KeithBergen©Com

Internet Security Notes

Port 6346

Ok, so I wound up getting thousands of connects logged to port 6346. After investigation, I found that 6346 is the port for Gnutella services such as LimeWire, Kazaa, and Morpheus. I tried to write to a number of the ISPs that owned the IP addresses of these connections. They all responded with a message that these are connects from legitimate Gnutella services, and were a result of me acquiring an IP address of a machine that had previously had a Gnutella service running on it.

I still didn't buy that. I have an "always on" connection that is kept alive by both my router and my web server. I had maintained the same IP address for 7 days, and I assume that connections would die out after a day or so once they realized I wasn't running such a service.

I probed further, and posted a message to a newsgroup relating to the topic. It turns out that the Gnutella services use caching DNS-like servers that will cache the IP addresses of machines. These servers rank connections based on the quality of the service, the number of files shared, and the number of requests for those files. These caching servers will maintain the IP of these machines for weeks, from what I am told.

Anyhow, the best way to get rid of this is to lease a new IP address. Hopefully the new address will not have previously run a Gnutella service. So my new IP does not seem to have previously run this service. I haven't gotten any connections to 6346 since. I will keep monitoring.

Logging

One thing that came out of this is that I am now logging port connects and reporting them to a network service. I log everything coming into my router using the Kiwi Syslog Daemon. I then use the DShield reporting tools to report the instances. DShield is a great service that will log all of your intrusive connections along with other people's, and then report them to ISPs nation-wide. This was a very helpful site for setting up the Kiwi Syslog Daemon with the Linksys Router. This site helps you set up the DShield client. This site helps you automatically report your "wrong" packets to DShield.
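
To check whether the port 6346 connects really stop after a new IP lease, the saved router log can be tallied per day. This is an added example, not the author's tooling; the log line layout, the function names and the sample lines are constructed assumptions, so adjust the pattern to whatever your syslog daemon actually writes.

```python
import re
from collections import defaultdict

# Assumed line layout (constructed, not taken from the page): a date and time,
# then a router message of the form "@in <src ip> <src port> <dst ip> <dst port>".
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s.*?"
    r"@in (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \d+ \S+ (?P<dport>\d+)\s*$"
)

def daily_hits(lines, port=6346):
    """Return {day: (connect_count, unique_source_count)} for inbound hits on port."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) != port:
            continue  # skip unparsable lines, outbound traffic and other ports
        counts[m.group("day")] += 1
        sources[m.group("day")].add(m.group("src"))
    return {day: (counts[day], len(sources[day])) for day in sorted(counts)}

def last_seen(lines, port=6346):
    """Return the last day with an inbound hit on port, or None if there is none."""
    hits = daily_hits(lines, port)
    return max(hits) if hits else None

# Constructed sample log (documentation IP ranges, made-up dates).
SAMPLE_LOG = [
    "2003-04-10 14:02:11 Local0.Info 192.168.1.1 @in 203.0.113.7 3122 192.168.1.100 6346",
    "2003-04-10 14:02:19 Local0.Info 192.168.1.1 @in 203.0.113.7 3123 192.168.1.100 6346",
    "2003-04-10 15:40:02 Local0.Info 192.168.1.1 @in 198.51.100.23 1044 192.168.1.100 6346",
    "2003-04-11 09:13:55 Local0.Info 192.168.1.1 @in 198.51.100.23 1090 192.168.1.100 6346",
    "2003-04-11 09:14:30 Local0.Info 192.168.1.1 @in 203.0.113.80 4410 192.168.1.100 80",
    "2003-04-12 08:00:00 Local0.Info 192.168.1.1 @out 192.168.1.100 2200 198.51.100.9 80",
    "2003-04-12 08:05:41 Local0.Info 192.168.1.1 @in 203.0.113.80 4502 192.168.1.100 80",
    "router restarted",
]

if __name__ == "__main__":
    for day, (count, uniq) in daily_hits(SAMPLE_LOG).items():
        print(f"{day}: {count} connects from {uniq} sources")
    print("last day with a 6346 connect:", last_seen(SAMPLE_LOG))
```

A falling count with a shrinking set of sources over several days is what you would expect if the connects come from cached peer lists rather than from anything still running on your side.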

Remote Desktop

I found that running Windows Remote Desktop is quite handy. My biggest fear was that it defaults to port 3389. Since everybody knows that port, it would be easier to hack if (when) an exploit becomes available. I found a registry hack that allows you to change the port. This helps make it less easy to find, since my Linksys router will block port scans. Simply change HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber (in Decimal) from 3389 to whatever you like. Obviously pick a non-standard port.

Written 04/15/2003; Last Updated 10/19/2006