Security Basics mailing list archives
Re: help with log entries
From: "Steve () frij com" <steve () frij com>
Date: Wed, 5 Mar 2003 20:28:57 +1100
I might be wrong, but these packets look like the target servers are rejecting connections from the clients a.b.c.d (or closing connections) and your firewall isn't allowing packets with those flags back into the connecting client. The ones with target port 25 and an external source address look like the SMTP is closing the connection on you, and your firewall is rejecting it too.

Just a guess based on the flags set and port numbers ...

----- Original Message -----
From: "David M. Fetter" <david.fetter () fetterconsulting com>
To: <aduenas () skytel com co>
Cc: <security-basics () securityfocus com>
Sent: Friday, February 28, 2003 1:29 PM
Subject: Re: help with log entries
It looks like those external ip addresses are being denied by your firewall to connect to the inside. All the from ports are 110 which is pop email, so it's almost like those people are trying to send relay traffic or something over your connection, but again it's being denied.

aduenas () skytel com co wrote:

Hi, I am getting some confusing log entries from my Cisco Pix firewall. At first I thought that it was a network problem but I don't have any other evidence to support that assumption. The log entries look like this. Destination IP addresses changed....

Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside
Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3783 flags RST PSH ACK on interface outside
Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from 200.24.76.3/110 to a.b.c.d/3796 flags RST ACK on interface outside
Feb 26 15:32:51 firewall %PIX-6-106015: Deny TCP (no connection) from 200.24.76.8/110 to a.b.c.d/3768 flags RST ACK on interface outside
Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST on interface outside
Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST on interface outside
Feb 26 15:33:04 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST PSH ACK on interface inside
Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3843 flags RST ACK on interface outside
Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3845 flags RST ACK on interface outside
Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3847 flags RST ACK on interface outside
Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3846 flags RST ACK on interface outside
Feb 26 15:33:48 firewall %PIX-6-106015: Deny TCP (no connection) from 200.24.76.8/110 to a.b.c.d/3830 flags RST ACK on interface outside
Feb 26 15:33:51 firewall %PIX-6-106015: Deny TCP (no connection) from 200.24.76.3/110 to a.b.c.d/3860 flags RST ACK on interface outside

If anyone has any clues or suggestions I would be most grateful!

--
David M. Fetter - http://www.fetterconsulting.com/
"The world is full of power and energy and a person can go far by just skimming off a tiny bit of it."
Neal Stephenson - Snow Crash
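A triage sketch for the %PIX-6-106015 entries quoted above, added here as an example and not part of the original thread: it parses each entry and groups denied packets by source, interface, whether RST is set, and a port-based guess at which side of the conversation sent the packet. The function names and the two-entry port map are assumptions made for illustration; the sample input is four of the lines from the message.

```python
import re
from collections import Counter

# Constructed sample: four of the log lines quoted in the thread above.
SAMPLE = """\
Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside
Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3783 flags RST PSH ACK on interface outside
Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST on interface outside
Feb 26 15:33:04 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST PSH ACK on interface inside
"""

LINE_RE = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) "
    r"from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Assumption: only the two service ports that appear in the thread.
SERVICES = {25: "smtp", 110: "pop3"}


def parse(line):
    """Return the fields of one 106015 entry as a dict, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = tuple(rec["flags"].split())
    return rec


def classify(rec):
    """Heuristic: a well-known source port suggests a server's reply packet."""
    if rec["sport"] in SERVICES:
        return f"reply from {SERVICES[rec['sport']]} server"
    if rec["dport"] in SERVICES:
        return f"client packet to {SERVICES[rec['dport']]} service"
    return "unclassified"


def summarize(text):
    """Count denied packets per (source, direction guess, RST set, interface)."""
    counts = Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        counts[(rec["src"], classify(rec), "RST" in rec["flags"], rec["iface"])] += 1
    return counts
```

Grouping this way separates the resets arriving from source port 110 from the port-25 entries, and shows that one of the latter was logged on the inside interface rather than the outside one.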