  1. #1
    Join Date
    Jun 2001
    Posts
    68

    CSF port scanning emails.

    I'm getting these email notifications several times per day.
    I'll assume it's someone trying to get access to my server.

    Is it something to worry about since it looks like CSF is taking care of it?



    Time: Sat Aug 29 00:52:31 2009 -0400
    IP: 76.121.205.202 (US/United States/c-76-121-205-202.hsd1.wa.comcast.net)
    Hits: 6
    Blocked: Temporary Block

    Sample of block hits:
    Aug 29 00:51:13 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9106 PROTO=UDP SPT=55060 DPT=500 LEN=60
    Aug 29 00:51:21 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9133 PROTO=UDP SPT=55060 DPT=500 LEN=60
    Aug 29 00:51:37 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9183 PROTO=UDP SPT=55060 DPT=500 LEN=60
    Aug 29 00:51:53 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9263 PROTO=UDP SPT=55060 DPT=500 LEN=60
    Aug 29 00:52:30 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=500 TOS=0x00 PREC=0x00 TTL=114 ID=9426 PROTO=UDP SPT=55060 DPT=500 LEN=480
    Aug 29 00:52:30 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=400 TOS=0x00 PREC=0x00 TTL=114 ID=9427 PROTO=UDP SPT=55060 DPT=500 LEN=380

  2. #2
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    If it's the same IP over and over again I would suggest denying the IP manually since it appears to just be waiting for the temporary block to lift before trying again. I had the same issue with a dedicated server scanning me and getting blocked for 2 hours and coming back. For the most part you have nothing to worry about since it is being blocked after 6 ports but if it's the same machine it could be scanning all of your ports (6 at a time).
    -Joe @ Secure Dragon LLC.

  3. #3
    Join Date
    Jun 2001
    Posts
    68
    I have started adding the IPs to the deny file if I see them more than once.
    I have moved my ssh port. Can that be what they are looking for?

  4. #4
    Join Date
    Nov 2004
    Location
    Toronto
    Posts
    166
    This is normal when it comes to the internet; even your home internet is being scanned, if you have the right tools to look it up.

    CSF can do a permanent block on the first attempt, so you don't have to manually deny or wait for them to try 5 times. Look up the CSF config.

    Just keep your box secured as much, as you can see the port scan does look for open ports so it's not only ssh.

  5. #5
    Join Date
    Apr 2005
    Posts
    1,767
    According to a quick Google search, looks like IPSec traffic:

    http://www.google.com/search?hl=en&s...&aq=f&oq=&aqi=
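
The observation in post #5 can be checked from the alert itself. The following is an added example, not part of any post in this thread: it parses the iptables log lines that CSF quotes in its email and groups them by source address and destination port, so repeated traffic to one service can be told apart from a sweep across ports. The sample log is constructed: three lines shortened from the alert in post #1, plus three invented lines from the documentation address 203.0.113.9 for contrast; the function names are this example's own.

```python
import re

# Constructed sample: lines 1-3 are shortened from the alert in post #1 (MAC and
# TOS/PREC dropped, DST masked as posted); lines 4-6 are invented for contrast.
SAMPLE_LOG = """\
Aug 29 00:51:13 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TTL=114 ID=9106 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:51:21 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TTL=114 ID=9133 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:52:30 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=500 TTL=114 ID=9426 PROTO=UDP SPT=55060 DPT=500 LEN=480
Aug 29 01:10:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=xx.xx.xx.xxx LEN=40 TTL=52 ID=4411 PROTO=TCP SPT=40112 DPT=21 WINDOW=1024 SYN
Aug 29 01:10:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=xx.xx.xx.xxx LEN=40 TTL=52 ID=4412 PROTO=TCP SPT=40112 DPT=23 WINDOW=1024 SYN
Aug 29 01:10:03 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=xx.xx.xx.xxx LEN=40 TTL=52 ID=4413 PROTO=TCP SPT=40112 DPT=3389 WINDOW=1024 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one firewall log line, or None."""
    if "Firewall:" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN occurs twice; keep the first (IP length)
    return fields if "SRC" in fields and "DPT" in fields else None

def summarise(log_text):
    """Map each source IP to its hit count and the set of (proto, dport) hit."""
    summary = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = summary.setdefault(f["SRC"], {"hits": 0, "targets": set()})
        entry["hits"] += 1
        entry["targets"].add((f.get("PROTO", "?"), int(f["DPT"])))
    return summary

def classify(entry):
    """'single-port': repeated traffic to one service; 'multi-port': a sweep."""
    return "single-port" if len(entry["targets"]) == 1 else "multi-port"

if __name__ == "__main__":
    for src, entry in summarise(SAMPLE_LOG).items():
        print(src, entry["hits"], sorted(entry["targets"]), classify(entry))
```

In the alert from post #1, every hit from 76.121.205.202 goes to UDP port 500, the IKE port used by IPsec, rather than to a spread of ports.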
