Port scanning concern

Jason P. suscricions at gmail.com
Sun Nov 25 18:23:26 UTC 2012


On 25/11/12 18:51, Tony Arnold wrote:
> Jason,
>
> On 25/11/12 17:06, Jason P. wrote:
>> On 25/11/12 17:35, Tony Arnold wrote:
>>> Jason,
>>>
>>> I presume the DST=local_ip shows as a real local IP address behind your
>>> router (e.g., 192.168.1.27)? And that you do not have any port
>>> forwarding on your router that could be relevant?
>>>
>>
>> You're right. local_ip is a real LAN IP address. Port forwarding is
>> irrelevant here.
>>
>>> It looks to me like return traffic from outgoing connections to
>>> 88.191.127.22. The outgoing connection would be http so it would connect
>>> on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
>>> a random high number destination port (DST).
>>>
>>
>> Does it make sense trying to connect in sequence apparently to random
>> ports? Other days port numbers are different, but always consecutive.
>> Normally 10 in a row or so.
>
> Quite possibly. Each outgoing connection would have a destination port
> of 80 and a source port of some high number random port. Consecutive
> connections could well use consecutive ports, thus the return traffic
> would have consecutive destination ports as you are seeing.
>
> It's also unlikely that any malware would be scanning your machine with a
> source port of 80! Besides, such scanning should not get through your
> router.
>
> It looks to me like UFW has not set up iptables properly.
>
>>> UFW should allow such return traffic if it's set up iptables correctly.
>>>
>>> Do these log entries correspond to a time of day when your system may be
>>> looking for updates?
>>>
>>
>> Maybe. I should check it. Thanks for the tip.
>
> That would help.
>
> Regards,
> Tony.
>

Thanks, I'll rest better ;)
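
The distinction drawn in this thread (blocked packets from source port 80 to consecutive high destination ports are replies to the host's own HTTP connections, not a scan) can be checked mechanically over UFW log lines. This is an added example, not part of the original thread; the sample log lines, the addresses 203.0.113.9 and 198.51.100.7, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel/UFW log layout; not taken from the thread.
SAMPLE_LOG = """\
Nov 25 16:40:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.191.127.22 DST=192.168.1.27 PROTO=TCP SPT=80 DPT=51234
Nov 25 16:40:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.191.127.22 DST=192.168.1.27 PROTO=TCP SPT=80 DPT=51235
Nov 25 16:40:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.191.127.22 DST=192.168.1.27 PROTO=TCP SPT=80 DPT=51236
Nov 25 16:40:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=88.191.127.22 DST=192.168.1.27 PROTO=TCP SPT=80 DPT=51237
Nov 25 17:02:10 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.27 PROTO=TCP SPT=40112 DPT=21
Nov 25 17:02:10 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.27 PROTO=TCP SPT=40112 DPT=22
Nov 25 17:02:11 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.27 PROTO=TCP SPT=40112 DPT=23
Nov 25 17:02:11 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.27 PROTO=TCP SPT=40112 DPT=25
Nov 25 17:05:00 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.27 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")
SERVICE_PORTS = {80, 443}   # assumption: services this host connects out to
EPHEMERAL_MIN = 32768       # lower bound of the Linux default ip_local_port_range
SCAN_MIN_PORTS = 4          # assumption: distinct ports before flagging a sweep


def parse(line):
    """Return (src, spt, dpt) for a UFW BLOCK line, or None if it has no ports."""
    if "[UFW BLOCK]" not in line:
        return None
    f = dict(FIELD.findall(line))
    try:
        return f["SRC"], int(f["SPT"]), int(f["DPT"])
    except (KeyError, ValueError):
        return None  # e.g. ICMP entries carry no SPT/DPT


def classify(log_text):
    """Group blocked packets by remote address and label each group."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        by_src[rec[0]].append(rec[1:])
    verdicts = {}
    for src, pairs in by_src.items():
        spts = {s for s, _ in pairs}
        dpts = {d for _, d in pairs}
        if spts <= SERVICE_PORTS and min(dpts) >= EPHEMERAL_MIN:
            verdicts[src] = "return-traffic"   # replies to our own client sockets
        elif len(dpts) >= SCAN_MIN_PORTS and min(dpts) < 1024:
            verdicts[src] = "possible-scan"    # several low ports probed
        else:
            verdicts[src] = "unclassified"
    return verdicts
```

Calling `classify()` on the text of a real log file gives one verdict per remote address; entries without port fields are skipped.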





