[Techtalk] weird firewall log

Daniel Pittman daniel at rimspace.net
Wed Apr 8 00:38:22 UTC 2009


Maria McKinley <maria at shadlen.org> writes:

> Hello, the firewall logs on my wireless router have been filling with
> stuff like this:
>
> [INFO] Tue Apr 07 16:54:31 2009 Blocked incoming TCP connection request from 209.44.116.98:59163 to 10.208.108.109:22
> [INFO] Tue Apr 07 16:54:22 2009 Above message repeated 2 times
> [INFO] Tue Apr 07 16:53:21 2009 Blocked incoming TCP connection request from 81.19.121.88:37738 to 10.208.108.109:22
> [INFO] Tue Apr 07 16:53:12 2009 Above message repeated 2 times
> [INFO] Tue Apr 07 16:52:27 2009 Blocked incoming TCP connection request from 194.50.85.50:56133 to 10.208.108.109:22
> [INFO] Tue Apr 07 16:52:18 2009 Above message repeated 2 times
> [INFO] Tue Apr 07 16:52:09 2009 Blocked incoming TCP connection request from 209.44.119.13:47379 to 10.208.108.109:22
>
> The strange thing is that the machine that has IP address
> 10.208.108.109 (and it has been just one machine for the past few days
> anyway) is not on the network during a lot of the times I am getting
> these messages.

You have a NAT rule configured in the router, presumably, since 10/8
traffic can't cross the network.  Look at that, and work out why it is
trying to redirect SSH connections to that address.

As to why they are trying to connect: brute force password guessing
attacks. :)

Regards,
        Daniel
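
Added example (not part of the original message): a small Python parser for the log format quoted above. It rejoins wrapped entries and tallies blocked attempts per destination and source, which shows at a glance which internal address and port the router's rule is pointing at. It assumes each "Above message repeated N times" line refers to the entry printed directly above it; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log excerpt as quoted in the message above, with the mail client's line wrapping.
SAMPLE = """\
[INFO] Tue Apr 07 16:54:31 2009 Blocked incoming TCP connection request
from 209.44.116.98:59163 to 10.208.108.109:22
[INFO] Tue Apr 07 16:54:22 2009 Above message repeated 2 times
[INFO] Tue Apr 07 16:53:21 2009 Blocked incoming TCP connection request
from 81.19.121.88:37738 to 10.208.108.109:22
[INFO] Tue Apr 07 16:53:12 2009 Above message repeated 2 times
[INFO] Tue Apr 07 16:52:27 2009 Blocked incoming TCP connection request
from 194.50.85.50:56133 to 10.208.108.109:22
[INFO] Tue Apr 07 16:52:18 2009 Above message repeated 2 times
[INFO] Tue Apr 07 16:52:09 2009 Blocked incoming TCP connection request
from 209.44.119.13:47379 to 10.208.108.109:22
"""

BLOCKED = re.compile(
    r"Blocked incoming TCP connection request from "
    r"([\d.]+):(\d+) to ([\d.]+):(\d+)")
REPEATED = re.compile(r"Above message repeated (\d+) times?")

def unwrap(text):
    """Rejoin wrapped entries: a line not starting with '[' continues the previous one."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") or (line and not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Return {(dst_ip, dst_port): {src_ip: blocked_attempts}}."""
    targets = defaultdict(lambda: defaultdict(int))
    last = None  # (destination, source) of the most recent Blocked entry in file order
    for entry in unwrap(text):
        m = BLOCKED.search(entry)
        r = REPEATED.search(entry)
        if m:
            src, _sport, dst, dport = m.groups()
            last = ((dst, int(dport)), src)
            targets[last[0]][src] += 1
        elif r and last:
            # Assumption: "Above message" means the entry printed just above this one.
            targets[last[0]][last[1]] += int(r.group(1))
    return {dst: dict(srcs) for dst, srcs in targets.items()}
```

Calling `summarize()` on a saved copy of the router log returns one key per destination the router tried to forward to, so a destination that is not a machine you meant to expose stands out immediately.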

