dmesg firewall messages

Hello,

I’m sorry if this has been asked before but I couldn’t really find any information on it. I’ve just installed Tumbleweed and when I start up the PC, I check the logs with dmesg. I see some entries but was a little confused about where they’re coming from and I wanted to know if there was a way to stop them. Here’s the output that I’m talking about from dmesg.


[   54.260898] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=87 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=47
[   55.261076] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=87 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=47
[   57.261416] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=87 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=47
[   70.384389] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
[  618.008107] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  619.009506] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  619.435831] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42075 LEN=275
[  619.436350] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42075 LEN=258
[  619.936877] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42075 LEN=258
[  619.937511] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42075 LEN=275
[  620.437127] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42075 LEN=258
[  621.011065] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  625.012096] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  633.016338] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  649.020989] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  681.053318] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  709.321299] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=59930 LEN=258
[  709.321933] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=59930 LEN=275
[  709.821979] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=59930 LEN=258
[  709.822585] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=59930 LEN=275
[  745.056301] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=48
[  918.103324] perf interrupt took too long (2522 > 2500), lowering kernel.perf_event_max_sample_rate to 50000

Would the SPT=1900 UDP stuff be for UPNP? The UDP SPT=5353 stuff, would that be for mDNS? My understanding was mDNS was for discovering other networked PCs, printers, etc. If I don’t really network like that, could I simply do away with the service?

I was thinking maybe the mDNS stuff, if it is mDNS stuff, was coming from the avahi services in the /etc/init.d directory. Would there be any noticeable side effects from disabling those two services? avahi-daemon and avahi-dnsconf? Thanks!

Hi
Yes, just stop the service, then if you see things disappear, then disable the service…


systemctl status avahi-dnsconfd.service
systemctl status avahi-daemon.service
systemctl status avahi-daemon.socket

systemctl stop avahi-dnsconfd.service
systemctl stop avahi-daemon.service
systemctl stop avahi-daemon.socket

systemctl disable avahi-dnsconfd.service
systemctl disable avahi-daemon.service
systemctl disable avahi-daemon.socket

Thank you very much! I had to play with the order a little bit it seems. I had to disable the socket one first, then I was able to disable the service one, for the avahi-daemon. I think it worked for the UDP port 5353 stuff. Now I just have to figure out the UDP port 1900 stuff. I believe it’s just UPNP stuff coming from my router. We tend to use UPNP here at the house. I wonder if there are any security flaws a remote attacker could use to take advantage of that. I mean if I ran some code that someone gave me, they could open up a port on the router, but we’re pretty good about that kind of stuff. If it really is UPNP stuff, I wonder how I could safely allow the traffic through using iptables. It all appears to be coming from the local router.

This is a bit weird…


[15254.630734] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=278 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60972 LEN=258 
[15254.631349] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=60972 LEN=275 
[15254.711547] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:1c:4b:d6:f8:90:fd:08:00 SRC=192.168.2.12 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=128 ID=22771 PROTO=UDP SPT=58789 DPT=60972 LEN=275 
[15254.812434] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:1c:4b:d6:f8:90:fd:08:00 SRC=192.168.2.12 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=128 ID=22772 PROTO=UDP SPT=58789 DPT=60972 LEN=275 
[15254.914258] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:1c:4b:d6:f8:90:fd:08:00 SRC=192.168.2.12 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=128 ID=22773 PROTO=UDP SPT=58789 DPT=60972 LEN=275

192.168.2.1 is our router. 192.168.2.12 is my wife’s Windows box. I thought the router was trying to connect because of the UPNP stuff…but why is my wife’s PC trying to connect to port 60972 as well? I can’t seem to find anything on port 60972. I had just assumed because the source port was 1900 and there was traffic coming from the router, it was just UPNP. But seeing how the router and my wife’s PC are both trying to connect to my machine on port 60972, should I worry that something bad is happening?

On Mon 18 Jan 2016 02:46:02 AM CST, Spork Schivago wrote:

Thank you very much! I had to play with the order a little bit it
seems. I had to disable the socket one first, then I was able to
disable the service one, for the avahi-daemon. I think it worked for
the UDP port 5353 stuff. Now I just have to figure out the UDP port
1900 stuff. I believe it’s just UPNP stuff coming from my router. We
tend to use UPNP here at the house. I wonder if there’s any security
flaws a remote attacker could use to take advantage of that. I mean if
I ran some code that someone gave me, they could open up a port on the
router, but we’re pretty good about that kind of stuff. If it really
is UPNP stuff, I wonder how I could safely allow the traffic through
using iptables. It all appears to be coming from the local router.

Hi
AFAIK it only relates to external (as in incoming from the net?), but I
would disable and see, I have it off here without issues. If you need
it on specific devices then open a port in the firewall for openSUSE
systems via YaST Firewall allowed services and go to advanced and open
port 1900 UDP.


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.4|3.12.51-60.20-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

Hi
Run nmap (zenmap for a GUI) against your wife’s PC to see what service is active, then run wireshark on your machine to capture the traffic and inspect.

Thank you. I can run nmap on my machine against her PC? Wow, that’s really cool. Any ideas what switches I might want to pass along to nmap to see what services are active? I shouldn’t need any help with the wireshark bit. Thanks!

Hi
As root user, just try the defaults to start with;


nmap -T4 -A -v <host to scan>

I know this really isn’t an openSUSE problem anymore so I really do appreciate your help here. These are the results from the scan:


nmap -T4 -A -v 192.168.2.12


Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-17 23:19 EST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Initiating ARP Ping Scan at 23:19
Scanning 192.168.2.12 [1 port]
Completed ARP Ping Scan at 23:19, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:19
Completed Parallel DNS resolution of 1 host. at 23:19, 0.03s elapsed
Initiating SYN Stealth Scan at 23:19
Scanning 192.168.2.12 [1000 ports]
SYN Stealth Scan Timing: About 24.00% done; ETC: 23:21 (0:01:38 remaining)
SYN Stealth Scan Timing: About 48.00% done; ETC: 23:21 (0:01:06 remaining)
SYN Stealth Scan Timing: About 72.00% done; ETC: 23:21 (0:00:35 remaining)
Completed SYN Stealth Scan at 23:21, 126.59s elapsed (1000 total ports)
Initiating Service scan at 23:21
Initiating OS detection (try #1) against 192.168.2.12
Retrying OS detection (try #2) against 192.168.2.12
NSE: Script scanning 192.168.2.12.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Nmap scan report for 192.168.2.12
Host is up (0.13s latency).
All 1000 scanned ports on 192.168.2.12 are filtered
MAC Address: 1C:4B:D6:F8:90:FD (AzureWave Technology)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop


TRACEROUTE
HOP RTT       ADDRESS
1   125.16 ms 192.168.2.12


NSE: Script Post-scanning.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.85 seconds
           Raw packets sent: 2049 (94.700KB) | Rcvd: 1 (28B)

Everything looks good, right? She has some Norton program on her PC. I don’t know which one, either Norton AV, Norton 360 or Norton Internet Security. I could check if you want. From the output of nmap though, to me, it looks like Norton is doing its job. Am I right in that assumption and have nothing to worry about? I’ll still fire up wireshark though. Haven’t gotten any messages in a long time from her machine though. I wonder if maybe Norton was trying to create a network map or something. I almost remember one of the Nortons she had on there over the years doing something like that.

Hi
Have no idea, ugh norton commiserations :wink: I use avira and the ccleaner to keep things squared away on the windows partitions if I visit them…

Add a -p- to scan all ports.


nmap -T4 -A -v -p- 192.168.2.1

Leave wireshark running and just filter UDP and the port(s) you’re interested in would be my suggestion.

Sorry for the delay. I had to take care of some business for the past couple days. Anyway, I’m back at this now and that -p- to scan all ports shows some interesting results I think. Since I removed that service, the avihd one or whatever it was called, I haven’t had her machine trying to connect to mine. At least not from what I can tell by looking at dmesg. I wonder if iTunes on her PC was looking for something. Anyway, here’s what I got now:


Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-21 19:44 EST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Initiating ARP Ping Scan at 19:44
Scanning 192.168.2.12 [1 port]
Completed ARP Ping Scan at 19:44, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:44
Completed Parallel DNS resolution of 1 host. at 19:44, 0.03s elapsed
Initiating SYN Stealth Scan at 19:44
Scanning 192.168.2.12 [65535 ports]
SYN Stealth Scan Timing: About 2.27% done; ETC: 20:07 (0:22:12 remaining)
SYN Stealth Scan Timing: About 5.47% done; ETC: 20:07 (0:21:01 remaining)
SYN Stealth Scan Timing: About 10.04% done; ETC: 20:06 (0:19:52 remaining)
SYN Stealth Scan Timing: About 14.84% done; ETC: 20:06 (0:18:45 remaining)
SYN Stealth Scan Timing: About 19.87% done; ETC: 20:06 (0:17:37 remaining)
SYN Stealth Scan Timing: About 24.90% done; ETC: 20:06 (0:16:29 remaining)
SYN Stealth Scan Timing: About 29.92% done; ETC: 20:06 (0:15:23 remaining)
SYN Stealth Scan Timing: About 34.95% done; ETC: 20:06 (0:14:16 remaining)
SYN Stealth Scan Timing: About 39.98% done; ETC: 20:06 (0:13:10 remaining)
SYN Stealth Scan Timing: About 45.01% done; ETC: 20:06 (0:12:03 remaining)
Discovered open port 62050/tcp on 192.168.2.12
SYN Stealth Scan Timing: About 52.09% done; ETC: 20:04 (0:09:32 remaining)
SYN Stealth Scan Timing: About 58.96% done; ETC: 20:03 (0:07:34 remaining)
SYN Stealth Scan Timing: About 66.24% done; ETC: 20:02 (0:05:48 remaining)
SYN Stealth Scan Timing: About 73.14% done; ETC: 20:01 (0:04:21 remaining)
SYN Stealth Scan Timing: About 79.87% done; ETC: 20:00 (0:03:07 remaining)
SYN Stealth Scan Timing: About 86.68% done; ETC: 19:59 (0:01:59 remaining)
Discovered open port 2554/tcp on 192.168.2.12
SYN Stealth Scan Timing: About 94.54% done; ETC: 19:59 (0:00:46 remaining)
Completed SYN Stealth Scan at 19:58, 823.55s elapsed (65535 total ports)
Initiating Service scan at 19:58
Scanning 2 services on 192.168.2.12
Completed Service scan at 19:58, 6.10s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.2.12
Retrying OS detection (try #2) against 192.168.2.12
NSE: Script scanning 192.168.2.12.
Initiating NSE at 19:58
Completed NSE at 19:58, 8.22s elapsed
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
Nmap scan report for 192.168.2.12
Host is up (0.0013s latency).
Not shown: 65533 filtered ports
PORT      STATE SERVICE    VERSION
2554/tcp  open  rtsp       NUUO IP Surveillance rtpsd
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE
62050/tcp open  tcpwrapped
MAC Address: 1C:4B:D6:F8:90:FD (AzureWave Technology)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: FreeBSD 6.2-RELEASE (94%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Server 2008 or 2008 Beta 3 (92%), Windows Server 2008 R2 (92%), Microsoft Windows 7 Professional or Windows 8 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows Embedded Standard 7 (92%), Microsoft Windows 7 (90%), Microsoft Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 6.122 days (since Fri Jan 15 17:03:02 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Device: webcam


TRACEROUTE
HOP RTT     ADDRESS
1   1.33 ms 192.168.2.12


NSE: Script Post-scanning.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 844.55 seconds
           Raw packets sent: 131339 (5.784MB) | Rcvd: 201 (9.124KB)

If her PC is infected with something, running wireshark on it might not show anything, depending on what it’s infected with I guess. We have a router that has a built-in switch so I’ll probably flood the ARP table to put it in hub mode and then put my NIC in promiscuous mode and see what’s going on. Thanks for the help!

Hi
So you have some surveillance video and software running for port 2554?

Not sure about iTunes…maybe? I have a MacBook and use iTunes on it and don’t see any traffic like that when it’s running. When you get the urge, fire up wireshark may be the easiest way to see.

We don’t have any surveillance video or software, that’s why I thought the nmap output was interesting. I went to the target machine though and ran that netstat command. One belonged to Google Chrome, something called incognito mode, but we weren’t using Chrome in incognito mode. I think maybe it just kept the port open in case we do? We have Google Chrome on that machine open with a lot of tabs, two windows. One for her stuff, one for mine. Mine has maybe 12 tabs right now. The other port, I confirmed that to be Norton Security.

My best guess is that Norton was trying to confuse nmap. It successfully hid the OS. It registered my port scan but allowed it, because I have it setup to allow all traffic on the local area network. I guess I have nothing to worry about. Soon as I disabled that service, the other traffic stopped.

Only thing I see now is people trying to connect to my machine from the net, port 123, udp. I believe that port is for time. I don’t understand why our cheap Netgear router is allowing the traffic through though. We don’t have port 123 open in the port forwarding section. I’m not in the DMZ zone. Even if I had a time server setup on my machine, how would the router know to route traffic going to 123 udp to my machine?


[392505.301043] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=185.94.111.1 DST=192.168.2.28 LEN=36 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=UDP SPT=58772 DPT=123 LEN=16 
[396567.358849] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=204.42.253.2 DST=192.168.2.28 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=23451 DF PROTO=UDP SPT=34163 DPT=123 LEN=20 
[452242.519938] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=184.105.139.68 DST=192.168.2.28 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=59183 DF PROTO=UDP SPT=42203 DPT=123 LEN=20 
[455769.550283] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=134.147.203.115 DST=192.168.2.28 LEN=40 TOS=0x08 PREC=0x00 TTL=91 ID=0 PROTO=UDP SPT=28681 DPT=123 LEN=20 
[455769.550814] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=134.147.203.115 DST=192.168.2.28 LEN=36 TOS=0x08 PREC=0x00 TTL=91 ID=0 PROTO=UDP SPT=28682 DPT=123 LEN=16 
[459858.589318] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=208.110.85.58 DST=192.168.2.28 LEN=220 TOS=0x08 PREC=0x20 TTL=240 ID=54321 PROTO=UDP SPT=60995 DPT=123 LEN=200 
[466081.993232] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=184.105.139.102 DST=192.168.2.28 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=48378 DF PROTO=UDP SPT=42038 DPT=123 LEN=20 

UPNP is turned on, on the router. I should turn it off. I see this under the UPNP section:


|Active|Protocol|Int. Port|Ext. Port|IP Address|
|---|---|---|---|---|
|YES|UDP|3074|3074|192.168.2.5|
|YES|UDP|9308|9308|192.168.2.5|
|YES|UDP|9307|9307|192.168.2.5|
|YES|UDP|54293|54293|192.168.2.15|
|YES|UDP|49164|49164|192.168.2.15|
|YES|UDP|52274|52274|192.168.2.12|
|YES|UDP|65133|65133|192.168.2.17|



192.168.2.2 is the printer and it’s static. 192.168.2.5 is the PS4 and that’s static. 192.168.2.10 is the cell phone. She’s 192.168.2.12. I’m 192.168.2.28 right now. 192.168.2.11 is the tablet. Not sure what 192.168.2.12, 192.168.2.15 and 192.168.2.17 is. I’m guessing the DHCP server handed them out to one of the clients and then the machines just got a new IP address. I don’t understand why that’d happen though. The leases generally last a while.

What’s weird is I try pinging 192.168.2.17, I get Destination Host Unreachable. That’s expected. But when I ping the other two, 192.168.2.12 and 192.168.2.15, I get nothing. Ping tries sending data but it doesn’t give any messages or anything. It just waits there. No messages about Destination Host Unreachable, nothing about trying to resend ICMP packets…nothing.

NAT filtering is set to open. We needed to do that for some reason to get the PS4 on NAT type 2. I don’t play video games because they give me seizures but my wife seems to love them and plays online. Before, when it was set to secure, she couldn’t play on-line. We kept getting kicked off. She ended up going to some forum for support and they said turn NAT filter to open instead of secure. That fixed the problem. Maybe that’s what is allowing the 123 UDP traffic to go to my machine? IPTables blocks it so I won’t be able to see the traffic in Wireshark. I only get maybe 4 people a day trying to connect. They only connect once.

I’m usually static but since I redid my machine, I haven’t set it up for static yet. I’ve been having trouble with hackers trying to get into my newly setup Virtual Private Server with GoDaddy. It runs CentOS and every day, I see a massive brute-force attack. Mostly, SSH type stuff, but there’s sooooo many attempts, they could be trying more and I just don’t see it. Right now, over 12,000 entries in the /var/log/secure! Gotta find good software to automatically block these bad people. The IP address changes, slightly, each day. That’s for a different forum though I guess.
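As an added example (not from the thread or from any of its participants), here is a small Python script that parses SuSEfirewall2 `SFW2-INext-DROP-DEFLT` lines like the ones quoted above and answers the two questions raised in this thread: which protocol the dropped packets belong to (mDNS on UDP 5353, SSDP/UPnP on UDP 1900, NTP on UDP 123) and whether the sender is link-local, on the LAN, or out on the internet. The sample lines are copied from the thread; the port-to-name table, the function names and the "origin" classification are my own assumptions and not part of any openSUSE tool.

```python
import ipaddress
import re
from collections import Counter

# Sample input: SFW2 lines copied from the thread, plus one unrelated kernel line
# to show that non-firewall output is ignored.
SAMPLE_LOG = """\
[   54.260898] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC= SRC=fe80:0000:0000:0000:021f:c6ff:fe4c:6f65 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=87 TC=0 HOPLIMIT=255 FLOWLBL=313910 PROTO=UDP SPT=5353 DPT=5353 LEN=47
[  619.435831] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=192.168.2.1 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=42075 LEN=275
[15254.711547] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:1c:4b:d6:f8:90:fd:08:00 SRC=192.168.2.12 DST=192.168.2.28 LEN=295 TOS=0x00 PREC=0x00 TTL=128 ID=22771 PROTO=UDP SPT=58789 DPT=60972 LEN=275
[392505.301043] SFW2-INext-DROP-DEFLT IN=enp2s0 OUT= MAC=00:1f:c6:4c:6f:65:e0:91:f5:dc:85:0e:08:00 SRC=185.94.111.1 DST=192.168.2.28 LEN=36 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=UDP SPT=58772 DPT=123 LEN=16
[  918.103324] perf interrupt took too long (2522 > 2500), lowering kernel.perf_event_max_sample_rate to 50000
"""

# dmesg timestamp, the SFW2 chain/verdict tag, then the iptables LOG key=value fields.
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<chain>SFW2-\S+)\s+(?P<rest>.*)$")

# Port-to-name table (my own assumption): the services that explain the traffic in this thread.
KNOWN_PORTS = {
    5353: "mDNS (Avahi/Bonjour service discovery)",
    1900: "SSDP (UPnP device discovery)",
    123: "NTP (time service)",
}


def parse_sfw2_lines(text):
    """Turn SFW2 drop lines into dicts; kernel lines that are not firewall logs are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": float(m.group("ts")), "chain": m.group("chain"), "flags": []}
        for token in m.group("rest").split():
            if "=" in token:
                key, value = token.split("=", 1)
                # LEN appears twice (IP total length, then UDP length); keep the first one.
                rec.setdefault(key, value)
            else:
                rec["flags"].append(token)  # bare tokens such as DF (don't fragment)
        records.append(rec)
    return records


def origin(src):
    """Classify the sender: link-local (fe80::/10), LAN (RFC 1918 / ULA), or internet."""
    addr = ipaddress.ip_address(src)
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "LAN"
    return "internet"


def classify(rec):
    """Name the protocol by a well-known port; destination port is checked first because
    DPT=123 means someone is probing our NTP port, whichever source port they used."""
    spt = int(rec.get("SPT", 0))
    dpt = int(rec.get("DPT", 0))
    for port in (dpt, spt):
        if port in KNOWN_PORTS:
            return KNOWN_PORTS[port]
    return "unknown %s to port %d" % (rec.get("PROTO", "?"), dpt)


def summarize(text):
    """Count dropped packets per (origin, source address, protocol name)."""
    counts = Counter()
    for rec in parse_sfw2_lines(text):
        counts[(origin(rec["SRC"]), rec["SRC"], classify(rec))] += 1
    return counts


def report(text):
    """One formatted line per summary entry, sorted so internet sources group together."""
    lines = []
    for (where, src, what), n in sorted(summarize(text).items()):
        lines.append("%-10s %-40s %-42s %d" % (where, src, what, n))
    return lines


if __name__ == "__main__":
    # On a real system: python3 this_script.py < <(dmesg)  or feed journalctl -k output.
    for line in report(SAMPLE_LOG):
        print(line)
```

Anything reported as "internet" with a destination port you do not serve (the NTP probes in the thread, for instance) is traffic the firewall is correctly dropping; "LAN" or "link-local" entries on 5353 and 1900 are the local discovery chatter the thread traces to Avahi and the router's UPnP.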

Hi
On the windows machine, AFAIK the time service is active, click on the date time and should see an internet time tab?

I would look at installing ccleaner on the windows machine and in one of the tabs you can see what services are running and disable or delete…

Plus it cleans up the registry, temp files etc, a good tool IMHO.

If you open any ports on the outside, I would go back to your static ip address and the port forward to the specific machine.

On the centos machine, install fail2ban, that should sort things out…

Is it an ISP provided router? Else maybe time to upgrade the existing one with some more features?

I didn’t get a lot of sleep last night. I just realized the reason ping was stalling on 192.168.2.12 was because it’s my wife’s laptop, running Norton! I wonder if the other one is her real IP address or something and there’s maybe a Norton network interface that all traffic goes through and if it’s legit and good, it passes it to her real IP address, the 192.168.2.15. Maybe that’s her real IP address or something…

Thanks. The time stuff isn’t coming from her machine though. It’s people from the internet trying to connect to the time port on my machine. The router isn’t provided by the ISP. It’s just a cheap Netgear N300 WNR2000v2. Nothing fancy like a Cisco wireless router. I’ll throw ccleaner on there and see what happens. Hopefully it supports Windows 10 real good. I used some registry cleaner a long time ago on an XP machine. It ruined the registry. Deleted keys that it felt were invalid (ie, pointing to files that didn’t exist). But if I remember correctly, they weren’t really files. Something about virtual stuff. Or maybe they were but it didn’t have permission to access it. So I’m a little wary about running programs that automatically “fix” the registry. I’m sure things have progressed a lot since then and I’ll have complete control over how I want ccleaner to modify the registry. You know, it’ll give me a list of changes it wants to make and I can approve or deny them.

I tried, unsuccessfully, to properly setup fail2ban on my machine when I had an ssh server running and open to the internet. Maybe I can find a forum where people could help me successfully set it up. GoDaddy has WHM / cPanel on there and it’s running some program, cPHulk, which is supposed to automatically ban failed attempts and stuff but it doesn’t seem to be working for ssh. I’m using key based authentication. It only seems to show SMTP based attacks. Thanks for the help!