Port scanning concern

Jason P. suscricions at gmail.com
Sun Nov 25 17:06:30 UTC 2012


On 25/11/12 17:35, Tony Arnold wrote:
> Jason,
>
> I presume the DST=local_ip shows as a real local IP address behind your
> router (e.g., 192.168.1.27)? And that you do not have any port
> forwarding on your router that could be relevant?
>

You're right. local_ip is a real LAN IP address. Port forwarding is
irrelevant here.

> It looks to me like return traffic from outgoing connections to
> 88.191.127.22. The outgoing connection would be http so it would connect
> on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
> a random high number destination port (DST).
>

Does it make sense trying to connect in sequence to apparently random
ports? On other days the port numbers are different, but always consecutive.
Normally 10 in a row or so.

> UFW should allow such return traffic if it's set up iptables correctly.
>
> Do these log entries correspond to a time of day when your system may be
> looking for updates?
>

Maybe. I should check it. Thanks for the tip.

> Regards,
> Tony.
>
> On 25/11/12 15:31, Jason P. wrote:
>> Hi folks.
>>
>> These days I've been noticing port scanning attempts in my UFW log that
>> I can barely understand.
>>
>> First, I'm behind the router's firewall and this is supposed to protect
>> me from the outside.
>>
>> Second and more strange is that the attacker's ip is Medibuntu's repo one.
>>
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45681 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45682 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45683 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45684 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45685 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45686 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45687 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45688 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45689 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
>>
>>
>> I don't want to seem paranoid, but although I'm not 100% sure, I believe
>> some time ago I installed an unsigned package from there. I'd appreciate
>> your help so I could sleep better hehe.
>>
>>
>> Thanks to all!
>>
>
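The pattern in the quoted log (SPT=80, RST flag set, DPT walking through consecutive ports in the ephemeral range) is what the tail end of a burst of outgoing HTTP connections looks like when the server's late RSTs arrive after the local connection-tracking entries have gone: each request the client made got the next free local port, so the replies come back to consecutive ports. The script below is an added example, not part of this thread or of UFW itself; it parses UFW BLOCK lines and separates "return traffic for connections we opened" from "SYN probes at our service ports", which is the distinction the thread is making. The sample lines are constructed from the entries quoted above (88.191.127.22 is the address from the post; 192.168.1.27 stands in for the redacted local_ip, following Tony's example) plus two constructed lines from the documentation address 203.0.113.9 showing what an inbound probe would look like by contrast. The ephemeral-port lower bound of 32768 is the Linux default and is an assumption about the host.

```python
import re
from collections import defaultdict

# Constructed sample UFW log lines (see lead-in). The first three mirror the
# entries quoted in the thread; the last two are constructed to show an
# inbound SYN probe against low service ports for comparison.
SAMPLE_LOG = """\
[UFW BLOCK] SRC=88.191.127.22 DST=192.168.1.27 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45681 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] SRC=88.191.127.22 DST=192.168.1.27 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45682 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] SRC=88.191.127.22 DST=192.168.1.27 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45683 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] SRC=203.0.113.9 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=50123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[UFW BLOCK] SRC=203.0.113.9 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=50124 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

FLAG_NAMES = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
EPHEMERAL_START = 32768     # assumed: Linux default lower bound of ip_local_port_range
SERVER_PORTS = {80, 443}    # source ports a reply to our own HTTP(S) connection would carry


def parse_ufw_line(line):
    """Turn one '[UFW BLOCK] KEY=VALUE ... FLAG ...' line into a dict.

    KEY=VALUE tokens become dict entries, bare TCP flag names go into
    entry['flags'], and other bare tokens (e.g. DF) into entry['options'].
    """
    if "[UFW BLOCK]" not in line:
        return None
    entry = {"flags": set(), "options": set()}
    for token in line.split("[UFW BLOCK]", 1)[1].split():
        if "=" in token:
            key, value = token.split("=", 1)
            entry[key] = value
        elif token in FLAG_NAMES:
            entry["flags"].add(token)
        else:
            entry["options"].add(token)
    for port_key in ("SPT", "DPT"):
        if port_key in entry:
            entry[port_key] = int(entry[port_key])
    return entry


def classify(entry):
    """Label a parsed entry as return traffic, an inbound probe, or other."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt, flags = entry["SPT"], entry["DPT"], entry["flags"]
    # A server port as source, one of our ephemeral ports as destination and
    # no SYN: this is the far end of a connection we opened (RST or ACK that
    # arrived after the conntrack entry was gone), not a probe of our services.
    if spt in SERVER_PORTS and dpt >= EPHEMERAL_START and ("RST" in flags or "ACK" in flags):
        return "return-traffic"
    # A bare SYN aimed at a low port is a genuine connection attempt from outside.
    if "SYN" in flags and "ACK" not in flags and dpt < EPHEMERAL_START:
        return "inbound-probe"
    return "other"


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive port numbers in the list."""
    if not ports:
        return 0
    ordered = sorted(set(ports))
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyse(log_text):
    """Per source address: counts per classification and the longest DPT run."""
    report = defaultdict(lambda: {"return-traffic": 0, "inbound-probe": 0,
                                  "other": 0, "non-tcp": 0, "dpts": []})
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry is None:
            continue
        src = report[entry["SRC"]]
        src[classify(entry)] += 1
        if "DPT" in entry:
            src["dpts"].append(entry["DPT"])
    for src in report.values():
        src["longest_run"] = longest_consecutive_run(src.pop("dpts"))
    return dict(report)


if __name__ == "__main__":
    for src, summary in analyse(SAMPLE_LOG).items():
        print(src, summary)
```

Run against the sample, 88.191.127.22 is reported only as return traffic with a run of three consecutive destination ports, while 203.0.113.9 shows up as inbound probes on ports 22 and 23. To use it on a real system, feed it the UFW lines from /var/log/ufw.log (or kern.log) instead of SAMPLE_LOG; a source that only ever produces "return-traffic" entries is the case Tony describes, and correlating its timestamps with apt's update schedule is the check he suggests.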