Why am I getting hits on port 119?


Post by Luke » Thu, 24 Feb 2000 04:00:00




denial log and I'm getting a lot of messages like this:

Feb 23 06:19:07 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6
24.0.94.130:44054 xx.xx.xx.xx:119 L=40 S=0x00 I=65406 F=0x0000 T=242
(#106)



computer's ip address).

My firewall shuts out all packets, so I can understand why I was getting

server to 1024, and now 119.

Does sendmail (or whatever MTA they're using) try a variety of ports on
the end computer if the first doesn't work?  I don't understand how this
works...
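Added example, not part of any post in this thread: a Python parser for ipchains `Packet log:` entries like the one quoted above. It rejoins entries that were wrapped across lines and groups denied destination ports by source address, so a single host probing several ports stands out. The second and third sample entries, the 192.0.2.7 address and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# ipchains log fields: chain, verdict, interface, IP protocol number,
# src ip:port, dst ip:port, L=total length, S=TOS, I=IP ID,
# F=fragment word, T=TTL, (#rule number).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>\S+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+)(?P<extra>[^(]*)\(#(?P<rule>\d+)\)"
)
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {23: "telnet", 25: "smtp", 80: "www", 119: "nntp"}

def parse(text):
    """Return one dict per log entry; entries wrapped over lines are rejoined."""
    flat = " ".join(text.split())          # undo mail-client line wrapping
    entries = []
    for m in LOG_RE.finditer(flat):
        e = m.groupdict()
        for k in ("proto", "sport", "dport", "length", "ttl", "rule"):
            e[k] = int(e[k])
        e["proto_name"] = PROTO.get(e["proto"], str(e["proto"]))
        e["service"] = SERVICES.get(e["dport"], "unknown")
        entries.append(e)
    return entries

def ports_by_source(entries):
    """Map each source address to the sorted destination ports it was denied on."""
    seen = defaultdict(set)
    for e in entries:
        if e["verdict"] == "DENY":
            seen[e["src"]].add(e["dport"])
    return {src: sorted(ports) for src, ports in seen.items()}

# First entry is the one quoted in the post; the other two are constructed.
SAMPLE = """\
Feb 23 06:19:07 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6
24.0.94.130:44054 xx.xx.xx.xx:119 L=40 S=0x00 I=65406 F=0x0000 T=242
(#106)
Feb 23 06:21:40 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:3101 xx.xx.xx.xx:1024 L=40 S=0x00 I=512 F=0x0000 T=51 (#106)
Feb 23 06:21:41 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:3102 xx.xx.xx.xx:119 L=40 S=0x00 I=513 F=0x0000 T=51 (#106)
"""

if __name__ == "__main__":
    for src, ports in ports_by_source(parse(SAMPLE)).items():
        print(src, [(p, SERVICES.get(p, "unknown")) for p in ports])
```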

 
 
 


Post by travmac » Thu, 24 Feb 2000 04:00:00


I don't know why you'd be getting hits on this port, but it is for nntp.
Newsgroups


> denial log and I'm getting a lot of messages like this:

> Feb 23 06:19:07 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6
> 24.0.94.130:44054 xx.xx.xx.xx:119 L=40 S=0x00 I=65406 F=0x0000 T=242
> (#106)



> computer's ip address).

> My firewall shuts out all packets, so I can understand why I was getting

> server to 1024, and now 119.

> Does sendmail (or whatever MTA they're using) try a variety of ports on
> the end computer if the first doesn't work?  I don't understand how this
> works...


 
 
 


Post by David . » Thu, 24 Feb 2000 04:00:00


Port 119 is the nntp or news server port. Do you have a news server
set up?

You might want to check out Portsentry available at:

http://www.psionic.com/abacus/portsentry/

Also you may want to block those ports with your firewall.

David
--
Due to the extreme spam abuse! Remove all z's and x's from above to
reach me.
Thank the spammers, the A..holes that they are! Still can't reach me?
Then your address range has been blocked due to previous SPAM abuse.
SORRY! I hate SPAM!

 
 
 


Post by Kevin Mart » Thu, 24 Feb 2000 04:00:00



>I don't know why you'd be getting hits on this port, but it is for nntp.
>Newsgroups


blacklist) if they continued to allow people who didn't know how to secure
their machines to operate open servers.  They are now aggressively checking
to make sure that port 119 is locked down.  That might be what Luke is
seeing.



>> denial log and I'm getting a lot of messages like this:

>> Feb 23 06:19:07 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6
>> 24.0.94.130:44054 xx.xx.xx.xx:119 L=40 S=0x00 I=65406 F=0x0000 T=242
>> (#106)


>> sending.

 
 
 


Post by Luke » Thu, 24 Feb 2000 04:00:00


That could be a possibility.  I'm not running a news server though.

> >I don't know why you'd be getting hits on this port, but it is for nntp.
> >Newsgroups


> blacklist) if they continued to allow people who didn't know how to secure
> their machines to operate open servers.  They are now aggressively checking
> to make sure that port 119 is locked down.  That might be what Luke is
> seeing.




> >> denial log and I'm getting a lot of messages like this:

> >> Feb 23 06:19:07 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6
> >> 24.0.94.130:44054 xx.xx.xx.xx:119 L=40 S=0x00 I=65406 F=0x0000 T=242
> >> (#106)


> >> sending.

 
 
 


Post by Kevin Philli » Fri, 25 Feb 2000 04:00:00



>That could be a possibility.  I'm not running a news server though.

A bunch of people are running Windows boxes with Wingate.  Wingate
provides proxy services so a small network can access the internet
through a single IP address (while everyone on the LAN uses the
192.168.x.x address range).

The problem is that in its default configuration, Wingate is wide
open and will provide proxy services for everyone.  Thus, if a
user is running Wingate without taking the time to set it up, a

and spam the hell out of everyone.  This can also work for all
the other standard ports (telnet, smtp, www, etc.).


looking for more open proxies.

Best regards,
Kevin

 
 
 


Post by Sellar » Tue, 29 Feb 2000 04:00:00



> Feb 23 06:19:07 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6
> 24.0.94.130:44054 xx.xx.xx.xx:119 L=40 S=0x00 I=65406 F=0x0000 T=242
> (#106)



> computer's ip address).

> My firewall shuts out all packets, so I can understand why I was getting

> server to 1024, and now 119.

> Does sendmail (or whatever MTA they're using) try a variety of ports on
> the end computer if the first doesn't work?  I don't understand how this
> works...

No... Port 119 is the NNTP server port. Maybe some computer outside your
network is trying to access your NNTP server or, even though I don't think
so, somebody misconfigured a newsfeeding system and is trying to use
your server to this end...

--
Sellaro

Laboratorio do Mestrado em Ciencia da Computacao
Network Administrator - Departamento de Computacao - UFC

PGP Key Available Upon Request

 
 
 


Post by Lew Pitch » Tue, 29 Feb 2000 04:00:00





>> Feb 23 06:19:07 (myHostName) kernel: Packet log: input DENY eth0 PROTO=6
>> 24.0.94.130:44054 xx.xx.xx.xx:119 L=40 S=0x00 I=65406 F=0x0000 T=242
>> (#106)



>> computer's ip address).

>> My firewall shuts out all packets, so I can understand why I was getting

>> server to 1024, and now 119.

>> Does sendmail (or whatever MTA they're using) try a variety of ports on
>> the end computer if the first doesn't work?  I don't understand how this
>> works...

>No... Port 119 is the NNTP server port. Maybe some computer outside your
>network is trying to access your NNTP server or, even though I don't think
>so, somebody misconfigured a newsfeeding system and is trying to use
>your server to this end...




implementing tighter security on their nntp servers, and by
instituting a policy of not allowing customers to run unsecured nntp
servers.


nntp servers within their network.

Lew Pitcher
System Consultant
Toronto Dominion Financial Group


(Opinions expressed are my own, not my employer's.)

 
 
 
