Monday, February 15

Fun with Firewall Logs

So, after my post about ask.com's network...  Here's another quiz for you.

Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=121.242.15.135 DST=192.168.x.x LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0

What kind of fun is that!

20 comments:

Jeremy Johnson said...

OK... it's been a while, but it looks like a Linux box in India is trying to hit your box using SSH... am I close?

Joel said...

Correct, that's part of it. But not the most interesting part.

Scott said...

Lol. I like the flag combo. ack psh fin urg. It's got a nice rhythm to it. Could almost be a Salt n Peppa song.

Joel said...

No urg flag. But otherwise correct.

Basil said...

Your SSH service (running in a box with an Intel card) received a TCP session-close packet (FIN) from the client, through your Actiontec DSL modem that, I guess, can serve as a gateway for certain services.

Am I right? ;-)

Joel said...

Close. You were right on the actiontec part.

james said...

Why is the dst a private IP and how did that packet get routed to you?

Joel said...

Because the DST is a private IP behind my firewall.

Leon said...

I would think a couple of things could be happening here.

1) State table confusion in relation to actual connections
2) Port scan in progress using an uncommon flag config.

Oh thank the world for *STATEFUL* firewalls. :-)

Without supporting information I'm left with assumption and guesswork, take a look at snort.org :)
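The quiz line from the post, run through a small analyzer. This is an added example, not code from the original post or its commenters; it shows what a stateful-firewall analyst pulls out of one netfilter LOG line and exercises both of Leon's hypotheses (lost state versus a non-SYN probe). It splits the MAC= field into destination MAC, source MAC and EtherType, looks the OUIs up in a hand-built two-entry excerpt of the IEEE registry (an assumption; verify against the current registry), names the TCP flag pattern, checks which addresses are private, and rounds the TTL to a common OS default as a rough hop-count heuristic (not a fingerprint). The sample log is constructed: the first line is the quiz line with its masked DST replaced by a made-up private address, the second a made-up ordinary SYN for contrast.

```python
import ipaddress
import re

# Hand-built excerpt of the IEEE OUI registry (assumption: verify against the
# current registry before relying on it).
OUI = {
    "00:03:47": "Intel",
    "00:18:01": "Actiontec Electronics",
}

# Bare tokens netfilter prints for TCP flags (newer kernels add CWR/ECE).
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}

# Constructed sample input: the quiz line from the post with its masked DST
# replaced by a made-up private address, plus a made-up plain SYN for contrast.
SAMPLE_LOG = """\
Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=121.242.15.135 DST=192.168.0.2 LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
Feb 15 09:17:02 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=198.51.100.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<body>.*)$"
)


def parse_line(line):
    """Split a netfilter LOG line into key=value fields and bare flag tokens."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields, tokens = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value      # "OUT=" yields an empty string, as logged
        else:
            tokens.add(tok)          # DF, SYN, ACK, PSH, FIN, RST, URG, ...
    return m.group("ts"), m.group("host"), fields, tokens


def split_mac(mac):
    """MAC= carries 14 octets: destination MAC, source MAC, then the EtherType."""
    o = mac.split(":")
    if len(o) != 14:
        raise ValueError("unexpected MAC= length: %r" % mac)
    return ":".join(o[0:6]), ":".join(o[6:12]), "0x" + "".join(o[12:14])


def vendor(mac):
    """First three octets are the OUI; unknown if not in our excerpt."""
    return OUI.get(mac[:8].lower(), "unknown")


def likely_initial_ttl(ttl):
    """Round up to a common default (64 Linux/BSD, 128 Windows, 255 network gear)."""
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return None


def classify_tcp(tcp_flags):
    """Name the flag pattern the way a stateful-firewall analyst would."""
    if tcp_flags == {"SYN"}:
        return "new connection (SYN only)"
    if not tcp_flags:
        return "null scan (no flags)"
    if tcp_flags == {"FIN", "PSH", "URG"}:
        return "xmas scan (FIN PSH URG)"
    if tcp_flags == {"FIN"}:
        return "fin scan (FIN only)"
    if "SYN" not in tcp_flags and "ACK" in tcp_flags:
        # Claims to belong to an established connection, yet the firewall had
        # no state for it: an expired/lost entry, or a probe built to slip past
        # filters that only inspect SYNs.
        return "mid-stream segment with no matching state"
    return "other"


def analyze(line):
    """Return a dict of the facts one LOG line supports."""
    ts, host, f, tokens = parse_line(line)
    dst_mac, src_mac, ethertype = split_mac(f["MAC"])
    tcp_flags = tokens & TCP_FLAGS
    ttl = int(f["TTL"])
    base = likely_initial_ttl(ttl)
    return {
        "time": ts, "host": host, "in_if": f.get("IN", ""),
        "src": f["SRC"], "src_private": ipaddress.ip_address(f["SRC"]).is_private,
        "dst": f["DST"], "dst_private": ipaddress.ip_address(f["DST"]).is_private,
        "proto": f.get("PROTO"),
        "sport": int(f["SPT"]) if "SPT" in f else None,
        "dport": int(f["DPT"]) if "DPT" in f else None,
        "ttl": ttl, "initial_ttl_guess": base,
        "hops_estimate": (base - ttl) if base else None,
        "dont_fragment": "DF" in tokens, "ethertype": ethertype,
        "dst_mac": dst_mac, "dst_nic_vendor": vendor(dst_mac),
        "src_mac": src_mac, "src_nic_vendor": vendor(src_mac),
        "tcp_flags": sorted(tcp_flags),
        "verdict": classify_tcp(tcp_flags) if f.get("PROTO") == "TCP" else "non-TCP",
    }


def analyze_log(text):
    return [analyze(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        print("%s %s:%s -> %s:%s via %s (%s) to %s (%s) flags=%s ttl=%s (~%s hops) : %s" % (
            r["time"], r["src"], r["sport"], r["dst"], r["dport"],
            r["src_mac"], r["src_nic_vendor"], r["dst_mac"], r["dst_nic_vendor"],
            " ".join(r["tcp_flags"]), r["ttl"], r["hops_estimate"], r["verdict"]))
```

The split of the MAC= field is what makes the comments' hardware guesses checkable: the first six octets are the receiving NIC, the next six are the last hop that put the frame on the wire (here the modem, which is why the source MAC is not the Indian host's), and 08:00 is plain IPv4. The flag verdict is deliberately a fork rather than an answer: ACK PSH FIN without SYN is either a state-table miss or a non-SYN probe, and a single line cannot tell them apart. The test that separates them is whether the same source appeared earlier with a logged or accepted SYN to the same port.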
