Is Apple port scanning me?

I have logcheck configured to send me daily reports of system log anomalies, and expect to see endless port scans and cracking attempts from all over the world. However, for the last week or so, I've been getting entries like the ones below, always with the same source address…which belongs to apple.com.

Feb  7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=51 ID=100 PROTO=TCP SPT=48696 DPT=80 WINDOW=32767 RES=0x00 URGP=0

Feb  7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=TCP SPT=48640 DPT=80 WINDOW=32767 RES=0x00 URGP=0

Feb  7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=51 ID=100 PROTO=TCP SPT=48696 DPT=80 WINDOW=32767 RES=0x00 URGP=0

The destination port is always 80. Of course I can blacklist this IP, but I'm curious as to what is going on here. Any ideas?

2 Replies

If they only ever hit one port, it's by definition not a port scan…

Maybe it's a really slow one! They try one port per week.
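
The distinction drawn in the first reply (repeated hits on one port versus probes across many) can be checked mechanically. The following is an added example, not part of the original thread: it parses log lines in the format quoted in the question and reports, per source, the event count, the distinct destination ports, and how many packets were logged with no TCP flag token between `RES=` and `URGP=` (as in the quoted lines). The 198.51.100.7 lines, the `net2fw` chain name in them and the threshold of 10 ports are constructed assumptions.

```python
import re
from collections import defaultdict

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def parse_line(line):
    """Parse one Shorewall/netfilter log line; return None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    tokens = m.group("rest").split()
    # KEY=value tokens become fields; bare tokens such as SYN are TCP flags.
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    dpt = fields.get("DPT", "")
    return {"chain": m.group("chain"), "action": m.group("action"),
            "src": fields.get("SRC"), "dpt": int(dpt) if dpt.isdigit() else None,
            "flags": sorted(t for t in tokens if t in TCP_FLAGS)}

def summarize(log_text, scan_threshold=10):
    """Per source: event count, distinct destination ports, flagless packets."""
    acc = defaultdict(lambda: {"events": 0, "ports": set(), "flagless": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue
        entry = acc[rec["src"]]
        entry["events"] += 1
        if rec["dpt"] is not None:
            entry["ports"].add(rec["dpt"])
        if not rec["flags"]:
            entry["flagless"] += 1
    # scan_threshold is an assumed cut-off, not a standard value.
    return {src: {"events": e["events"], "distinct_ports": len(e["ports"]),
                  "flagless": e["flagless"],
                  "looks_like_scan": len(e["ports"]) >= scan_threshold}
            for src, e in acc.items()}

# Constructed sample input: three single-port lines shaped like those in the
# question, plus twelve made-up lines from a source probing ports 20-31.
TEMPLATE = ("Feb  7 12:32:56 zero kernel: Shorewall:{chain}:DROP:IN=eth0 OUT= "
            "MAC=xx:xx SRC={src} DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 "
            "TTL=51 ID=100 PROTO=TCP SPT=48696 DPT={dpt} WINDOW=32767 "
            "RES=0x00 {flags}URGP=0")
SAMPLE_LOG = "\n".join(
    [TEMPLATE.format(chain="logflags", src="17.10.13.204", dpt=80, flags="")] * 3
    + [TEMPLATE.format(chain="net2fw", src="198.51.100.7", dpt=p, flags="SYN ")
       for p in range(20, 32)])

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```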
