[techtalk] Re: Odd firewall outputs (cont)

Kath ranger at optonline.net
Sat Mar 24 21:36:20 EST 2001


My Cisco teacher at school runs a firewall and he told me he gets scanned
tons of times.

I just never saw these things echoed to my display before, so it scared me.

- Kath

----- Original Message -----
From: "Angela Nash" <Chick at the-nashes.net>
To: "'psyche'" <psyche at gci.net>; "Kath" <ranger at optonline.net>
Cc: <techtalk at linuxchix.org>
Sent: Saturday, March 24, 2001 7:31 PM
Subject: RE: [techtalk] Re: Odd firewall outputs (cont)


> If your connection is on cable or DSL, expect to get port scanned every
> few minutes.  You'll fill up your firewall logs very fast.
>
> Jason
>
> -----Original Message-----
> From: psyche [mailto:psyche at gci.net]
> Sent: Saturday, March 24, 2001 7:26 PM
> To: Kath
> Cc: techtalk at linuxchix.org
> Subject: Re: [techtalk] Re: Odd firewall outputs (cont)
>
>
>
>
> On Sat, 24 Mar 2001, Kath wrote:
>
> > Is that (the IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202!)
> > anything to worry about?
> >
> > - Kath
> >   ----- Original Message -----
> >   From: Kath
> >   To: techtalk at linuxchix.org
> >   Sent: Saturday, March 24, 2001 12:58 PM
> >   Subject: Odd firewall outputs
> >
> >
> >   I have a Debian 2.2 firewall doing ipmasquerade running the kernel
> >   that came with it (2.2.18 IIRC).
> >
> >   This machine also serves as a web, email and DNS server.
> >
> >   I woke up this morning and saw the following on the monitor:
> >
> >   IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
> >   IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202
> >
>
> I was curious about this since I use IP masquerading, too, so I looked up
> some info on it.  From what I was able to find out, it appears someone is
> pointing a port scanner at your network--and most likely a script kiddie
> type, because a more experienced cracker would fix the checksum, so the
> error wouldn't be produced.  At least that's what one person said.
>
> If you had a friend scan your network, I'd double check and ask them about
> it, even if the IP looks weird, to make sure it wasn't them.  (P.S.--my IP
> will show up in the logs, too--since I just sent you a finger request to
> see if you were running finger).
>
> In the meantime, I would check out /var/log/messages for other evidence of
> a scan, and plug up any security holes you have.  From doing an nslookup
> on the IP, it looks like someone possibly on a cable modem or DSL, I
> think.  It could be just some curious person being fast and loose with
> their port scanner, and just poking around, rather than a serious
> plan to attack, too.  I know I sure get paranoid every time I see
> something odd like that--and it's usually nothing to worry too bad about
> after all.
>
> psyche
>
> P.S.--a personal 'thank you' to you for posting the error--it inspired me
> to look up stuff and learn something new and useful. :)
>
>
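
One way to do the /var/log/messages check suggested in the quoted reply, as an added example that is not part of the original thread: it counts the masquerading checksum message per source and lists sources refused on many distinct ports. It assumes a standard syslog prefix and ipchains packet logging (rules added with `-l`); the host name, addresses and log lines are constructed.

```python
import re
from collections import defaultdict

# Kernel message exactly as quoted in the thread.
MASQ_RE = re.compile(
    r"IP_MASQ:reverse ICMP: failed checksum from (\d+(?:\.\d+){3})")
# Assumed ipchains "-l" packet-log line: verdict, interface, protocol,
# then source ip:port and destination ip:port.
DENY_RE = re.compile(
    r"Packet log: \S+ (?:DENY|REJECT) \S+ PROTO=\d+ "
    r"(\d+(?:\.\d+){3}):\d+ \d+(?:\.\d+){3}:(\d+)")

def summarize(lines, port_threshold=5):
    """Return (bad_checksum_counts, likely_scanners) for kernel log lines."""
    bad_checksums = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in lines:
        m = MASQ_RE.search(line)
        if m:
            bad_checksums[m.group(1)] += 1
            continue
        m = DENY_RE.search(line)
        if m:
            ports_by_src[m.group(1)].add(int(m.group(2)))
    # One source refused on many distinct ports looks like a scan; a source
    # refused on a single port is more likely stray or misdirected traffic.
    scanners = {src: sorted(ports) for src, ports in ports_by_src.items()
                if len(ports) >= port_threshold}
    return dict(bad_checksums), scanners

# Constructed sample (documentation addresses, hypothetical host name "fw").
SAMPLE = [
    "Mar 24 06:12:01 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 192.0.2.10!",
    "Mar 24 06:12:02 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 192.0.2.10!",
    "Mar 24 06:20:40 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.99:1044 203.0.113.5:113 L=44 S=0x00 I=901 F=0x0000 T=49 SYN (#3)",
] + [
    f"Mar 24 06:15:{i:02d} fw kernel: Packet log: input DENY eth0 PROTO=6 "
    f"198.51.100.7:40{i:02d} 203.0.113.5:{port} L=60 S=0x00 I={4400 + i} "
    "F=0x4000 T=52 SYN (#3)"
    for i, port in enumerate([21, 23, 25, 111, 139])
]

if __name__ == "__main__":
    bad, scanners = summarize(SAMPLE)
    for src, n in bad.items():
        print(f"{src}: {n} ICMP checksum failures")
    for src, ports in scanners.items():
        print(f"{src}: refused on {len(ports)} ports {ports}")
```

To run it against a real log, pass `open("/var/log/messages")` to `summarize` in place of `SAMPLE`.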




