Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[anonposter]

Lately I've been getting a number of messages and I don't know how to decipher them. 

[INFO] Sun Jun 14 00:14:34 2009 Blocked incoming TCP packet from XX.XXX.XX.XXX:80 to XX.XXX.XX.XXX:53404 as FIN:ACK received but there is no active connection
[INFO] Sun Jun 14 00:14:31 2009 Blocked incoming TCP packet from XX.XXX.XX.XXX:80 to XX.XXX.XX.XXX:53398 as FIN:ACK received but there is no active connection
[INFO] Sun Jun 14 00:14:22 2009 Blocked incoming TCP packet from XX.XXX.XX.XXX:80 to XX.XXX.XX.XXX:53400 as FIN:ACK received but there is no active connection
[INFO] Sun Jun 14 00:14:21 2009 Blocked incoming TCP packet from XX.XXX.XX.XXX:80 to XX.XXX.XX.XXX:53412 as FIN:ACK received but there is no active connection

This will continue using the same destination ip with a different port.  I've also seen a similar number of RST:ACK errors doing the same.  Can anyone help me identify what I can do on my end to solve these?  I can give additional information about my setup if that will help, but I don't know what information is useful.

[Henk55]

I uncheck the  'Informational' setting in the LOG OPTIONS and apply it.
It saves me over 200 logs a day!

But for attacks analyze you could turn it on for some time.
Feel free to use it.

[Demonized]

Nothing to worry about. These entries will occur when a either the browsing window has already closed or the website visited is already exited, but still gives a connection acknowledgement (which is no longer valid).

[EddieZ]

Like Demonized says, this are not attacks. It's just blocking traffic to connections already closed on your PC.

[Henk55]

During the night I've logged last year, btw no PC (or NAS) running that time and one hour before.
These are the attacks;

[INFO]   Sun Jul 06 01:44:46 2008   Blocked incoming TCP connection request from 86.121.209.52:35918 to 217.122.231.245:22
[INFO]   Sun Jul 06 01:44:43 2008   Above message repeated 1 times
[INFO]   Sun Jul 06 03:32:01 2008   Blocked incoming TCP connection request from 82.201.237.193:3140 to 217.122.231.245:23
[INFO]   Sun Jul 06 05:30:40 2008   Blocked incoming TCP connection request from 217.153.169.251:51228 to 217.122.231.245:22
[INFO]   Sun Jul 06 05:30:37 2008   Above message repeated 1 times

Therefore I uncheck the Informational setting.
They never can reach my LAN (sofar), and never can connect to my old IP-adress.

[Demonized]

I guess you have/had an FTP running on the LAN?


Remove your IP address, by the way / Verwijder je IP even :-)

[Henk55]

I guess you have/had an FTP running on the LAN?


Remove your IP address, by the way / Verwijder je IP even :-)

No!
Every device was off!

My IP is changed to a new IP adress, so no wurry about it, or...

[Demonized]

...When your PC/NAS was turned on I mean...

[Clancy]

At the risk of showing what I don't know, when I unblocked my SMTP, TCP port on my McAfee firewall, thinking it would help send router logs, I began receiving a flood of such requests. Blocking it again stopped that nonsense and it had no effect on log mail delivery. Do you have any TCP ports unnecessarily unblocked?

[Henk55]

...When your PC/NAS was turned on I mean...

No not on that time (Jul 06 2008, midnight), and the LOG's are retrieved from the WAN side!

[Demonized]

No not on that time (Jul 06 2008, midnight), and the LOG's are retrieved from the WAN side!

I mean: when you have your NAS/FTP enabled and you can reach them from the oustidde (WAN) side, there is no logging or blocking (because the FTP/NAS is responding). When the FTP is inactive you will see these messages.