Thread: CSF port scanning emails.
-
08-29-2009, 06:42 AM #1 Junior Guru Wannabe
CSF port scanning emails.
I'm getting these email notifications several times per day.
I'll assume it's someone trying to get access to my server.
Is it something to worry about since it looks like CSF is taking care of it?
Time: Sat Aug 29 00:52:31 2009 -0400
IP: 76.121.205.202 (US/United States/c-76-121-205-202.hsd1.wa.comcast.net)
Hits: 6
Blocked: Temporary Block
Sample of block hits:
Aug 29 00:51:13 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9106 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:51:21 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9133 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:51:37 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9183 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:51:53 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=114 ID=9263 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:52:30 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=500 TOS=0x00 PREC=0x00 TTL=114 ID=9426 PROTO=UDP SPT=55060 DPT=500 LEN=480
Aug 29 00:52:30 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:02:b3:8a:27:ea:00:d0:02:6f:38:0a:08:00 SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=400 TOS=0x00 PREC=0x00 TTL=114 ID=9427 PROTO=UDP SPT=55060 DPT=500 LEN=380
-
08-29-2009, 07:06 AM #2 Total Nerd
If it's the same IP over and over again I would suggest denying the IP manually since it appears to just be waiting for the temporary block to lift before trying again. I had the same issue with a dedicated server scanning me and getting blocked for 2 hours and coming back. For the most part you have nothing to worry about since it is being blocked after 6 ports but if it's the same machine it could be scanning all of your ports (6 at a time).
-Joe @ Secure Dragon LLC.
-
08-31-2009, 03:00 PM #3 Junior Guru Wannabe
I have started adding the IPs to the deny file if I see them more than once.
I have moved my SSH port. Can that be what they are looking for?
-
08-31-2009, 04:15 PM #4 WHT Addict
This is normal when it comes to the internet; even your home internet is being scanned, if you have the right tools to look it up.
CSF can do a permanent block on the first attempt, so you don't have to manually deny or wait for them to try 5 times. Look up the CSF config.
Just keep your box secured as much as you can; as you can see, the port scan does look for open ports, so it's not only SSH.
-
08-31-2009, 04:25 PM #5 Web Hosting Master
According to a quick Google search, it looks like IPSec traffic:
http://www.google.com/search?hl=en&s...&aq=f&oq=&aqi=
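Added example, not part of any post in this thread: a short Python script that parses kernel log lines of the kind the alert in post #1 quotes and groups the hits per source by protocol and destination port, so repeated hits on one service (all six sampled hits are UDP port 500, the IKE port used by IPsec) can be told apart from a sweep across many ports. The 192.0.2.10 lines and the three-port threshold in `classify` are constructed assumptions.

```python
import re
from collections import defaultdict

# First six lines: hits copied from post #1 with MAC/TOS/PREC/TTL/ID trimmed.
# Last four lines: constructed, using a documentation address, for contrast.
SAMPLE = """\
Aug 29 00:51:13 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:51:21 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:51:37 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:51:53 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=80 PROTO=UDP SPT=55060 DPT=500 LEN=60
Aug 29 00:52:30 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=500 PROTO=UDP SPT=55060 DPT=500 LEN=480
Aug 29 00:52:30 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=76.121.205.202 DST=xx.xx.xx.xxx LEN=400 PROTO=UDP SPT=55060 DPT=500 LEN=380
Aug 29 01:10:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=xx.xx.xx.xxx LEN=60 PROTO=TCP SPT=40112 DPT=21 SYN
Aug 29 01:10:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=xx.xx.xx.xxx LEN=60 PROTO=TCP SPT=40113 DPT=23 SYN
Aug 29 01:10:03 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=xx.xx.xx.xxx LEN=60 PROTO=TCP SPT=40114 DPT=3306 SYN
Aug 29 01:10:03 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=xx.xx.xx.xxx LEN=60 PROTO=TCP SPT=40115 DPT=8080 SYN
"""

# Only the three fields needed; \b keeps SPT= and DST= from matching.
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def summarize(log_text):
    """Map each source IP to its hit count and set of (protocol, dest port)."""
    stats = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in log_text.splitlines():
        if "Firewall:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields or "DPT" not in fields:
            continue  # e.g. ICMP entries carry no destination port
        entry = stats[fields["SRC"]]
        entry["hits"] += 1
        entry["ports"].add((fields.get("PROTO", "?"), int(fields["DPT"])))
    return dict(stats)

def classify(entry, scan_ports=3):
    """Assumed rule of thumb: scan_ports or more distinct ports is a sweep."""
    if len(entry["ports"]) >= scan_ports:
        return "multiple ports"
    return "single service"

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE).items():
        print(src, entry["hits"], sorted(entry["ports"]), classify(entry))
```
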