- 08-28-2010 #1Just Joined!
- Join Date
- Mar 2010
- Posts
- 34
Am I under attack?
I've recently installed Firestarter Firewall on my Ubuntu Desktop and Laptop. Since then I have noticed that on my desktop the events page of firestarter is picking up a lot of activity (see the "Screenshot-2" for an example of just this morning). Is this normal?
I ask this because my laptop with the same OS and firestarter doesn't seem to get anything, they are on the same network.
Last night I got 1403 serious hits from my router and many that weren't classed as serious, I can't think of why I would be getting anything from my router (see "Screenshot-1" for the details). I have even had the odd ssh attempt from somewhere ("Screenshot") the past few days.
I was feeling confident in the security of my machine, but now I'm not so sure.
My question, is any of this activity that firestarter is picking up normal, is there a logical explanation?
Or is it possible that someone is trying to hack my desktop? If so how can I track down who it is?
- 08-29-2010 #2
The screenshots are a bit small really.
But as far as I can recognize it, there are many connection attempts for SSH and HTTPS. This in itself is nothing unusual. It is not an attack specifically against your computer, but just some botnet trying each IP for shell access with trivial passwords.
Every server owner experiences this.
If you don't need it, you should disable sshd or move its services to another port.
I assume your router is set up so as to route incoming SSH (port 22) packages to your desktop, not to your laptop. This is why the former gets it all.
Debian GNU/Linux -- You know you want it.
- 08-29-2010 #3Just Joined!
- Join Date
- Mar 2010
- Posts
- 34
Thanks, that clarifies a few things for me. I was hoping that it would be just bot activity doing a bit of door knock or something like that but I wanted to be sure. I don't like to take chances when it comes to that sort of thing and I would have tolerated having someone trying to get into my system.
As for the ssh, I do kind of need that as I've had trouble getting my remote desktop to work correctly and I like to be able to access my desktop from other parts of the house with my laptop to do the odd thing or to shut the thing down, and without the remote desktop working properly ssh is my next option.
As I'm new and still learning some of this stuff in Linux, how can I correctly shift the service to another port? Is there a config file or a switch on a command? Or do I just keep 22 blocked and direct any ssh that I do to a port each time I connect?
As for the router directing everything to my desktop, I'm not sure if there's much that I can do about that as my router config interface seems to be that limiting that I get really frustrated with it, as I'm not a complete novice, and I want to go in and completely set it as I want it.
Also with the serious threats coming straight from the router itself, any idea what could cause this? I also forgot to mention with that one that I was still getting them after I unplugged the DSL cable from the router, seeing this I was worried that perhaps someone had hacked into my wireless (despite having it as secure as I can possibly make it).
- 08-29-2010 #4
By default, most home type routers reject all
unsolicited traffic coming from the internet. It should
not be possible for someone out there to log on
to any of the services on your computer unless
you specifically configure the router to send the
incoming requests to one of your internal IP addresses.
If you have no intention of running services available
to the net, make sure you are familiar with the router's
manual, so that you haven't enabled something you
didn't want.
As for what's coming from the router itself, devices on a small
network are sometimes quite chatty, sending ARP broadcasts
and so forth.
- 08-29-2010 #5Just Joined!
- Join Date
- Mar 2010
- Posts
- 34
> If you have no intention of running services available
> to the net, make sure you are familiar with the router's
> manual, so that you haven't enabled something you
> didn't want.
Thanks for the suggestion, I've just checked it and I think I may have found the setting, I'll wait and see if I still get as much activity after disabling it.
> As for what's coming from the router itself, devices on a small
> network are sometimes quite chatty, sending ARP broadcasts
> and so forth.
ARP is a normal protocol though, would that be enough for firestarter to read it as a serious threat?
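Added example, not part of the thread: one way to check from the firewall's log whether blocked traffic is router or LAN chatter or internet hosts probing SSH and HTTPS, the two cases posts #2 and #4 describe. It assumes the firewall logs in the kernel's iptables LOG format; the log lines, the router address 192.168.1.1, the LAN 192.168.1.0/24 and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the kernel's iptables LOG format (not from the thread).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as internet hosts.
SAMPLE_LOG = """\
Aug 28 09:14:02 desktop kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.255 LEN=229 PROTO=UDP SPT=1900 DPT=1900 LEN=209
Aug 28 09:14:07 desktop kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.255 LEN=229 PROTO=UDP SPT=1900 DPT=1900 LEN=209
Aug 28 09:15:31 desktop kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51544 DPT=22 SYN
Aug 28 09:15:33 desktop kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51560 DPT=22 SYN
Aug 28 09:17:10 desktop kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN
Aug 28 09:18:00 desktop kernel: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=38822 DPT=22 SYN
Aug 28 09:18:05 desktop kernel: usb 1-1: new high-speed USB device
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of a LOG line, or None for other kernel messages."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # UDP lines carry LEN twice; keep the first
    return fields if {"SRC", "PROTO"} <= fields.keys() else None

def scope_of(src, router_ip, lan_cidr):
    """Label a source address as the router, another LAN host, or the internet."""
    if src == router_ip:
        return "router"
    return "lan" if ipaddress.ip_address(src) in ipaddress.ip_network(lan_cidr) else "internet"

def summarize(log_text, router_ip="192.168.1.1", lan_cidr="192.168.1.0/24"):
    """Count logged packets per (scope, protocol, destination port)."""
    counts = Counter()
    for fields in filter(None, map(parse_line, log_text.splitlines())):
        scope = scope_of(fields["SRC"], router_ip, lan_cidr)
        counts[(scope, fields["PROTO"], fields.get("DPT", "-"))] += 1
    return counts

def internet_sources(log_text, dport, router_ip="192.168.1.1", lan_cidr="192.168.1.0/24"):
    """Internet hosts that hit one destination port, with hit counts."""
    hits = Counter()
    for fields in filter(None, map(parse_line, log_text.splitlines())):
        if fields.get("DPT") == dport and scope_of(fields["SRC"], router_ip, lan_cidr) == "internet":
            hits[fields["SRC"]] += 1
    return hits

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG).most_common(), dict(internet_sources(SAMPLE_LOG, "22")))
```

Entries in the "internet" scope on port 22 mean the router is forwarding that port to this machine; "router" and "lan" entries are local traffic that never crossed the DSL line.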


