[techtalk] Re: Odd firewall outputs (cont)
psyche
psyche at gci.net
Sat Mar 24 16:26:04 EST 2001
On Sat, 24 Mar 2001, Kath wrote:
> Is that (the IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202!)
> anything to worry about?
>
> - Kath
> ----- Original Message -----
> From: Kath
> To: techtalk at linuxchix.org
> Sent: Saturday, March 24, 2001 12:58 PM
> Subject: Odd firewall outputs
>
>
> I have a Debian 2.2 firewall doing ipmasquerade running the kernel that
> came with it (2.2.18 IIRC).
>
> This machine also serves as a web, email and DNS server.
>
> I woke up this morning and saw the following on the monitor:
>
> IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
> IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
>
I was curious about this since I use IP masquerading, too, so I looked up
some info on it. From what I was able to find out, it appears someone is
pointing a port scanner at your network--and most likely a script kiddie
type, because a more experienced cracker would fix the checksum, so the
error wouldn't be produced. At least that's what one person said.
If you had a friend scan your network, I'd double check and ask them about
it, even if the IP looks weird, to make sure it wasn't them. (P.S.--my IP
will show up in the logs, too--since I just sent you a finger request to
see if you were running finger).
In the meantime, I would check out /var/log/messages for other evidence of
a scan, and plug up any security holes you have. From doing an nslookup on
the IP, it looks like someone possibly on a cable modem or DSL, I
think. It could be just some curious person being fast and loose with
their port scanner, and just poking around, rather than a serious
plan to attack, too. I know I sure get paranoid every time I see
something odd like that--and it's usually nothing to worry too bad about
after all.
psyche
P.S.--a personal 'thank you' to you for posting the error--it inspired me
to look up stuff and learn something new and useful. :)
More information about the Techtalk
mailing list