Unusually large? number of connection attempts to MY system...
#1
I have been doing some looking about how to better secure my system as I'm getting satellite internet (ONLY option available for me if I want better than dialup - and I mean ONLY) and will be always connected, so to speak. Actually, for many months now, I am basically always connected via AOL - they never disconnect me so I just stay on for days at a time until I reboot or disconnect for some other reason, so I really should have known more about being secure to the maximum all along.

I have just always used OS X firewall and set at most secure - Stealth Mode enabled no services enabled. Probably I am ok with these settings?

However, in checking Firewall Log, I was shocked to see such a large (IMO) number of connection attempts - between midnight last night and 9 PM tonight a total of 444! Yes, 444 - is that a lot? Seems so to me, but that's why I'm here asking.

Most have similar wording in the log, usually one of the two following:

1. Stealth Mode connection attempt to UDP 172.192.183.182 from (some IP here) - this is most frequent type

2. 12190 Deny TCP 12.24.127.147:16679 172.192.183.182:2967 in via ppp0 in via ppp0 with the 2nd IP being mine; only item that changes is other IP number

Ran a Whois on just a few of the IP numbers and came up with such innocent-sounding names as:

Women's Health
Shaw Cable

and then came to one that said:

OrgName: African Network Information Center
OrgID: AFRINIC
Address: 03B3 - 3rd Floor - Ebene Cyber Tower
Address: Cyber City
Address: Ebene
Address: Mauritius
City: Ebene
StateProv:
PostalCode: 0001
Country: MU

ReferralServer: whois://whois.afrinic.net

Have the Nigerian emailers found me? I NEVER read their emails.

But seriously, folks, does anyone that knows about this kind of stuff have any thoughts on all this - does anyone that doesn't know but might hazard a guess?

Thanks for any thoughts.
Reply
#2
Only 444?

I had 2500 attempts in 2 hours on my Asterisk server. I had to take down the web access because it was starting to impact my call quality. That sucks. I need to learn how to create an ssh tunnel.
Reply
#3
Seriously, most Windows computers not under corporate IT care (i.e. Mom and Dad's computer) are serving at least 1 botnet overlord. They just hang out on the net scanning random IP addresses looking for victims. They curse under their breath every time that they scan your IP address...D@mn Macs!

I'd say that you're fine.
Reply
#4
there really isn't anything out there in the way of mac exploits.

if you have any sharing turned on then make sure your passwords are good.

otherwise, relax.
Reply
#5
Thanks for the info - I didn't know if 444 was an unusually large number or not - nothing to compare to.

I only recently discovered the Firewall Log - I've had the OS firewall set up pretty locked up all along, I figured, and also figured that I was ok. I never really thought that many, if any, other computers would be trying to access my system. Especially when I was signing on and off more frequently; I discovered about 2 years ago that AOL never bothered me but I still disconnected daily, or more often sometimes. Then, I started staying online longer and longer until now - for a week or two at a time. With satellite, I suppose it will be forever.

Sounds like you guys responding in this post pretty much are saying that I needn't worry. I appreciate the input.

If I ever have File Sharing on, as I sometimes do when connected to another Mac I use, would that pose additional risk with all other settings (firewall) remaining the same?
Reply
#6
The only thing that would then become vulnerable are the files you are sharing, but only if your password gets compromised. It is possible to block the File Sharing port number using a router so that you can still share locally, but not to the outside world.
Reply
#7
Thanks mikebw - I'm pretty sure my pw is safe and although I won't be using a router initially, I will get one shortly and share access with a couple more computers.

Appreciate all the info provided and I feel pretty good about being secure; kind of thought I might be but still not as sure/knowledgeable about these issues as I would like.

All brought on by my "discovery" of all these "folkses" trying to attack me...never had any thought that it was happening much, if at all. Guess I learned a bit here.

Thanks again.
Reply
#8
In reviewing these connection attempts, I find that they all are of 3 "types"

1. "Stealth Mode connection attempt to UDP (my IP number)"

2. "12190 Deny TCP (their IP number) (my IP number) in via ppp0"

3. "20000 Deny ICMP (their IP number) (my IP number) in via ppp0"

Now, what are they "sending" and what are they "getting" - and if they are getting nothing in the way of a reply, as I suppose, how would having my password help, or would it?

Some of my port numbers being "queried" are: 2968, 2967, 1026, 1027, 1028, and 1434.

Thanks.
Reply
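
Added example, not part of any post in this thread: a small Python tally of the three log line shapes quoted above, grouped by protocol and destination port with the number of distinct sources for each, which is the quickest way to see whether 444 entries are many hosts probing a few ports or one host persisting. The sample lines are constructed; the `:port` suffix on the Stealth Mode lines and the names `parse_line` and `summarize` are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the three shapes quoted in the thread. Only the
# first Deny TCP line uses addresses from the thread; the rest are made up
# (documentation ranges), and the ":port" on Stealth Mode lines is assumed.
SAMPLE_LOG = """\
Stealth Mode connection attempt to UDP 172.192.183.182:1026 from 192.0.2.10:40001
Stealth Mode connection attempt to UDP 172.192.183.182:1434 from 198.51.100.7:1093
Stealth Mode connection attempt to UDP 172.192.183.182:1026 from 203.0.113.5:33000
12190 Deny TCP 12.24.127.147:16679 172.192.183.182:2967 in via ppp0
12190 Deny TCP 192.0.2.10:2201 172.192.183.182:2967 in via ppp0
20000 Deny ICMP 198.51.100.7 172.192.183.182 in via ppp0
ipfw: some unrelated line
"""

ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"   # IPv4 with optional :port
STEALTH = re.compile(rf"Stealth Mode connection attempt to (TCP|UDP) {ADDR} from {ADDR}")
DENY = re.compile(rf"(\d+) Deny (TCP|UDP|ICMP)\S* {ADDR} {ADDR} in via (\S+)")

def parse_line(line):
    """Return (kind, proto, src_ip, dst_port) or None for unrecognised lines."""
    m = STEALTH.search(line)
    if m:
        proto, _dst_ip, dst_port, src_ip, _src_port = m.groups()
        return ("stealth", proto, src_ip, int(dst_port) if dst_port else None)
    m = DENY.search(line)
    if m:
        _rule, proto, src_ip, _src_port, _dst_ip, dst_port, _iface = m.groups()
        return ("deny", proto, src_ip, int(dst_port) if dst_port else None)
    return None

def summarize(text):
    """Count attempts per (proto, dst_port) and collect distinct sources for each."""
    counts, sources, skipped = Counter(), defaultdict(set), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep a count so format drift is visible
            continue
        _kind, proto, src_ip, dst_port = rec
        counts[(proto, dst_port)] += 1
        sources[(proto, dst_port)].add(src_ip)
    return counts, sources, skipped

if __name__ == "__main__":
    counts, sources, skipped = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(key, n, "attempts from", len(sources[key]), "sources")
    print("unparsed lines:", skipped)
```

To run it on a real log, pass the file's contents to `summarize()` in place of `SAMPLE_LOG`; a non-zero unparsed count means the log contains line formats other than the three shown in the thread.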
#9
Read my answer in the other forum.
Reply
#10
Thanks modelamac - didn't even know my post went up there. I tried to post, got error message, other erratic behavior to the extent that I wrote email to them.

If anyone is reading this that might have some info on my "One more thing" post just above, please go ahead and sock it to me (and others that might like to know...)
Reply

