
[1.900] Portscan [CHECKING]

Since yesterday (I set up a fresh ACC) I have been getting warnings from the firewall/IPS

A portscan was detected. Details about the event:

Time.............: 2008:10:08-20:24:15

Source IP address: 192.168.254.252 (acc.sk-computer.local)
www.dnsstuff.com/.../ptr.ch
www.ripe.net/.../whois
ws.arin.net/.../whois.pl
cgi.apnic.net/.../whois.pl

-- 
System Uptime      : 1 days 1 hours 46 minutes
System Load        : 0.09
System Version     : Astaro Security Gateway Appliance 7.302



Just wondering why the ACC makes a portscan?
Is there some kind of SkyNet at work??

BTW, all the links to dnsstuff, ripe, arin, apnic make no sense for a private IP range.

Gregor Kemter


  • Hi,

    could you please provide some more information on what exactly happened? The ACC is not making any portscans to our knowledge. What ports are affected?

    Regarding the lookup attempts for an RFC1918 address ... Please make a separate posting in the appropriate non-ACC section of this forum.

    Thanks and regards,
    Henning
  • Maybe it comes from Up2Date on the ACC, but I set up a parent proxy for Up2Date.


    2008:10:09-02:24:08 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.198.93.249" proto="17" length="40" tos="0x00" prec="0x00" ttl="14" srcport="55503" dstport="33451" 
    2008:10:09-02:24:09 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="69.10.147.76" proto="17" length="40" tos="0x00" prec="0x00" ttl="14" srcport="55503" dstport="33452" 
    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.144.15.5" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33453" 
    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="218.213.238.229" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33454" 
    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.121.10.115" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33455" 
    2008:10:09-02:24:11 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.242.114.243" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33456" 
    2008:10:09-02:24:12 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.198.93.249" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33457" 
    2008:10:09-02:24:13 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="69.10.147.76" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33458" 
    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.144.15.5" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33459" 
    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="218.213.238.229" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33460" 
    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.121.10.115" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33461" 
    2008:10:09-02:24:14 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="128.242.114.243" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33462" 
    2008:10:09-02:24:15 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="213.198.93.249" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33463" 
    2008:10:09-02:24:16 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="69.10.147.76" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="55503" dstport="33464" 
    2008:10:09-08:24:12 (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" outitf="eth1" dstmac="00:1a:8c:15:64:b9" srcmac="00:0c:29:c5:a6:f0" srcip="192.168.254.252" dstip="218.213.238.229" proto="17" length="40" tos="0x00" prec="0x00" ttl="22" srcport="33956" dstport="33454" 


    Gregor Kemter
  • Hi,

    the ACC is using "netselect" to find the fastest Up2Date Server (just like every AxG is doing as well). Your Internet ASG is wrongly interpreting this as portscan. You could add an exception for service traceroute for your ACC address.

    Cheers
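    The explanation above (netselect's traceroute-style probes being flagged as a portscan) is something an IPS triage script can check automatically. The Python below is an added example, not code from this thread or from Astaro: it parses the ulogd key="value" lines quoted earlier and separates the traceroute-style pattern (UDP, destination ports stepping through the 33434+ traceroute window, low TTL, several destinations) from a many-ports-on-one-host pattern. The port window, the TTL bound, the abbreviated field set and the second sample source (192.168.254.77) are assumptions.

```python
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TRACEROUTE_PORTS = range(33434, 33535)  # assumed classic UDP traceroute window


def parse_ulogd(line):
    """Return the key="value" fields of one ulogd line as a dict."""
    return dict(KV_RE.findall(line))


def _ev(ts, src, dst, proto, ttl, sport, dport):
    """Build a constructed ulogd line in the thread's format (fields abbreviated)."""
    return (f'{ts} (none) ulogd[2646]: id="2102" severity="info" sys="SecureNet" '
            f'sub="ips" name="portscan detected" action="portscan" fwrule="60017" '
            f'srcip="{src}" dstip="{dst}" proto="{proto}" ttl="{ttl}" '
            f'srcport="{sport}" dstport="{dport}"')


SAMPLE_LOG = [
    # the ACC's netselect probes, values taken from the thread
    _ev("2008:10:09-02:24:08", "192.168.254.252", "213.198.93.249", 17, 14, 55503, 33451),
    _ev("2008:10:09-02:24:09", "192.168.254.252", "69.10.147.76", 17, 14, 55503, 33452),
    _ev("2008:10:09-02:24:11", "192.168.254.252", "213.144.15.5", 17, 22, 55503, 33453),
    # constructed contrast case: one source hitting three TCP ports on one host
    _ev("2008:10:09-02:30:00", "192.168.254.77", "10.0.0.5", 6, 64, 40001, 22),
    _ev("2008:10:09-02:30:00", "192.168.254.77", "10.0.0.5", 6, 64, 40002, 80),
    _ev("2008:10:09-02:30:01", "192.168.254.77", "10.0.0.5", 6, 64, 40003, 443),
]


def classify(lines):
    """Group 'portscan detected' events by source IP and label each source."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_ulogd(line)
        if ev.get("name") == "portscan detected":
            per_src[ev["srcip"]].append(ev)
    verdicts = {}
    for src, evs in per_src.items():
        ports = sorted(int(e["dstport"]) for e in evs)
        hosts = {e["dstip"] for e in evs}
        udp = all(e["proto"] == "17" for e in evs)
        in_window = all(p in TRACEROUTE_PORTS for p in ports)
        stepping = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        low_ttl = max(int(e["ttl"]) for e in evs) < 32
        if udp and in_window and stepping and low_ttl and len(hosts) > 1:
            verdicts[src] = "traceroute-like"   # netselect / traceroute: benign
        elif len(hosts) == 1 and len(set(ports)) >= 3:
            verdicts[src] = "portscan-like"     # many ports, one target: review
        else:
            verdicts[src] = "unclear"
    return verdicts
```

    A "traceroute-like" verdict for the ACC address is the case to cover with the traceroute service exception mentioned above; a "portscan-like" verdict still deserves a look.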