Linode Community Forums
PostPosted: Sat Mar 06, 2010 8:47 pm 
Newbie

Joined: Sat Mar 06, 2010 8:38 pm
Posts: 4
Website: http://blog.biernacki.ca
Location: Ypsilanti, MI
I'm a new Linode user, and after securing my Linode and adding some LOGANDDROP settings into my iptables, I began getting my logs filled up with this crud:

(my mac + IP censored)

Code:
Mar  7 00:24:06 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62184 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:24:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62185 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:25:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16496 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:25:33 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16497 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:25:39 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16498 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0


It keeps repeating from some Russian IP: 217.66.27.184 and keeps going steady since I set up my Linode. My logs are just slowly filling up with this repeated 'ping', always on port 11370.

I did some research and found this info:
http://www.keysigning.org/sks/ - which seems to use ports 11370 & 11371

Could that be the service they are scanning for (I don't run it)?

ISC shows this: http://isc.incidents.org/port.html?port=11370


Thoughts? Is anyone else getting this?


PostPosted: Sun Mar 07, 2010 1:56 am 
Senior Member

Joined: Mon Oct 12, 2009 1:20 am
Posts: 50
Just block the IP in iptables....


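Added example, written for this thread and not code from either poster: a small Python script that parses "Denied TCP:" lines in the format of the log above, groups dropped SYNs by source, tells the "tap-tap-tap on one port" pattern apart from an ordinary multi-port scan, and emits the iptables commands behind the "just block the IP" advice. One thing worth noticing in the original log: consecutive lines sharing the same SPT, with the IP ID going up by one, are the remote TCP stack retransmitting a single SYN, not a fresh probe each time, so the script counts those separately. The log lines are constructed with RFC 5737 documentation addresses and a made-up MAC (nothing here is the original poster's redacted data), and the LOGANDDROP chain layout with a rate-limited LOG rule is my assumption about how such a setup would look, not something the thread shows.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's "Denied TCP:" LOG format. Addresses come from
# the RFC 5737 documentation ranges and the MAC is made up: none of these are the
# original poster's values. The first source repeats one port, the second scans.
SAMPLE_LOG = """\
Mar  7 00:24:06 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=198.51.100.27 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62184 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:24:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=198.51.100.27 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62185 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:25:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=198.51.100.27 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16496 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:25:33 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=198.51.100.27 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16497 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar  7 00:26:01 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1001 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  7 00:26:01 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1002 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  7 00:26:02 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1003 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?): (?P<rest>IN=.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one iptables LOG line into a dict. KEY=VALUE fields become strings,
    bare tokens such as DF and SYN become True. Returns None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "prefix": m.group("prefix")}
    rest = m.group("rest")
    rec.update(KV_RE.findall(rest))
    for tok in rest.split():
        if "=" not in tok:
            rec[tok] = True
    return rec


def summarize(log_text):
    """Group dropped TCP SYNs by source address.

    attempts    = distinct (SPT, DPT) pairs, i.e. separate connection attempts
    retransmits = a pair seen again: the remote TCP stack retrying one SYN
                  (in the thread's log the IP ID also goes up by one each time)
    """
    by_src = defaultdict(
        lambda: {"packets": 0, "dports": set(), "attempts": set(), "retransmits": 0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or not rec.get("SYN"):
            continue
        entry = by_src[rec["SRC"]]
        entry["packets"] += 1
        entry["dports"].add(int(rec["DPT"]))
        key = (rec["SPT"], rec["DPT"])
        if key in entry["attempts"]:
            entry["retransmits"] += 1
        entry["attempts"].add(key)
    return dict(by_src)


def classify(entry):
    """Separate the thread's 'tap-tap-tap on one port' from an ordinary port scan."""
    if len(entry["dports"]) > 1:
        return "port scan"
    if len(entry["attempts"]) > 1:
        return "repeated probe of a single port"
    return "single attempt"


def report(log_text):
    """(source, packets, classification) for every source, busiest first."""
    rows = [(src, e["packets"], classify(e)) for src, e in summarize(log_text).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def block_rule(src, chain="INPUT"):
    """The one-liner behind 'just block the IP in iptables'."""
    return f"iptables -I {chain} -s {src} -j DROP"


def logging_chain_rules(chain="LOGANDDROP", prefix="Denied TCP: "):
    """Assumed layout of a log-then-drop chain: the -m limit match (standard in
    iptables) keeps one persistent source from filling the logs the way the
    original poster describes. The chain name is taken from the poster's post."""
    return [
        f"iptables -N {chain}",
        f"iptables -A {chain} -m limit --limit 5/min --limit-burst 10 "
        f"-j LOG --log-prefix '{prefix}'",
        f"iptables -A {chain} -j DROP",
    ]


if __name__ == "__main__":
    for src, packets, kind in report(SAMPLE_LOG):
        print(f"{src:16} {packets:3} packets  {kind}")
        if kind != "single attempt":
            print("  " + block_rule(src))
    print("\n".join(logging_chain_rules()))
```

Run it as-is and it prints one line per source with its classification, the DROP rule for each offender, and the rate-limited chain definition. Feed it real `/var/log/messages` or `kern.log` output (`python3 script.py < /var/log/kern.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the `retransmits` counter is the quick check for whether a source is genuinely hammering you or just a single client timing out and retrying.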
PostPosted: Sun Mar 07, 2010 2:38 pm 
Newbie

Joined: Sat Mar 06, 2010 8:38 pm
Posts: 4
Website: http://blog.biernacki.ca
Location: Ypsilanti, MI
arjones85 wrote:
Just block the IP in iptables....


... thanks, my question was more aimed at whether others were getting this traffic to their boxes.


PostPosted: Sun Mar 07, 2010 2:55 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
Any host with a public IP gets this kind of crap.

_________________
/ Peter


PostPosted: Sun Mar 07, 2010 3:40 pm 
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
For the record, if you want to sanitize your hardware address in the future -- although I'm not sure why you'd want to, you are connected to the Internet after all -- you missed it. It starts with FE:FD, and also divulges your public IP address.

I'm reluctant to edit it for you, but if you're genuinely concerned about your privacy (again, not sure why), you may want to edit that portion out.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.


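Added example on jed's point, mine rather than anything from the thread: what the MAC= field in those kernel log lines actually carries, and a redaction that does not miss it. iptables writes MAC= as destination MAC, source MAC and ethertype (6 + 6 + 2 octets), so the first six octets are the Linode's own address. Decoding a fe:fd MAC back into the public IPv4 assumes the four octets after fe:fd are the address; that is my reading of jed's "divulges your public IP address", not something the thread spells out. The sample line is constructed with RFC 5737 documentation addresses and a made-up MAC, not the poster's redacted values.

```python
import re

# Constructed line in the thread's format: RFC 5737 documentation addresses and a
# made-up MAC, not the original poster's redacted values.
SAMPLE_LINE = (
    "Mar  7 00:24:06 localhost kernel: Denied TCP: IN=eth0 OUT= "
    "MAC=fe:fd:c0:00:02:0a:00:00:00:00:00:00:00:00 SRC=198.51.100.27 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62184 DF PROTO=TCP "
    "SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0"
)

MAC_RE = re.compile(r"MAC=((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")
DST_RE = re.compile(r"DST=(\d{1,3}(?:\.\d{1,3}){3})")


def split_mac_field(mac_field):
    """iptables writes MAC= as dst MAC (6 octets), src MAC (6), ethertype (2)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 hex octets in MAC= field")
    return ":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def ip_from_fefd_mac(mac):
    """Assumption drawn from jed's remark: a fe:fd:aa:bb:cc:dd MAC encodes the
    host's public IPv4 as the four octets after fe:fd. Returns None otherwise."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or octets[:2] != ["fe", "fd"]:
        return None
    return ".".join(str(int(o, 16)) for o in octets[2:])


def leaked_addresses(line):
    """Everything in the line that gives away the logging host's own address:
    the DST field, and the address hidden in the destination MAC."""
    dst = DST_RE.search(line)
    mac = MAC_RE.search(line)
    embedded = None
    if mac is not None:
        dst_mac, _src_mac, _ethertype = split_mac_field(mac.group(1))
        embedded = ip_from_fefd_mac(dst_mac)
    return {"dst": dst.group(1) if dst else None, "mac_embedded": embedded}


def redact(line):
    """Mask DST the way the poster did (keep the first two octets, X.X the rest)
    and also blank the address octets inside a fe:fd destination MAC."""

    def mask_dst(m):
        a, b, _c, _d = m.group(1).split(".")
        return f"DST={a}.{b}.X.X"

    def mask_mac(m):
        octets = m.group(1).split(":")
        if octets[:2] == ["fe", "fd"]:
            octets[2:6] = ["xx"] * 4
        return "MAC=" + ":".join(octets)

    return MAC_RE.sub(mask_mac, DST_RE.sub(mask_dst, line))


if __name__ == "__main__":
    print(leaked_addresses(SAMPLE_LINE))
    print(redact(SAMPLE_LINE))
    print(leaked_addresses(redact(SAMPLE_LINE)))
```

Running it shows the same address coming out of both DST= and the MAC= field before redaction, and nothing recoverable from either afterwards. If your MACs do not start with fe:fd the decoder simply returns None, which is the right answer for a provider that hands out unrelated hardware addresses.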
PostPosted: Mon Mar 08, 2010 10:16 am 
Newbie

Joined: Sat Mar 06, 2010 8:38 pm
Posts: 4
Website: http://blog.biernacki.ca
Location: Ypsilanti, MI
jed wrote:
For the record, if you want to sanitize your hardware address in the future -- although I'm not sure why you'd want to, you are connected to the Internet after all -- you missed it. It starts with FE:FD, and also divulges your public IP address.

I'm reluctant to edit it for you, but if you're genuinely concerned about your privacy (again, not sure why), you may want to edit that portion out.



Jed, I just did it as a rule of thumb, thanks for the heads up about the MAC 'fe:fd', live and learn. I don't really care about having the ip remain anonymous, but I would rather have it low on the radar if anything. I'm not paranoid, I just have a rule of thumb to not post identifying info when I don't need to.

Also to the rest, I understand I have a public-facing machine; I was just curious what this specific traffic was to that one port, as I usually see port scans but not a repeated 'tap-tap-tap' on one port looking for a service. Maybe my IP was recycled from someone running something before me?

