[NTLUG:Discuss] Is this an attack?
Kelledin
kelledin at users.sourceforge.net
Mon May 27 19:26:40 CDT 2002
On Monday 27 May 2002 06:46 pm, you wrote:
> Hello:
>
> I am seeing many messages like this in my /var/log/messages file:
>
> May 27 15:37:13 server2 kernel: IN= OUT=eth0 SRC=[My Server IP] DST=62.254.128.6 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=32512 DF PROTO=TCP SPT=80 DPT=58768 WINDOW=7574 RES=0x00 ACK URGP=0
>
> This looks like a response from apache on my server, but I do have these
> firewall rules set up:
> # Allow http connections
> /sbin/iptables -A INPUT -i eth0 -d $MY_IP -p tcp --dport www -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $MY_IP -p tcp --sport www -m state --state ESTABLISHED -j ACCEPT
> And I can connect to the apache server on my machine.
>
> Does anyone know what these messages are?
> Is it an attack?
Not sure what it means. What iptables rules do you have to direct packets to
the LOG target? You should specify a unique log prefix for each one, so
you'll know which iptables rule is catching this packet.
--
Kelledin
"If a server crashes in a server farm and no one pings it, does it still cost
four figures to fix?"
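
The per-rule log prefix suggested in the reply above, as an added example that is not part of the original thread: the prefix names, the placement of the LOG rules after the ACCEPT rules, and the sample log lines (documentation addresses) are all assumptions made for illustration. It tags each LOG rule and then tallies log lines by the rule that produced them.

```shell
#!/bin/sh
# Added example. Prefix names, rule placement and log lines are constructed.

# One LOG rule per chain, each with its own prefix (iptables allows up to
# 29 characters). Assumes the rules are appended after the ACCEPT rules, so
# they record whatever those rules did not match. Needs root; the function
# is only defined here, never called.
install_log_rules() {
    /sbin/iptables -A INPUT   -j LOG --log-prefix "LOG-IN: "
    /sbin/iptables -A OUTPUT  -j LOG --log-prefix "LOG-OUT: "
    /sbin/iptables -A FORWARD -j LOG --log-prefix "LOG-FWD: "
}

# Constructed, abbreviated sample of /var/log/messages.
sample_log() {
    cat <<'EOF'
May 27 15:37:13 server2 kernel: LOG-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 LEN=40 PROTO=TCP SPT=80 DPT=58768 ACK URGP=0
May 27 15:37:15 server2 kernel: LOG-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 LEN=40 PROTO=TCP SPT=80 DPT=58768 ACK URGP=0
May 27 15:38:02 server2 kernel: LOG-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=23 SYN URGP=0
May 27 15:39:40 server2 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 LEN=40 PROTO=TCP SPT=80 DPT=58768 ACK URGP=0
EOF
}

# Print "count prefix" for every netfilter LOG line on stdin.
# The prefix is whatever sits between "kernel: " and the "IN=" field;
# lines from a LOG rule without --log-prefix show up as "(no prefix)".
count_by_prefix() {
    awk '
        / kernel: .*IN=.* OUT=/ {
            line = $0
            sub(/^.* kernel: /, "", line)   # drop the syslog header
            sub(/IN=.*$/, "", line)         # keep only the prefix
            sub(/[ \t]+$/, "", line)        # trim trailing blanks
            if (line == "") line = "(no prefix)"
            n[line]++
        }
        END { for (p in n) print n[p], p }
    ' | sort -rn
}

sample_log | count_by_prefix
```

Against a live system the same tally comes from `count_by_prefix < /var/log/messages`; any line still reported as "(no prefix)" comes from a LOG rule that has not been tagged yet.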