I've just done a little "study" (well, nothing quite that pretentious) of the traffic hitting my router that gets DROPped by the router's firewall. There is a surprisingly (to me, at least) enormous amount of it. Over about the last 3 weeks, it has dropped over 65,000 connection attempts.
I finally got around to figuring out how to have the router's logging mechanism connect to the rsyslog on my CentOS workstation, so I can collect a large body of log entries to review. Previously I could see only a few hundred at a time, since the router doesn't have huge storage.
Here's just the first few items from the list, listed as port number ordered by total number of hits:
    Port          Hits
    DPT=3343      8859
    DPT=23        7872
    DPT=3344      5984
    DPT=6         4925
    DPT=68        4291
    DPT=9         2625
    DPT=3291      2524
    DPT=32915     2523
    DPT=143       2467
    DPT=1433      2377
    DPT=445       2037
    DPT=33441     1544
    DPT=33442     1522
    DPT=33440     1511
    DPT=33434     1511
    DPT=33435     1487
    DPT=33436     1486
    DPT=33437     1476
    DPT=33439     1458
    DPT=33438     1439
    DPT=80        1068
    DPT=33443     1060
    DPT=5060       948
Some of those are ports I've never been aware of, such as 3343, which /etc/services lists as "ms-cluster-net". Obviously something on MS systems, and apparently a lot of mal-dudes think it's a great port to hit on, in case it might just happen to be wide open.
Then there's port 23 (telnet), which at 7872 hits is ample evidence for why everybody who knows anything says to NEVER put a system on the internet with an open telnet port.
sigh.
Then, even after all this garbage is filtered out, there is another HUGE pile of things hitting my mail server that get filtered out by a variety of filtering techniques including but not limited to greylisting email. (BTW, greylisting was by far the most effective of all the filtering techniques I've found for dropping spam before it ever gets into my mail system. For mail that does get in, SpamBayes works great, once one figures out how to configure it.)
If any of you don't believe that the 'net is populated by evil beings, let this be a lesson to ye!
Thanks for your time!
Fred
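The per-port tally in the post above is the kind of thing that falls out of a few lines of log parsing once the router's firewall messages land in rsyslog. The following is an added example, not Fred's script and not part of the original post: it reads netfilter/iptables-style kernel log lines (the "DROP" log prefix, the field layout, and the constructed sample lines with documentation-range addresses are all assumptions), counts dropped packets by protocol and destination port, and ranks them the way the list above is ranked. Lines without a DPT field (ICMP, for instance) are counted separately rather than silently skipped, and service names are looked up from the local /etc/services so the output will differ slightly from host to host.

```python
import re
import socket
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines (not real traffic) in the format a Linux
# router's netfilter LOG target hands to syslog. The "DROP" prefix is an
# assumption; set it to whatever --log-prefix your firewall rules use.
SAMPLE_LOG = """\
Mar  3 04:11:02 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=54321 DPT=23 SYN
Mar  3 04:11:05 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=54322 DPT=23 SYN
Mar  3 04:12:40 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=40001 DPT=3343 SYN
Mar  3 04:13:01 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=40002 DPT=3343 SYN
Mar  3 04:13:09 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.45 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=40003 DPT=3343 SYN
Mar  3 04:15:22 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=33000 DPT=33434 LEN=40
Mar  3 04:16:00 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  3 04:17:31 router kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=50000 DPT=443 SYN
"""

# PROTO= always precedes DPT= in netfilter log output; DPT is absent for ICMP.
PROTO_RE = re.compile(r"\bPROTO=(?P<proto>[A-Za-z0-9]+)\b")
DPT_RE = re.compile(r"\bDPT=(?P<dpt>\d+)\b")

PortKey = Tuple[str, int]  # (protocol, destination port)


def tally_dropped_ports(lines: Iterable[str], prefix: str = "DROP") -> Tuple[Counter, int]:
    """Count dropped packets per (proto, port).

    Returns (counts, no_port) where no_port is the number of dropped lines
    that carried no DPT field at all (ICMP and friends), so they are not lost
    from the totals.
    """
    counts: Counter = Counter()
    no_port = 0
    for line in lines:
        if f"kernel: {prefix} " not in line:
            continue  # only the firewall's DROP messages, not ACCEPT or other kernel chatter
        proto_m = PROTO_RE.search(line)
        dpt_m = DPT_RE.search(line)
        if proto_m is None or dpt_m is None:
            no_port += 1
            continue
        counts[(proto_m["proto"].upper(), int(dpt_m["dpt"]))] += 1
    return counts, no_port


def ranked(counts: Dict[PortKey, int]) -> List[Tuple[PortKey, int]]:
    """Most-hit port first; ties broken by protocol then port for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def service_name(proto: str, port: int) -> str:
    """Look the port up in the local /etc/services; 'unknown' if absent."""
    try:
        return socket.getservbyport(port, proto.lower())
    except OSError:
        return "unknown"


def report(lines: Iterable[str], prefix: str = "DROP") -> List[str]:
    """Render the same 'DPT=<port> <hits>' list as the post, plus service names."""
    counts, no_port = tally_dropped_ports(lines, prefix)
    out = [f"DPT={port} {hits} ({proto.lower()}/{service_name(proto, port)})"
           for (proto, port), hits in ranked(counts)]
    out.append(f"(no destination port: {no_port})")
    return out


if __name__ == "__main__":
    # Real use: python3 thisfile.py < /var/log/router.log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for row in report(source):
        print(row)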