Re: Scans on port 17107
From: Grant (g_r_a_n_t__at_dodo.com.au)
Date: 11/26/05
- Next message: Myself: "Re: Scans on port 17107"
- Previous message: Moe Trin: "Re: Scans on port 17107"
- In reply to: Moe Trin: "Re: Scans on port 17107"
- Next in thread: Myself: "Re: Scans on port 17107"
Date: Sat, 26 Nov 2005 11:50:38 +1100
On Fri, 25 Nov 2005 17:44:49 -0600, ibuprofin@painkiller.example.tld (Moe Trin) wrote:
>On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
><dm8541$mcl$1@bn2.blue.net>, Myself wrote:
>
>>Yesterday, over a course of about 3 minutes, my firewall logged 1366 hits
>>on port 17107. This occurred immediately after connecting, and from 1255
>>different sources. Some were TCP and others UDP.
>
>Hard to say - seeing both TCP and UDP to the same port number (other than
>occasionally on 53 for DNS) is unusual. 17107 is a 'user-land' port,
>meaning it's not a regular server. The "standard" answer for your
>observation is that the person who had that IP number before you was
>running a server of some kind - I'd suspect a game server of some kind,
>but that's purely a guess.
>
>I really don't think I'd worry about it. You have nothing running on
>that port, so there is nothing to exploit.
Adding to the above, the idea of sample logging what you're dropping,
this is what I have:
...
MLIMIT="--match limit --limit"
...
# data collection, sample what we're dropping?
iptables -A INPUT -p all $MLIMIT 6/min --limit-burst 6 \
    -j LOG --log-level info --log-prefix "InpDrop: "
...
So that same noise burst here would result in a couple dozen events
logged, not the lot. Only noise after all ;-)
Grant.
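
Added example, not part of the original post: a small model of how the limit match in the rule above thins out the burst described in the thread. It assumes the match behaves as a token bucket (starts full with --limit-burst matches, refills one match per 10 s at 6/min) and that the 1366 packets were spread evenly over 180 seconds; the function names are hypothetical.

```python
# Added illustration: models the iptables "limit" match as a token bucket.
# Assumption: 1366 packets spread evenly over 180 s (the post says "about 3 minutes").

def logged_count(arrivals_ms, per_minute=6, burst=6):
    """Return how many packets a '--limit N/min --limit-burst B' rule would match.

    arrivals_ms: sorted packet arrival times in integer milliseconds.
    """
    cost = 60_000 // per_minute      # credit one match consumes (ms of refill time)
    cap = burst * cost               # bucket never holds more than 'burst' matches
    credit = cap                     # bucket starts full
    last = arrivals_ms[0] if arrivals_ms else 0
    matched = 0
    for now in arrivals_ms:
        credit = min(cap, credit + (now - last))  # refill for elapsed time
        last = now
        if credit >= cost:           # enough credit: rule matches, LOG fires
            credit -= cost
            matched += 1
    return matched


def even_burst(packets, duration_ms):
    """Constructed sample input: 'packets' arrivals spread evenly over duration_ms."""
    return [i * duration_ms // packets for i in range(packets)]


if __name__ == "__main__":
    noise = even_burst(1366, 180_000)
    print("packets seen:  ", len(noise))
    print("packets logged:", logged_count(noise))
```

Under these assumptions the first six packets are logged immediately and one more every ten seconds after that, which matches the "couple dozen" figure in the post.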