RE: [expert] Firewall Log Question

2001-11-23 Thread Jose M. Sanchez

Also add to this that there are 192.168.0.0 packets leaking onto the
internet from misconfigured routers all the time!

-JMS

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED]] On Behalf Of Ed Tharp
|Sent: Thursday, November 22, 2001 4:18 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [expert] Firewall Log Question
|
|
|It's always been my understanding that one of the reasons to have 192.168.x.x
|IP numbers in an internal network is to enable,,, oh say a GOOD network (or
|even a really lame) Admin to block those IPs from external sources. Just how
|much do you "share" this network? Just having THOSE IP numbers doesn't mean
|anything except that the ADMIN IS AN A$$, in my humble opinion. To accuse
|someone who owns a dog that looks like your dog of stealing your dog, when
|their dog ran away because they did not feed it or shelter it seems...shall we
|say...disingenuous. If the other Admin cannot close his system (might be a
|M$winder$ system,,, why should he blame you, because you have a closed
|(linux) system?
|
|




Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] Firewall Log Question

2001-11-21 Thread Tarragon Allen

On Thu, 22 Nov 2001 14:41, eduardo wrote:
> Thanks for your help.
>
> With this I am sending a small description of how the network has been
> set up and the hardware that we are using.
>
> Network 1 : 10.10.X.X / 255.255.0.0 (The Other Company/Firewall)
>
> Network 2 : 192.168.5.X.X / 255.255.0.0 (My company)
>
> The Switch we have 2 Vlans.
>
> The Switch and Gateway/Firewall is controlled by the other company.
>
> The Router connect us to the internet. The router is controlled by ISP
>
>
>  --------           -----           -------------
> | Router |         | HUB |-------->| Comp. (Win) | (192.168.X.X)
> | Cisco  |-------->|     |         | Network 2   |
>  --------           -----           -------------
>                     |   |
>       (192.168.X.X) |   | (10.10.X.X)
>      +--------------+   | (port Vlan2)
>      v                  v
>  ----------           --------
> | Gateway  |  (port  | Switch |---(Vlan 2)---> Network 2 (Windows) 192.168.X.X
> | FireWall |-Vlan1)->| 3Com   |
> | (Linux)  |         |        |---(Vlan 1)---> Network 1 (Windows) 10.10.X.X
>  ----------           --------
>  (10.10.X.X)         (10.10.X.X)

Well, the firewall logs you sent look like they were generated on the linux 
box.  The linux box is connected by a hub to your windows network.  Why are 
they surprised to see traffic from that network hit their linux box, when it's 
physically on the same network?

Also, just as a question of configuration, shouldn't the VLANs be on 
different subnets to the main networks?  Is this 3COM switch handling the 
VLAN authentication and so forth?

Is eth0 on the linux box connected to the hub or to the switch?

t

-- 
PGP key : http://n12turbo.com/tarragon/public.key




Re: [expert] Firewall Log Question

2001-11-21 Thread eduardo

Thanks for your help.

With this I am sending a small description of how the network has been
set up and the hardware that we are using.

Network 1 : 10.10.X.X / 255.255.0.0 (The Other Company/Firewall)

Network 2 : 192.168.5.X.X / 255.255.0.0 (My company)

The Switch we have 2 Vlans.

The Switch and Gateway/Firewall is controlled by the other company.

