
Re: iptables log random access attempts to my server. why?



My best guess is that these are typical script-kiddie connection
attempts.  I too get hundreds of scans a day, many to the same ports.

> the primary candidates for connection attempts so far have been to
> 21/tcp(ftp)

Root exploits, places to get/store warez.

> 53/tcp(dns)

Root exploits.

> 80/tcp(http)

Code red worm, free files.

> 111/tcp(sunrpc)

Root exploits.

> 515/tcp(lpd)

Root exploits.

> 79/tcp(finger)

Info on system (use cfingerd, or some other logging finger program to
find out who is fingering you and what they're looking for).

> 25/tcp(smtp)

Possible sendmail exploits, or a spammer looking for an open relay.

> 43/tcp(whois).

Dunno.

As you can see, most of those ports have root exploits attached to
them.  Admittedly, most of the exploits are old, but if there's one
thing that Code Red has taught us, it's that sysadmins don't always
patch their systems.  Since scanning is cheap, may as well look for
the holes!

I personally keep the log files and have them reported to me.
However, you might look into "fwanalog" and see if you can just get
daily summaries of the blocked packets, rather than hourly reports.

Also, look into iptables "--limit" directive; it keeps the reporting
of similar packets (same host/port) down to a reasonable level.

Jason

--
Jason Healy    |     jhealy@logn.net
LogN Systems   |   http://www.logn.net/
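The two suggestions at the end of the reply above (rate-limiting iptables LOG output with "--limit", and boiling the blocked packets down to a per-port summary instead of reading every line) as an added worked example that is not part of the original post or of fwanalog. The chain name DROPLOG, the 6/hour rate, the log prefix, and the sample log lines are all constructed for this illustration; the rules are only printed, so no root privileges are needed to run the script.

```shell
#!/bin/sh
# Added example (not from the original post): rate-limited iptables logging
# plus an awk digest of blocked packets by destination port, in the spirit of
# the daily summaries fwanalog produces. The chain name DROPLOG, the rate
# 6/hour and the log prefix are assumptions, not values from the post.

# Emit the iptables commands for a rate-limited logging chain. They are only
# printed here; on a real firewall you would pipe this output into sh.
droplog_rules() {
    cat <<'EOF'
iptables -N DROPLOG
iptables -A DROPLOG -m limit --limit 6/hour --limit-burst 10 -j LOG --log-prefix "DROPLOG: "
iptables -A DROPLOG -j DROP
iptables -A INPUT -p tcp -m multiport --dports 21,25,43,53,79,80,111,515 -j DROPLOG
EOF
}

# Constructed sample of kernel LOG lines in the layout found in /var/log/messages.
sample_log() {
    cat <<'EOF'
Aug 12 03:14:07 gw kernel: DROPLOG: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=21 SYN
Aug 12 03:14:09 gw kernel: DROPLOG: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4322 DPT=80 SYN
Aug 12 05:40:51 gw kernel: DROPLOG: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=111 SYN
Aug 12 11:02:33 gw kernel: DROPLOG: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=80 SYN
Aug 12 22:17:45 gw kernel: DROPLOG: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=55000 DPT=80 SYN
EOF
}

# Summarise LOG lines read from stdin: one line per destination port in the
# form "count port distinct_sources", busiest port first.
summarize_log() {
    awk '
    /DROPLOG:/ {
        port = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DPT=/) port = substr($i, 5)
            if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (port == "") next
        hits[port]++
        if (!((port, src) in seen)) { seen[port, src] = 1; srcs[port]++ }
    }
    END { for (p in hits) printf "%d %s %d\n", hits[p], p, srcs[p] }
    ' | sort -rn
}

# Hit count for one destination port in the sample summary.
hits_for_port() {
    sample_log | summarize_log | awk -v p="$1" '$2 == p { print $1 }'
}

# Usage: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    droplog_rules
    echo "--- summary of sample log ---"
    sample_log | summarize_log
fi
```

The "--limit 6/hour --limit-burst 10" match lets the first ten packets through to LOG immediately and then at most six per hour after that, so a scanner hammering one port produces a handful of log lines instead of hundreds, while the DROP that follows applies to every packet. Feeding the real log through summarize_log once a day gives the kind of per-port digest the reply recommends over hourly reports.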
