Subject: Re: Constant attack alert from local IP
To: Mark R. Nathan <mark@nathan.net>
From: Allen Briggs <briggs@wasabisystems.com>
List: port-mac68k
Date: 11/17/2000 10:34:13

On Fri, Nov 17, 2000 at 01:32:42AM -0800, Mark R. Nathan wrote:
> Nov 17 01:01:58 dns1 portsentry[183]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 162
> Nov 17 01:01:58 dns1 portsentry[183]: attackalert: Host: 192.168.1.1 is already blocked. Ignoring

UDP port 162 is "snmp-trap".

> DSL modem <-> 5 port Dayna Hub
> 
>   Dayna Hub <-> BSD server  (Has its own separate static IP)
>             <-> Linksys router/switch  (Has its own separate static IP)
> 
>   Linksys Router/NAT <-> servers 6 local PC's and Mac's

Who has address 192.168.1.1?  Is that your BSD server or the router?
Are you running any snmp applications on either one?  Have you tried
running tcpdump to see what's actually coming in/going out?  How often
are you seeing this?  Am I out of questions yet?  ;-)

-allen
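
Added example, not part of the original message: one way to answer "how often are you seeing this?" from the portsentry log itself, by grouping the `Connect from host` alerts per source and port and timing the gaps between them. The names `summarize`, `SAMPLE_LOG`, `CONNECT`, `RFC1918` and `PORT_NAMES` are hypothetical, every sample line after the first two is constructed, and the year is assumed because syslog timestamps omit it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in portsentry's format; only the first two lines are from the thread.
SAMPLE_LOG = """\
Nov 17 01:01:58 dns1 portsentry[183]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 162
Nov 17 01:01:58 dns1 portsentry[183]: attackalert: Host: 192.168.1.1 is already blocked. Ignoring
Nov 17 01:06:58 dns1 portsentry[183]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 162
Nov 17 01:11:58 dns1 portsentry[183]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 162
Nov 17 01:12:30 dns1 portsentry[183]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
"""

CONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sportsentry\[\d+\]:\sattackalert:\s"
    r"Connect from host: \S+/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_NAMES = {("UDP", 162): "snmp-trap"}  # the one port named in the thread


def summarize(log_text, year=2000):
    """Group 'Connect from host' alerts by (source, proto, port) and time the gaps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CONNECT.match(line.strip())
        if m is None:  # e.g. the "already blocked" follow-up lines
            continue
        # Syslog omits the year, so the caller supplies it (assumed 2000 here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[(m["ip"], m["proto"], int(m["port"]))].append(ts)
    report = []
    for (ip, proto, port), times in sorted(hits.items()):
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report.append({
            "source": ip,
            "local": any(ipaddress.ip_address(ip) in net for net in RFC1918),
            "service": f"{proto}/{port} ({PORT_NAMES.get((proto, port), 'unnamed')})",
            "count": len(times),
            "gaps_s": gaps,
            # Near-constant gaps suggest a sender on a timer, not ad hoc probing.
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= 2,
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A private source address with evenly spaced alerts on UDP/162 narrows the search to a device on the local segment, which is where a packet capture on that port would confirm the sender.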