On 08/25/2017 03:49 AM, Davide Marchi wrote:
>> On 2017-08-24 20:48 Tom Eastep wrote:
>>
>> As far as I am aware, neither UDP port 1370 nor TCP port 1328 have
>> anything to do with Postfix. [..]
> 
> 
> Well, this is already something..
> 
> 
> On 2017-08-24 21:47 Tom Eastep wrote:
>> On 08/24/2017 11:48 AM, Tom Eastep wrote:
>>
>>>
>>> As far as I am aware, neither UDP port 1370 nor TCP port 1328 have
>>> anything to do with Postfix. Port 1370 is us-gv (Unix Shell to
>>> GlobalView) while 1328 is echoserver (and also used by malware). I
>>> suggest that you use netstat to try to determine the process that is
>>> using these ports:
>>>
>>> On SERVER1
>>>
>>>     netstat -unap | fgrep 1370
>>>
>>> On SERVER2
>>>
>>>     netstat -tnap | fgrep 1328
> [..]
>>>
>>
>> Actually, those are backwards. You want:
>>
>> On SERVER1
>>
>>     netstat -tnap | fgrep 1328
>>
>> On SERVER2
>>
>>     netstat -unap | fgrep 1360
>>
>> -Tom
> 
> 
> Thanks again for your help, I am not an expert and I appreciate very much
> what you do, which allows me to learn ;-)
> Well, I've done as you suggested, but the netstat output seems null,
> except for port 23.
> 
>>>
>>> You may have to repeat each command multiple times to catch a process
>>> that is bound to the specific port.
> 
> Is there a way to make netstat listen continuously on a particular port
> and record its output?
> 
> 

No. But I don't think that the messages below have anything to do with
your MX configuration.
> 
> ---------------------------- SERVER1 -------------------------------
> [..]
> Aug 25 11:25:16 server kernel: [17880669.219599] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
> Aug 25 11:25:53 server kernel: [17880706.456383] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=47055 DPT=1370 LEN=35
> Aug 25 11:25:57 server kernel: [17880710.177281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.236.38.63 DST=91.205.175.213 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=44240 PROTO=TCP SPT=64626 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
> Aug 25 11:25:57 server kernel: [17880710.245664] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=91.211.0.103 DST=91.205.175.213 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=52662 PROTO=TCP SPT=52212 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
> Aug 25 11:26:04 server kernel: [17880717.162323] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=189.219.254.21 DST=91.205.175.213 LEN=40 TOS=0x08 PREC=0x20 TTL=235 ID=5462 PROTO=TCP SPT=19429 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
> Aug 25 11:26:16 server kernel: [17880729.255432] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
> Aug 25 11:26:53 server kernel: [17880766.484037] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=47055 DPT=1370 LEN=35
> Aug 25 11:27:05 server dovecot: imap(book...@hotelsangiorgioriccione.com): save: box=Drafts, uid=435, msgid=<d416e588-fdb7-fedc-e907-ba2f87ff2...@hotelsangiorgioriccione.com>, size=113827
> 
> Aug 25 11:27:12 server kernel: [17880785.159752] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=91.223.82.136 DST=91.205.175.213 LEN=66 TOS=0x08 PREC=0x40 TTL=58 ID=0 DF PROTO=UDP SPT=51884 DPT=161 LEN=46
> Aug 25 11:27:16 server kernel: [17880789.285575] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
> 
> 
> netstat -unap | fgrep 161
> root@server:/home/vage# netstat -unap | fgrep 1370
> root@server:/home/vage# netstat -unap | fgrep 3389
> root@server:/home/vage# netstat -tnap | fgrep 1328
> 
> netstat -unap | fgrep 23
> udp        0      0 91.205.175.213:123      0.0.0.0:*                           522/ntpd
> udp        0      0 127.0.0.1:123           0.0.0.0:*                           522/ntpd
> udp        0      0 0.0.0.0:123             0.0.0.0:*                           522/ntpd
> udp6       0      0 fe80::250:56ff:fe3c:123 :::*                                522/ntpd
> udp6       0      0 2a02:c205:2008:934::123 :::*                                522/ntpd
> udp6       0      0 ::1:123                 :::*                                522/ntpd
> udp6       0      0 :::123                  :::*                                522/ntpd
> 
> netstat -tnap | fgrep 23
> tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52641         ESTABLISHED 12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52646         ESTABLISHED 12310/mysqld
> tcp        0      0 91.205.175.213:3306     5.189.166.16:53435      ESTABLISHED 12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52644         ESTABLISHED 12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52645         ESTABLISHED 12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52643         ESTABLISHED 12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52640         ESTABLISHED 12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52648         ESTABLISHED 12310/mysqld
> tcp        0      0 127.0.0.1:3306          127.0.0.1:52642         ESTABLISHED 12310/mysqld
> 
> 

The messages below on SERVER2 appear to simply be 113.111.6.15 and
62.210.162.192 attempting to access a web cache on your server. They have
nothing whatsoever to do with your MX configuration.
> 
> ----------------------- SERVER2 ----------------------------
> [..]
> Aug 25 11:34:18 server2 kernel: [11724555.361345] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15 DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=17270 DF PROTO=TCP SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
> Aug 25 11:34:19 server2 kernel: [11724556.342860] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15 DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=31661 DF PROTO=TCP SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
> Aug 25 11:34:20 server2 kernel: [11724556.829862] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15 DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=25278 DF PROTO=TCP SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
> Aug 25 11:34:20 server2 kernel: [11724557.345019] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15 DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=64471 DF PROTO=TCP SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
> Aug 25 11:34:27 server2 kernel: [11724564.111568] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=62.210.162.192 DST=5.189.166.16 LEN=52 TOS=0x02 PREC=0x00 TTL=123 ID=10751 DF PROTO=TCP SPT=55487 DPT=3128 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
> Aug 25 11:34:30 server2 kernel: [11724567.119137] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=62.210.162.192 DST=5.189.166.16 LEN=52 TOS=0x02 PREC=0x00 TTL=123 ID=10752 DF PROTO=TCP SPT=55487 DPT=3128 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
> Aug 25 11:34:36 server2 kernel: [11724573.119060] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=62.210.162.192 DST=5.189.166.16 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=10753 DF PROTO=TCP SPT=55487 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> 

In short, they look like the kind of messages we all see. You can always
blacklist the sending hosts to quiet down your log...

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
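To make the two techniques in this thread concrete, here is an added example (not code from the thread, and not Shorewall's own code) that parses the `Shorewall:net-fw:DROP:` kernel lines quoted above into their netfilter fields, counts drops per source host and per destination port (the per-host count is what decides which sending hosts are worth blacklisting to quiet the log), and performs an exact local-port match on netstat output, which `netstat -tnap | fgrep 23` does not: on the output Davide quoted, a substring match for 23 also returns ntpd's port 123, mysqld's remote port 52643 and mysqld's PID 12310, while no socket is bound to local port 23. The sample log and netstat text are constructed from the values quoted in the thread, joined back onto single lines (the dovecot line has its mailbox replaced by a placeholder); the `min_hits` threshold is an assumption.

```python
"""Parse Shorewall/netfilter log lines and match netstat output by exact port.

Added example, not from the thread or from the Shorewall project.
"""
import re
from collections import Counter

# Constructed sample: values quoted in the thread, one event per line.
SAMPLE_KERNEL_LOG = """\
Aug 25 11:25:16 server kernel: [17880669.219599] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
Aug 25 11:25:53 server kernel: [17880706.456383] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=47055 DPT=1370 LEN=35
Aug 25 11:25:57 server kernel: [17880710.177281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.236.38.63 DST=91.205.175.213 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=44240 PROTO=TCP SPT=64626 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 25 11:25:57 server kernel: [17880710.245664] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=91.211.0.103 DST=91.205.175.213 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=52662 PROTO=TCP SPT=52212 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 25 11:26:16 server kernel: [17880729.255432] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
Aug 25 11:27:05 server dovecot: imap(user@example.invalid): save: box=Drafts, uid=435, size=113827
Aug 25 11:34:27 server2 kernel: [11724564.111568] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=62.210.162.192 DST=5.189.166.16 LEN=52 TOS=0x02 PREC=0x00 TTL=123 ID=10751 DF PROTO=TCP SPT=55487 DPT=3128 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
"""

# Constructed sample of `netstat -tnap` / `netstat -unap` output, from the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 91.205.175.213:123      0.0.0.0:*                           522/ntpd
udp6       0      0 :::123                  :::*                                522/ntpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      12310/mysqld
tcp        0      0 127.0.0.1:3306          127.0.0.1:52643         ESTABLISHED 12310/mysqld
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):(?P<rest>.*)")


def parse_event(line):
    """Return a dict of netfilter fields for one Shorewall log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    event = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            # UDP lines carry LEN twice (IP total length, then UDP length);
            # keep the first so LEN means the same thing on every line.
            event.setdefault(key, value)
        else:
            event["flags"].append(token)  # bare flags: DF, SYN, CWR, ECE, ...
    return event


def summarize_drops(log_text, action="DROP"):
    """Count packets with the given disposition per source and per (proto, dport)."""
    by_src, by_dport = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != action:
            continue
        by_src[ev["SRC"]] += 1
        by_dport[(ev["PROTO"], int(ev["DPT"]))] += 1
    return by_src, by_dport


def repeat_offenders(by_src, min_hits=3):
    """Sources seen at least min_hits times (threshold is an assumption)."""
    return sorted(src for src, n in by_src.items() if n >= min_hits)


# netstat row: proto recv-q send-q local remote [state] pid/program
NETSTAT_RE = re.compile(
    r"^(?P<proto>(?:tcp|udp)6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<prog>\S+)\s*$"
)


def substring_hits(netstat_text, needle):
    """What `netstat ... | fgrep <needle>` returns: every line containing the text."""
    return [line for line in netstat_text.splitlines() if needle in line]


def sockets_on_local_port(netstat_text, port):
    """Sockets whose LOCAL port is exactly `port`, as (proto, local, pid/program)."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m is None:
            continue
        local = m.group("local")
        if local.rsplit(":", 1)[-1] == str(port):
            hits.append((m.group("proto"), local, m.group("prog")))
    return hits


if __name__ == "__main__":
    by_src, by_dport = summarize_drops(SAMPLE_KERNEL_LOG)
    for src, n in by_src.most_common():
        print(f"{n:3d} drops from {src}")
    for (proto, port), n in by_dport.most_common():
        print(f"{n:3d} drops to {proto}/{port}")
    print("blacklist candidates:", repeat_offenders(by_src))
    print("fgrep 23 matches", len(substring_hits(SAMPLE_NETSTAT, "23")), "lines")
    print("sockets actually on local port 23:", sockets_on_local_port(SAMPLE_NETSTAT, 23))
    print("sockets on local port 123:", sockets_on_local_port(SAMPLE_NETSTAT, 123))
```

Run it with `python3 shorewall_drops.py` (file name assumed), or feed a real `/var/log/kern.log` through `summarize_drops`. The exact-port check is the point of the second half: a bare `fgrep 23` over the quoted netstat output returns four lines, none of which is a socket on port 23, which is why repeating the substring search never finds the process Tom asked about.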


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
