
Today I read the iptables-dropped packet log line below and I don't really understand it. I hope somebody can help me.

I only opened inbound SSH port 2221 and, for my outgoing traffic, I opened DNS port 53 (protocol UDP).

 iptables-dropped: IN= OUT=eno1 SRC=myserver.ip DST=179.124.36.195 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=42743 PROTO=ICMP TYPE=3 CODE=3 [SRC=179.124.36.195 DST=myserver.ip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=58511 DF PROTO=TCP SPT=57351 DPT=2221 WINDOW=29200 RES=0x00 SYN URGP=0 ]

After reading the log, I asked myself, "How can he (the attacker) try an ICMP request? Does this mean that my server is compromised?"

Then I read the bracket, where we see an attempt to log in to the SSH port.

One drop but two different log messages?

Citizen
beard black

1 Answer

It appears your ssh server was down (3=ICMP_DEST_UNREACH) when 179.124.36.195 tried to connect to it, or you have iptables REJECT rules blocking access, resulting in the ICMP response, generated by your system (not the "attacker" system), which was then dropped due to your iptables rules.

There is one log message. If you want details on the log format, examine net/ipv4/netfilter/nf_log_ipv4.c in the Linux source code. For 5.4.8-gentoo, the ICMP log format starts here:

111   case IPPROTO_ICMP: {

The useful details about what caused ICMP_DEST_UNREACH are added to the log message starting here:

177     case ICMP_DEST_UNREACH:
Mark Wagner
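As an added illustration of the answer above (not code from the question or the answer), this parser splits an nf_log_ipv4 line into the outer header and the bracketed inner header that an ICMP destination-unreachable carries, then reports that the packet was generated locally and which original packet it answers. The sample line is constructed from the question, with 192.0.2.10 standing in for myserver.ip.

```python
import re

# Constructed sample based on the log line in the question; 192.0.2.10 stands in
# for "myserver.ip" (documentation address range, not a real host).
SAMPLE = ("iptables-dropped: IN= OUT=eno1 SRC=192.0.2.10 DST=179.124.36.195 LEN=88 "
          "TOS=0x00 PREC=0xC0 TTL=64 ID=42743 PROTO=ICMP TYPE=3 CODE=3 "
          "[SRC=179.124.36.195 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 "
          "ID=58511 DF PROTO=TCP SPT=57351 DPT=2221 WINDOW=29200 RES=0x00 SYN URGP=0 ]")

ICMP_DEST_UNREACH = "3"   # ICMP type 3
ICMP_CODES = {"0": "net unreachable", "1": "host unreachable",
              "3": "port unreachable", "13": "administratively prohibited"}

def _fields(text):
    """Turn 'KEY=VALUE' tokens into a dict; bare flags such as DF or SYN map to True."""
    out = {}
    for tok in text.split():
        key, sep, val = tok.partition("=")
        out[key] = val if sep else True
    return out

def parse_log(line):
    """Split an nf_log_ipv4 line into its prefix, the outer packet header and, for
    ICMP errors, the inner [...] header of the packet that triggered the error."""
    prefix, _, rest = line.partition(": ")
    inner = None
    m = re.search(r"\[(.*?)\]", rest)
    if m:
        inner = _fields(m.group(1))
        rest = rest[:m.start()] + rest[m.end():]
    return {"prefix": prefix, "outer": _fields(rest), "inner": inner}

def explain(entry):
    """Say who generated the packet and, for a dest-unreachable, what it answered."""
    o, i = entry["outer"], entry["inner"]
    # An empty IN= with a non-empty OUT= means the packet originated on this host.
    local = o.get("IN", "") == "" and bool(o.get("OUT"))
    result = {"locally_generated": local, "proto": o.get("PROTO")}
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == ICMP_DEST_UNREACH and i:
        code = o.get("CODE")
        result["icmp"] = "destination unreachable: " + ICMP_CODES.get(code, "code " + str(code))
        result["in_reply_to"] = "%s %s:%s -> %s:%s%s" % (
            i.get("PROTO"), i.get("SRC"), i.get("SPT"), i.get("DST"), i.get("DPT"),
            " SYN" if i.get("SYN") else "")
    return result

if __name__ == "__main__":
    print(explain(parse_log(SAMPLE)))
```

For the sample, the inner header is the client's SYN to port 2221 and the outer packet is the server's own port-unreachable reply, which is why a single drop shows two headers in one line.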