Firestarter is blocking so many connection attempts. How to analyse?
Since yesterday Firestarter has been prompting me that it is blocking external connection attempts as shown in the picture below:
I'm not even going to bother covering the IP addresses because I personally don't see why I should care, but as you can see, there have been loads of them attempting to connect to ports 3674 - 3675. I ran nmap 127.0.0.1 and it came back as 631 being the only one open. So then I thought maybe lsof -i would mention much more, but all it showed was:
@boris:~$ cat meh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 1644 root 5u IPv6 14329 0t0 TCP localhost:ipp (LISTEN)
cupsd 1644 root 6u IPv4 14330 0t0 TCP localhost:ipp (LISTEN)
kmess 2430 garry 25u IPv4 90196 0t0 TCP Henry.home:60020->by2msg4020412.phx.gbl:msnp (ESTABLISHED)
dhclient 2628 root 5u IPv4 11084 0t0 UDP *:bootpc
perl 7951 garry 3u IPv4 86223 0t0 TCP Henry.home:58891->bartol.freenode.net:ircd (ESTABLISHED)
perl 8248 garry 3u IPv4 86221 0t0 TCP Henry.home:53212->anthony.freenode.net:ircd (ESTABLISHED)
flock-bin 9150 garry 22u IPv4 93424 0t0 TCP Henry.home:53250->126.96.36.199:www (ESTABLISHED)
flock-bin 9150 garry 61u IPv4 97114 0t0 TCP Henry.home:35590->ww-in-f17.1e100.net:https (ESTABLISHED)
flock-bin 9150 garry 62u IPv4 93390 0t0 TCP Henry.home:45306->188.8.131.52:www (ESTABLISHED)
flock-bin 9150 garry 65u IPv4 92998 0t0 TCP Henry.home:53187->184.108.40.206:www (ESTABLISHED)
flock-bin 9150 garry 74u IPv4 92999 0t0 TCP Henry.home:53188->220.127.116.11:www (ESTABLISHED)
flock-bin 9150 garry 78u IPv4 93038 0t0 TCP Henry.home:53191->18.104.22.168:www (ESTABLISHED)
flock-bin 9150 garry 81u IPv4 93069 0t0 TCP Henry.home:54010->22.214.171.124:www (ESTABLISHED)
flock-bin 9150 garry 82u IPv4 93048 0t0 TCP Henry.home:53193->126.96.36.199:www (ESTABLISHED)
flock-bin 9150 garry 83u IPv4 93049 0t0 TCP Henry.home:53194->188.8.131.52:www (ESTABLISHED)
flock-bin 9150 garry 84u IPv4 93050 0t0 TCP Henry.home:53195->184.108.40.206:www (ESTABLISHED)
irssi 11383 garry 3u IPv4 89811 0t0 TCP Henry.home:57920->leguin.acc.umu.se:ircd (ESTABLISHED)
But also, the last two external connection blocks in the Firestarter window. I checked my router's DHCP and it says that I'm the only one connected and that is the IP the router has assigned to me for my internal network IP, so I was wondering if somebody could suggest what that may be?
But in total, is there anything I can do which can help me analyse these attacks and exactly what is happening a little bit more in-depth rather than it blocked an attack from IP=*, Protocol=*, Service=*?
Someone is probing your system thinking there is something open on those 2 ports. Might be in the Windows world, don't know. As to the last 2 ("192.168.1.254"), IP addresses can be spoofed and that is what is happening here. If you are running no externally accessible apps then you should be blocking everything. If you want to analyze this further then start googling for the port and maybe the IP address. I would not waste my time if the ports are not open to the public.
The adventure of a life time.
Linux User #296285
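
One way to get more detail than the per-hit list in the Firestarter window, added here as an example and not part of either post: Firestarter is a front end for iptables, so this script assumes the blocked packets are also written to the kernel log in the netfilter LOG format, groups them by destination port, and flags sources in RFC 1918 private ranges. The log lines, the "Inbound" prefix and the DST address are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in netfilter LOG format (not taken from the thread).
# The "Inbound" prefix and the DST address are assumptions for illustration.
SAMPLE_LOG = """\
Jan 10 21:14:03 Henry kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.64 PROTO=TCP SPT=4312 DPT=3674
Jan 10 21:14:09 Henry kernel: Inbound IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.64 PROTO=TCP SPT=4313 DPT=3675
Jan 10 21:15:40 Henry kernel: Inbound IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.64 PROTO=TCP SPT=1890 DPT=3674
Jan 10 21:15:43 Henry kernel: Inbound IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.64 PROTO=TCP SPT=1890 DPT=3674
Jan 10 21:16:02 Henry kernel: Inbound IN=eth0 OUT= SRC=192.168.1.254 DST=192.168.1.64 PROTO=TCP SPT=2201 DPT=3675
Jan 10 21:16:05 Henry kernel: eth0: link up
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return the KEY=value fields of one packet record, or None for other lines."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= fields.keys():
        return None  # not a TCP/UDP packet record (ICMP records carry no DPT)
    try:
        fields["SRC"] = ipaddress.ip_address(fields["SRC"])
        fields["DPT"] = int(fields["DPT"])
    except ValueError:
        return None  # malformed address or port
    return fields

def summarise(log_text):
    """Group blocked packets by (protocol, destination port) and count hits per source."""
    per_port = defaultdict(Counter)   # (proto, dport) -> Counter of source IPs
    private = Counter()               # sources inside RFC 1918 ranges
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        src = str(f["SRC"])
        per_port[(f["PROTO"], f["DPT"])][src] += 1
        if any(f["SRC"] in net for net in RFC1918):
            private[src] += 1
    return per_port, private

if __name__ == "__main__":
    per_port, private = summarise(SAMPLE_LOG)
    for (proto, port), sources in sorted(per_port.items()):
        print(f"{proto}/{port}: {sum(sources.values())} hits from {len(sources)} sources")
    for src, n in private.items():
        print(f"private-range source on the blocked list: {src} ({n} hits)")
```

To use it on a real system, replace `SAMPLE_LOG` with the contents of whichever file the kernel log is written to on that distribution.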