jakub
Joined: 06 Mar 2010
Posts: 4
Location: Ypsilanti, MI

Posted: Sat Mar 06, 2010 7:47 pm
Post subject: Anyone else getting this type of traffic?
I'm a new Linode user. After securing my Linode and adding some LOGANDDROP settings into my iptables, I began getting my logs filled up with this crud:
(my MAC + IP censored)
Code:
Mar 7 00:24:06 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62184 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:24:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62185 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:25:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16496 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:25:33 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16497 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:25:39 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16498 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
It keeps repeating from some Russian IP: 217.66.27.184, and has kept going steadily since I set up my Linode. My logs are just slowly filling up with this repeated 'ping', always on port 11370.
I did some research and found this info:
http://www.keysigning.org/sks/ - which seems to use ports 11370 & 11371
Could that be the service they are scanning for (I don't run it)?
ISC shows this: http://isc.incidents.org/port.html?port=11370
Thoughts? Is anyone else getting this?
arjones85
Joined: 12 Oct 2009
Posts: 40

Posted: Sun Mar 07, 2010 12:56 am
Just block the IP in iptables....
jakub
Joined: 06 Mar 2010
Posts: 4
Location: Ypsilanti, MI

Posted: Sun Mar 07, 2010 1:38 pm
arjones85 wrote: Just block the IP in iptables....
... thanks, but my question was more aimed at whether others were getting this traffic to their boxes.
pclissold
Joined: 24 Oct 2003
Posts: 877
Location: Netherlands

Posted: Sun Mar 07, 2010 1:55 pm
Any host with a public IP gets this kind of crap.
jed
Joined: 28 Mar 2009
Posts: 394
Location: New Jersey

Posted: Sun Mar 07, 2010 2:40 pm
For the record, if you want to sanitize your hardware address in the future -- although I'm not sure why you'd want to, you are connected to the Internet after all -- you missed it. It starts with FE:FD, and also divulges your public IP address.
I'm reluctant to edit it for you, but if you're genuinely concerned about your privacy (again, not sure why), you may want to edit that portion out.
jakub
Joined: 06 Mar 2010
Posts: 4
Location: Ypsilanti, MI

Posted: Mon Mar 08, 2010 9:16 am
jed wrote: For the record, if you want to sanitize your hardware address in the future -- although I'm not sure why you'd want to, you are connected to the Internet after all -- you missed it. It starts with FE:FD, and also divulges your public IP address.
I'm reluctant to edit it for you, but if you're genuinely concerned about your privacy (again, not sure why), you may want to edit that portion out.
Jed, I just did it as a rule of thumb; thanks for the heads-up about the MAC 'fe:fd', live and learn. I don't really care about having the IP remain anonymous, but I would rather have it low on the radar if anything. I'm not paranoid, I just have a rule of thumb to not post identifying info when I don't need to.
Also, to the rest: I understand I have a public-facing machine, I was just curious what this specific traffic was to that one port, as I usually see port scans but not a repeated 'tap-tap-tap' on one port looking for a service. Maybe my IP was recycled from someone running something before me?
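The distinction jakub draws here (a repeated knock on one port versus a port scan) can be made mechanically from the kernel LOG lines shown in the first post. The following is an added example, not code from the thread or from Linode: it parses the iptables LOG format (prefix, KEY=VALUE fields, bare flag tokens such as DF and SYN), groups denied TCP SYNs by source address, and labels each source as a single-port probe or a multi-port scan. The sample lines, the documentation-range addresses, the `min_hits` threshold and the function names are all constructed for the example.

```python
import re
from collections import defaultdict

# Matches the kernel LOG format from the thread: an optional --log-prefix ("Denied TCP:") then KEY=VALUE fields and bare flags.
LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")

def parse_line(line):
    """Return the packet fields of one iptables LOG line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").rstrip(": "), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # e.g. DPT=11370; "OUT=" yields ""
            rec[key] = val
        else:
            rec["flags"].append(tok)  # DF, SYN, ACK ... carry no '='
    return rec

def classify_sources(lines, min_hits=3):
    """Group denied TCP SYNs by source and label each source as a repeated
    probe of one port (the thread's case) or a sweep across several ports."""
    hits = defaultdict(lambda: defaultdict(int))  # src -> dport -> count
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["flags"]:
            hits[rec["SRC"]][rec["DPT"]] += 1
    report = {}
    for src, per_port in hits.items():
        total = sum(per_port.values())
        if total < min_hits:
            continue  # too few packets to call it anything yet
        kind = "single-port probe" if len(per_port) == 1 else "port scan"
        report[src] = {"kind": kind, "hits": total, "ports": sorted(per_port, key=int)}
    return report

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts) in the thread's format: one source hammering 11370, one sweeping ports.
_HDR = "Mar  7 00:24:{:02d} localhost kernel: Denied TCP: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:00:00:00:00:00:00 "
_TAIL = "LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID={} DF PROTO=TCP SPT={} DPT={} WINDOW=5808 RES=0x00 SYN URGP=0"
SAMPLE = [_HDR.format(s) + "SRC=198.51.100.7 DST=192.0.2.10 " + _TAIL.format(62184 + i, 59710, 11370)
          for i, s in enumerate((6, 30, 33, 39))]
SAMPLE += [_HDR.format(41 + i) + "SRC=203.0.113.9 DST=192.0.2.10 " + _TAIL.format(900 + i, 40000 + i, p)
           for i, p in enumerate((22, 80, 443))]
SAMPLE.append(_HDR.format(50) + "SRC=192.0.2.5 DST=192.0.2.10 " + _TAIL.format(7, 5555, 25))

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE).items():
        print(src, info)
```

Feeding it `grep 'Denied TCP' /var/log/kern.log` output makes the same call for real logs: a source that only ever hits one port is a probe for a specific service, while many ports from one source is a sweep.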