Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 1568 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[1.900] Portscan [CHECKING]

gkemter
Since yesterday (i setup fresh ACC) i got warnings from firewall/ips 

A portscan was detected. Details about the event:



Time.............: 2008:10:08-20:24:15



Source IP address: 192.168.254.252 (acc.sk-computer.local)

www.dnsstuff.com/.../ptr.ch

www.ripe.net/.../whois

ws.arin.net/.../whois.pl

cgi.apnic.net/.../whois.pl



-- 

System Uptime      : 1 days 1 hours 46 minutes

System Load        : 0.09

System Version     : Astaro Security Gateway Appliance 7.302


Just wonder why ACC make a portscan ?
Is there some kind of SkyNet working ??

BTW. all links to dnsstuff,ripe arin,apnic makes no sense on private ip-range

Gregor Kemter


This thread was automatically locked due to age.
Parents
  • 0
    Hi,

    could you please provide some more information on what exactly happened? The ACC is not making any portscans to our knowledge. What ports are affected?

    Regarding the lookup attempts for an RFC1918 address ... Please make a separate posting in the appropriate non-ACC section of this forum.

    Thanks and regards,
    Henning
  • 0 in reply to megaposer
    Maybe it comes from Up2date from ACC, but i setup a parentproxy for Up2date. 


    2008:10:09-02:24:08 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.198.93.249" proto="17" length="40" tos="0x00" prec="0x00" ttl="14" srcport="55503" dstport="33451" 

    2008:10:09-02:24:09 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="69.10.147.76" proto="17" length="40" tos="0x00" prec="0x00" ttl="14" srcport="55503" dstport="33452" 

    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.144.15.5" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33453" 

    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="218.213.238.229" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33454" 

    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.121.10.115" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33455" 

    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.242.114.243" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33456" 

    2008:10:09-02:24:12 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.198.93.249" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33457" 

    2008:10:09-02:24:13 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="69.10.147.76" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33458" 

    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.144.15.5" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33459" 

    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="218.213.238.229" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33460" 

    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.121.10.115" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33461" 

    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.242.114.243" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33462" 

    2008:10:09-02:24:15 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.198.93.249" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33463" 

    2008:10:09-02:24:16 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="69.10.147.76" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33464" 

    2008:10:09-08:24:12 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="218.213.238.229" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="33956" dstport="33454" 


    Gregor Kemter
  • 0 in reply to gkemter
    Hi,

    the ACC is using "netselect" to find the fastest Up2Date Server (just like every AxG is doing as well). Your Internet ASG is wrongly interpreting this as portscan. You could add an exception for service traceroute for your ACC address.

    Cheers
Reply
  • 0 in reply to gkemter
    Hi,

    the ACC is using "netselect" to find the fastest Up2Date Server (just like every AxG is doing as well). Your Internet ASG is wrongly interpreting this as portscan. You could add an exception for service traceroute for your ACC address.

    Cheers
Children
No Data
Unfiltered HTML