
Re: Unusual logging



petes@movieworld.com.au writes:

> Packet log: input DENY eth0 PROTO=1 yyy.y.yy.yy:3 xxx.xx.xxx.xxx:13 L=56
> S=0x00 I=29688 F=0x0000 T=244 (#30)
>
> It's the :13 part that I found unusual. A little research has revealed
> that it may be an attempt to fingerprint our system to see what is
> available. I was led to believe that this is the Timeday port. Is this
> correct? xxx is our public IP address, and yyy is the remote IP address
> that is making the contact.

You should've started with the PROTO=1 bit...

 | zsh, spodzone 12:00AM piglet % ipchains -h icmp
 | ipchains 1.3.10, 1-Sep-2000
 | 
 | Valid ICMP Types:
 | Type Code Description
 | 0    0     echo-reply (pong)
 | 3          destination-unreachable
[snip]
 |      12      TOS-host-unreachable
 |      13      communication-prohibited
 |      14      host-precedence-violation
 |      15      precedence-cutoff

to which the short answer is, "don't go there then". More to the point, you
should *not* be filtering ICMP type 3 anyway.

<http://logi.cc/linux/NetfilterLogAnalyzer.php3> is your friend.

~Tim
-- 
<http://spodzone.org.uk/>
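As an added example (not part of the thread, and not code from either poster), the following Python script parses ipchains "Packet log:" lines of the format quoted above and applies the point of the reply: for PROTO=1 the two "port" positions are the ICMP type and code, so 3:13 is destination-unreachable / communication-prohibited rather than traffic to the daytime port. It also flags DENY entries for ICMP type 3, since those usually indicate a filtering rule worth reviewing. The sample log lines are constructed (RFC 5737 documentation addresses, not the poster's real ones), and the name tables are a subset of what `ipchains -h icmp` prints plus the RFC 1812 code names.

```python
import re
from typing import Optional

# Constructed sample ipchains "Packet log:" lines (RFC 5737 addresses, not the
# poster's real ones). The first mirrors the line in the post, re-joined onto
# one line as syslog records it.
SAMPLE_LOGS = [
    "Packet log: input DENY eth0 PROTO=1 192.0.2.10:3 198.51.100.7:13 "
    "L=56 S=0x00 I=29688 F=0x0000 T=244 (#30)",
    "Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 198.51.100.7:13 "
    "L=60 S=0x00 I=1 F=0x4000 T=50 (#12)",
    "Packet log: input DENY eth0 PROTO=1 192.0.2.10:8 198.51.100.7:0 "
    "L=84 S=0x00 I=2 F=0x0000 T=64 (#3)",
]

# Field layout of an ipchains log line. For PROTO=1 (ICMP) the two "port"
# positions carry the ICMP type and code instead of source/destination ports.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# ICMP type names as `ipchains -h icmp` prints them (subset).
ICMP_TYPES = {
    0: "echo-reply (pong)",
    3: "destination-unreachable",
    8: "echo-request (ping)",
    11: "time-exceeded",
}

# Codes for type 3, matching the ipchains table quoted in the reply and RFC 1812.
ICMP_UNREACH_CODES = {
    0: "network-unreachable",
    1: "host-unreachable",
    2: "protocol-unreachable",
    3: "port-unreachable",
    4: "fragmentation-needed",
    9: "network-prohibited",
    10: "host-prohibited",
    12: "TOS-host-unreachable",
    13: "communication-prohibited",
    14: "host-precedence-violation",
    15: "precedence-cutoff",
}


def parse_packet_log(line: str) -> Optional[dict]:
    """Parse one ipchains log line into a dict; return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] is not None else None
    if rec["proto"] == 1:
        # ICMP: reinterpret the "port" fields as type and code.
        rec["icmp_type"] = rec.pop("sport")
        rec["icmp_code"] = rec.pop("dport")
    return rec


def describe(rec: dict) -> str:
    """Human-readable summary of the protocol-specific part of a record."""
    proto = PROTO_NAMES.get(rec["proto"], f"proto {rec['proto']}")
    if rec["proto"] != 1:
        return f"{proto} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
    t, c = rec["icmp_type"], rec["icmp_code"]
    tname = ICMP_TYPES.get(t, f"type-{t}")
    cname = ICMP_UNREACH_CODES.get(c, f"code-{c}") if t == 3 else f"code-{c}"
    return f"ICMP {tname}/{cname} (type {t}, code {c}) from {rec['src']} to {rec['dst']}"


def denies_icmp_unreachable(rec: dict) -> bool:
    """True when the rule dropped an ICMP destination-unreachable message.

    These carry error reports (including fragmentation-needed, which path MTU
    discovery depends on), so a DENY here usually points at a filtering
    mistake rather than at hostile traffic.
    """
    return rec["action"] == "DENY" and rec["proto"] == 1 and rec["icmp_type"] == 3


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_packet_log(line)
        flag = "  <-- review rule: blocks ICMP type 3" if denies_icmp_unreachable(rec) else ""
        print(f"rule #{rec['rule']}: {describe(rec)}{flag}")
```

Run against the first sample line it reports the entry as ICMP destination-unreachable/communication-prohibited and flags rule #30 for review; the TCP line with a real destination port 13 is left alone.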
