James G. Sack (jim) wrote:
Ralph Shumaker wrote:
James G. Sack (jim) wrote:
..
... Maybe there's some other place deep in the admin
interface to keep those from coming through?
I don't know about that. I still cannot access it since disabling those
services. I don't know why, unless those were services being supplied
by the DSL modem to *my* computer. Got any ideas how to get back in?
I thought you said it fixed itself?
I don't recall saying that. But in any case, to be clear, I lost access
to the admin of the modem and never got it back. It did not affect my
ability to surf the web. But I cannot access the admin of the modem.
Starting from
# ifconfig eth0:0 192.168.1.99
ifconfig -a
(to verify the 192.168.1.99 alias)
ping 192.168.1.1
All good.
if that works, browse to
http://192.168.1.1/
instantly gives me the dialog that says:
The connection was reset
The connection to the server was reset while the page was loading.
# The site could be temporarily unavailable or too busy. Try again in a few moments.
# If you are unable to load any pages, check your computer's network connection.
# If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
[Try Again]
(Clicking on [Try Again] merely refreshes the dialog.)
Is this where I should call dslextreme?
I'm reluctant to offer advice, since if your admin interface is no
longer accessible, it may be my prior suggestion to disable http on the
Access Control—Services page that seemed to disable the admin interface.
In self-defense, though, I _would_ call that behavior a bug, and maybe
that is worth a call to them.
That may be so, jim, but I'm not blaming you, and I'm not upset about
it. I am somewhat concerned and would like to fix it. But I don't see
a reason to be upset about it. It's still letting me surf the web.
I'll find the number for dslextreme and give them a call.
If you are bothered by the garbage it seems to be leaking through,
another option is to get a cheapie residential gateway and put it
between the DSL modem and your computer(s).
If the only way that I am vulnerable is open ports with running
services, then reducing those to the essential few should be sufficient,
right?
Here's some other things you may find interesting:
..
or, if you like wireshark, possibly better is
wireshark -nr tcpdump.save
No manual entry for wireshark
Hmmm
http://en.wikipedia.org/wiki/Image:Wireshark_screenshot.png
Oh, now *that* looks kewl! It's like my tcpdump formula, but in
progress of accumulation.
But you used it as a command line. Is that preferable?
Not specifically preferable, but it is easier to give a sample command
line than to give a gui procedural recipe.
Agreed.
Oh, this is interesting (I wonder if it's actually down or has something
to do with the services that were disabled in my DSL modem which locked
me out of it since I haven't even tried yum since then):
(Creating this prompt on Sat Aug 16 at 10:33:24.)
# yum info wireshark
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* updates: mirror.stanford.edu
Could not retrieve mirrorlist
Nah, that's a (too common) repository problem. Usually temporary.
..
Actually, I may have been mistaken. I seem to recall doing yum install
gwget *after* losing DSL modem admin access (I think it was _after_?)
There's not much you can (easily/safely/reasonably) do about unsolicited
probes -- those _are_ (typically) the bad guys. Seeing the stats and
sources is mildly interesting.
OK, if I understand correctly, there's no harm in letting my computer
respond to port probes as long as I have no vulnerable services running?
What I meant is that you can't do much about probes arriving at your
public IP. That your DSL modem doesn't allow you to filter out those
things you don't want is a deficiency of the modem, IMO.
I believe your computer may not actually be doing any (real) responding,
it should be ignoring them. It would only respond by virtue of running a
service whose job is to respond.
I don't understand. Aren't these replies?
# tcpdump -lr tcpdumped
reading from file tcpdumped, link-type EN10MB (Ethernet)
11:09:03.700039 IP host86-168-240-81.range86-168.btcentralplus.com.54271 > netblock-68-183-me-me.dslextreme.com.33925: UDP, length 35
11:09:03.700134 IP netblock-68-183-me-me.dslextreme.com > host86-168-240-81.range86-168.btcentralplus.com: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 71
11:10:10.370860 IP 218.61.17.231.http > netblock-68-183-me-me.dslextreme.com.16999: S 2443851322:2443851322(0) ack 2961120453 win 64
11:10:10.370955 IP netblock-68-183-me-me.dslextreme.com > 218.61.17.231: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 48
11:11:08.695015 IP S01060014851b1bbb.cg.shawcable.net.33877 > netblock-68-183-me-me.dslextreme.com.cap: UDP, length 484
11:11:08.695113 IP netblock-68-183-me-me.dslextreme.com > S01060014851b1bbb.cg.shawcable.net: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 520
11:11:08.702138 IP S01060014851b1bbb.cg.shawcable.net.33877 > netblock-68-183-me-me.dslextreme.com.1027: UDP, length 484
11:11:08.702157 IP netblock-68-183-me-me.dslextreme.com > S01060014851b1bbb.cg.shawcable.net: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 520
11:11:08.709039 IP S01060014851b1bbb.cg.shawcable.net.33877 > netblock-68-183-me-me.dslextreme.com.1028: UDP, length 484
11:11:08.709058 IP netblock-68-183-me-me.dslextreme.com > S01060014851b1bbb.cg.shawcable.net: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 520
11:16:45.755625 IP 122.224.6.166.x11 > netblock-68-183-me-me.dslextreme.com.epmap: S 1035272192:1035272192(0) win 16384
11:16:45.755723 IP netblock-68-183-me-me.dslextreme.com > 122.224.6.166: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 48
Would there be any harm in having my computer drop all port probes
except for services I want running (like ntp)? Would that even do any
good, as in less visible being less vulnerable (like camouflage, like a
white moth on white tree bark)? If scans of a certain port, say 1026,
on sequential IP addresses is done to merely identify IP addresses that
answer back, wouldn't it be better to *not* answer back? Is that what
iptables is? (man iptables Description doesn't answer this for me, tho,
it probably would if I understood it better).
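An added example, not part of the thread, that answers the "aren't these replies?" question mechanically: a POSIX sh/awk function run over a constructed sample of the tcpdump records above (one record per line, as tcpdump -l prints them) that pairs every inbound probe at the public host with the ICMP "admin prohibited" message sent back. A host dropping probes silently would show rejects=0 for every remote.

```shell
#!/bin/sh
# Constructed sample modelled on the "tcpdump -lr tcpdumped" records quoted in the
# thread, one record per line (the mailer wrapped the originals). Hostnames are the thread's.
SAMPLE='11:09:03.700039 IP host86-168-240-81.range86-168.btcentralplus.com.54271 > netblock-68-183-me-me.dslextreme.com.33925: UDP, length 35
11:09:03.700134 IP netblock-68-183-me-me.dslextreme.com > host86-168-240-81.range86-168.btcentralplus.com: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 71
11:10:10.370860 IP 218.61.17.231.http > netblock-68-183-me-me.dslextreme.com.16999: S 2443851322:2443851322(0) ack 2961120453 win 64
11:10:10.370955 IP netblock-68-183-me-me.dslextreme.com > 218.61.17.231: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 48
11:11:08.695015 IP S01060014851b1bbb.cg.shawcable.net.33877 > netblock-68-183-me-me.dslextreme.com.cap: UDP, length 484
11:11:08.695113 IP netblock-68-183-me-me.dslextreme.com > S01060014851b1bbb.cg.shawcable.net: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 520
11:11:08.702138 IP S01060014851b1bbb.cg.shawcable.net.33877 > netblock-68-183-me-me.dslextreme.com.1027: UDP, length 484
11:11:08.702157 IP netblock-68-183-me-me.dslextreme.com > S01060014851b1bbb.cg.shawcable.net: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 520
11:11:08.709039 IP S01060014851b1bbb.cg.shawcable.net.33877 > netblock-68-183-me-me.dslextreme.com.1028: UDP, length 484
11:11:08.709058 IP netblock-68-183-me-me.dslextreme.com > S01060014851b1bbb.cg.shawcable.net: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 520
11:16:45.755625 IP 122.224.6.166.x11 > netblock-68-183-me-me.dslextreme.com.epmap: S 1035272192:1035272192(0) win 16384
11:16:45.755723 IP netblock-68-183-me-me.dslextreme.com > 122.224.6.166: ICMP host netblock-68-183-me-me.dslextreme.com unreachable - admin prohibited, length 48'
ME=netblock-68-183-me-me.dslextreme.com   # the public host whose replies we are counting

# probe_reply_summary: one line per remote host, "<host> probes=<n> rejects=<m>".
# rejects == probes means every probe was answered (an iptables REJECT rule);
# a DROP policy would give rejects=0 because nothing is sent back.
probe_reply_summary() {
  printf '%s\n' "$SAMPLE" | awk -v me="$ME" '
    # peel a trailing ":" and, when port is set, a trailing ".port" off a tcpdump host token
    function peel(tok, port,  t) { t = tok; sub(/:$/, "", t); if (port) sub(/\.[^.]*$/, "", t); return t }
    $2 != "IP" { next }
    # fields: $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:", $6 first word of the payload description
    $6 == "ICMP" && $3 == me && /admin prohibited/ { rej[peel($5, 0)]++; next }
    peel($5, 1) == me { probes[peel($3, 1)]++ }
    END { for (h in probes) printf "%s probes=%d rejects=%d\n", h, probes[h], rej[h] + 0 }'
}

probe_reply_summary
```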
Ahhh, ok, if I understand correctly, you are distinguishing between a
policy of REJECT vs DROP. A REJECT is like a negative ack, whereas a
DROP returns nothing at all to the sender. Normally firewalls use REJECT
on the inside (LAN) and DROP on the outside interface, just so there is
less visibility, as you say. For the packets that your DSL modem is
allowing through, the response would be dependent on the behavior of
your computer, which is probably running iptables. I do believe the
default configuration would be to REJECT rather than DROP, so your
concern seems justified. I believe if you want to change a default
policy to DROP, you may need to add explicit rules for proper behavior
of some protocols. Of course you could also add explicit DROP rules for
those garbage packets (which makes the most sense to me, if there are
only a few).
Admittedly, I know little on the subject, but since only a few services
are running (like ntp), wouldn't it be better to DROP everything and
then just ACCEPT the few that are welcome?
==> I'm a little rusty, so perhaps someone else will step in with
firewall configuration suggestions for your PC.
I keep forgetting what OS you are running, but I believe it's some
fedora. What do you get for
# service iptables status
or if that fails, try
# iptables -L
I added my OS to the subject line.
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source      destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source      destination
1    REJECT               all  --  0.0.0.0/0   0.0.0.0/0     reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source      destination

Chain RH-Firewall-1-INPUT (1 references)
num  target               prot opt source      destination
1    ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0
2    ACCEPT               icmp --  0.0.0.0/0   0.0.0.0/0     icmp type 255
3    ACCEPT               esp  --  0.0.0.0/0   0.0.0.0/0
4    ACCEPT               ah   --  0.0.0.0/0   0.0.0.0/0
5    ACCEPT               udp  --  0.0.0.0/0   224.0.0.251   udp dpt:5353
6    ACCEPT               udp  --  0.0.0.0/0   0.0.0.0/0     udp dpt:631
7    ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0     tcp dpt:631
8    ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0     state RELATED,ESTABLISHED
9    ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0     state NEW tcp dpt:22
10   REJECT               all  --  0.0.0.0/0   0.0.0.0/0     reject-with icmp-host-prohibited
Or should I set up a secure honey pot for them to waste their time on?
Maybe make it look like a juicy whendoze machine that only answers back
something akin to "error reading drive C:". :))
Well, I would not recommend running a honeypot except in a secure(!)
dmz, on a sacrificial host, and only if you have quite a bit more
expertise than I do.
Agreed. (My statement was entirely tongue-in-cheek.)
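The "DROP everything, then ACCEPT the few" ruleset asked about above, as an added example that is not the thread's own configuration: a POSIX sh function that emits an iptables-restore(8) ruleset for a single Fedora host, accepting only loopback, already-established flows, the ICMP types the stack needs, NTP from one configured server and SSH, and silently dropping everything else (including the probes in the tcpdump) instead of answering with icmp-host-prohibited as the RH-Firewall-1-INPUT chain does. The NTP server address is a placeholder and the rule set is assumed, not taken from the thread.

```shell
#!/bin/sh
# NTP_SERVER is a placeholder (RFC 5737 documentation address); set it to the real peer.
NTP_SERVER="${NTP_SERVER:-192.0.2.1}"

# emit_ruleset: print an iptables-restore(8) ruleset with a DROP policy on INPUT.
# Review the output, then as root: emit_ruleset | iptables-restore, and persist it
# with your distribution's mechanism (service iptables save on Fedora of that era).
emit_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and flows this host started (conntrack tracks UDP too, so ntpd's own
# queries get their answers through ESTABLISHED without a dedicated rule)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP the stack needs for correct operation (path MTU, time-exceeded); echo-request
# is not listed, so the host does not answer ping from outside
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# NTP: only needed if the peer initiates (symmetric mode) or this host serves time;
# restricted to the one configured server rather than 0.0.0.0/0
-A INPUT -p udp -s ${NTP_SERVER} --dport 123 -j ACCEPT
# SSH: new connections rate-limited to blunt password guessing
-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 4/min --limit-burst 4 -j ACCEPT
# no final rule with a reply: everything unmatched, the unsolicited UDP and SYN probes
# included, falls through to the DROP policy and gets no icmp-host-prohibited back
COMMIT
EOF
}

emit_ruleset
```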
--
I don't see much point in providing much if any lenience
When something obnoxious is done "for my convenience".
--Stewart Stremler
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list