
I'm trying to track network activities on my machine running CentOS-7.

According to iptables logs, I'm getting many inputs from unknown machines into port 17500.

Is there any reason for attackers to access that port?

Can I safely disable it with iptables?

Thanks!

```
16:50:29 kernel: IN=eth0 OUT= MAC=... SRC=5.100.254.27 DST=255.255.255.255 LEN=173 TOS=0x00 PREC=0x00 TTL=128 ID=9324 PROTO=UDP SPT=17500 DPT=17500 LEN=153
16:50:29 kernel: IN=eth0 OUT= MAC=... SRC=195.28.181.79 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=2073 PROTO=UDP SPT=17500 DPT=17500 LEN=184
16:50:32 kernel: IN=eth0 OUT= MAC=... SRC=5.100.255.153 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=5482 PROTO=UDP SPT=17500 DPT=17500 LEN=358
16:50:32 kernel: IN=eth0 OUT= MAC=... SRC=5.100.255.153 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=128 ID=5483 PROTO=UDP SPT=17500 DPT=17500 LEN=355
16:50:34 kernel: IN=eth0 OUT= MAC=... SRC=195.28.181.106 DST=255.255.255.255 LEN=174 TOS=0x00 PREC=0x00 TTL=128 ID=8467 PROTO=UDP SPT=17500 DPT=17500 LEN=154
16:50:34 kernel: IN=eth0 OUT= MAC=... SRC=5.100.250.67 DST=255.255.255.255 LEN=162 TOS=0x00 PREC=0x00 TTL=128 ID=5903 PROTO=UDP SPT=17500 DPT=17500 LEN=142
16:50:36 kernel: IN=eth0 OUT= MAC=... SRC=185.241.6.152 DST=255.255.255.255 LEN=366 TOS=0x00 PREC=0x00 TTL=128 ID=14192 PROTO=UDP SPT=17500 DPT=17500 LEN=346
16:50:36 kernel: IN=eth0 OUT= MAC=... SRC=185.241.6.152 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=14193 PROTO=UDP SPT=17500 DPT=17500 LEN=358
16:50:46 kernel: IN=eth0 OUT= MAC=... SRC=5.100.253.17 DST=255.255.255.255 LEN=172 TOS=0x00 PREC=0x00 TTL=128 ID=10333 PROTO=UDP SPT=17500 DPT=17500 LEN=152
16:50:46 kernel: IN=eth0 OUT= MAC=... SRC=212.199.177.237 DST=255.255.255.255 LEN=410 TOS=0x00 PREC=0x00 TTL=128 ID=6963 PROTO=UDP SPT=17500 DPT=17500 LEN=390
16:50:46 kernel: IN=eth0 OUT= MAC=... SRC=212.199.177.237 DST=255.255.255.255 LEN=418 TOS=0x00 PREC=0x00 TTL=128 ID=6965 PROTO=UDP SPT=17500 DPT=17500 LEN=398
16:50:46 kernel: IN=eth0 OUT= MAC=... SRC=212.199.177.237 DST=255.255.255.255 LEN=408 TOS=0x00 PREC=0x00 TTL=128 ID=6967 PROTO=UDP SPT=17500 DPT=17500 LEN=388
16:50:46 kernel: IN=eth0 OUT= MAC=... SRC=212.199.177.237 DST=255.255.255.255 LEN=417 TOS=0x00 PREC=0x00 TTL=128 ID=6969 PROTO=UDP SPT=17500 DPT=17500 LEN=397
16:50:51 kernel: IN=eth0 OUT= MAC=... SRC=185.106.128.105 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=13709 PROTO=UDP SPT=17500 DPT=17500 LEN=141
16:50:52 kernel: IN=eth0 OUT= MAC=... SRC=194.36.90.146 DST=255.255.255.255 LEN=366 TOS=0x00 PREC=0x00 TTL=128 ID=21383 PROTO=UDP SPT=17500 DPT=17500 LEN=346
16:50:52 kernel: IN=eth0 OUT= MAC=... SRC=194.36.90.146 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=21384 PROTO=UDP SPT=17500 DPT=17500 LEN=358
16:50:53 kernel: IN=eth0 OUT= MAC=... SRC=185.241.6.127 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=8621 PROTO=UDP SPT=17500 DPT=17500 LEN=141
```

ishahak
  • Do you use Dropbox? This is the UDP port Dropbox LAN Sync uses. – mael' Jul 17 '19 at 14:13
  • Well... actually you should disable _all_ incoming traffic to all ports you don't use and whitelist the ones you need. – Lenniey Jul 17 '19 at 14:14
  • Thanks for the responses! I don't use Dropbox on this machine. What is the motivation for many remotes to access my machine under port 17500? – ishahak Jul 17 '19 at 14:19
  • Probably the same reason your server is being contacted on port 993: https://serverfault.com/questions/975594/why-is-google-approaching-my-vps-machine – Lenniey Jul 17 '19 at 14:21
  • Wondering how much of the internet traffic is leftovers from previous owners of the IP :) – ishahak Jul 17 '19 at 14:26
  • This is not unheard of at all. Public IPs _will_ get reused, of course. If someone points their service/client/bot/etc. to this IP, the traffic will end up on your server, of course. No need to worry. As I said: you should be blocking **everything** except the ports you need. – Lenniey Jul 17 '19 at 14:30

1 Answer

Your server is hosted at a provider, where other customers of that server who are on the same LAN are running Dropbox. Its LAN Sync feature broadcasts on UDP port 17500. If you don't also have Dropbox running, you can ignore this traffic.

Michael Hampton
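
A triage sketch for logs like the one in the question, added here as an example (it is not code from the question or the answer): it groups iptables LOG lines by protocol and destination port and separates traffic seen only as broadcast, like the UDP 17500 LAN Sync announcements, from packets addressed to the host itself. The sample lines are constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in the iptables LOG format quoted in the question;
# addresses are from documentation ranges, not the ones in the post.
SAMPLE_LOG = """\
16:50:29 kernel: IN=eth0 OUT= MAC=... SRC=198.51.100.27 DST=255.255.255.255 LEN=173 TOS=0x00 PREC=0x00 TTL=128 ID=9324 PROTO=UDP SPT=17500 DPT=17500 LEN=153
16:50:32 kernel: IN=eth0 OUT= MAC=... SRC=198.51.100.153 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=5482 PROTO=UDP SPT=17500 DPT=17500 LEN=358
16:50:32 kernel: IN=eth0 OUT= MAC=... SRC=198.51.100.153 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=128 ID=5483 PROTO=UDP SPT=17500 DPT=17500 LEN=355
16:50:40 kernel: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4411 DF PROTO=TCP SPT=40112 DPT=993 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if it is not one."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN occurs twice; keep the IP-level one
    return fields if {"SRC", "DST", "PROTO"} <= fields.keys() else None

def is_broadcast_or_multicast(dst):
    """True for the limited broadcast address and for multicast groups."""
    addr = ip_address(dst)
    return str(addr) == "255.255.255.255" or addr.is_multicast

def triage(log_text):
    """Group packets by (PROTO, DPT) and say whether any were sent to this host."""
    groups = defaultdict(lambda: {"packets": 0, "sources": set(), "unicast": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        g = groups[(f["PROTO"], int(f.get("DPT", 0)))]
        g["packets"] += 1
        g["sources"].add(f["SRC"])
        g["unicast"] += not is_broadcast_or_multicast(f["DST"])
    return {
        key: {"packets": g["packets"], "sources": len(g["sources"]),
              "verdict": "addressed to this host" if g["unicast"]
                         else "broadcast/multicast only"}
        for key, g in sorted(groups.items())
    }

if __name__ == "__main__":
    for (proto, dport), info in triage(SAMPLE_LOG).items():
        print(proto, dport, info)
```

Subnet-directed broadcasts (for example the last address of the local subnet) are counted as unicast here, because the netmask is not part of the log line.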