ipv4 and ipv6 operate at a layer that is different from the physical
card. There is no such thing as an ipv6 mac address.

On Tue, 10 Aug 2004 09:00:51 -0400, Scot L. Harris <webid@xxxxxxxxxx> wrote:
> On Tue, 2004-08-10 at 04:54, Brian Fahrlander wrote:
> > I was just noticing, while trying to reload a machine with FC1 (long
> > story- don't ask) I was watching the log and noticed something I noticed
> > earlier:
> >
> > Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> > Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> >
> > <slight delay here and then:>
> > Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
> >
> >
> > I'm no firewall-guru, but this having happened more than once, I get
> > the feeling our new SSH-hacking friend might be trying to get around the
> > firewall.
> >
> > Does anyone else concur?
>
> Double check your system and make sure port 1025 is closed or disabled.
> That appears to be the port they are trying to hit. What I find
> interesting is the MAC address info. It appears to be an IPV6 MAC
> address not an IPV4 (too many octets). If you don't need IPV6 you may
> want to disable that as well.
>
> A quick google on port 1025 had it listed in one place as network
> blackjack. Not sure how accurate that is. But most likely this is just
> someone scanning various ports for something open or for a specific
> exploit on a service that uses port 1025.
>
> --
> Scot L. Harris <webid@xxxxxxxxxx>
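
The MAC= field in a netfilter LOG line is the raw Ethernet header of the packet: six octets of destination MAC, six of source MAC, and a two-octet EtherType, which is why it shows 14 octets. The parser below is an added example, not part of the original thread; its function names are illustrative, and the sample is the first firewall line quoted above.

```python
import re

# Small subset of registered EtherType values.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# First firewall line quoted in the thread above.
SAMPLE = (
    "Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= "
    "MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 "
    "DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF "
    "PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0"
)

def parse_fields(line):
    """Collect the KEY=value pairs of a LOG line (empty values kept)."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))

def split_mac_field(value):
    """Split MAC= into destination MAC, source MAC and EtherType."""
    octets = value.split(":")
    if not all(re.fullmatch(r"[0-9a-fA-F]{2}", o) for o in octets):
        raise ValueError("MAC field is not colon-separated hex octets")
    if len(octets) != 14:
        # Non-Ethernet link layers log a header of a different length.
        raise ValueError(f"expected 14 octets, got {len(octets)}")
    ethertype = int(octets[12] + octets[13], 16)
    return ":".join(octets[:6]), ":".join(octets[6:12]), ethertype

def describe(line):
    """Return the link-layer and network-layer facts from one LOG line."""
    fields = parse_fields(line)
    dst_mac, src_mac, ethertype = split_mac_field(fields["MAC"])
    return {
        "dst_mac": dst_mac,
        "src_mac": src_mac,
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "src_ip": fields.get("SRC"),
        "dst_ip": fields.get("DST"),
        "dst_port": int(fields["DPT"]) if "DPT" in fields else None,
    }

if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key:10} {value}")
```

For the quoted line the trailing 08:00 decodes to EtherType 0x0800, so the logged frame carried IPv4.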