Anyone else getting this type of traffic?
(my mac + IP censored)
Mar 7 00:24:06 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62184 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:24:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62185 DF PROTO=TCP SPT=59710 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:25:30 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16496 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:25:33 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16497 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
Mar 7 00:25:39 localhost kernel: Denied TCP: IN=eth0 OUT= MAC=fe:fd:45:a4:d1:49:00:00:00:00:00:00:00:00 SRC=217.66.27.184 DST=69.164.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=16498 DF PROTO=TCP SPT=54651 DPT=11370 WINDOW=5808 RES=0x00 SYN URGP=0
It keeps repeating from some Russian IP, 217.66.27.184, and has kept going steadily since I set up my Linode. My logs are just slowly filling up with this repeated 'ping', always on port 11370.
I did some research and found this info:
Could that be the service they are scanning for (I don't run it)?
ICS shows this:
Thoughts? Is anyone else getting this?
5 Replies
@arjones85:
Just block the IP in iptables….
… thanks, my question was more aimed at whether others were getting this traffic to their boxes.
@jed:
For the record, if you want to sanitize your hardware address in the future (although I'm not sure why you'd want to, you are connected to the Internet after all), you missed it. It starts with FE:FD, and also divulges your public IP address.
I'm reluctant to edit it for you, but if you're genuinely concerned about your privacy (again, not sure why), you may want to edit that portion out.
Jed, I just did it as a rule of thumb, thanks for the heads up about the MAC 'fe:fd', live and learn. I don't really care about having the IP remain anonymous, but I would rather have it low on the radar if anything. I'm not paranoid, I just have a rule of thumb to not post identifying info when I don't need to.
Also to the rest, I understand I have a public-facing machine; I was just curious what this specific traffic was to that one port. I usually see port scans, but not a repeated 'tap-tap-tap' on one port looking for a service. Maybe my IP was recycled from someone running something before me?
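As an added example (not code from anyone in this thread), the following parses kernel LOG lines in the "Denied TCP:" format shown above and tells a repeated single-port tap apart from a multi-port sweep by counting SYN attempts per source and destination port; the MAC and IP addresses in the sample are constructed placeholders, and the scan/probe thresholds are assumed values.

```python
import re
from collections import Counter, defaultdict

# iptables LOG format as shown in the thread; MAC and addresses are constructed placeholders.
TEMPLATE = ("Mar 7 00:24:06 localhost kernel: Denied {proto}: IN=eth0 OUT= "
            "MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC={src} "
            "DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1 DF "
            "PROTO={proto} SPT=59710 DPT={dpt} WINDOW=5808 RES=0x00 {flags} URGP=0")

def make_line(src, dpt, proto="TCP", flags="SYN"):
    return TEMPLATE.format(src=src, dpt=dpt, proto=proto, flags=flags)

# Constructed sample: one host taps port 11370 three times, one host sweeps
# five ports once each, and a non-SYN packet that must be ignored.
SAMPLE_LOG = ([make_line("198.51.100.7", 11370)] * 3
              + [make_line("192.0.2.20", p) for p in (22, 23, 80, 443, 3389)]
              + [make_line("198.51.100.7", 11370, flags="ACK")])

FIELD_RE = re.compile(r"kernel: (?P<prefix>[^:]*): (?P<rest>.*)$")

def parse_line(line):
    """KEY=VALUE fields of an iptables LOG line; bare tokens (DF, SYN, ACK)
    go into 'FLAGS'. Returns None if the line is not a LOG line."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    toks = m.group("rest").split()
    fields = dict(tok.split("=", 1) for tok in toks if "=" in tok)
    fields["PREFIX"] = m.group("prefix")
    fields["FLAGS"] = {tok for tok in toks if "=" not in tok}
    return fields

def classify_sources(lines, scan_ports=5, probe_hits=3):
    """Count denied connection attempts (SYN without ACK) per SRC and DPT;
    >= scan_ports distinct ports is a 'scan', one port hit >= probe_hits
    times is a 'single-port probe', anything else is 'sporadic'."""
    hits = defaultdict(Counter)  # SRC -> Counter of DPT -> attempts
    for f in filter(None, map(parse_line, lines)):
        if f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            hits[f["SRC"]][int(f["DPT"])] += 1
    verdicts = {}
    for src, ports in hits.items():
        port, count = ports.most_common(1)[0]
        kind = "sporadic"
        if len(ports) >= scan_ports:
            kind = "scan"
        elif len(ports) == 1 and count >= probe_hits:
            kind = "single-port probe"
        verdicts[src] = {"kind": kind, "ports": len(ports),
                         "top_port": port, "top_hits": count}
    return verdicts
```

Feed it the lines from `/var/log/kern.log` (or `journalctl -k`) instead of SAMPLE_LOG to get the same per-source summary for a real box.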