Re: How definite are the SYN flood warnings?

Paul Wouters (paul@xtdnet.nl)
Wed, 17 Dec 1997 14:38:44 +0100 (MET)


On Tue, 16 Dec 1997, Felix von Leitner wrote:

> I received several warnings in the log file of our production server,
> all in the form
>
> /var/log/messages:Dec 3 04:01:18 yabba kernel: Warning: possible SYN flood from a.b.c.d on ip.of.my.box:113. Sending cookies.
>
> Now, this looks to me like some bozo tried to synflood me. Probably had
> a look at my server and found almost no TCP services running, thought it
> could be an NT box and wouldn't it be fun to nuke me.
>
> But, I could be wrong. Are these messages safe enough that I can go to
> the admins and ask them if they know of any offender at their site?

No.

> Yes, I know that the IP numbers can be faked. That would not stop me
> from contacting the admins of the possibly spoofed IP numbers, though.

No use.

What likely happened is for example you sent out a lot of email to that
server, and that server did a bunch of ident requests back to you (that's
port 113). Sendmail can be configured to do ident lookups.

> I had a few port scans, too. Since my machine runs almost nothing, I
> consider it pretty on the safe side now.
> For an internet server, that is.

Port scans can be useful. At least you'll have a valid IP#. And you can
do idents in response to those, in case this would give useful information
(prob not, since advanced scanners require raw sockets, meaning root access,
so it's likely some dialup IP)

> BTW: I installed a small program that logs connecting IP numbers and
> have it run by inetd on a few well-known ports so people find something
> if they port-scan me. Does anyone see any problem with that (except
> that it could overflow my disk space with log messages)

Check out xinetd. It can do all that for you without the need for your own
programs. It can also do ident lookups on services for you that you are not
running (like rsh), by changing the rsh daemon into a C program that does
sleep(60); to give you time to finish the ident :)
(check out Linux Journal of last August, it has an article in it about this)

Paul
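As an added illustration of the small connection logger Felix describes (not code from either poster), here is an inetd-run listener that logs the peer address and also addresses the disk-filling concern by collapsing repeat hits from one address. It assumes a `stream tcp wait` inetd entry (so fd 0 is the listening socket and one process keeps its throttle state across connections), and the window, limit and syslog facility are my own choices.

```python
"""Hypothetical inetd 'stream tcp wait' service that logs probes to an unused port.

inetd hands this process the listening socket as fd 0 and does not accept on
it again until the process exits, so one process sees every connection and can
rate-limit logging per source address.
"""
import socket
import syslog
import time

WINDOW_SECONDS = 60        # assumed: collapse repeat hits from one IP into this window
MAX_LINES_PER_WINDOW = 5   # assumed: lines logged per IP per window before suppressing


class Throttle:
    """Decide whether a hit from `peer_ip` at time `now` should still be logged."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_LINES_PER_WINDOW):
        self.window, self.limit = window, limit
        self.hits = {}   # peer_ip -> (window_start, count)

    def allow(self, peer_ip, now):
        if len(self.hits) > 4096:   # a sweep of spoofed sources must not grow memory forever
            self.hits = {ip: v for ip, v in self.hits.items() if now - v[0] < self.window}
        start, count = self.hits.get(peer_ip, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.hits[peer_ip] = (start, count)
        return count <= self.limit


def log_line(peer, local_port, when):
    """Format one record; the remote port lets the other site match it in their logs."""
    ip, port = peer
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(when))
    return f"{stamp} probe: {ip}:{port} -> local port {local_port}"


def serve_listening_socket(throttle, idle_timeout=300):
    """Accept until idle for idle_timeout seconds, then exit so inetd re-spawns us."""
    lsock = socket.fromfd(0, socket.AF_INET, socket.SOCK_STREAM)
    lsock.settimeout(idle_timeout)
    local_port = lsock.getsockname()[1]
    while True:
        try:
            conn, peer = lsock.accept()
        except socket.timeout:
            return
        now = time.time()
        if throttle.allow(peer[0], now):
            syslog.syslog(syslog.LOG_AUTH | syslog.LOG_NOTICE, log_line(peer[:2], local_port, now))
        conn.close()   # nothing is ever sent back; the connection only exists to be logged


if __name__ == "__main__":
    serve_listening_socket(Throttle())
```

The corresponding inetd.conf line would name this script as the server for the chosen port with `stream tcp wait` and an unprivileged user.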