My best guess is that these are typical script-kiddie connection attempts. I too get hundreds of scans a day, many to the same ports.
> the primary candidates for connection attempts so far have been to
> 21/tcp(ftp)

Root exploits, places to get/store warez.

> 53/tcp(dns)

Root exploits.

> 80/tcp(http)

Code red worm, free files.

> 111/tcp(sunrpc)

Root exploits.

> 515/tcp(lpd)

Root exploits.

> 79/tcp(finger)

Info on system (use cfingerd, or some other logging finger program to find out who is fingering you and what they're looking for).

> 25/tcp(smtp)

Possible sendmail exploits, or a spammer looking for an open relay.

> 43/tcp(whois).

Dunno.

As you can see, most of those ports have root exploits attached to them. Admittedly, most of the exploits are old, but if there's one thing that Code Red has taught us, it's that sysadmins don't always patch their systems. Since scanning is cheap, may as well look for the holes!

I personally keep the log files and have them reported to me. However, you might look into "fwanalog" and see if you can just get daily summaries of the blocked packets, rather than hourly reports. Also, look into iptables "--limit" directive; it keeps the reporting of similar packets (same host/port) down to a reasonable level.

Jason

--
Jason Healy | [EMAIL PROTECTED]
LogN Systems | http://www.logn.net/
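As an added illustration of the "daily summary instead of hourly reports" idea (not code from the post, fwanalog or anyone in the thread): a small Python summarizer that collapses iptables LOG lines into per-day counts by destination port and source address. The log lines, host name and addresses are constructed for the example, and the port annotations are the ones given above.

```python
import re
from collections import Counter

# Service names for the ports discussed in the thread (constructed lookup).
PORT_NOTES = {21: "ftp", 25: "smtp", 43: "whois", 53: "dns",
              79: "finger", 80: "http", 111: "sunrpc", 515: "lpd"}

# Pull the day, source, protocol and destination port out of a kernel LOG line.
LOG_RE = re.compile(r"^(\w{3}\s+\d+) \d\d:\d\d:\d\d \S+ kernel: "
                    r".*SRC=(\S+) .*PROTO=(\w+) .*DPT=(\d+)")

def parse_line(line):
    """Return (day, src, proto, dport) for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    day, src, proto, dport = m.groups()
    return day, src, proto, int(dport)

def summarize(lines):
    """Group blocked packets per day, counting by (proto, port) and by source."""
    by_day = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # not a firewall LOG line, skip it
            continue
        day, src, proto, dport = rec
        d = by_day.setdefault(day, {"ports": Counter(), "sources": Counter()})
        d["ports"][(proto, dport)] += 1
        d["sources"][src] += 1
    return by_day

def report(by_day):
    """Render one block per day: totals, most-hit ports, top three sources."""
    out = []
    for day in sorted(by_day):
        out.append(f"{day}: {sum(by_day[day]['ports'].values())} blocked packets")
        for (proto, dport), n in by_day[day]["ports"].most_common():
            out.append(f"  {proto} {dport:<5} {n:>4}  {PORT_NOTES.get(dport, '')}")
        for src, n in by_day[day]["sources"].most_common(3):
            out.append(f"  top src {src}: {n}")
    return "\n".join(out)

# Constructed sample lines using RFC 5737 test addresses; not real log data.
SAMPLE = [
    "Oct 12 03:14:07 gw kernel: SCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4321 DPT=80 WINDOW=8192 SYN",
    "Oct 12 03:14:09 gw kernel: SCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4322 DPT=21 WINDOW=8192 SYN",
    "Oct 12 11:02:41 gw kernel: SCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1033 DPT=80 WINDOW=8192 SYN",
    "Oct 12 11:02:42 gw kernel: SCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1034 DPT=111 WINDOW=8192 SYN",
    "Oct 13 00:45:10 gw kernel: SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=2048 DPT=515 WINDOW=8192 SYN",
    "Oct 13 01:00:00 gw kernel: eth0: link up",
]

if __name__ == "__main__":
    print(report(summarize(SAMPLE)))
```

Feed it the previous day's kernel log (for example via `grep 'SCAN:'`) from cron to get the one daily mail the post suggests instead of hourly ones.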

