Hello,
This log keeps appearing every day. Could anyone tell me what this guy is possibly up to? Is this a scan, or a break-in attempt? It's always the same newnotsyn log, and there are a bunch of them. I'm wondering if I should just put him on the blacklist.

Sep 12 07:21:00 voyager kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT= MAC=00:10:dc:27:e3:d7:00:d0:79:91:27:fc:08:00 SRC=66.27.56.213 DST=160.36.28.203 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=60473 DF PROTO=TCP SPT=49020 DPT=25 WINDOW=5840 RES=0x00 ACK FIN URGP=0

--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
-------------------------------------------------
/"\  ASCII Ribbon Campaign against HTML
\ /  email and proprietary format
 X   attachments.
/ \
-------------------------------------------------
Have you been used by Microsoft today?
Choose your life. Choose freedom.
Choose LINUX.
-------------------------------------------------

Destination Port tcp 25 smtp mail... Don't know much about your network and what SMTP would have to do with it. This could be a lot of stupid things. If you don't host a public smtp server then put that ip on the blacklist if it makes you feel better. If you're hosting a public smtp server then you obviously need to make sure that you don't have something misconfigured on your end mail server or dns wise.

My 2cents...

JBanks

--- "Reuben D. Budiardja" <techlist@voyager.phys.utk.edu> wrote:
> Hello,
> This log keeps appearing every day. Could anyone tell me what this guy
> is possibly up to? Is this a scan, or a break-in attempt? It's always the same
> newnotsyn log, and there are a bunch of them. I'm wondering if I should just
> put him on the blacklist.
>
> Sep 12 07:21:00 voyager kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT=
> MAC=00:10:dc:27:e3:d7:00:d0:79:91:27:fc:08:00 SRC=66.27.56.213
> DST=160.36.28.203 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=60473 DF PROTO=TCP
> SPT=49020 DPT=25 WINDOW=5840 RES=0x00 ACK FIN URGP=0

On Saturday 13 September 2003 02:11 am, you wrote:
> Destination Port tcp 25 smtp mail... Don't know much about your network
> and what SMTP would have to do with it. This could be a lot of stupid
> things. If you don't host a public smtp server then put that ip on the
> blacklist if it makes you feel better. If you're hosting a public smtp server
> then you obviously need to make sure that you don't have something
> misconfigured on your end mail server or dns wise.

I don't run public SMTP, I just use sendmail for myself. I open port 25 because I want to also be able to receive mail to my machine. However, I've never had any business with this IP, and this happens every day, many times, which makes me suspicious.
So I guess I'll just blacklist it then.

Thanks.

> My 2cents...
>
> JBanks

--
Reuben D. Budiardja

In my opinion, if you do recognize something, blacklist it. If someone yells you'll know who it is and you can then decide what to do with it. Just being safe.

Kev

--
Subject: Re: [Shorewall-users] What is this guy up to?
To: Joshua Banks <l0f33t@yahoo.com>, Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
Message-ID: <200309131151.35578.techlist@voyager.phys.utk.edu>
Content-Type: text/plain; charset="iso-8859-1"

On Saturday 13 September 2003 02:11 am, you wrote:
> Destination Port tcp 25 smtp mail... Don't know much about your network
> and what SMTP would have to do with it. This could be a lot of stupid
> things. If you don't host a public smtp server then put that ip on the
> blacklist if it makes you feel better. If you're hosting a public smtp server
> then you obviously need to make sure that you don't have something
> misconfigured on your end mail server or dns wise.

I don't run public SMTP, I just use sendmail for myself. I open port 25 because I want to also be able to receive mail to my machine. However, I've never had any business with this IP, and this happens every day, many times, which makes me suspicious.
So I guess I'll just blacklist it then.

On Sat, 2003-09-13 at 11:51, Reuben D. Budiardja wrote:
> On Saturday 13 September 2003 02:11 am, you wrote:
> I don't run public SMTP, I just use sendmail for myself. I open port 25
> because I want to also be able to receive mail to my machine. However, I've
> never had any business with this IP, and this happens every day, many times,
> which makes me suspicious.
> So I guess I'll just blacklist it then.

He's prob just a spammer looking for a host, nothing to be too alarmed about :-)
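
Added example, not part of the original thread and not Shorewall's own code: Shorewall's newnotsyn chain logs TCP packets that connection tracking treats as NEW but that are not plain SYN packets, so before blacklisting it helps to see which flags and ports each source keeps hitting. The Python below parses such log lines and groups them per source; the function names are illustrative, and every entry in SAMPLE except the first (the line from the original post) is constructed.

```python
import re
from collections import defaultdict

# Bare tokens the netfilter LOG target prints for TCP flags that are set.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")

def parse_line(line):
    """Parse one Shorewall kernel log line; return None for anything else."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "disposition": m["disp"], "flags": []}
    for tok in m["rest"].split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val              # KEY=value field (value may be empty)
        elif tok in TCP_FLAGS:
            rec["flags"].append(tok)    # flag tokens keep their logged order
    return rec

def summarize_newnotsyn(lines):
    """Per source address: hit count, destination ports and flag sets seen."""
    summary = defaultdict(lambda: {"hits": 0, "ports": set(), "flags": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["chain"] != "newnotsyn" or rec.get("PROTO") != "TCP":
            continue
        if "SRC" not in rec or not rec.get("DPT", "").isdigit():
            continue                    # truncated line, skip it
        entry = summary[rec["SRC"]]
        entry["hits"] += 1
        entry["ports"].add(int(rec["DPT"]))
        entry["flags"].add("+".join(rec["flags"]) or "none")
    return dict(summary)

TEMPLATE = ("Sep 12 {t} voyager kernel: Shorewall:{chain}:DROP:IN=eth0 OUT= "
            "MAC=00:10:dc:27:e3:d7:00:d0:79:91:27:fc:08:00 SRC={src} "
            "DST=160.36.28.203 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=60473 DF "
            "PROTO=TCP SPT={spt} DPT={dpt} WINDOW=5840 RES=0x00 {flags} URGP=0")
SAMPLE = [
    # First entry reproduces the line from the original post; the rest are constructed.
    TEMPLATE.format(t="07:21:00", chain="newnotsyn", src="66.27.56.213", spt=49020, dpt=25, flags="ACK FIN"),
    TEMPLATE.format(t="07:24:13", chain="newnotsyn", src="66.27.56.213", spt=49031, dpt=25, flags="ACK FIN"),
    TEMPLATE.format(t="08:02:40", chain="newnotsyn", src="192.0.2.10", spt=40000, dpt=80, flags="ACK RST"),
    TEMPLATE.format(t="08:02:41", chain="newnotsyn", src="192.0.2.10", spt=40001, dpt=22, flags="ACK"),
    TEMPLATE.format(t="08:05:09", chain="net2all", src="198.51.100.7", spt=51000, dpt=23, flags="SYN"),
]

if __name__ == "__main__":
    for src, info in sorted(summarize_newnotsyn(SAMPLE).items()):
        print(src, info["hits"], sorted(info["ports"]), sorted(info["flags"]))
```

A source that only ever shows FIN or RST combinations against one port you actually serve is consistent with late teardown packets for connections that conntrack has already forgotten; a spread of destination ports per source is the pattern worth a closer look.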