this definitely is NOT indicative of any sort of attack. They're
suffering from a combination of paranoia and a lack of understanding when it
comes to how this mysterious internet thing works.
> They have as many as 40 pages of this type of message, presenting this
> "deny" access as the evidence we have tried to penetrate their network.
And it's all more of the same, in one of the two categories I described
above. Nothing in any way indicates a penetration attempt on your part
(unless 213.107.153.72 belongs to you, of course).
--
Take care,
Scott \\'unsch
... There are thre erors in this tagline.
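
Added example, not part of the original message: a short Python triage script that sorts ipchains "Packet log:" lines into the two categories the reply describes, plus a third bucket for anything else that does originate from the local subnet. The category names, the `classify` and `summarize` helpers, and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# ipchains "Packet log:" layout: chain, action, interface, PROTO, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

OUR_NET = ip_network("192.168.0.0/16")  # 192.168.X.X / 255.255.0.0 from the post


def classify(line, our_net=OUR_NET):
    """Return (category, src, dst) for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    if src not in our_net:
        category = "third-party source"   # source is not one of our addresses
    elif dst == our_net.broadcast_address:
        category = "our own broadcast"    # leaked broadcast, not aimed at any host
    else:
        category = "needs review"         # our host addressing something else
    return category, str(src), str(dst)


def summarize(lines, our_net=OUR_NET):
    """Count log lines per category, skipping lines that do not parse."""
    results = (classify(line, our_net) for line in lines)
    return Counter(r[0] for r in results if r)


# The first two entries are the log lines quoted in the post, rejoined from the
# wrapped e-mail text. The third is constructed to exercise the last category.
SAMPLE = [
    "Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 "
    "213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)",
    "Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)",
    "Oct 21 04:10:02 localhost kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.168.2.185:1045 10.10.0.5:23 L=48 S=0x00 I=100 F=0x4000 T=128 SYN (#70)",
]

if __name__ == "__main__":
    for category, count in summarize(SAMPLE).items():
        print(f"{count:4d}  {category}")
```

Run over the full 40 pages, the per-category counts show at a glance how many entries involve the local subnet at all and how many of those are only broadcasts.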