I'm a little confused how torrents are actually supposed to work. I have an inbound port forwarded in my router and I have an inbound port open in iptables on my computer.
Transmission shows port being open. I have iptables set up to log dropped packets on my computer and I am getting a lot of inbound dropped packets to weird dst ports. I thought all inbound packets should be directed to the port I have set up in Transmission, so should I be getting these dropped packets, or does it possibly have something to do with timeouts occurring in either the router firewall or iptables on my computer?
I'm a little confused so sorry if this doesn't make sense. I'm also wondering why these packets are getting through the firewall on my router in the first place.
Do you want to be a torrent tracker, or just a user? If not a tracker, then you don't need to open ports in your firewall. I'm not sure about trackers, but I suppose it depends upon the software. I know that most torrent software doesn't need ports open to work, and it will result in a lot fewer attempts to hack your system (as in zero vs. "a lot").
Thanks Rubberman, I closed ports on router. Just received another weird dropped packet and also this.
*****-desktop /USR/SBIN/CRON: (root) CMD (test -f "`ls -1 /var/spool/hylafax/recvq/*.tif* 2>&1 | head -1`" && /usr/share/freemed/scripts/fax_import/import_all_hylafax.sh)
Feb 6 19:20:01 ******-desktop /USR/SBIN/CRON: (root) CMD ([ -x /usr/sbin/update-motd ] && /usr/sbin/update-motd 2>/dev/null)
came right along with a dropped packet in iptables.
Also keep getting this in auth.log
********-desktop su: pam_unix(su:session): session closed for user root
Feb 5 11:47:57 mcclellan-desktop dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.30" (uid=1000 pid=3704 comm="/usr/lib/indicator-applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.43" (uid=0 pid=5809 comm="/usr/lib/NetworkManager/nm-dispatcher.action "))
Very strange. I don't really know what this means though. The Hylafax looks like some kind of fax software which I don't think I have on my system. These errors keep coming even with ports closed. It has to be some kind of bug in torrent software. Looks like logs from my webserver, people trying to exploit software.
The dbus daemon messages are interesting. A sender with user id 1000 and receiver with user id 0. The receiver makes sense. UID 0 is root and that is the dbus daemon, but the sender of the packet/message was UID 1000. You need to see what user in /etc/passwd (assuming you aren't running YP or LDAP for authentication, just standard Linux/Unix authentication) has ID 1000. The user id is the third field in /etc/passwd. If it isn't a valid user, or an unknown one, you may have been hacked already, but I don't think so. It probably just means that something has a glitch, or your network has a glitch. If a packet has a bad checksum because it was corrupted (happens often enough on ethernets and on the internet), then it will be dropped.
Yes 1000 was my user, but the hylafax thing looks pretty weird since I don't have that installed, why would I be getting those dropped packets right along with probes to fax software I don't have. I never get those at any other times which is weird. I just pulled another weird entry at boot. I'm beginning to wonder about the tomato firmware.
martian source xxx.xxx.xxx.xxx from 126.96.36.199, on dev eth0
IN=eth0 OUT=eth0 SRC=188.8.131.52 DST=xxx.xxx.xxx.xxx LEN=45 TOS=0x00 PREC=0x00 TTL=102 ID=16679 DF PROTO=TCP SPT=23019 DPT=2918 WINDOW=258 RES=0x00 ACK PSH URGP=0
came right through router firewall. I might be just paranoid I guess, IP is in the range of Bombay, India. WTF. lol
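A small triage script for dropped-packet lines like the one posted above, as an added example that is not part of the original thread: it separates TCP packets that try to open a connection (SYN without ACK) from mid-stream packets such as the quoted `ACK PSH` one, which typically belong to a connection the firewall no longer tracks. The sample lines, the addresses and the listen port 51413 are constructed assumptions, and the labels are heuristics.

```python
import re
from collections import Counter

# Constructed sample lines in the iptables LOG format quoted in the thread.
# Addresses are documentation ranges; 51413 is an assumed client listen port.
SAMPLE = """\
IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=45 TOS=0x00 PREC=0x00 TTL=102 ID=16679 DF PROTO=TCP SPT=23019 DPT=2918 WINDOW=258 RES=0x00 ACK PSH URGP=0
IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4121 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=UDP SPT=6881 DPT=38211 LEN=111
IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=16702 DF PROTO=TCP SPT=23019 DPT=2918 WINDOW=0 RES=0x00 RST URGP=0
"""
TCP_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}

def parse(line):
    """Return the KEY=VALUE fields of one LOG line plus its bare TCP flag words."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)      # keep the first LEN (IP), not the UDP one
    fields["FLAGS"] = TCP_FLAGS & set(line.split())
    return fields

def classify(rec, listen_port):
    """Heuristic label for one dropped packet (an assumption, not proof of intent)."""
    dpt = int(rec["DPT"]) if rec.get("DPT", "").isdigit() else None
    if dpt == listen_port:
        return "to-listen-port", dpt       # should have been accepted: check the rule
    if rec.get("PROTO") == "TCP":
        flags = rec["FLAGS"]
        if "SYN" in flags and "ACK" not in flags:
            return "new-connection-attempt", dpt   # unsolicited: a scan or a stray peer
        return "mid-stream", dpt           # no SYN: part of a flow no longer tracked
    if rec.get("PROTO") == "UDP":
        return "udp", dpt                  # stateless: cannot tell reply from probe
    return "other", dpt

def summarize(log_text, listen_port):
    """Count dropped packets per (label, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "SRC=" in line and "DST=" in line:
            counts[classify(parse(line), listen_port)] += 1
    return counts

if __name__ == "__main__":
    for (label, dpt), n in summarize(SAMPLE, 51413).most_common():
        print(f"{n:3d}  {label:24s} DPT={dpt}")
```

Many `mid-stream` drops from addresses that were recently torrent peers point at connection-tracking timeouts; repeated `new-connection-attempt` entries on ports nothing listens on are ordinary internet background scanning.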
Well, if your system isn't totally hidden behind a hardware firewall, then you certainly will get probes from malware sites as well as sites with mis-constructed addresses that they are trying to innocently connect with.
Thanks for reply, shouldn't my router have blocked that though? I'm wondering if it wasn't a weather program which starts at boot. That's the only thing it could have been because I had no other programs running since I was doing a reboot on my computer.
I found the hylafax was a cron job. I guess I'm just being paranoid I hope. :)
Better paranoid than pwnd these days! However, though they exist, Linux viruses and botnets are rare, and generally aimed at high-return targets.
FWIW, hylafax is a fax tool for Linux. If you aren't using your computer to send/receive faxes, then just uninstall it.