In a few minutes I will be on my way to the Linux Plumbers Conference in Portland.
Monthly Archive for September, 2008
Today we received an email accusing our mirror server (ftp-stud.hs-esslingen.de – 129.143.116.10) of an attack on another system. To prove the so-called attack they sent us the output of netstat:
tcp 1 0 91.194.90.207:60992 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60998 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60999 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60997 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60930 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60931 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60928 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60929 129.143.116.10:80 CLOSE_WAIT
So they are actually complaining that they are opening connections to port 80 on our mirror server. Their solution to the “attack” is to drop any packets coming from our system with iptables -A INPUT -s 129.143.116.10 -j DROP.
It looks like we lost a clueless user who will not be able to connect to our mirror server any more (probably until he reboots his system) and not receive any more updates.
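
The reading of the netstat output above can be checked mechanically. The following is an added example, not part of the original post: it parses the quoted lines and infers which side opened each connection from the port numbers. The function names and the 1023 cut-off between service ports and ephemeral client ports are assumptions made for this illustration.

```python
import re
from collections import Counter

# netstat lines quoted in the post: proto, Recv-Q, Send-Q, local address, foreign address, state
REPORT = """\
tcp 1 0 91.194.90.207:60992 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60998 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60999 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60997 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60930 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60931 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60928 129.143.116.10:80 CLOSE_WAIT
tcp 1 0 91.194.90.207:60929 129.143.116.10:80 CLOSE_WAIT
"""

ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")
SERVICE_PORT_MAX = 1023  # assumption: ports above this are ephemeral client ports


def initiator(local_port, foreign_port):
    """Guess which end opened the connection from the port numbers alone."""
    local_is_service = local_port <= SERVICE_PORT_MAX
    foreign_is_service = foreign_port <= SERVICE_PORT_MAX
    if foreign_is_service and not local_is_service:
        return "local"    # reporting host connected out to a remote service
    if local_is_service and not foreign_is_service:
        return "foreign"  # remote host connected in to a local service
    return "unknown"      # both or neither look like service ports


def triage(netstat_text):
    """Count connections per (local host, foreign host, service port, state, initiator)."""
    summary = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, LISTEN, UDP and UNIX-socket rows are ignored
        lhost, lport, fhost, fport, state = m.groups()
        lport, fport = int(lport), int(fport)
        who = initiator(lport, fport)
        service = fport if who == "local" else lport if who == "foreign" else None
        summary[(lhost, fhost, service, state, who)] += 1
    return summary


if __name__ == "__main__":
    for (lhost, fhost, port, state, who), n in triage(REPORT).items():
        print(f"{n} x {lhost} <-> {fhost} port {port} {state}: opened by {who} side")
```

All eight rows come out as opened by the local (reporting) side. CLOSE_WAIT additionally means the peer has already closed its end and the local application has not yet closed the socket.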