On Tue, 2011-08-30 at 20:15 -0400, brian wrote:
> On 08/30/2011 07:58 PM, Always Learning wrote:
>> Curiously examining some of the blocked IP addresses in the daily Logwatch report, I notice strange sites attempting to connect to our servers on port 123 (the time port).
>> I also notice our servers successfully contacting official time reference centres, which are not those sites trying to connect to us. I notice too the installed time software is listening on every available IP. I cannot identify any options in any configuration files to turn off this listening.
>> Why are unknown sites attempting to connect to our server to, I assume, sample the time and how does one turn off the software's listening on every IP address, including 127.0.0.1?
> You can use iptables to block that port for all but specified addresses...
> assuming you have iptables set up to deny (drop) all by default, simply adding
> -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT
I think the -i eth0 is not needed with only one physical network interface. I don't use -m tcp and the instruction shown in your example works well without the -m tcp.
Using IPtables caused the blocked ports with their IP addresses and their packet details to appear in Logwatch. As a keen user of IPtables I am currently looking at blocking some packets on their contents (-m string ......) before trying the 'bad guy' site IP blocking determined by hackers' packets (-m recent .......).
However I am curious to know why strange sites contact our servers on port 123 and why the installed CentOS time software listens on every available IP address.
Best regards,
Paul.
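
An added example, not part of the original message: a Python sketch that tallies blocked inbound packets to port 123 per source address and protocol, excluding the time servers the host itself uses, so the unknown sites seen in the Logwatch report can be listed. It assumes the packets are logged in the standard netfilter LOG format; the sample lines, addresses and the trusted server are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (documentation addresses only).
SAMPLE_LOG = """\
Aug 30 19:01:02 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 30 19:05:40 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 30 19:07:13 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=40112 DPT=123 LEN=56
Aug 30 19:09:55 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=4211 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 19:12:31 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.53 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    fields = {}
    for key, value in FIELD.findall(line):
        # LEN appears twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def ntp_sources(log_text, trusted=()):
    """Count logged inbound packets to port 123 per (source, protocol).

    Sources listed in `trusted` (the time servers this host uses) are skipped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("DPT") != "123" or not f.get("IN") or "SRC" not in f:
            continue  # not an inbound packet to the time port
        if f["SRC"] in trusted:
            continue
        counts[(f["SRC"], f.get("PROTO", "?"))] += 1
    return counts


if __name__ == "__main__":
    # 192.0.2.53 stands in for a time server configured on this host (assumption).
    for (src, proto), n in ntp_sources(SAMPLE_LOG, {"192.0.2.53"}).most_common():
        print(f"{src:15} {proto:4} {n}")
```

The protocol column shows whether the logged packets are UDP or TCP, which is worth comparing against the `-p` match of any rule written for port 123.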