Koozali.org: home of the SME Server

What are these messages in the log

kozel

What are these messages in the log
« on: February 22, 2004, 03:47:03 PM »
I have a couple of SME servers running at different locations, and at one of them I'm seeing these frequently. Any idea what they mean?
Feb 21 10:56:53 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=12.216.248.151 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=49130 DF PROTO=TCP SPT=3654 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:00:58 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=66.135.35.33 DST=24.186.121.46 LEN=656 TOS=0x00 PREC=0x00 TTL=112 ID=38520 PROTO=UDP SPT=3563 DPT=1026 LEN=636
Feb 21 11:22:06 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=211.42.222.159 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=13795 DF PROTO=TCP SPT=4198 DPT=4899 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:27:19 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=131.229.42.99 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=1648 DF PROTO=TCP SPT=4979 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:27:22 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=131.229.42.99 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=1699 DF PROTO=TCP SPT=4979 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:27:28 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=131.229.42.99 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2238 DF PROTO=TCP SPT=4979 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:28:34 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=172.128.11.252 DST=24.186.121.46 LEN=1106 TOS=0x00 PREC=0x00 TTL=117 ID=11321 PROTO=UDP SPT=8533 DPT=1026 LEN=1086
Feb 21 11:43:17 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=64.156.39.12 DST=24.186.121.46 LEN=574 TOS=0x00 PREC=0x00 TTL=115 ID=57152 PROTO=UDP SPT=666 DPT=1026 LEN=554
Feb 21 11:48:51 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=66.135.35.33 DST=24.186.121.46 LEN=656 TOS=0x00 PREC=0x00 TTL=112 ID=161 PROTO=UDP SPT=1452 DPT=1026 LEN=636

chris burnat
What are these messages in the log
« Reply #1 on: February 22, 2004, 04:33:57 PM »
A new feature in the logs for version 6.  It is telling you that access to your box via eth0 with a MAC address of 00:c0 ...etc (your LAN card connecting to the WAN) has been denied by the kernel.  In other words, your firewall is doing its job.

For example, take the line:

Feb 21 11:48:51 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=66.135.35.33 DST=24.186.121.46 LEN=656 TOS=0x00 PREC=0x00 TTL=112 ID=161 PROTO=UDP SPT=1452 DPT=1026 LEN=636

It is telling you that whoever tried to access your box was at IP address 66.135.35.33.  You are at IP 24.186.121.46.  The attempt was initiated from port 1452 using the UDP protocol, trying to get into you on port 1026.  In recent times, I've noticed a lot of this sort of activity coinciding with the Doom virus, i.e. attempts at port 335 on my box for days on end.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.
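The reply above reads one denylog line by hand. Once a box logs hundreds of these a day, the useful question is not what a single line says but which source hosts and which destination ports keep showing up. The following parser is an added example, not code from the thread or from SME Server: it splits the kernel's key=value fields (keeping the bare tokens such as DF and SYN as flags, and the second LEN on UDP lines as the datagram length), describes each denied packet the way the reply does, and counts denied attempts per target port and per source. The function names and the "repeat source" threshold are my own choices; the sample input is the nine lines quoted in the opening post.

```python
import re
from collections import Counter

# Sample input: the nine denylog lines quoted in the opening post of this thread.
SAMPLE_LOG = """\
Feb 21 10:56:53 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=12.216.248.151 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=49130 DF PROTO=TCP SPT=3654 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:00:58 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=66.135.35.33 DST=24.186.121.46 LEN=656 TOS=0x00 PREC=0x00 TTL=112 ID=38520 PROTO=UDP SPT=3563 DPT=1026 LEN=636
Feb 21 11:22:06 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=211.42.222.159 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=13795 DF PROTO=TCP SPT=4198 DPT=4899 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:27:19 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=131.229.42.99 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=1648 DF PROTO=TCP SPT=4979 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:27:22 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=131.229.42.99 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=1699 DF PROTO=TCP SPT=4979 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:27:28 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=131.229.42.99 DST=24.186.121.46 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2238 DF PROTO=TCP SPT=4979 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 11:28:34 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=172.128.11.252 DST=24.186.121.46 LEN=1106 TOS=0x00 PREC=0x00 TTL=117 ID=11321 PROTO=UDP SPT=8533 DPT=1026 LEN=1086
Feb 21 11:43:17 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=64.156.39.12 DST=24.186.121.46 LEN=574 TOS=0x00 PREC=0x00 TTL=115 ID=57152 PROTO=UDP SPT=666 DPT=1026 LEN=554
Feb 21 11:48:51 smith kernel: denylog:IN=eth0 OUT= MAC=00:c0:f0:03:18:05:00:05:9a:d2:e0:55:08:00 SRC=66.135.35.33 DST=24.186.121.46 LEN=656 TOS=0x00 PREC=0x00 TTL=112 ID=161 PROTO=UDP SPT=1452 DPT=1026 LEN=636
"""

# "Feb 21 11:48:51 smith kernel: denylog:IN=eth0 ..." -> timestamp, host, log prefix, fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<prefix>[^:\s]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Parse one kernel firewall log line into a dict; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP lines carry LEN twice: the IP packet length first, then the
            # UDP datagram length. Keep the second one under its own name.
            if key == "LEN" and "LEN" in rec:
                key = "UDP_LEN"
            rec[key] = val
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return rec


def describe(rec):
    """Render a record the way the reply above reads it: who, from where, to which port."""
    flags = " ".join(rec["flags"]) or "none"
    return (f"{rec['PROTO']} from {rec['SRC']}:{rec.get('SPT', '?')} "
            f"to {rec['DST']}:{rec.get('DPT', '?')} denied on {rec['IN']} "
            f"(flags: {flags})")


def summarize(lines):
    """Parse all lines and count denied attempts per (proto, dport) and per source IP."""
    recs = [r for r in (parse_line(l) for l in lines) if r is not None]
    by_target = Counter((r["PROTO"], r.get("DPT")) for r in recs)
    by_source = Counter(r["SRC"] for r in recs)
    return recs, by_target, by_source


def repeat_sources(recs, threshold=3):
    """Return (src, proto, dport) triples seen at least `threshold` times.

    One host retrying the same closed port is worth a closer look than the
    scattered one-off probes that make up most of the noise. The threshold is
    an arbitrary choice for this example."""
    hits = Counter((r["SRC"], r["PROTO"], r.get("DPT")) for r in recs)
    return {k for k, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    recs, by_target, by_source = summarize(SAMPLE_LOG.splitlines())
    for r in recs:
        print(describe(r))
    print("\nDenied attempts per target port:")
    for (proto, dport), n in by_target.most_common():
        print(f"  {proto}/{dport}: {n}")
    print("\nRepeat sources:", repeat_sources(recs))
```

Run against the lines from the thread, the per-port count shows four UDP packets aimed at port 1026 from four different sources and three TCP SYNs to port 3127 from one source within nine seconds; the first pattern is diffuse background noise, the second is a single host retrying, which is the kind of thing worth keeping an eye on in the summary rather than reading line by line. On a real box you would feed it the kernel messages from the system log instead of the embedded sample.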