[Techtalk] weird firewall log
Maria McKinley
maria at shadlen.org
Wed Apr 8 00:48:01 UTC 2009
Daniel Pittman wrote:
> Maria McKinley <maria at shadlen.org> writes:
>
>> Hello, the firewall logs on my wireless router have been filling with
>> stuff like this:
>>
>> [INFO] Tue Apr 07 16:54:31 2009 Blocked incoming TCP connection request
>> from 209.44.116.98:59163 to 10.208.108.109:22
>> [INFO] Tue Apr 07 16:54:22 2009 Above message repeated 2 times
>> [INFO] Tue Apr 07 16:53:21 2009 Blocked incoming TCP connection request
>> from 81.19.121.88:37738 to 10.208.108.109:22
>> [INFO] Tue Apr 07 16:53:12 2009 Above message repeated 2 times
>> [INFO] Tue Apr 07 16:52:27 2009 Blocked incoming TCP connection request
>> from 194.50.85.50:56133 to 10.208.108.109:22
>> [INFO] Tue Apr 07 16:52:18 2009 Above message repeated 2 times
>> [INFO] Tue Apr 07 16:52:09 2009 Blocked incoming TCP connection request
>> from 209.44.119.13:47379 to 10.208.108.109:22
>>
>> The strange thing is that the machine that has ip address
>> 10.208.108.109 (and it has been just one machine for the past few days
>> anyway) is not on the network during a lot of the times I am getting
>> these messages.
>
> You have a NAT rule configured in the router, presumably, since 10/8
> traffic can't cross the network. Look at that, and work out why it is
> trying to redirect SSH connections to that address.
>
> As to why they are trying to connect: brute force password guessing
> attacks. :)
>
> Regards,
> Daniel
It is a one-to-one conversion. They are actually trying to reach
128.208.108.109 (only the first number is changed). The computers really
have picked that particular IP; it's not my NAT rule redirecting in
some strange way. I just don't get why I don't see anything for any
other addresses. And why people smart enough to code a brute-force
password attack wouldn't have it give up if it had absolutely no
response from that IP. ;-)
thanks,
maria
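Added example (not part of the thread, not the router's or any vendor's code): a small parser for log lines in the format Maria posted. It expands the "Above message repeated N times" lines, undoes the one-to-one NAT she describes (only the first octet differs, 10.a.b.c for 128.a.b.c) so the counts are reported against the public address the scanners actually dialled, and flags a target that several distinct sources hit within a short window, which is the usual shape of an SSH password-guessing sweep. Assumptions, all mine: one log entry per line (the wrapping in the mail is not the router's), "repeated N times" means N further attempts beyond the entry printed just above it, the 128 first octet is taken from Maria's message, and the thresholds in `ssh_brute_force_candidates` are arbitrary. The sample log is constructed from the lines in the thread.

```python
"""Parse router 'Blocked incoming ... connection request' log lines, expand
repeat markers, undo a 1:1 NAT and count attempts per source and per target."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, one entry per line, newest first as the router shows it,
# so a 'repeated' line refers to the entry printed immediately above it.
SAMPLE_LOG = """\
[INFO] Tue Apr 07 16:54:31 2009 Blocked incoming TCP connection request from 209.44.116.98:59163 to 10.208.108.109:22
[INFO] Tue Apr 07 16:54:22 2009 Above message repeated 2 times
[INFO] Tue Apr 07 16:53:21 2009 Blocked incoming TCP connection request from 81.19.121.88:37738 to 10.208.108.109:22
[INFO] Tue Apr 07 16:53:12 2009 Above message repeated 2 times
[INFO] Tue Apr 07 16:52:27 2009 Blocked incoming TCP connection request from 194.50.85.50:56133 to 10.208.108.109:22
[INFO] Tue Apr 07 16:52:18 2009 Above message repeated 2 times
[INFO] Tue Apr 07 16:52:09 2009 Blocked incoming TCP connection request from 209.44.119.13:47379 to 10.208.108.109:22
"""

TS = r"(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})"
BLOCK_RE = re.compile(
    r"^\[\w+\] " + TS + r" Blocked incoming (?P<proto>TCP|UDP) connection request "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$")
REPEAT_RE = re.compile(r"^\[\w+\] " + TS + r" Above message repeated (?P<n>\d+) times$")


def parse_log(text):
    """Return a list of block events; each carries a 'count' of attempts."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "count": 1})
            continue
        m = REPEAT_RE.match(line)
        if m:
            if not events:
                raise ValueError("repeat marker with no preceding entry: " + line)
            # Assumption: 'repeated N times' = N attempts beyond the one above.
            events[-1]["count"] += int(m["n"])
        # Other line types (the router logs more than blocks) are ignored.
    return events


def public_address(private_ip, public_first_octet="128"):
    """Undo a 1:1 NAT in which only the first octet changes (10.a.b.c <-> 128.a.b.c).
    The 128 default is the mapping described in the thread, not a general rule."""
    first, rest = private_ip.split(".", 1)
    if first != "10":
        raise ValueError("not a 10/8 address: " + private_ip)
    return public_first_octet + "." + rest


def attempts_per_source(events):
    """Total attempts (including repeats) keyed by source IP."""
    counts = Counter()
    for e in events:
        counts[e["src"]] += e["count"]
    return counts


def ssh_brute_force_candidates(events, min_sources=3, window_seconds=300):
    """Targets (public ip:port) contacted by >= min_sources distinct sources
    inside any window_seconds-long window. Heuristic thresholds, chosen here."""
    per_target = defaultdict(list)
    for e in events:
        per_target[public_address(e["dst"]) + ":" + str(e["dport"])].append(e)
    hits = {}
    for target, evs in per_target.items():
        evs.sort(key=lambda e: e["time"])
        best, start = 0, 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({e["src"] for e in evs[start:end + 1]}))
        if best >= min_sources:
            hits[target] = {"distinct_sources_in_window": best,
                            "total_attempts": sum(e["count"] for e in evs)}
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, n in attempts_per_source(evs).most_common():
        print(f"{src:16} {n} attempts")
    for target, info in ssh_brute_force_candidates(evs).items():
        print(f"{target}: {info['distinct_sources_in_window']} sources, "
              f"{info['total_attempts']} attempts")
```

Run against the sample it reports four sources, ten attempts in all, every one aimed at 128.208.108.109:22 within about two and a half minutes. The point of undoing the NAT before counting is the one Maria makes: the scanners never saw 10.208.108.109, they picked the public address, so that is the key the report should be built on.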