On 2016-08-08 13:14, André Paulsberg-Csibi wrote:
I adjusted logs to keep only "smallest critical" data left :)
Hmm, I think I should filter that a bit. ;-)
From what I can see these logs show, you have 2 things happening:
the last from AUG 6 seems like a normal session that is no longer
responding (maybe timed out)
No outbound connections to TCP 1433 here, and no inbound either.
Maybe the attackers are looking for systems behind old non-stateful FW
that only block SYN packets and
allow any other flagged packets into their systems assuming they are
"safe" ...
... most likely (and you can try) if you grep for
"SRC=109.170.163.174" you will most likely find
3-8 tries, and maybe 1 or 2 with SYN first.
Actually, there have been 53 connections, perhaps because I am tarpitting
instead of rejecting.
Olaf
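Counting per-source hits the way André suggests (grep for the SRC= address), but also splitting plain SYN attempts from the non-SYN probes he describes, as an added example that is not part of the thread; the log lines are constructed (fields trimmed), the source address is the one quoted above, and the other addresses are made up:

```python
from collections import Counter, defaultdict

# Constructed netfilter LOG sample, not from the original mail; the SRC address
# is the one quoted in the thread, DST/other hosts are documentation addresses.
SAMPLE_LOG = """\
Aug  6 10:01:02 gw kernel: IN=eth0 OUT= SRC=109.170.163.174 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=1433 RES=0x00 SYN URGP=0
Aug  6 10:01:03 gw kernel: IN=eth0 OUT= SRC=109.170.163.174 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=1433 RES=0x00 ACK URGP=0
Aug  6 10:01:04 gw kernel: IN=eth0 OUT= SRC=109.170.163.174 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=1433 RES=0x00 ACK URGP=0
Aug  6 10:01:05 gw kernel: eth0: link is up
Aug  6 10:01:06 gw kernel: IN=eth0 OUT= SRC=109.170.163.174 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=1433 RES=0x00 ACK URGP=0
Aug  6 10:01:07 gw kernel: IN=eth0 OUT= SRC=109.170.163.174 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=1433 RES=0x00 ACK FIN URGP=0
Aug  6 10:01:08 gw kernel: IN=eth0 OUT= SRC=109.170.163.174 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=1433 RES=0x00 RST URGP=0
Aug  6 10:02:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 RES=0x00 SYN URGP=0
"""

# Bare tokens the LOG target emits for set TCP flags (they carry no '=').
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return (fields, flags) for a netfilter LOG line, or None for other kernel lines."""
    if "SRC=" not in line or "PROTO=" not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags


def summarize_by_source(log_text, dport=None):
    """Per SRC: total TCP hits, SYN-only (new connection attempts), and packets with no SYN at all.

    A high no_syn count with few SYNs is the pattern the thread describes: probes that
    would slip past a stateless filter which drops only SYN.  dport restricts to one port.
    """
    summary = defaultdict(lambda: {"total": 0, "syn_only": 0, "no_syn": 0, "dports": Counter()})
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None or parsed[0].get("PROTO") != "TCP":
            continue
        fields, flags = parsed
        if dport is not None and fields.get("DPT") != str(dport):
            continue
        entry = summary[fields["SRC"]]
        entry["total"] += 1
        entry["dports"][fields.get("DPT")] += 1
        if flags == {"SYN"}:
            entry["syn_only"] += 1
        elif "SYN" not in flags:
            entry["no_syn"] += 1
    return dict(summary)
```

Run it against a real `/var/log/kern.log` (or journalctl -k output) to get the same per-source breakdown for the whole log rather than a single grep.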
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html