[techtalk] Re: Odd firewall outputs (cont)
Angela Nash
Chick at the-nashes.net
Sat Mar 24 20:31:04 EST 2001
If your connection is on cable or DSL, expect to get port scanned every few
minutes. You'll fill up your firewall logs very fast.
Jason
-----Original Message-----
From: psyche [mailto:psyche at gci.net]
Sent: Saturday, March 24, 2001 7:26 PM
To: Kath
Cc: techtalk at linuxchix.org
Subject: Re: [techtalk] Re: Odd firewall outputs (cont)
On Sat, 24 Mar 2001, Kath wrote:
> Is that (the IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202!)
> anything to worry about?
>
> - Kath
> ----- Original Message -----
> From: Kath
> To: techtalk at linuxchix.org
> Sent: Saturday, March 24, 2001 12:58 PM
> Subject: Odd firewall outputs
>
>
> I have a Debian 2.2 firewall doing ipmasquerade running the kernel that
> came with it (2.2.18 IIRC).
>
> This machine also serves as a web, email and DNS server.
>
> I woke up this morning and saw the following on the monitor:
>
> IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
> IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
>
I was curious about this since I use IP masquerading, too, so I looked up
some info on it. From what I was able to find out, it appears someone is
pointing a port scanner at your network--and most likely a script kiddie
type, because a more experienced cracker would fix the checksum, so the
error wouldn't be produced. At least that's what one person said.

If you had a friend scan your network, I'd double check and ask them about
it, even if the IP looks weird, to make sure it wasn't them. (P.S.--my IP
will show up in the logs, too--since I just sent you a finger request to
see if you were running finger).

In the meantime, I would check out /var/log/messages for other evidence of
a scan, and plug up any security holes you have. From doing an nslookup on
the IP, it looks like someone possibly on a cable modem or DSL, I
think. It could be just some curious person being fast and loose with
their port scanner, and just poking around, rather than a serious
plan to attack, too. I know I sure get paranoid every time I see
something odd like that--and it's usually nothing to worry too bad about
after all.

psyche

P.S.--a personal 'thank you' to you for posting the error--it inspired me
to look up stuff and learn something new and useful. :)
_______________________________________________
techtalk mailing list
techtalk at linuxchix.org
http://www.linux.org.uk/mailman/listinfo/techtalk
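
The kernel message quoted in this thread reports an incoming ICMP message that failed checksum verification. As an added example (not part of the original thread or of the kernel's code), this is the standard Internet checksum (RFC 1071) check a receiver applies to an ICMP message; the function names and the sample echo reply are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complement of the one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with one zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Build an ICMP message; `rest` is the 4 type-specific header bytes."""
    if len(rest) != 4:
        raise ValueError("rest-of-header must be exactly 4 bytes")
    zeroed = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = inet_checksum(zeroed)             # computed with checksum field = 0
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def icmp_checksum_ok(message: bytes) -> bool:
    """Receiver-side check: summing the message with its checksum gives 0."""
    if len(message) < 8:                     # shorter than an ICMP header
        return False
    return inet_checksum(message) == 0

def demo() -> dict:
    # Constructed sample: echo reply (type 0), identifier 0x1234, sequence 1.
    good = build_icmp(0, 0, struct.pack("!HH", 0x1234, 1), b"constructed payload")
    damaged = good[:-1] + bytes([good[-1] ^ 0x01])   # one bit flipped in transit
    return {"good": icmp_checksum_ok(good),
            "damaged": icmp_checksum_ok(damaged),
            "truncated": icmp_checksum_ok(good[:6])}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:9s} {'checksum ok' if ok else 'failed checksum'}")
```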