Hello all,

Running Etch amd64.

I just found this in my logwatch:

--------------------- iptables firewall Begin ------------------------

Listed by source hosts:
Rejected 4 packets on interface ppp0
From 209.29.44.21 - 4 packets
To 207.246.138.125 - 1 packet
Service: 81 (tcp/81) (Shorewall:fw2net:REJECT - 1 packet
To 207.246.138.137 - 1 packet
Service: 81 (tcp/81) (Shorewall:fw2net:REJECT - 1 packet
To 207.246.138.139 - 1 packet
Service: 81 (tcp/81) (Shorewall:fw2net:REJECT - 1 packet
To 207.246.138.140 - 1 packet
Service: 81 (tcp/81) (Shorewall:fw2net:REJECT - 1 packet

---------------------- iptables firewall End -------------------------


And this is what I found in /var/log/syslog:

Apr 10 22:38:10 titan kernel: Shorewall:fw2net:REJECT:IN= OUT=ppp0
SRC=209.29.44.21 DST=207.246.138.125 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=34903 DF PROTO=TCP SPT=54446 DPT=81 WINDOW=5840 RES=0x00 SYN URGP=0

Apr 10 22:38:10 titan kernel: Shorewall:fw2net:REJECT:IN= OUT=ppp0
SRC=209.29.44.21 DST=207.246.138.137 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=31888 DF PROTO=TCP SPT=54278 DPT=81 WINDOW=5840 RES=0x00 SYN URGP=0

Apr 10 22:38:10 titan kernel: Shorewall:fw2net:REJECT:IN= OUT=ppp0
SRC=209.29.44.21 DST=207.246.138.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=38355 DF PROTO=TCP SPT=50574 DPT=81 WINDOW=5840 RES=0x00 SYN URGP=0

Apr 10 22:38:10 titan kernel: Shorewall:fw2net:REJECT:IN= OUT=ppp0
SRC=209.29.44.21 DST=207.246.138.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=20562 DF PROTO=TCP SPT=53783 DPT=81 WINDOW=5840 RES=0x00 SYN URGP=0


It seems to have been something from my box (fw) out to the net.

I'm on dialup. I don't see port 81 in /etc/services.

Any ideas?

Thanks
Doug.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Wednesday, 11.04.2007 at 08:28 -0400, Douglas Allan Tutty wrote:

> I'm on dialup. I don't see port 81 in /etc/services.

*unsure* I vaguely remember that Smoothwall used this port for remote
access, I think. (i.e. you could connect to your own Smoothwall
installation on that port to configure it.

Dave.
--
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFGHNyKnhBnac0o2pIRAr3nAJ9xcLYsMOrB5BxjHRTBCt kdHGGA1wCg/o11
gtVYfa3ZLXGywO27SuLx2Kg=
=xzts
-----END PGP SIGNATURE-----

On Wed, Apr 11, 2007 at 02:03:06PM +0100, Dave Ewart wrote:
>
> *unsure* I vaguely remember that Smoothwall used this port for remote
> access, I think. (i.e. you could connect to your own Smoothwall
> installation on that port to configure it.
>

Reviewing what I was doing on the box last night:
aptitude was [still is ] in the midst of downloading a package

Konqueror kept not responding but;

KDE kept Konking Out (requiring Ctrl-Alt-BS)

(Konqueror works OK when accessed via SSH from other box)

I suppose its possible that in the process of Konking out it made
connection attempts on the wrong port. I'm not really interested in
fixing KDE; I think I'll be going back to XFCE but using K apps.

So should I forget about the port 81 attempt? I don't see any evidence
on the box that there's been a compromise.

Doug.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Dave Ewart schrieb:
> On Wednesday, 11.04.2007 at 08:28 -0400, Douglas Allan Tutty wrote:
>
>
>> I'm on dialup. I don't see port 81 in /etc/services.
>>
>
> *unsure* I vaguely remember that Smoothwall used this port for remote
> access, I think. (i.e. you could connect to your own Smoothwall
> installation on that port to configure it.
>
> Dave.
>

According to http://www.iana.org/assignments/port-numbers it is a
service called "HOSTS2 Name Server". However, I got no clue what that
is. Usually an http service would listen to it. Using 81 as "spare" port.

Greetings
Björn



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGHOD7Y7BnBH/xFu8RAj6YAJ44TRHziW981Z+sJfTJDIbtNUtcFQCgjMyQ
3toi+RgcIsLqSgiKhwWKfZw=
=ZRh6
-----END PGP SIGNATURE-----

On Wednesday, 11.04.2007 at 09:21 -0400, Douglas Allan Tutty wrote:

> On Wed, Apr 11, 2007 at 02:03:06PM +0100, Dave Ewart wrote:
> >
> > *unsure* I vaguely remember that Smoothwall used this port for remote
> > access, I think. (i.e. you could connect to your own Smoothwall
> > installation on that port to configure it.
> >
>
> Reviewing what I was doing on the box last night:
> aptitude was [still is ] in the midst of downloading a package
>
> Konqueror kept not responding but;
>
> KDE kept Konking Out (requiring Ctrl-Alt-BS)
>
> (Konqueror works OK when accessed via SSH from other box)
>
> I suppose its possible that in the process of Konking out it made
> connection attempts on the wrong port. I'm not really interested in
> fixing KDE; I think I'll be going back to XFCE but using K apps.
>
> So should I forget about the port 81 attempt? I don't see any evidence
> on the box that there's been a compromise.

You misunderstand. This is nothing to do with you. Probably someone
who had your (dynamic) IP before you used to run Smoothwall.

You can ignore it.

Dave.
--
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFGHOy3nhBnac0o2pIRAj/JAJ0SItmEjjnZbuBE9N38vhTw6vIYiACaA/UH
fDqtUMGRoANWJBy0wQtxqDo=
=gAKx
-----END PGP SIGNATURE-----