[KLUG Members] Re: Shorewall.log file analysis help

Rusty Yonkers members@kalamazoolinux.org
Mon, 25 Aug 2003 17:37:37 -0700 (PDT)


> >
> >> DPT=21    Destination Port number used by ftp listening daemon

> In the firewall log file entry I broke down, the incoming ftp packet was
> dropped at the external interface. But the packet did have to be read by the
> firewall to know that it should be dropped.

This was an attempt from a computer to connect via port 21 for ftp
vulnerabilities.  Basically the log file is telling you that the
firewall is doing its job!  This is a good thing.  Some hacks will
try to simply connect via 21 to see if they can do it.  I have seen
this many times.  Often I will just put a rule in to drop the packet
without logging it since you will get a number of them.  Since your
system did not respond to the request the hacking machine will simply
move on looking for another target.  It is kinda like a port scan of
only 21 since they evidently have a hack that exploits that service.


There are some other ports that you may see on a regular basis.  137
through 139 often will show up since these are used for Microsoft
networking stuff.  I usually set a rule to drop these without logging
as well.  Usually you will not get enough to bottleneck the system so
it will not be worth worrying about.  It only starts to become
troublesome if you are getting like thousands an hour...  Onesy-twosies
the firewall will be able to handle.  :-)


=====
Rusty Yonkers
CNE, MCP, A+, CCNA, Linux+, Server+, Network+ certified
-----------------------------------------
Department of Redundancy Department
-----------------------------------------
Devoted RedHat fan... looking for penguin domination
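As an added example (not part of Rusty's post or of Shorewall itself), the script below does the log review the post describes: it parses Shorewall's netfilter log lines, counts dropped packets per destination port per hour, and flags ports whose hourly count reaches a threshold as candidates for a silent DROP rule. The sample log lines are constructed, and the `Shorewall:chain:DROP:` prefix assumes Shorewall's default LOGFORMAT.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Shorewall/netfilter syslog format (not real traffic).
# Prefix "Shorewall:<chain>:<disposition>:" assumes the default Shorewall LOGFORMAT.
SAMPLE_LOG = """\
Aug 25 17:01:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 ID=4221 DF PROTO=TCP SPT=3419 DPT=21 SYN URGP=0
Aug 25 17:02:10 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=78 TTL=120 ID=1023 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 25 17:03:44 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 ID=4222 DF PROTO=TCP SPT=3420 DPT=21 SYN URGP=0
Aug 25 17:05:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.2 LEN=48 TTL=50 ID=7 DF PROTO=TCP SPT=51002 DPT=22 SYN URGP=0
Aug 25 18:15:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.2 LEN=78 TTL=120 ID=1024 PROTO=UDP SPT=137 DPT=139 LEN=58
"""

# syslog timestamp, host, "kernel:", then the Shorewall prefix and the netfilter KEY=VALUE fields
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2} \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN are skipped

def parse_line(line):
    """Return a dict of parsed fields for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"hour": m.group("hour"), "chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(KV_RE.findall(m.group("fields")))  # e.g. rec["DPT"] == "21"
    return rec

def drops_per_port_per_hour(text):
    """Count DROP entries by (PROTO, DPT) within each hour of the day."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disp"] != "DROP":
            continue
        counts[rec["hour"]][(rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts

def noisy_ports(text, per_hour_threshold):
    """Ports that hit the hourly threshold: candidates for a DROP rule with no log level."""
    noisy = set()
    for hour_counts in drops_per_port_per_hour(text).values():
        for key, n in hour_counts.items():
            if n >= per_hour_threshold:
                noisy.add(key)
    return noisy
```

Run it over `/var/log/messages` (or wherever your syslog sends kernel messages) with a threshold in the hundreds or thousands to find the ports worth silencing; anything below that is the "onesy-twosies" the post says the firewall handles fine.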
