Re: Help identify this firewall message

From: Bill Mullen (moon_at_lunarhub.com)
Date: 04/10/04


Date: Sat, 10 Apr 2004 21:00:02 GMT

On Sat, 10 Apr 2004 18:54:31 +0300, Michael Badt sputtered:

> I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b
> firewall on a stand alone PC. I'm connected to the Internet via an
> ADSL connection using rp-pppoe. The ADSL modem is connected to eth1
> (eth0 is not connected and currently not used) which is configured for
> a static 192.168.1.X IP address (255.255.255.0 mask).

> My ISP's IP addresses are: 192.114.47.4 (P) & 192.117.47.52 (S).

Those are their DNS server addresses, I presume?

moon@tvbox:~$ host 192.114.47.4
4.47.114.192.in-addr.arpa domain name pointer ns1.actcom.net.il.

Yup. ;)

> Whenever I'm connected to the Internet (ppp0 present) my log file
> fills (about every second) with the following entry:

> "Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP: IN=ppp0
> OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840
> RES=0x00 ACK SYN URGP=0"

> Can somebody help me identify the source of this message and/or
> the target IP (192.115.16.120)?

Sure. Heck, you can even do it yourself ...

moon@tvbox:~$ host 192.114.47.51
51.47.114.192.in-addr.arpa domain name pointer proxy2.actcom.co.il.

The source appears to be a proxy server at your ISP, running on port
8080. The packet *appears* to be a response from this proxy server to a
connection initiated from the 192.115.16.120 address.

moon@tvbox:~$ host 192.115.16.120
Host 120.16.115.192.in-addr.arpa not found: 3(NXDOMAIN)

OK, whoever this is has no resolvable hostname. That doesn't - in and of
itself - mean a whole lot, plenty of systems aren't listed in DNS for
any number of perfectly valid reasons.

So, let's try a different tack:

moon@tvbox:~$ whois 192.115.16.120
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 192.115.16.0 - 192.115.31.255
netname: ACTCOM-NET-BLOCK3
descr: Actcom - Active Communication Ltd.
country: IL
admin-c: AH1743-RIPE
tech-c: AH1743-RIPE
status: ASSIGNED PA
mnt-by: MAINT-AS4148
changed: genah@actcom.co.il 20030821
source: RIPE

route: 192.115.16.0/20
descr: ACTCOM - Active Communications Ltd.
              Haifa Tower, 63a Herzl St
              Haifa, Israel
origin: AS4148
mnt-by: MAINT-AS4148
changed: vects@actcom.net.il 20020407
source: RIPE

person: ACTCOM's Hostmaster
address: ACTCOM - Active Communication Ltd.
address: P.O.Box 5402
address: Haifa 31054
address: Israel
phone: +972 4 8300123
fax-no: +972 4 8676088
e-mail: domain@actcom.co.il
nic-hdl: AH1743-RIPE
changed: genah@actcom.net.il 20030821
source: RIPE

Hey, whaddaya know, your ISP owns that netblock also. The question is,
why are you even seeing this packet on your wire? I'm thinking some kind
of a routing problem at your ISP is to blame here. When you run (at a
prompt) the command "/sbin/ifconfig ppp0" while connected, what do you
get in response? Are either of the IP addresses there 192.115.16.120?

-- 
Bill Mullen   moon@lunarhub.com   MA, USA   RLU #270075   MDK 8.1 & 9.0
"In communities where men build ships for their own sons to fish or
fight from, quality is never a problem." -- J. A. Dever
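The diagnosis walked through above (read the fields out of the Shorewall log line, note the SYN/ACK flags, then check whether DST is really one of your own addresses) as a small script. This is an added example, not code from the thread or from the Shorewall project. The first sample line is the entry quoted in the thread; the second line and the LOCAL_ADDRS value (standing in for what "ifconfig ppp0" would show) are constructed assumptions.

```python
"""Parse Shorewall (netfilter LOG target) kernel messages and say why each
dropped packet is odd.  Added example, not code from the original thread."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample input.  Line 1 is the entry quoted in the thread; line 2
# is made up to show a different outcome.
SAMPLE_LOG = """\
Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP: IN=ppp0 OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 10 07:04:19 localhost kernel: Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=10.9.8.7 DST=192.115.16.77 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4711 DF PROTO=TCP SPT=4021 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Hypothetical address of this host's ppp0 (what "ifconfig ppp0" would show);
# an assumption, not a value from the thread.
LOCAL_ADDRS = {ip_address("192.115.16.77")}

PREFIX_RE = re.compile(
    r"kernel:\s+Shorewall:(?P<chain>\w+):(?P<disposition>\w+):\s*(?P<rest>.*)$"
)


def parse_netfilter_line(line):
    """Split one Shorewall log line into chain, disposition, KEY=VALUE
    fields and bare flag tokens (DF, SYN, ACK, ...).  Returns None for
    lines that are not Shorewall messages."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")  # "OUT=" yields an empty value
            fields[key] = val
        else:
            flags.add(tok)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "fields": fields,
        "flags": flags,
    }


def estimate_hops(ttl):
    """Rough distance guess from the TTL: common initial values are 64
    (Linux), 128 and 255, so take the nearest one at or above the observed
    TTL and subtract.  TTL=63 from a Linux box means one hop away."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def classify(rec, local_addrs):
    """One-word diagnosis.  local_addrs is the set of addresses this host
    holds on the logging interface, passed in so the function runs offline."""
    f, flags = rec["fields"], rec["flags"]
    if ip_address(f["DST"]) not in local_addrs:
        # Addressed to someone else: the upstream router should not have
        # sent it down our link at all.
        return "misrouted"
    if f.get("PROTO") == "TCP" and {"SYN", "ACK"} <= flags:
        # A reply to a connection the firewall has no state for.
        return "stray-synack"
    if f.get("PROTO") == "TCP" and "SYN" in flags:
        return "unsolicited-syn"
    return "other"


def summarize(log_text, local_addrs):
    """Count repeats per (src:sport, dst:dport, diagnosis) so a once-a-second
    flood collapses into a single counted line."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        key = (
            f"{f['SRC']}:{f.get('SPT', '-')}",
            f"{f['DST']}:{f.get('DPT', '-')}",
            classify(rec, local_addrs),
        )
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, why), n in summarize(SAMPLE_LOG, LOCAL_ADDRS).items():
        ttl = None
        print(f"{n:4d}  {src:>22} -> {dst:<22} {why}")
```

Run it against a real /var/log/messages by feeding the file contents to summarize() and replacing LOCAL_ADDRS with the address ifconfig (or ip addr) reports for ppp0; a packet classified "misrouted" is exactly the case in the thread, where the only sensible explanation is on the ISP's side of the link.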