The Router connect us to the internet. The router is controlled by ISP


 --------           -----           -------------
| Router |         | HUB |-------->| Comp. (Win) | (192.168.X.X)
| Cisco  |-------->|     |         | Network 2   |
 --------           -----           -------------
                    |   |
      (192.168.X.X) |   | (10.10.X.X)
     +--------------+   | (port Vlan2)
     v                  v
 ----------           --------
| Gateway  |  (port  | Switch |---(Vlan 2)---> Network 2 (Windows) 192.168.X.X
| FireWall |-Vlan1)->| 3Com   |
| (Linux)  |         |        |---(Vlan 1)---> Network 1 (Windows) 10.10.X.X
 ----------           --------
 (10.10.X.X)         (10.10.X.X)



- Original Message -
From: "Tarragon Allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 11:32 PM
Subject: Re: [expert] Firewall Log Question


> On Wed, 21 Nov 2001 14:09, Eduardo Bencomo wrote:
> > We are in a mixed network, which includes a Cisco router, a 3COM switch
> > common to the two networks and a hub where the gateway/firewall linux
> > computer is connected.
> >
> > One of the networks is my company network (192.168.X.X / 255.255.0.0. I
> > am in charge of it) and the other network belongs to another company
> > (10.10.X.X / 255.255.0.0). This company has a VPN. Now, they are accusing
> > me of being a hacker, alleging we have tried to go into their VPN. As
> > proof of that, they are showing the following type of message:
>
> How do they know it's your network?  The 192.168.x.x range is used by many
> many many people out there to define their internal networks, and is in fact
> supplied on spec (in one of the RFCs) for this very purpose.  Just showing
> some logs with that IP in it doesn't seem to constitute any proof whatsoever
> that your particular network was involved.
>
> The actual packets they've listed here appear to be NetBIOS broadcasts.
> These are sent by Windows clients when they are trying to poll the network
> for other Windows machines.  It looks to me like Windows machines using
> 192.168.x.x are trying to poll something on their network.  Again, no
> indication that it's necessarily from *your* network, it could be any machine
> using those IPs with a subnet mask of 255.255.0.0.
>
> If they are seeing these packets, how did they make it there?  If they are
> running a VPN, the only way they could see these packets from your network
> would be if someone using that IP connected to their VPN and then forwarded
> packets to them.  Unless they can provide more proof (perhaps with
> explanations of where they think the traffic is coming from, rather than a
> pile of oblique logs from a network and host you have no more information
> about) there's not much you can do.
>
> A "more information is required" situation.  Also, I'd assume it's not
> "hacking" - it feels more like some sort of misconfiguration to me.
>
> Btw, is this other company on the same network, or do they share network
> hardware?  What connections do you have to this company?  Could it be
> something as simple as a patch lead connecting two hubs together?
>
> t
>
> > Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> >
> > Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> >
> > Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
>
> --
> PGP key : http://n12turbo.com/tarragon/public.key
>
>










Re: [expert] Firewall Log Question

2001-11-21 Thread Tarragon Allen

On Thu, 22 Nov 2001 10:08, Leif Madsen wrote:
> I have to agree with Tarragon here.  It doesn't look to me like any sort of
> hacking attempt as it looks like their firewall is just receiving packets
> to ports which they are blocking and it is dropping them.  It very well
> could be a machine on their network which has the IP address of 192.168.X.X
> misconfigured.

I doubt it's a single misconfigured machine using an IP in that range: there 
are denies for many different IPs in the range, which seems to indicate that 
the networks (whether it's Eduardo's or someone else's) are connected somehow.

t
-- 
PGP key : http://n12turbo.com/tarragon/public.key




Re: [expert] Firewall Log Question

2001-11-21 Thread Leif Madsen

I have to agree with Tarragon here.  It doesn't look to me like any sort of
hacking attempt as it looks like their firewall is just receiving packets to
ports which they are blocking and it is dropping them.  It very well could
be a machine on their network which has the IP address of 192.168.X.X
misconfigured.

I'd be hesitant to say that it is you.. but if it is, how are you guys
connected together?

Anything physical or is this remote, over the internet?

If this is remote over the internet and they are saying that 192.168.X.X is
hacking them, I don't think it's you :)


Leif Madsen - Project Manager
[EMAIL PROTECTED]
http://www.plannettechnologies.com

- Original Message -
From: "Tarragon Allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 10:32 PM
Subject: Re: [expert] Firewall Log Question


> A "more information is required" situation.  Also, I'd assume it's not
> "hacking" - it feels more like some sort of misconfiguration to me.
>
> Btw, is this other company on the same network or share network hardware?
> What connections do you have to this company?  Could it be something as
> simple as a patch lead connecting two hubs together?






