Port scanning concern

Gene Heskett gheskett at wdtv.com
Sun Nov 25 19:03:09 UTC 2012 

On Sunday 25 November 2012 13:48:36 Tony Arnold did opine:

> Jason,
> 
> On 25/11/12 17:06, Jason P. wrote:
> > El 25/11/12 17:35, Tony Arnold escribiأ³:
> >> Jason,
> >> 
> >> I presume the DST=local_ip shows as a real local IP address behind
> >> your router (e.g., 192.168.1.27)? And that you do not have any port
> >> forwarding on your router thaty could be relevant?
> > 
> > You're right. local_ip is a real LAN IP adress. Port forwarding is
> > irrelevant here.
> > 
> >> It looks to me like return traffic from outgoing connections to
> >> 88.191.127.22. The outgoing connection would be http so it would
> >> connect on port 80/tcp. Return traffic would have a source port
> >> (SPT) of 80 and a random high number destination port (DST).
> > 
> > Does it make sense trying to connect in sequence apparently to random
> > ports? Other days port numbers are different, but always consecutives.
> > Normally 10 in a row or so.
> 
> Quite possibly. Each outgoing connection would have a destination port
> of 80 and a source port of some high number random port. Consecutive
> connections could well use consecutive ports, thus the return traffic
> would have consecutive destination ports as you are seeing.
> 
> It's also unlike that any malware would be scanning your machine with a
> source port of 80! Besides, such scanning should not get through your
> router.
 
Slight correction here, incoming port 80 would not get past his ISP. I've 
had several internet providers over the last 20 years, and even in 2400 
baud dialup days no incoming port 80 gets past the ISP so they're forcing 
the conventional folks to use their web server farm, which of course loads 
YOUR web page up with THEIR advertising.

> It looks to me like UFW has not set up iptables properly.
> 
> >> UFW should allow such return traffic if it's set up iptables
> >> correctly.
> >> 
> >> Do these log entries correspond to a time of day when your system may
> >> be looking for updates?
> > 
> > Maybe. I should check it. Thanks for the tip.
> 
> That would help.
> 
> Regards,
> Tony.

Regarding routers, DD-WRT, installed on a router with enough resources, has 
been bullet proof against the black hat attacks here for several years. 
Sitting on a cable modem, they are there by the kajillians, but watching 
the logs long ago grew boring.

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
Bershere's Formula for Failure:
	There are only two kinds of people who fail: those who
	listen to nobody... and those who listen to everybody.

More information about the ubuntu-users mailing list