Am I being attacked??!??

[carlosc]

Hi. I'm new to linux and web serving I'm currently running an apache webserver on Linux Mandrake 7.0. Everything works good, so far. I notice sometimes, out of no where the server box just starts making lots of noise (accessing the HD) when I hardly get any traffic on my site. I unplug the cat-5 from the hub and the noise persisted for a bit, so I figured that was normal?

My real concern is that I use trafip. For those who aren't familiar with that it's just a konsole program that let's me know in real-time the statistics of what ports and protocols are being used, packets sent, etc. I noticed that a small amount of packets coming in from UDP ports 67 and 68 when someone accesses a page. I know to expect port 80, but not any others??? Could this be a security issue, or is it normal? I figure it might just be request from the client computers? Any help would be very appreciated. Thanks in advance.

 

[ifincham]

Hi,



Well DHCP uses UDP from client port 68 to DHCP server port 67 so it could just be that, especially if you are running a DHCPD daemon. Check your log files after you detect access on those ports. If you're not running a dhcp server then you could just firewall inbound stuff to port 67 but obviously not to port 68 (unless all your IP addresses are static) because its udp and, unlike tcp, you can't detect if its part of an established connection. If you block it that would prevent you getting a dhcp lease from your ISP.



Hope this helps

 

[carlosc]

I use DHCP because the computer hooked up to the net (cable) is a win98 machine. I use ICS to connect all other comps to the net. I assume that's the use for the UDP ports being accessed. It's not a heavy load at all. The only load is on port 80 for web and 21 when I do FTP. Thanks a lot for your input, that put my mind to ease.

Carlos

 

[RhythmAce]

I wouldn't worry about all that noise that it makes either. It's more than likely, Cron doing its thing.