
Re: Strange network probes on UDP port: 161



On Wed, Jan 04, 2006 at 09:08:11PM -0500, Stephen Woodbridge wrote:
> Ever since I have brought my new system on line I have been getting the 
> following reports from other server:
> 
> Jan  4 20:47:49 maps portsentry[1117]: attackalert: Connect from host: 
> 192.168.1.113/192.168.1.113 to UDP port: 161
> Jan  4 20:47:49 maps portsentry[1117]: attackalert: Host: 192.168.1.113 
> is already blocked. Ignoring
> 
> Since all these systems are behind a firewall device and my local 
> network is all configured on the 10.1.1.x network this is a little 
> strange. I'm pretty sure it is coming from the new hardware, but I'm not 
> sure how to confirm it other than to turn off the new server and see if 
> the messages stop.

Well, you can use tcpdump to confirm this.
tcpdump -en host 192.168.1.113
for example.  That will give you at least the MAC address.

> I do have an IPMI card in the new server that I have not figured out how 
> to setup and configure because I have been focused on other issues first.

If you remove that card, does this still happen?

> port 161 is an snmp port but I can find no reference to anything like 
> that in the motherboard user's guide for the SuperMicro X6DHT-G motherboard.
> 

There is likely a firmware option on your IPMI card that will enable some
remote monitoring features.  For example, you can enable the LAN
monitoring stuff so that you can remotely use some hardware monitoring
tools like FreeIPMI or OpenIPMI.
It may be possible that your card is also capable of using SNMP for
sending monitoring events.
Are there such options when you enter the firmware at boot stage, or
maybe under the bios menu?

Cheers,

-- 
Bruno Ducrot

--  Which is worse:  ignorance or apathy?
--  Don't know.  Don't care.
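
Added example, not part of the original message: one way to turn the `tcpdump -en` output suggested above into an answer about which machine sends the probes, by counting source MACs for 192.168.1.113 to UDP port 161 and matching them against a MAC list collected from the local hosts. The function names, MAC addresses, labels and packet lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example; every MAC, label and packet line here is constructed.

# Constructed `tcpdump -en` output: two SNMP probes from the odd address,
# one unrelated packet from it, and one SNMP packet from a normal host.
sample_capture() {
cat <<'EOF'
20:47:49.101010 02:00:00:aa:bb:01 > 02:00:00:aa:bb:10, ethertype IPv4 (0x0800), length 85: 192.168.1.113.1030 > 10.1.1.5.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
20:47:54.202020 02:00:00:aa:bb:01 > 02:00:00:aa:bb:10, ethertype IPv4 (0x0800), length 85: 192.168.1.113.1031 > 10.1.1.5.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
20:47:55.303030 02:00:00:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.168.1.113.137 > 192.168.1.255.137: UDP, length 50
20:47:56.404040 02:00:00:aa:bb:02 > 02:00:00:aa:bb:10, ethertype IPv4 (0x0800), length 85: 10.1.1.7.1040 > 10.1.1.5.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
EOF
}

# Constructed inventory: "MAC label" pairs as noted down on each machine.
sample_inventory() {
cat <<'EOF'
02:00:00:aa:bb:01 new-server
02:00:00:aa:bb:02 workstation
EOF
}

# Usage: src_macs_for_ip SRC_IP DST_PORT "INVENTORY" < tcpdump-en-output
# Prints "MAC PACKETS LABEL" per source MAC seen sending SRC_IP -> DST_PORT.
src_macs_for_ip() {
    INV="$3" awk -v ip="$1" -v port="$2" '
        BEGIN {                                  # load the MAC -> label map
            n = split(ENVIRON["INV"], rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, " "); label[tolower(f[1])] = f[2] }
        }
        $3 == ">" {                              # line has a link-level header
            for (i = 5; i < NF; i++) if ($i == ">") break   # ">" between IP endpoints
            if (i >= NF) next
            src = $(i - 1); dst = $(i + 1)
            sub(/\.[0-9]+$/, "", src)            # strip source port
            sub(/:$/, "", dst)                   # strip trailing colon
            sub(/^.*\./, "", dst)                # keep destination port only
            if (src == ip && dst == port) count[tolower($2)]++
        }
        END {
            for (m in count) print m, count[m], ((m in label) ? label[m] : "unknown")
        }
    ' | sort
}

sample_capture | src_macs_for_ip 192.168.1.113 161 "$(sample_inventory)"
```

On a live network, pipe a real capture into `src_macs_for_ip` instead of `sample_capture`; a MAC reported as `unknown` belongs to an interface that is missing from the inventory.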