Re: [expert] Firewall Log Question

2001-11-20 Thread kons Richard Bown

Hiya, well looking at the port numbers 137 & 138, if I remember right
those are the NetBIOS ports.
Are you running SAMBA on your network?
Anyway, if you turn off those two ports on outgoing packets that should
stop the other company accusing you of hacking.
But if the other co had a real sysadmin person they'd know that anyway.
HTH

Eduardo Bencomo wrote:
> 
> We are in a mixed network, which includes a Cisco router, a 3COM
> switch common to the two networks and a hub where the gateway/firewall
> linux computer is connected.
> 
> One of the networks is my company network (192.168.X.X / 255.255.0.0. I
> am in charge of it) and the other network belongs to another company
> (10.10.X.X / 255.255.0.0). This company has a VPN. Now, they are
> accusing me of being a hacker, alleging we have tried to go into their
> VPN. As proof of that, they are showing the following type of message:
> 
> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> 
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> 
> Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> 
> Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
> 
> Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
> 
> Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
> 
> Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
> 
> Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
> 
> Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
> 
> They have as many as 40 pages of this type of message, presenting
> this "deny" access as the evidence that we have tried to penetrate their
> network.
> 
> Since we are not interested in going into that VPN, nor have we tried
> to do it, please help me find a technical explanation for the
> "evidence" they have shown.
> 
> Thanks.

-- 
Richard Bown
Ericsson Microwave Systems AB
SE-431 84 Mölndal
e-mail [EMAIL PROTECTED]
tel +46 31 74 72422
mobile +46 7098 72422




Re: [expert] Firewall Log Question

2001-11-20 Thread Tarragon Allen

On Wed, 21 Nov 2001 14:09, Eduardo Bencomo wrote:
> We are in a mixed network, which includes a Cisco router, a 3COM switch
> common to the two networks and a hub where the gateway/firewall linux
> computer is connected.
>
> One of the networks is my company network (192.168.X.X / 255.255.0.0. I am
> in charge of it) and the other network belongs to another company (10.10.X.X
> / 255.255.0.0). This company has a VPN. Now, they are accusing me of being
> a hacker, alleging we have tried to go into their VPN. As proof of that,
> they are showing the following type of message:

How do they know it's your network?  The 192.168.x.x range is used by many 
many many people out there to define their internal networks, and is in fact 
supplied on spec (in one of the RFCs) for this very purpose.  Just showing 
some logs with that IP in it doesn't seem to constitute any proof whatsoever 
that your particular network was involved.

The actual packets they've listed here appear to be NetBIOS broadcasts.  
These are sent by Windows clients when they are trying to poll the network 
for other Windows machines.  It looks to me like Windows machines using 
192.168.x.x are trying to poll something on their network.  Again, no 
indication that it's necessarily from *your* network, it could be any machine 
using those IPs with a subnet mask of 255.255.0.0.

If they are seeing these packets, how did they make it there?  If they are 
running a VPN, the only way they could see these packets from your network 
would be if someone using that IP connected to their VPN and then forwarded 
packets to them.  Unless they can provide more proof (perhaps with 
explanations of where they think the traffic is coming from, rather than a 
pile of oblique logs from a network and host you have no more information 
about) there's not much you can do.

A "more information is required" situation.  Also, I'd assume it's not 
"hacking" - it feels more like some sort of misconfiguration to me.

Btw, is this other company on the same network, or do they share network 
hardware?  What connections do you have to this company?  Could it be 
something as simple as a patch lead connecting two hubs together?

t

> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
>
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
>
> Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)

-- 
PGP key : http://n12turbo.com/tarragon/public.key


