Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
There is a forum at a reputed Hungarian portal which suddenly became unavailable to our users.
Digging into the problem, I found that the reason why the Hungarian forum became unreachable is that my portscan detection script automatically denied IP address 128.59.19.58 as it sent us a TCP SYN packet to port 6000.
The port scanning IP address belongs to a university, in the US.
Do you know any legal reasons why a foreign computer in the US scans your port 6000 when you visit a forum in Hungary?
(and the Hungarian forum becomes unreachable when you deny that IP address)
Port 6000, if I'm not mistaken, is for remote access to the X server.
So apparently someone is trying to access your system.
Everything I have read about security regarding this port is that it is a good idea to keep it closed. Don't know any specific legalities regarding this, but my personal policy regarding people who scan/try to access my system without permission is to assume they are doing so with bad intentions and respond accordingly.
Yes, port 6000/TCP is the default port for display :0 when listening for TCP connections. If some site automatically tries to probe your IP when you connect to it, the intentions are almost certainly bad. The one case where this routinely happens is when connecting to IRC. Because of all the IRC wars, many ircd operators have modified their daemons to initiate a portscan against an IP before allowing the connection. If the IP has any exploitable services running, it won't allow the connection (because either the user is going to get owned by IRC kiddies, or because the host could very well be a zombie that's already owned and is dialing home).
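An added example, not part of the thread: a local check for whether anything is actually listening on the X11 TCP ports the replies describe (6000 + display number), by parsing `/proc/net/tcp`. The sample table is constructed, and the display range and little-endian address layout are assumptions.

```python
"""Report LISTEN sockets on X11 TCP ports (6000 + display number)."""
import ipaddress
import os

X11_BASE = 6000        # display :N listens on TCP port 6000 + N
X11_MAX_DISPLAY = 63   # assumption: check displays :0 through :63
TCP_LISTEN = "0A"      # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:1771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0A00000A:1770 0A0200C0:D431 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1
"""


def x11_listeners(proc_net_tcp_text):
    """Return [(display, ip, port, exposed)] for LISTEN sockets on X11 ports.

    exposed is True when the socket is bound to a non-loopback address.
    Assumes a little-endian host, where 127.0.0.1 is printed as 0100007F.
    Only IPv4 is covered; /proc/net/tcp6 uses a different address layout.
    """
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # ignore established/other states and short lines
        hex_ip, hex_port = fields[1].split(":")
        port = int(hex_port, 16)
        display = port - X11_BASE
        if not 0 <= display <= X11_MAX_DISPLAY:
            continue  # not an X11 display port
        ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
        found.append((display, str(ip), port, not ip.is_loopback))
    return found


if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for display, ip, port, exposed in x11_listeners(text):
        status = "reachable from the network" if exposed else "loopback only"
        print(f"display :{display} listening on {ip}:{port} ({status})")
```

No output on a real host means no IPv4 socket is listening in that port range, so a SYN to port 6000 has nothing to connect to.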