On Tue, 2011-08-30 at 20:15 -0400, brian wrote:
> On 08/30/2011 07:58 PM, Always Learning wrote:
>> Curiously examining some of the blocked IP addresses in the daily
>> Logwatch report, I notice strange sites attempting to connect to our
>> servers on port 123 (the time port).
>>
>> I also notice our servers successfully contacting official time
>> reference centres which are not those sites trying to connect to us. I
>> notice too the installed time software is listening on every available
>> IP. I can not identify any options in any configuration files to
>> turn off this listening.
>>
>> Why are unknown sites attempting to connect to our server to, I assume,
>> sample the time and how does one turn off the software's listening on
>> every IP address, including 127.0.0.1 ?
>
> You can use iptables to block that port for all but specified addresses...
> assuming you have iptables set up to deny (drop) all by default, simply adding
>
> -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT

I think the -i eth0 is not needed with only one physical network
interface. I don't use -m tcp and the instruction shown in your example
works well without the -m tcp.

Using IPtables caused the blocked ports with their IP addresses and their
packet details to appear in Logwatch. As a keen user of IPtables I am
currently looking at blocking some packets on their contents (-m
string ......) before trying the 'bad guy' site IP blocking determined
by hackers' packets (-m recent .......)

However I am curious to know why strange sites contact our servers on
port 123 and why the installed CentOS time software listens on every
available IP address.

With best regards,
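
One way to follow up on the Logwatch observation in this thread, added here as an example and not code from either poster: it tallies blocked packets to port 123 from iptables LOG lines by source and protocol, and lists the sources that are not among the host's configured time servers. The log lines, the addresses and the `KNOWN_SERVERS` set are constructed for illustration.

```python
import re
from collections import Counter

# Constructed, abbreviated lines in the kernel's iptables LOG format.
# All addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 30 19:02:11 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 30 19:02:43 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 30 19:05:02 host kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=48211 DPT=123 LEN=56
Aug 30 19:07:30 host kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51514 DPT=22
Aug 30 19:09:15 host kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

# Assumption: the time servers this host is configured to use.
KNOWN_SERVERS = {"192.0.2.50"}

# iptables LOG output is a run of KEY=value tokens; a value may be empty (OUT=).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def blocked_ntp_sources(log_text, known_servers):
    """Count logged packets to port 123 per (source, protocol).

    Returns (hits, unknown): hits is a Counter keyed by (SRC, PROTO);
    unknown is the set of sources that are not configured time servers.
    """
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("DPT") != "123" or "SRC" not in fields:
            continue  # not aimed at the time port, or not a packet log line
        # PROTO shows whether the packet was UDP (which NTP uses) or TCP.
        hits[(fields["SRC"], fields.get("PROTO", "?"))] += 1
    unknown = {src for src, _ in hits if src not in known_servers}
    return hits, unknown


if __name__ == "__main__":
    hits, unknown = blocked_ntp_sources(SAMPLE_LOG, KNOWN_SERVERS)
    for (src, proto), count in hits.most_common():
        tag = "configured server" if src in KNOWN_SERVERS else "unknown source"
        print(f"{src:15} {proto:4} {count:3}  {tag}")
    print("not in server list:", ", ".join(sorted(unknown)))
```

A configured server showing up among the blocked sources means the firewall is dropping packets from a host the time daemon is meant to talk to, which is worth checking against the ACCEPT rule's protocol and address.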