| Author |
Message |
10drill
Joined: 01 Mar 2009
Posts: 13
|
| Posted: Mon Feb 07, 2011 10:50 pm Post subject: Is Apple port scanning me? |
|
|
I have logcheck configured to send me daily reports of system log anomalies, and expect to see endless port scans and cracking attempts from all over the world. However, for the last week or so, I've been getting entries like below, always with the same source address...which belongs to apple.com.
Code: Feb 7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=51 ID=100 PROTO=TCP SPT=48696 DPT=80 WINDOW=32767 RES=0x00 URGP=0
Feb 7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=TCP SPT=48640 DPT=80 WINDOW=32767 RES=0x00 URGP=0
Feb 7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=51 ID=100 PROTO=TCP SPT=48696 DPT=80 WINDOW=32767 RES=0x00 URGP=0
The destination port is always 80. Of course I can blacklist this IP, but I'm curious as to what is going on here. Any ideas? |
|
| Back to top |
|
Guspaz
Joined: 26 May 2009
Posts: 1147
Location: Montreal, QC
|
| Posted: Tue Feb 08, 2011 10:59 am Post subject: |
|
|
| If they only ever hit one port, it's by definition not a port scan... |
|
| Back to top |
|
mnordhoff
Joined: 03 May 2008
Posts: 451
|
| Posted: Tue Feb 08, 2011 11:05 am Post subject: |
|
|
| Maybe it's a really slow one! They try one port per week. |
|
| Back to top |
|
| |
