Andy Green wrote:
Somebody in the thread at some point said:
So I turned off sshd but that didn't stop the problem. I am getting hit
several times a second by someone. I would sure like to at least know
the IP they are from.
tcpdump -i eth0
will give you an overview of what is happening on your network interface
(change eth0 to whichever interface it actually is).
If the DNS lookups are distracting, you can do
tcpdump -i eth0 -n
to just get IP addresses. Paste a few lines of the results here if it
didn't make any sense.
-Andy
Thanks Andy but this guy is a pro. Here is the printout:
08:36:54.556722 IP hpc-mirror.usc.edu.http > 192.168.0.2.36230: . 332880:334340(1460) ack 1 win 108
08:36:54.556773 IP 192.168.0.2.36230 > hpc-mirror.usc.edu.http: . ack 334340 win 4850
08:36:54.559933 IP ftp1.nacs.uci.edu.ftp > 192.168.0.2.51487: P 0:19(19) ack 1 win 1448 <nop,nop,timestamp 2065179405 11859719>
08:36:54.559998 IP 192.168.0.2.51487 > ftp1.nacs.uci.edu.ftp: . ack 19 win 92 <nop,nop,timestamp 11953292 2065179405,nop,nop,sack 1 {0:19}>
08:36:54.613139 IP hpc-mirror.usc.edu.http > 192.168.0.2.36230: . 334340:335800(1460) ack 1 win 108
08:36:54.613189 IP 192.168.0.2.36230 > hpc-mirror.usc.edu.http: . ack 335800 win 4895
08:36:54.669234 IP hpc-mirror.usc.edu.http > 192.168.0.2.36230: P 335800:337260(1460) ack 1 win 108
08:36:54.669286 IP 192.168.0.2.36230 > hpc-mirror.usc.edu.http: . ack 337260 win 4941
I am not sure what is being done, but it is being relayed by USC and others.
Karl
--
Karl F. Larsen, AKA K5DI
Linux User #450462 http://counter.li.org.
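
Added example, not part of the original thread: one way to tally a tcpdump printout per remote host and see which side of each conversation holds the service port. The function names, the direction heuristic (named or below-1024 port = server side) and the 203.0.113.7 lines are assumptions made for illustration; the local address 192.168.0.2 is taken from the printout.

```python
import re
from collections import Counter

LOCAL = "192.168.0.2"  # local address as it appears in the printout

# Lines in the printout's format, wrapped lines rejoined and TCP options
# trimmed. The 203.0.113.7 lines are constructed for contrast.
SAMPLE = """\
08:36:54.556722 IP hpc-mirror.usc.edu.http > 192.168.0.2.36230: . 332880:334340(1460) ack 1 win 108
08:36:54.556773 IP 192.168.0.2.36230 > hpc-mirror.usc.edu.http: . ack 334340 win 4850
08:36:54.559933 IP ftp1.nacs.uci.edu.ftp > 192.168.0.2.51487: P 0:19(19) ack 1 win 1448
08:36:54.559998 IP 192.168.0.2.51487 > ftp1.nacs.uci.edu.ftp: . ack 19 win 92
08:36:55.000001 IP 203.0.113.7.40112 > 192.168.0.2.ssh: S 1:1(0) win 5840
08:36:55.200001 IP 203.0.113.7.40113 > 192.168.0.2.ssh: S 7:7(0) win 5840
"""

# "<time> IP <host>.<port> > <host>.<port>: <flags>"; port may be a name.
LINE = re.compile(r"^\S+ IP (\S+)\.([^.\s]+) > (\S+)\.([^.\s]+): (\S+)")

def is_service(port):
    # Without -n, tcpdump names well-known ports; numeric ones below 1024 count too.
    return not port.isdigit() or int(port) < 1024

def summarize(text, local=LOCAL):
    """Count packets per (remote host, service, direction)."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, _flags = m.groups()
        if src == local:
            remote, rport, lport = dst, dport, sport
        elif dst == local:
            remote, rport, lport = src, sport, dport
        else:
            continue
        if is_service(rport) and not is_service(lport):
            key = (remote, rport, "outbound")  # local client, remote server
        elif is_service(lport) and not is_service(rport):
            key = (remote, lport, "inbound")   # remote client, local server
        else:
            key = (remote, f"{lport}/{rport}", "unknown")
        flows[key] += 1
    return flows

def inbound_sources(flows):
    """Remote hosts connecting to local services, busiest first."""
    hits = [(h, s, n) for (h, s, d), n in flows.items() if d == "inbound"]
    return sorted(hits, key=lambda t: -t[2])

if __name__ == "__main__":
    for (host, service, direction), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {direction:8s}  {service:6s}  {host}")
```

To use it on a live capture, save the output of tcpdump -i eth0 -n to a file and pass its contents to summarize() in place of SAMPLE.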