[techtalk] Re: Odd firewall outputs (cont)

Angela Nash Chick at the-nashes.net
Sat Mar 24 20:31:04 EST 2001


If your connection is on cable or DSL, expect to get port scanned every few
minutes.  You'll fill up your firewall logs very fast.

Jason

-----Original Message-----
From: psyche [mailto:psyche at gci.net]
Sent: Saturday, March 24, 2001 7:26 PM
To: Kath
Cc: techtalk at linuxchix.org
Subject: Re: [techtalk] Re: Odd firewall outputs (cont)




On Sat, 24 Mar 2001, Kath wrote:

> Is that (the IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202!) 
> anything to worry about?
> 
> - Kath
>   ----- Original Message ----- 
>   From: Kath 
>   To: techtalk at linuxchix.org 
>   Sent: Saturday, March 24, 2001 12:58 PM
>   Subject: Odd firewall outputs
> 
> 
>   I have a Debian 2.2 firewall doing ipmasquerade running the kernel that 
>   came with it (2.2.18 IIRC).  
> 
>   This machine also serves as a web, email and DNS server.
> 
>   I woke up this morning and saw the following on the monitor:
> 
>   IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
>   IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
> 

I was curious about this since I use IP masquerading, too, so I looked up
some info on it.  From what I was able to find out, it appears someone is
pointing a port scanner at your network--and most likely a script kiddie
type, because a more experienced cracker would fix the checksum, so the
error wouldn't be produced.  At least that's what one person said.  

If you had a friend scan your network, I'd double check and ask them about
it, even if the IP looks weird, to make sure it wasn't them.  (P.S.--my IP
will show up in the logs, too--since I just sent you a finger request to
see if you were running finger).

In the meantime, I would check out /var/log/messages for other evidence of
a scan, and plug up any security holes you have.  From doing an nslookup on 
the IP, it looks like someone possibly on a cable modem or DSL, I
think.  It could be just some curious person being fast and loose with
their port scanner, and just poking around, rather than a serious
plan to attack, too.  I know I sure get paranoid every time I see
something odd like that--and it's usually nothing to worry too bad about
after all. 

psyche

P.S.--a personal 'thank you' to you for posting the error--it inspired me
to look up stuff and learn something new and useful. :) 


_______________________________________________
techtalk mailing list
techtalk at linuxchix.org
http://www.linux.org.uk/mailman/listinfo/techtalk
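An added example, not part of the thread: one way to follow the advice about checking /var/log/messages is to tally the `IP_MASQ:reverse ICMP: failed checksum` lines per source address, which separates a one-off malformed packet from a repeated probe. It assumes kernel messages reach that file in the classic syslog layout; the function name, hostname, timestamps and second address are constructed for illustration.

```python
import re

# Constructed sample in classic syslog layout. Only the IP_MASQ message text
# and the address 24.112.23.202 come from the thread; the hostname, timestamps
# and the second address (RFC 5737 documentation range) are made up.
SAMPLE_LOG = """\
Mar 24 06:12:01 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
Mar 24 06:12:04 fw last message repeated 2 times
Mar 24 06:15:40 fw named[212]: Cleaned cache of 4 RRs
Mar 24 06:20:11 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 192.0.2.77
Mar 24 06:31:55 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
"""

EVENT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: "
                   r"IP_MASQ:reverse ICMP: failed checksum from ([\d.]+)")
REPEAT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ last message repeated (\d+) times?")

def summarize(lines):
    """Return {source_ip: {"count", "first", "last"}} for failed-checksum events."""
    stats = {}
    prev_ip = None  # source of the preceding line, if that line was an event
    for line in lines:
        m = EVENT.match(line)
        if m:
            stamp, ip = m.groups()
            entry = stats.setdefault(ip, {"count": 0, "first": stamp, "last": stamp})
            entry["count"] += 1
            entry["last"] = stamp
            prev_ip = ip
            continue
        r = REPEAT.match(line)
        if r and prev_ip:
            # syslogd collapses identical consecutive messages into this line,
            # so a plain line count would under-report the source.
            stats[prev_ip]["count"] += int(r.group(2))
            stats[prev_ip]["last"] = r.group(1)
        if not r:
            prev_ip = None  # any other message breaks the "repeated" chain
    return stats

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {e['count']} events, {e['first']} to {e['last']}")
```

To run it against a real log, pass the open file instead of the sample: `summarize(open("/var/log/messages"))`.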



