RE: [Leaf-user] Hits on port 53.

2001-12-02 Thread Paul Rimmer

> Has anybody out there seen the following, hits on port 53?

Yep, this is a well known problem (see archives, when they work...).  Change
ipfilter_firewall_cfg in ipfilter.conf with these extra lines (#New Port 53
filter start/end):

ipfilter_firewall_cfg () {
local ADDR
local DEST
local NET
local SERVICE

#
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING!  If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY

# Clear any garbage rules out of the filters
ipfilter_flush

# New Port 53 filter start
# One DENY rule per address listed in /etc/dns_floods, inserted at the head
# of the input chain so it is matched first.  $IPCH, $EXTERN_IP and
# $EXTERN_IF are defined elsewhere in the LEAF config; the ipchains command
# must stay on a single line.
IP_LIST=`cat /etc/dns_floods`
for IP in $IP_LIST; do
    $IPCH -I input -j DENY -p tcp -s $IP/32 -d $EXTERN_IP/32 53 -i $EXTERN_IF
done; unset IP
# New Port 53 filter end

# Set up Fair Queueing classifier lists
ipfilter_fairq

#
# Set up port forwards for internal services
#
snip etc.

Now create a dns_floods file in your /etc directory with all of the hosts
you receive port 53 spewage from.  Here's my current list:


Now do:
svi network ipfilter flush
svi network ipfilter reload

Make sure you back up your changes (/etc).

Paul Rimmer,
Calgary, Alberta, Canada


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Is this typical of what fills everybody's logs? -was- Re: [Leaf-user] Hits on port 53.

2001-12-02 Thread Leaf Leaf

--- Kevin Kropf [EMAIL PROTECTED] wrote:
 
> Has anybody out there seen the following, hits on port 53?
>
> Sample:
> Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 216.34.68.2:15209 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=248 (#44)

No, but in a very cursory look through my recent logs
I have noticed one instance of about 100 packets from
one address denied in a 30 sec period. I'm guessing
it's a scan through my /27 block for some service on
port 27374, sample:

Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2023 216.136.89.104:27374 L=48 S=0x00 I=45589 F=0x4000 T=109 SYN (#25)
Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2024 216.136.89.105:27374 L=48 S=0x00 I=46869 F=0x4000 T=111 SYN (#25)

Most of the time however, my logs show a stream of
denials occurring at a round-the-clock average rate of
roughly 3 per minute (occasionally a period of a few
minutes with nothing) of packets from various IP
addresses denied mostly by the 'forward' rule to
primarily ports 80 and 21, and occasionally ports 111,
113, 137 and others I'm sure, directed to various IPs
of my /27 block defined in my DMZ, but on which most
have no services running.

Would someone care to tell me what some of these are? 
And is this fairly typical of what goes on out there?

I know I should be concerned enough to learn how to
identify whether any of this is any form of attack, or
whether it is port scanning that may be hampering our
network usage.  In the meantime, does anyone care to
look through the following and let me know if you see
anything of concern?

My network is 216.136.89.96/27, ISP router, my
network's gateway: .97, Dachstein eth0: .101, eth2 DMZ:
.102

Thanks.


Samples from today:

Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)
Dec 2 10:09:03 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=25139 F=0x4000 T=116 SYN (#25)
Dec 2 10:10:42 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=64214 F=0x4000 T=115 SYN (#25)
Dec 2 10:10:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=65482 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:11 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1512 216.136.89.114:80 L=48 S=0x00 I=12453 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:14 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1512 216.136.89.114:80 L=48 S=0x00 I=13254 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:36 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4181 216.136.89.118:80 L=44 S=0x00 I=10711 F=0x4000 T=120 SYN (#25)
Dec 2 10:11:39 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4181 216.136.89.118:80 L=44 S=0x00 I=35036 F=0x4000 T=121 SYN (#25)
Dec 2 10:11:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4595 216.136.89.124:80 L=44 S=0x00 I=9191 F=0x4000 T=121 SYN (#25)
Dec 2 10:11:48 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4595 216.136.89.124:80 L=44 S=0x00 I=31725 F=0x4000 T=121 SYN (#25)
Dec 2 10:13:27 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1832 216.136.89.122:80 L=48 S=0x00 I=1362 F=0x4000 T=115 SYN (#25)
Dec 2 10:13:30 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1832 216.136.89.122:80 L=48 S=0x00 I=2563 F=0x4000 T=116 SYN (#25)
Dec 2 10:16:15 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.55.133.33:4520 216.136.89.112:80 L=48 S=0x00 I=21015 F=0x4000 T=108 SYN (#25)
Dec 2 10:16:32 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4645 216.136.89.100:80 L=44 S=0x00 I=3569 F=0x4000 T=120 SYN (#25)
Dec 2 10:16:35 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4645 216.136.89.100:80 L=44 S=0x00 I=59894 F=0x4000 T=121 SYN (#25)

Dec 2 12:56:42 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1188 216.136.89.118:80 L=48 S=0x00 I=17741 F=0x4000 T=115 SYN (#25)
Dec 2 12:56:45 

Re: Is this typical of what fills everybody's logs? -was- Re: [Leaf-user] Hits on port 53.

2001-12-02 Thread Patrick Benson

Leaf Leaf wrote:

> No, but in a very cursory look through my recent logs
> I have noticed one instance of about 100 packets from
> one address denied in a 30 sec period. I'm guessing
> it's a scan through my /27 block for some service on
> port 27374, sample:
>
> Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2023 216.136.89.104:27374 L=48 S=0x00 I=45589 F=0x4000 T=109 SYN (#25)
> Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2024 216.136.89.105:27374 L=48 S=0x00 I=46869 F=0x4000 T=111 SYN (#25)
>
> Most of the time however, my logs show a stream of
> denials occurring at a round-the-clock average rate of
> roughly 3 per minute (occasionally a period of a few
> minutes with nothing) of packets from various IP
> addresses denied mostly by the 'forward' rule to
> primarily ports 80 and 21, and occasionally ports 111,
> 113, 137 and others I'm sure, directed to various IPs
> of my /27 block defined in my DMZ, but on which most
> have no services running.
>
> Would someone care to tell me what some of these are?
> And is this fairly typical of what goes on out there?

Take a look at:  http://www.dshield.org/topports.html

and it all makes some sense. Look at the sequence of the ports
originating from the one who is probing, 2017, 2018, 2019, etc. No use
in trying to locate who, what is doing this, they're usually cracked
boxes, anyway.

> I know I should be concerned enough to learn how to
> identify whether any of this is any form of attack, or
> whether it is port scanning that may be hampering our
> network usage.  In the meantime, does anyone care to
> look through the following and let me know if you see
> anything of concern?
>
> My network is 216.136.89.96/27, ISP router, my
> network's gateway: .97, Dachstein eth0: .101, eth2 DMZ:
> .102
>
> Thanks.
>
> Samples from today:
>
> Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)

Nimda is a real pain...


-- 
Patrick Benson
Stockholm, Sweden
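A small log-analysis script for the ipchains "Packet log:" lines quoted throughout this thread, added here as an example (it is not code from the list or from the LEAF project). It flags the two patterns the thread discusses: a burst of denied packets to one port from many sources within a few seconds (the port-53 hits) and one source walking a port across several hosts with its source port climbing packet by packet (the 27374 sweep whose 2017, 2018, 2019 sequence Patrick points at). The sample lines, hostnames and addresses are constructed, and the year 2001 is assumed because syslog stamps carry none.

```python
import re
from datetime import datetime
from itertools import groupby

# Field layout of the ipchains "Packet log:" lines quoted in this thread.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \w+ \w+ \S+ "
                    r"PROTO=\d+ (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_line(line):
    """(time, src, sport, dst, dport) for a packet-log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if m:  # syslog stamps carry no year; 2001 is assumed here, matching the thread
        t = datetime.strptime("2001 " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
        return t, m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def by(records, key):  # groups of records sharing key(r), each group in time order
    return ((k, list(g)) for k, g in groupby(sorted(records, key=lambda r: (key(r), r[0])), key))

def port_bursts(records, window_s=5, threshold=3):
    """Ports hit >= threshold times by >= threshold sources inside window_s s (the port-53 burst)."""
    hits = {}
    for port, rs in by(records, lambda r: r[4]):
        srcs = sorted({r[1] for r in rs})
        if len(srcs) >= threshold and any((rs[i + threshold - 1][0] - rs[i][0]).total_seconds()
                                          <= window_s for i in range(len(rs) - threshold + 1)):
            hits[port] = srcs
    return hits

def horizontal_sweeps(records, min_targets=3):
    """{(src, dport): (hosts, source port climbs?)} for one source probing a port on several hosts."""
    sweeps = {}
    for key, rs in by(records, lambda r: (r[1], r[4])):
        targets = sorted({r[3] for r in rs})
        if len(targets) >= min_targets:
            sports = [r[2] for r in rs]
            sweeps[key] = (targets, all(b > a for a, b in zip(sports, sports[1:])))
    return sweeps

# Constructed sample lines in the thread's format (documentation addresses, not real hosts).
SAMPLE = """\
Dec  1 14:48:57 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:15209 192.0.2.10:53 L=44 S=0x00 I=0 F=0x T=248 (#44)
Dec  1 14:48:57 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.8:59888 192.0.2.10:53 L=44 S=0x00 I=0 F=0x T=244 (#44)
Dec  1 14:48:58 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:38500 192.0.2.10:53 L=44 S=0x00 I=0 F=0x T=246 (#44)
Nov 28 18:19:43 fw kernel: Packet log: forward DENY eth2 PROTO=6 203.0.113.5:2017 192.0.2.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:44 fw kernel: Packet log: forward DENY eth2 PROTO=6 203.0.113.5:2018 192.0.2.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:45 fw kernel: Packet log: forward DENY eth2 PROTO=6 203.0.113.5:2022 192.0.2.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
"""
def analyse(text=SAMPLE):
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return port_bursts(recs), horizontal_sweeps(recs)
```

Feed it a real /var/log/messages by calling analyse(open(path).read()); a single source is never reported as a port burst, so a sweep and a many-source flood show up separately.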




[Leaf-user] Hits on port 53.

2001-12-01 Thread Kevin Kropf


Has anybody out there seen the following, hits on port 53?  There are about
100 entries like this in a few seconds, then nothing.  This only happens now
and again, once or twice a week.  I am using EigerStein2BETA.exe.

Sample:
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 216.34.68.2:15209 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=248 (#44)
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 64.14.200.154:59888 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=244 (#44)
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 128.242.105.34:38500 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=246 (#44)
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:62137 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=245 (#44)
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 64.78.235.14:57670 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=245 (#44)
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:34818 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=245 (#44)
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 216.220.39.42:14956 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=247 (#44)
Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:19075 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=243 (#44)
Dec

