Re: newbie iptables question

2004-08-14 Thread s. keeling
Incoming from Daniel Pittman:
> On 14 Aug 2004, s. keeling wrote:
> >
> > Are you suggesting that I might see stuff in my logs that was destined
> > for a foreign IP?  
> 
> Not often, but occasionally, depending on how your ISP connects you to
> the Internet.  It is most common on a LAN or a cable setup.

Sorry, I meant "foreign IP" as "something outside of my LAN."


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: newbie iptables question

2004-08-14 Thread Wanda Round
Phillip Hofmeister <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> It is saying a rule matched.  Doesn't say what you did with the packet
> though, just tells you about the packet.  If you want to know what you
> did with it you would need to include a log-prefix in your iptables
> scripts.
> 
> Here is what we know:
> 
> Interface Traffic came IN on: ppp0
> The IP Address the traffic came from is: 83.36.139.197
> THE IP Address it was destined to: 12.65.24.43
> The length of the packet was: 53 bytes
> The Type of Service flag was set to null (00)
> The SYN flag was set, this was a connection attempt
> The IP ID Field (for IP Fragmentation) was: 19155
> The layer 4 protocol was: TCP
> The layer 4 port was (source): 4346
> The layer 4 port destination was: 445
> The size of the TCP Window was: 16384 bytes
> 
> Shorter version: Someone from 83.36.139.197 tried to connect to
> 12.65.24.43 (presumably you) on port 445 via interface ppp0.  We cannot
> deduce what action was taken by your computer because you (or your
> IPTABLES Interface program) did not log this.  It is for this reason I
> run my own IPTABLES script and edit it by hand (pretty
> masochistic, huh?).  My guess is this packet was related to an
> automated attack (worm).
> 

Phillip, 

This is all great. I do want to thank you and Martin and S. Keeling
(esp.) and Bernd--you've all been very helpful.

Some of the information from this group has led me to a new study list!
-- look at Bastille
-- look at firehol and/or firestarter
-- re-read all the Debian security docs

Lists and newsgroups are the way to go!

-- 
Wanda





Re: newbie iptables question

2004-08-14 Thread Daniel Pittman
On 14 Aug 2004, s. keeling wrote:
> Incoming from Bernd Eckenfels:
>> In article <[EMAIL PROTECTED]> you wrote:
>> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
>> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
>> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
>> ...
>>> It all depends on whether you have services running on your machine
>>> that listen on DPT (445 in this case). If something is there to "pick
>>> up the phone" so to speak, anything can happen.  That service could
>>> answer on another port altogether.
>>
>> Well, you need to check if DST= is a local address, anyway.
>
> Are you suggesting that I might see stuff in my logs that was destined
> for a foreign IP?  

Not often, but occasionally, depending on how your ISP connects you to
the Internet.  It is most common on a LAN or a cable setup.

> If so, that would make me an open mail relay, no?

No. Being an open mail relay would make you an open mail relay. Your
firewall has pretty much nothing to do with that -- only the
configuration of your mail server really matters.

Have you considered using some sort of friendly setup, such as shorewall
or firehol, to deal with the technical details of firewalling for you?

It sounds like you are pretty unsure on your feet here, and those tools
take a lot of the uncertainty out of building a firewall...

Regards,
Daniel
-- 
We can keep from a child all knowledge of earlier myths, but
we cannot take from him the need for mythology.
-- Carl Jung





Re: newbie iptables question

2004-08-14 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
>> Well, you need to check if DST= is a local address, anyway.
> 
> Are you suggesting that I might see stuff in my logs that was destined
> for a foreign IP?  If so, that would make me an open mail relay, no?

If your system is a gateway, this is quite common. No, that's not related to
mail relays.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: newbie iptables question

2004-08-13 Thread s. keeling
Incoming from Bernd Eckenfels:
> In article <[EMAIL PROTECTED]> you wrote:
> >> > > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> >> > > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> >> > > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> ...
> > It all depends on whether you have services running on your machine
> > that listen on DPT (445 in this case).  If something is there to "pick
> > up the phone" so to speak, anything can happen.  That service could
> > answer on another port altogether.
> 
> Well, you need to check if DST= is a local address, anyway.

Are you suggesting that I might see stuff in my logs that was destined
for a foreign IP?  If so, that would make me an open mail relay, no?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: newbie iptables question

2004-08-13 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
>> > > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
>> > > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
>> > > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
...
> It all depends on whether you have services running on your machine
> that listen on DPT (445 in this case).  If something is there to "pick
> up the phone" so to speak, anything can happen.  That service could
> answer on another port altogether.

Well, you need to check if DST= is a local address, anyway.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: newbie iptables question

2004-08-13 Thread s. keeling
Incoming from Wanda Round:
> "s. keeling" <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> > Incoming from Wanda Round:
> > > 
> > > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> > > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> > > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> > 
> >   - It came in over ppp0.
> 
> Many thanks for the clear, tiny-bite answer! Which specific item 
> tells you that it "didn't get back out"?

I spoke too soon on that.  Sorry.  :-P

> You're saying that as long as the incoming doesn't get back out
> I'm ok, correct?  

It all depends on whether you have services running on your machine
that listen on DPT (445 in this case).  If something is there to "pick
up the phone" so to speak, anything can happen.  That service could
answer on another port altogether.

The trick is, don't run services that you don't need to run.  Go into
/etc/inetd.conf and comment out anything that you don't like; things
like ftpd, telnetd, rsh (remote shell), portmap, identd.

If you never need to ssh _into_ your box, tell it not to run sshd.
You'll still be able to ssh out.

> thing only with different MAC addresses. Does this mean, FROM
> THE LITTLE YOU'VE SEEN, that the iptables is doing a good job?

It _may_ be, but if you're running services you don't need to, you
will have opened the door and iptables can't solve that.  All a
firewall does is _break connectivity_.  Unix was designed to listen to
a lot of ports and respond to requests appropriately.  iptables just
slaps duct tape over those ports.

I'd get one of the firewall management tools (fwbuilder, shorewall,
etc.) and play with it.  It'll build you your iptables rules for you.
That's the best way to wrap your head around this stuff.

My theory on iptables rules, for a personal workstation, is:

  anything outgoing NEW,ESTABLISHED,RELATED is allowed

  anything incoming NOT from localhost that's NEW - log and drop

  anything incoming over ppp0 that's ESTABLISHED,RELATED to existing
connections - accept

  then you can add exceptions; I allow tcp 113 because I run something
called fauxident.  some cvs servers demand it.

groups.google.com for comp.os.linux.security can be a lot of help.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -



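The workstation policy described in the message above (outgoing NEW,ESTABLISHED,RELATED allowed; incoming NEW not from localhost logged and dropped; ESTABLISHED,RELATED on ppp0 accepted; per-port exceptions such as tcp 113), written out as an added example that is not part of the original posting: a shell function that prints the policy in iptables-restore format for a given interface and a list of allowed TCP ports. The function name `workstation_ruleset`, the rate limit on the LOG rule and the `fw-in-new:` prefix are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): print s. keeling's workstation policy
# as an iptables-restore ruleset.
# Usage:  workstation_ruleset IFACE [TCPPORT...]
# Apply:  workstation_ruleset ppp0 113 | iptables-restore   (review it first)
# "-m state" is the 2004-era syntax; on current kernels "-m conntrack
# --ctstate" is the preferred equivalent with the same state names.
workstation_ruleset() {
    iface=$1; shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # localhost talks to itself freely (the "NOT from localhost" part)
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host started
    printf '%s\n' "-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # explicit exceptions, e.g. tcp/113 for an ident responder
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # everything else that is NEW: log it (rate-limited so a scan cannot
    # fill the disk), then drop it.  The prefix makes the kernel line say
    # which rule fired, which the unprefixed lines in the thread do not.
    printf '%s\n' \
        '-A INPUT -m state --state NEW -m limit --limit 5/minute -j LOG --log-prefix "fw-in-new: "' \
        '-A INPUT -m state --state NEW -j DROP' \
        '-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' \
        'COMMIT'
}

# Print the ruleset for a dialup interface with the ident exception.
workstation_ruleset ppp0 113
```

The LOG rule sits immediately before the DROP it explains, so a line tagged `fw-in-new:` can only mean "dropped". The limit match keeps a port scan down to a few lines a minute at the cost of not recording every dropped packet; remove it if you want the complete record. iptables-restore replaces the running ruleset, so read the output before piping it in.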


Re: newbie iptables question

2004-08-13 Thread Wanda Round
"s. keeling" <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> Incoming from Wanda Round:
> > After reading that I should look through /var/log/messages, I did
> > and found many lines like these:
> > 
> > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> 
>   - It came in over ppp0.
> 
>   - It didn't get back out.
> 
>   - No network card was involved.
> 
>   - It came from 201.129.122.85
> 
>   - Your IP was 12.65.24.43
> 
>   - [Other stuff]
> 
>   - It was TCP protocol (as opposed to UDP, ICMP, ...)
> 
>   - It came from their port #4346.
> 
>   - It went at your port #445.
> 
>   - [Other stuff]
> 
> The only thing I tend to care about is:
> 
>   - What, on my machine, is at port #445 (nothing).  "grep 445 /etc/services".
> 
>   - If it's an INcoming or OUTgoing packet, is it (related to)
> something I started?
> 
>   - Many things (like 53, DNS) are just idiots out there who (for
> whatever reason) think you are their nameserver.  Ignore them.
> 
>   - Many hits on your box are from viruses and worms looking to infect
> your box.  Ignore them.
> 
>   - Many hits are from spammers trying to find out if they can use you
> as an open mail relay.  Ignore them.
> 

S. Keeling, 

Many thanks for the clear, tiny-bite answer! Which specific item 
tells you that it "didn't get back out"?

You're saying that as long as the incoming doesn't get back out
I'm ok, correct?  

Every line I saw in the /var/log/messages had the same kind of 
thing only with different MAC addresses. Does this mean, FROM
THE LITTLE YOU'VE SEEN, that the iptables is doing a good job?

-- 
Wanda





Re: newbie iptables question

2004-08-13 Thread François TOURDE
On the 12643rd day after Epoch,
s. keeling wrote:

> Incoming from Wanda Round:
>> After reading that I should look through /var/log/messages, I did
>> and found many lines like these:
>> 
>> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
>> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
>> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
>
>   - It came in over ppp0.
>
>   - It didn't get back out.

Arf...

>   - No network card was involved.

Arf...

>   - Your IP was 12.65.24.43

Arf...

>   - [Other stuff]

Please ask Google to explain this kind of info to you.

What you can guess about a rejected packet (nothing here can confirm the
packet was rejected) is 'it was rejected'. Nothing about it not getting
back out.

The only things logged are the things you (or a f.cking frontend) asked
to have logged.

-- 
Necessity hath no law.
-- Oliver Cromwell





Re: newbie iptables question

2004-08-13 Thread Andrew Pimlott
On Fri, Aug 13, 2004 at 08:13:21AM -0700, Wanda Round wrote:
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> 
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?

They are TCP/IP header fields, and if you don't already know what they
mean, they probably aren't useful to you; but a reference on TCP/IP
would be enlightening.

If you're trying to figure out why they were printed in the first place,
it's because your iptables configuration ("iptables --list") decided
they were worth logging, probably because the packets were dropped.  You
should try to figure out which rule matched the packet.  You can do this
by either tracing the rules "by hand", or adding a --log-prefix to the
logging rules.  If the rules are created by a firewall tool, the latter
might be hard (I wish firewall tools would always add a string to the
log, so the user can see which policy is violated); perhaps you could
iptables-save, add the --log-prefix options, iptables-restore.

But it's probably not worth spending too much time tracking this down.
Bad packets, not even malicious ones, are part of the background noise
of the internet.

Andrew



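Andrew's iptables-save, add `--log-prefix`, iptables-restore suggestion, carried out as an added example that is not part of the original thread: a POSIX shell function that tags every `-j LOG` rule lacking a prefix with its chain name and position in that chain, so later kernel lines say which rule fired. The ruleset it is run on below is constructed for illustration and is not from the list posting; the function name `add_log_prefixes` and the `CHAIN#n:` prefix format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): give every "-j LOG" rule in an
# iptables-save dump a --log-prefix naming its chain and position, so the
# kernel log line says which rule fired.  Intended use, after reviewing
# the output:   iptables-save | add_log_prefixes | iptables-restore
add_log_prefixes() {
    awk '
        # Number the rules of each chain as they appear ("-A CHAIN ...").
        /^-A / { n[$2]++ }
        # LOG targets that have no prefix yet get "CHAIN#pos: ".  Keep it
        # short: the kernel accepts at most 29 characters of --log-prefix.
        /^-A / && ($0 ~ / -j LOG$/ || $0 ~ / -j LOG /) && !/--log-prefix/ {
            printf "%s --log-prefix \"%s#%d: \"\n", $0, $2, n[$2]
            next
        }
        { print }
    '
}

# Constructed sample dump: a default-drop workstation ruleset whose INPUT
# LOG rule carries no prefix, plus an OUTPUT LOG rule that already has one
# (it must be left alone).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -j LOG
-A INPUT -m state --state NEW -j DROP
-A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "smtp-out: "
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Show the annotated dump; the third INPUT rule becomes
# -A INPUT -m state --state NEW -j LOG --log-prefix "INPUT#3: "
printf '%s\n' "$SAMPLE_RULES" | add_log_prefixes
```

After the restore, a dropped connection attempt logs as `kernel: INPUT#3: IN=ppp0 OUT= ... SYN ...`, and the rule that follows `INPUT#3` in the dump (here the DROP) gives the verdict. Positions shift whenever a firewall tool regenerates the rules, so rerun this after every regeneration rather than trusting old prefixes.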


Re: newbie iptables question

2004-08-13 Thread Phillip Hofmeister
On Fri, 13 Aug 2004 at 08:13:21AM -0700, Wanda Round wrote:
> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
> 
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> 
> Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46 
> ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> 
> The 12.65.24.43 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain.
> 
> MAN iptables didn't help me at all! 
> 
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?

It is saying a rule matched.  Doesn't say what you did with the packet
though, just tells you about the packet.  If you want to know what you
did with it you would need to include a log-prefix in your iptables
scripts.

Here is what we know:

Interface Traffic came IN on: ppp0
The IP Address the traffic came from is: 83.36.139.197
THE IP Address it was destined to: 12.65.24.43
The length of the packet was: 53 bytes
The Type of Service flag was set to null (00)
The SYN flag was set, this was a connection attempt
The IP ID Field (for IP Fragmentation) was: 19155
The layer 4 protocol was: TCP
The layer 4 port was (source): 4346
The layer 4 port destination was: 445
The size of the TCP Window was: 16384 bytes

Shorter version: Someone from 83.36.139.197 tried to connect to
12.65.24.43 (presumably you) on port 445 via interface ppp0.  We cannot
deduce what action was taken by your computer because you (or your
IPTABLES Interface program) did not log this.  It is for this reason I
run my own IPTABLES script and edit it by hand (pretty
masochistic, huh?).  My guess is this packet was related to an
automated attack (worm).


Hope this helps,

-- 
Phillip Hofmeister





Re: newbie iptables question

2004-08-13 Thread Martin Grape
Hi

What those lines are saying is that on your ppp0 interface (your dialup)
you got a SYN packet from 201.129.122.85 (SRC) to 12.65.24.43 (DST) sent
from port 4346 (SPT) to port 445 (DPT). 

SYN packets are sent to establish a connection.
Port 445 is listed as microsoft-ds (Microsoft Naked CIFS) so I would 
guess it was some search for Windows machines for some exploit ...

But what you need to know to learn how to read the logs is:
SRC = reported sending IP for the packet.
DST = reported target IP for the packet.
SPT = reported sending port for the packet.
DPT = reported target port for the packet.

For the target port you can often find it in /etc/services if it's a standard
port for a known service.

Hope this cleared this up a little, I'm not that much of a teacher ... :)

/Martin

13 Aug 2004, Wanda Round wrote:

> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
> 
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> 
> Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46 
> ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> 
> The 12.65.24.43 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain.
> 
> MAN iptables didn't help me at all! 
> 
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?
> 
> -- 
> Wanda
> 
> 

-- 
/Martin Grape
Network and System Admin
Trema Laboratories SARL

Email : [EMAIL PROTECTED]  | 1300 route des Cretes
Phone : +33-4-92384149  | Parc de Sophia-Antipolis
GSM   : +33-6-30655938  | F-06560 Valbonne, France





Re: newbie iptables question

2004-08-13 Thread s. keeling
Incoming from s. keeling:
> Incoming from Wanda Round:
> > After reading that I should look through /var/log/messages, I did
> > and found many lines like these:
> > 
> > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
> 
>   - It came in over ppp0.
[snip]
> The only thing I tend to care about is:
> 
>   - What, on my machine, is at port #445 (nothing).  "grep 445 /etc/services".

/bin/netstat -tnupl

/bin/netstat -nr


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: newbie iptables question

2004-08-13 Thread s. keeling
Incoming from Wanda Round:
> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
> 
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 

  - It came in over ppp0.

  - It didn't get back out.

  - No network card was involved.

  - It came from 201.129.122.85

  - Your IP was 12.65.24.43

  - [Other stuff]

  - It was TCP protocol (as opposed to UDP, ICMP, ...)

  - It came from their port #4346.

  - It went at your port #445.

  - [Other stuff]

The only thing I tend to care about is:

  - What, on my machine, is at port #445 (nothing).  "grep 445 /etc/services".

  - If it's an INcoming or OUTgoing packet, is it (related to)
something I started?

  - Many things (like 53, DNS) are just idiots out there who (for
whatever reason) think you are their nameserver.  Ignore them.

  - Many hits on your box are from viruses and worms looking to infect
your box.  Ignore them.

  - Many hits are from spammers trying to find out if they can use you
as an open mail relay.  Ignore them.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -




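The field-by-field readings given by Phillip ("Here is what we know"), Martin (the SRC/DST/SPT/DPT legend) and s. keeling (the bullet list just above), done by a script instead of by eye, as an added example that is not from the original thread: a POSIX shell function that turns one iptables LOG line into the "shorter version" (interface, source:port, destination:port, protocol, flags, length, TTL), a test for "is this a new connection attempt", and a counter of logged destination ports so "many lines like these" can be triaged at a glance. The first two sample lines are the ones Wanda posted; the third (a UDP/53 probe of the "thinks you are their nameserver" kind) is constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): read iptables LOG lines with awk.

# summarize_log_line LINE -> "IFACE SRC:SPT -> DST:DPT proto [flags] len=N ttl=N"
# Every KEY=VALUE token is collected; bare tokens such as DF, SYN, ACK are
# the IP/TCP flags that LOG prints without a value.  Anything else on the
# line (timestamp, hostname, the --log-prefix text) is ignored.  For UDP the
# kernel prints LEN twice (IP total length, then UDP length); the first
# occurrence of a key wins, so len= is always the IP length.
summarize_log_line() {
    printf '%s\n' "$1" | awk '
    {
        flags = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 0) {
                k = substr($i, 1, eq - 1)
                if (!(k in f)) f[k] = substr($i, eq + 1)
            } else if ($i ~ /^(DF|MF|CE|SYN|ACK|FIN|RST|PSH|URG|ECE|CWR)$/) {
                flags = flags (flags == "" ? "" : ",") $i
            }
        }
        printf "%s %s:%s -> %s:%s %s [%s] len=%s ttl=%s\n",
            f["IN"], f["SRC"], f["SPT"], f["DST"], f["DPT"],
            tolower(f["PROTO"]), flags, f["LEN"], f["TTL"]
    }'
}

# is_connection_attempt LINE -> exit 0 if the packet is a TCP SYN without
# ACK, i.e. someone trying to open a new connection to DPT (what both
# port-445 lines in the thread are).  Packets belonging to a conversation
# already under way carry ACK.
is_connection_attempt() {
    case " $1 " in
        *" ACK "*) return 1 ;;
        *" PROTO=TCP "*" SYN "*) return 0 ;;
    esac
    return 1
}

# count_by_dst_port < LOGLINES -> "count port" rows, busiest port first.
count_by_dst_port() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) c[substr($i, 5)]++ }
         END { for (p in c) print c[p], p }' | sort -rn
}

# The two lines posted in the thread (joined back onto one line each) plus
# one constructed UDP/53 line.
LINE1='Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0'
LINE2='Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0'
LINE3='Aug 12 05:02:11 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=12.65.24.43 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7 PROTO=UDP SPT=33100 DPT=53 LEN=40'

summarize_log_line "$LINE1"
summarize_log_line "$LINE2"
summarize_log_line "$LINE3"
for l in "$LINE1" "$LINE2" "$LINE3"; do
    is_connection_attempt "$l" && echo "new TCP connection attempt: $(summarize_log_line "$l")"
done
printf '%s\n' "$LINE1" "$LINE2" "$LINE3" | count_by_dst_port
```

The flags are what tell you the kind of packet: a bare SYN is an inbound connection attempt, while a logged packet with ACK set belonged to a conversation already in progress, which a state-matching ruleset should have accepted rather than logged, so those deserve a closer look. The port count is the first thing to check when the log is full of similar lines: one port hit from many sources is worm or scanner background noise, many ports from one source is a deliberate scan of your machine. Neither tells you the verdict; only a `--log-prefix` on the rule does.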

[François TOURDE] Re: newbie iptables question

2004-08-13 Thread François TOURDE
Sorry for the personal posting. I've changed my keys recently under Gnus,
and it's hard to change old habits ;)


--- Begin Message ---
On the 12643rd day after Epoch,
Wanda Round wrote:

> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
>
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
>
> Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
> SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46 
> ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
>
> The 12.65.24.43 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain.
>
> MAN iptables didn't help me at all! 
>
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?

They're telling you that somebody in Spain and Mexico is trying to
contact your computer on port 445 (DST=445). And this port is:

[EMAIL PROTECTED]:~$ grep 445 /etc/services 
microsoft-ds    445/tcp         # Microsoft Naked CIFS
microsoft-ds    445/udp

HTH

-- 
I am an omnipotent being.
--- End Message ---


-- 
Before marriage the three little words are "I love you," after marriage
they are "Let's eat out."
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tel: 01 49 35 96 69 - Mob: 06 81 01 81 80
URL: http://francois.tourde.org/