[quote author=Blaqb0x link=board=5;threadid=4797;start=0#47735 date=1030792998]
I was looking at my /var/log/messages log and found this entry repeatedly.
It looks like DST was trying to connect to DPT.
I looked up the port (TCP 1433) and it's ms-sql. I'm not running ms-sql of course. I'm kinda new to iptables but, is this where the packets get logged? Can anyone do more analysis on this log entry?
TOS? PREC? WINDOW? RES? SYN?
Aug 28 18:05:40 cvd-bs3-8 kernel: gShield (default drop) IN=eth0 OUT= MAC=00:01:02:83:de:73:00:10:67:00:50:21:08:00 SRC=18.104.22.168 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=40680 DF PROTO=TCP SPT=22486 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
It looks like a packet from ip 66-64.20.87 was trying to connect to a mysql server on your box. Your original assumption was correct. Really there's nothing else to report about it.
TOS = (type of service) An 8 bit field in the IP header that provides prioritization information. Basically this flag tells receiving hosts to give an IP packet higher priority than others waiting to be processed. This field is rarely used.
PREC = I would like to say this field is part of the type of service portion of the ip header, but I'm not sure.
Window = A 16 bit field of the TCP header used for flow control. In a nut shell it is the amount of data that a sending host's buffer can receive based upon the amount of room available in the buffer, the frequency at which the buffer is drained and other factors.
RES = (reserved) A 6 bit field of the tcp header that should remain unused and set to zero.
SYN = (synchronize) Means that the syn flag was set in the incoming packet header. The syn flag is the first part of the tcp/ip three-way-handshake and usually is a tell-tale sign of a host trying to establish a session with a service on your box.
As far as I can tell, all those fields are zeroed out (meaning no flags are set in them) so the packet simply appears to be a regular old packet sent from a sql client (or something else probing that port on your box). See if you can find out who is at that ip. They may have just misconfigured their box. I would grep /var/log/messages for other packets from that source to see what else that ip is up to. Also grep messages to see if other src ips are trying to connect to that port. Chances are--if you have nothing running on that port and are getting tons of establishment requests from the same host--it's simply a misconfigured client somewhere. Have you nmapped your box to see what ports are open?
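As an added example (it is not code from either poster), here is a small Python script that parses lines in the netfilter LOG format shown above, the format the iptables LOG target writes to the kernel log and syslog delivers to /var/log/messages, and then does the two greps the reply suggests: it counts TCP SYN (connection) attempts per source address and destination port, and lists which sources hit a given port. Only the first sample line is the one from the post; the other lines, and the addresses 203.0.113.7, 198.51.100.22 and 192.0.2.10, are constructed for the example.

```python
import re
from collections import Counter

# KEY=VALUE token; VALUE may be empty, as in "OUT=" for an inbound packet.
_TOKEN = re.compile(r"(\w+)=(\S*)")

# Bare tokens netfilter emits for set flags: TCP flags and IP-level DF/MF/CE.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
IP_FLAGS = {"DF", "MF", "CE"}

# Constructed sample log: line 0 is the entry from the post, the rest are made up
# (addresses taken from the documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_LOG = [
    "Aug 28 18:05:40 cvd-bs3-8 kernel: gShield (default drop) IN=eth0 OUT= MAC=00:01:02:83:de:73:00:10:67:00:50:21:08:00 SRC=18.104.22.168 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=40680 DF PROTO=TCP SPT=22486 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug 28 18:05:43 cvd-bs3-8 kernel: gShield (default drop) IN=eth0 OUT= MAC=00:01:02:83:de:73:00:10:67:00:50:21:08:00 SRC=18.104.22.168 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=40681 DF PROTO=TCP SPT=22486 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug 28 18:07:12 cvd-bs3-8 kernel: gShield (default drop) IN=eth0 OUT= MAC=00:01:02:83:de:73:00:10:67:00:50:21:08:00 SRC=203.0.113.7 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5120 DF PROTO=TCP SPT=3177 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Aug 28 18:09:30 cvd-bs3-8 kernel: gShield (default drop) IN=eth0 OUT= MAC=00:01:02:83:de:73:00:10:67:00:50:21:08:00 SRC=198.51.100.22 DST=MY_IP LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9001 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug 28 18:10:02 cvd-bs3-8 kernel: gShield (default drop) IN=eth0 OUT= MAC=00:01:02:83:de:73:00:10:67:00:50:21:08:00 SRC=203.0.113.7 DST=MY_IP LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=5121 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Aug 28 18:10:15 cvd-bs3-8 sshd[4123]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2",
]


def parse_netfilter_line(line):
    """Parse one syslog line carrying a netfilter LOG record.

    Returns a dict of KEY=VALUE fields plus 'flags' (set of bare flag tokens)
    and 'prefix' (the --log-prefix text, e.g. "gShield (default drop)"),
    or None if the line is not a netfilter LOG record.
    A repeated key (the UDP/TCP LEN after the IP LEN) overwrites the earlier one.
    """
    if "IN=" not in line or "PROTO=" not in line:
        return None
    start = line.index("IN=")
    kernel_tag = "kernel: "
    k = line.find(kernel_tag)
    prefix = line[k + len(kernel_tag):start].strip() if k != -1 else ""
    fields = {"prefix": prefix, "flags": set()}
    for tok in line[start:].split():
        m = _TOKEN.fullmatch(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        elif tok in TCP_FLAGS or tok in IP_FLAGS:
            fields["flags"].add(tok)
    return fields


def connection_attempts(lines):
    """Count TCP packets with SYN set and ACK clear (session establishment
    attempts) keyed by (source address, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            counts[(rec["SRC"], rec["DPT"])] += 1
    return counts


def sources_probing_port(lines, dport):
    """Sorted list of source addresses that sent a SYN to the given TCP port."""
    return sorted({src for (src, d) in connection_attempts(lines) if d == str(dport)})


if __name__ == "__main__":
    # Equivalent of: grep 'DPT=1433' /var/log/messages, then grep on each SRC.
    for (src, dpt), n in connection_attempts(SAMPLE_LOG).most_common():
        print(f"{src:>16} -> TCP/{dpt:<5} {n} SYN(s)")
    print("sources hitting 1433:", sources_probing_port(SAMPLE_LOG, 1433))
```

To run it against a real file, replace SAMPLE_LOG with the lines of /var/log/messages (e.g. `open("/var/log/messages")`); lines that are not netfilter records are skipped, so the whole file can be fed in unfiltered.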