
Tiger Firewall Advanced settings
Dedicated MacNNer
Join Date: Jan 2002
Status: Offline
May 4, 2005, 06:27 AM
 
I use an Airport Express for my wireless network, and since activating the Firewall log in the Sharing Preferences in Tiger, it has been logging incoming network traffic trying to access my machine.
I'm listing below part of the log (from which I have removed multiple listings from the same IP).

Each line represents a log entry from a different IP address.

Can anyone decipher what the traffic is and what port it is querying?

May 3 12:51:31 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:51487 from ###.###.###.##:80

May 3 22:01:56 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:55562 from ###.###.###.##:80

May 3 22:02:28 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:55588 from ###.###.###.##:80

May 3 22:04:07 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:55594 from ###.###.###.##:80

May 3 22:04:24 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:55605 from ###.###.###.##:80

May 3 22:04:30 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:55614 from ###.###.###.##:80

May 3 22:04:30 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:55613 from ###.###.###.##:80

May 4 10:10:15 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:56297 from ###.###.###.##:80

May 4 11:13:49 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:57311 from ###.###.###.##:80

May 4 11:35:13 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:57739 from ###.###.###.##:80

May 4 12:01:40 Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:58287 from ###.###.###.##:80
     
Forum Regular
Join Date: Mar 2003
Location: Los Angeles, CA
Status: Offline
May 4, 2005, 04:17 PM
 
Looks to me like you are being port-scanned...which happens ALL the time on most broadband connections.

What is the IP address of your machine? 10.0.1.2?

And the Airport Express connects to your cable/DSL modem? So it has the IP address 10.0.1.1? Are you port forwarding everything from your AE to your computer?

All the connection attempts are "to 10.0.1.2:XXXXX" where XXXXX is the port it's trying to connect to.

I assume all the ###.###.###.## are real IP addresses, that are coming from your broadband access, right?

-Jake
Too many Apple/Mac products to even bother listing!
     
Professional Poster
Join Date: Jan 2003
Status: Offline
May 4, 2005, 06:30 PM
 
If you're really curious where all the port scans are coming from, do a lookup in a WHOIS database. The following webpage has a whole bunch of links to different whois servers. You'll be totally amazed at where all the port scanning bots are coming from, like the Far East, Europe, California, everywhere.

http://www.arin.net/whois/

You know how your broadband modem has lights that are blinking all the time, even when your computers are asleep or turned off? Well, those are the bot port scans. All the Windows machines all over the world that have been infected and taken over by remote operations.
     
Mac Elite
Join Date: Jan 2002
Location: California
Status: Offline
Jun 29, 2005, 03:10 PM
 
I have an Airport Express hooked up to a DSL modem which I have enabled Access Control on, for two iMacs in my house.

How in the world can my machine get scanned if the inquiring computers don't have access?

Is there a way to hack Access Control?

Should I even bother with the Firewall and/or any of its advanced settings?

Not that I have any National Security stuff to hide, just interested.
MacBook Pro
Mac Mini
     
CKr
Junior Member
Join Date: Jan 2004
Status: Offline
Jun 29, 2005, 03:58 PM
 
Originally Posted by Macpilot
I have an Airport Express hooked up to a DSL modem which I have enabled Access Control on, for two iMacs in my house.

How in the world can my machine get scanned if the inquiring computers don't have access?

Is there a way to hack Access Control?

Should I even bother with the Firewall and/or any of its advanced settings?

Not that I have any National Security stuff to hide, just interested.

If you have stealth mode enabled then these scanners don't receive a reply from your computer; almost as if it's nonexistent.

Port scans happen all the time, you can't stop it. All you can do is make sure your computer is secure by using a firewall, which will prevent hackers from getting into your computer. I would also advise to not run Personal Web Sharing and FTP Access unless you need it. If, for example, you have FTP Access enabled while you get port scanned and the person running the scan notices, they will try to gain FTP access to your system. Usually by first trying an anonymous login and then by using some well known usernames. Sometimes they will try brute-force and try a bunch of random passwords until they get in or give up. If you use a good password they most likely won't get in. Now keep in mind this is only if you have FTP Access enabled.
     
Junior Member
Join Date: Apr 2005
Status: Offline
Jun 29, 2005, 04:06 PM
 
I assume you are using NAT with DHCP on your Airport Express (Since your IP is 10.0.1.2). My question would be how is the port scan getting to the computer if port mapping is not turned on?
     
Junior Member
Join Date: Apr 2005
Status: Offline
Jun 29, 2005, 04:09 PM
 
Originally Posted by Scott-G
I assume you are using NAT with DHCP on your Airport Express (Since your IP is 10.0.1.2). My question would be how is the port scan getting to the computer if port mapping is not turned on?
On second thought. All the incoming IP numbers in your list are on port 80 which is the default web server port number. Could all these be responses from web sites? Once you make an outgoing connection through the firewall or router the incoming is automatically mapped back to your machine.
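
The port pattern raised in the post above can be tallied from the firewall log itself. The following is an added example, not part of any poster's message: it parses the `ipfw` Stealth Mode line format quoted in the thread and groups blocked packets by port pattern. The ephemeral range 49152-65535, the below-1024 cut-off, the category names and every sample line except the first are assumptions made for the example.

```python
import re
from collections import Counter

# Line format as quoted in the thread; the source IP may be redacted with '#'.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+ipfw:\s+"
    r"Stealth Mode connection attempt to (?P<proto>\w+)\s+"
    r"(?P<dst>[\d.#]+):(?P<dport>\d+)\s+from\s+(?P<src>[\d.#]+):(?P<sport>\d+)\s*$"
)

# Assumption: the OS picks source ports for outbound connections from here.
EPHEMERAL = range(49152, 65536)

def classify(dport, sport):
    """Heuristic label for one blocked packet (category names are made up)."""
    if dport in EPHEMERAL and sport < 1024:
        # A well-known server port sending to a port this Mac would normally
        # only have opened for an outbound connection.
        return "server-port-to-ephemeral"
    if dport < 1024:
        # Unsolicited packet aimed at a port where a service could listen.
        return "to-service-port"
    return "other"

def summarize(lines):
    """Return (labels, source_ports, service_ports_hit, unparsed_count)."""
    labels, sports, hit, unparsed = Counter(), Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        dport, sport = int(m["dport"]), int(m["sport"])
        label = classify(dport, sport)
        labels[label] += 1
        sports[sport] += 1
        if label == "to-service-port":
            hit[dport] += 1
    return labels, sports, hit, unparsed

P = "Macintosh ipfw: Stealth Mode connection attempt to TCP 10.0.1.2:"
SAMPLE = [  # first line is from the thread; the rest are constructed
    "May 3 12:51:31 " + P + "51487 from ###.###.###.##:80",
    "May 3 22:04:30 " + P + "55613 from 192.0.2.10:80",
    "May 4 09:00:01 " + P + "21 from 198.51.100.7:40112",
    "May 4 09:00:02 " + P + "80 from 198.51.100.7:40113",
    "May 4 09:00:03 " + P + "8080 from 203.0.113.5:50000",
    "May 4 09:00:04 Macintosh kernel: unrelated message",
]
```
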
     
Clinically Insane
Join Date: Nov 1999
Status: Offline
Jun 29, 2005, 04:19 PM
 
Originally Posted by Scott-G
On second thought. All the incoming IP numbers in your list are on port 80 which is the default web server port number. Could all these be responses from web sites? Once you make an outgoing connection through the firewall or router the incoming is automatically mapped back to your machine.
Although you initiate a connection to a Web server on port 80, the server answers back on a different port. So no, this probably isn't just innocent Web traffic. It is probably a port scan. It's common for portscanners to use port 80, because it gets through most firewalls. Admins often allow outgoing connections to that port but forget to block outgoing connections from that port, and so this doesn't raise any alarm bells.

The good news is that if your firewall is in stealth mode then there's probably nothing to worry about. The scanner isn't getting any data back from your machine. Not only does he (she?) have no way of knowing for sure that a machine is there, but his port scans are being slowed down, because he has to wait for every ping to time out before attempting the next. This is, as one might imagine, highly annoying to a scanner. He will probably give up soon. In the meantime, the pings shouldn't be consuming enough bandwidth to affect your network speed significantly, so it should be safe to ignore it.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Professional Poster
Join Date: Jan 2003
Status: Offline
Jun 29, 2005, 04:21 PM
 
Basic answer: If you're on a Mac, you don't need to worry about any of these port scans, period. Even if you don't have the firewall up, you don't need to worry. There are no exploits on the Mac that I know of. You should have the firewall up in any case, natch, and if you've got any services enabled, then make sure you don't have a dictionary-type password or user ID.

All these bot port scans are looking for vulnerable and exploitable Windows PCs and servers, so they can install all sorts of malware. Bot scans are a fact of life on the internet, but just as there are 177,000 or whatever viruses yet Macs don't have to worry about any of them (except passing them on to their PC friends, or Office Macro junk), in the same way, you don't need to worry about port scanning.

If you've got a PC on your LAN, then you need to worry.
     
Clinically Insane
Join Date: Nov 1999
Status: Offline
Jun 29, 2005, 08:41 PM
 
Originally Posted by amazing
Basic answer: If you're on a Mac, you don't need to worry about any of these port scans, period.
Not quite true; it depends on what you're doing with it. It's possible to misconfigure a service in such a way that you can be hacked. I did it myself once, back in the early days of OSX. In my case, I set up my FTP server in a dumb way. Port scans will find FTP servers which can be examined later for exploits like these.

That said, if you're not running any servers, then you don't need to worry about that. OSX's defaults are quite secure, so unless you've gone fiddling with things there then there is little to fear.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
   
All contents of these forums © 1995-2011 MacNN. All rights reserved.