| 1 |
Hello, |
| 2 |
|
| 3 |
My iptables based firewall seem to be working, However, I keep getting |
| 4 |
triplets of this activity: |
| 5 |
|
| 6 |
Problem (2286 > netbios-ssn) |
| 7 |
source dest. proto info |
| 8 |
curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460 |
| 9 |
www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 |
| 10 |
Win=0 Len=0 |
| 11 |
|
| 12 |
Any ideas on a rule to drop these requests to my web server? |
| 13 |
|
| 14 |
similarly I see the same thing except the info section is slightly |
| 15 |
different: |
| 16 |
similar problem (2469 > microsoft-ds) |
| 17 |
rouge.ip www.me.com tcp 2469 > microsoft-ds Seq=0 Len=0 MSS=1460 |
| 18 |
|
| 19 |
and the response from my firewall is simialr |
| 20 |
www.me.com rouge.ip tcp microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1 |
| 21 |
Win=0 Len=0 |
| 22 |
|
| 23 |
Other problems are (info section is only difference) epmap > 3081 |
| 24 |
3081 > epmap |
| 25 |
|
| 26 |
Each of these appear in tripplets... and seem useless. Are they |
| 27 |
part of something stupidly done by microsoft? I think not |
| 28 |
because they occur quite frequently, almost systematcially, |
| 29 |
leading me to suspect they are part of nefarious activities? |
| 30 |
|
| 31 |
The only change is the port numbers (2286; 2469; 3081) and the |
| 32 |
source IP address change after each triplet of queries. |
| 33 |
|
| 34 |
Any ideas, information and iptables rules to silently drop these |
| 35 |
queries are most welcome. I see them all day long. |
| 36 |
|
| 37 |
|
| 38 |
James |
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
-- |
| 44 |
gentoo-user@g.o mailing list |
Archives