RE: [Leaf-user] Hits on port 53.
> Has anybody out there seen the following, hits on port 53?

Yep, this is a well-known problem (see archives, when they work...). Change ipfilter_firewall_cfg in ipfilter.conf with these extra lines (# New Port 53 filter start/end):

ipfilter_firewall_cfg () {
    local ADDR
    local DEST
    local NET
    local SERVICE
    #
    # set default policies
    #
    # ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
    # you turn off the filters, the box will become opaque to any traffic!
    #
    ipfilter_policy DENY

    # Clear any garbage rules out of the filters
    ipfilter_flush

    # New Port 53 filter start
    # One DENY rule per address listed in /etc/dns_floods (whitespace-separated):
    # TCP from that host to our external address, port 53, arriving on the external interface.
    IP_LIST=`cat /etc/dns_floods`
    for IP in $IP_LIST; do
        $IPCH -I input -j DENY -p tcp -s $IP/32 -d $EXTERN_IP/32 53 -i $EXTERN_IF
    done
    unset IP
    # New Port 53 filter end

    # Set up Fair Queueing classifier lists
    ipfilter_fairq

    #
    # Set up port forwards for internal services
    #
    snip etc.

Now create a dns_floods file in your /etc directory with all of the hosts you receive port 53 spewage from. Here's my current list:

128.121.10.90
128.242.105.34
129.250.244.10
194.205.125.26
194.213.64.150
202.139.133.129
203.194.166.182
203.208.128.70
207.55.138.206
207.68.131.17
212.78.160.237
216.220.39.42
216.33.35.214
216.34.68.2
216.35.167.58
62.23.80.2
62.26.119.34
64.14.200.154
64.37.200.46
64.56.174.186
64.78.235.14

Now do:

    svi network ipfilter flush
    svi network ipfilter reload

Make sure you back up your changes (/etc).

Paul Rimmer, Calgary, Alberta, Canada

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Is this typical of what fills everybody's logs? -was- Re: [Leaf-user] Hits on port 53.
--- Kevin Kropf [EMAIL PROTECTED] wrote:

> Has anybody out there seen the following, hits on port 53? Sample:
>
> Dec 1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 216.34.68.2:15209 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=248 (#44)

No, but in a very cursory look through my recent logs I have noticed one instance of about 100 packets from one address denied in a 30 sec period. I'm guessing it's a scan through my /27 block for some service on port 27374, sample:

Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2023 216.136.89.104:27374 L=48 S=0x00 I=45589 F=0x4000 T=109 SYN (#25)
Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2024 216.136.89.105:27374 L=48 S=0x00 I=46869 F=0x4000 T=111 SYN (#25)

Most of the time, however, my logs show a stream of denials occurring at a round-the-clock average rate of roughly 3 per minute (occasionally a period of a few minutes with nothing) of packets from various IP addresses denied mostly by the 'forward' rule to primarily ports 80 and 21, and occasionally ports 111, 113, 137 and others I'm sure, directed to various IPs of my /27 block defined in my DMZ, but on which most have no services running. Would someone care to tell me what some of these are? And is this fairly typical of what goes on out there?

I know I should be concerned enough to learn how to identify whether any of this is any form of attack, or whether it is port scanning that may be hampering our network usage. In the meantime, does anyone care to look through the following and let me know if you see anything of concern?

My network is 216.136.89.96/27; ISP router, my network's gateway: .97; Dachstein eth0: .101; eth2 DMZ: .102

Thanks.

Samples from today:

Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)
Dec 2 10:09:03 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=25139 F=0x4000 T=116 SYN (#25)
Dec 2 10:10:42 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=64214 F=0x4000 T=115 SYN (#25)
Dec 2 10:10:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=65482 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:11 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1512 216.136.89.114:80 L=48 S=0x00 I=12453 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:14 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1512 216.136.89.114:80 L=48 S=0x00 I=13254 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:36 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4181 216.136.89.118:80 L=44 S=0x00 I=10711 F=0x4000 T=120 SYN (#25)
Dec 2 10:11:39 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4181 216.136.89.118:80 L=44 S=0x00 I=35036 F=0x4000 T=121 SYN (#25)
Dec 2 10:11:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4595 216.136.89.124:80 L=44 S=0x00 I=9191 F=0x4000 T=121 SYN (#25)
Dec 2 10:11:48 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4595 216.136.89.124:80 L=44 S=0x00 I=31725 F=0x4000 T=121 SYN (#25)
Dec 2 10:13:27 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1832 216.136.89.122:80 L=48 S=0x00 I=1362 F=0x4000 T=115 SYN (#25)
Dec 2 10:13:30 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1832 216.136.89.122:80 L=48 S=0x00 I=2563 F=0x4000 T=116 SYN (#25)
Dec 2 10:16:15 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.55.133.33:4520 216.136.89.112:80 L=48 S=0x00 I=21015 F=0x4000 T=108 SYN (#25)
Dec 2 10:16:32 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4645 216.136.89.100:80 L=44 S=0x00 I=3569 F=0x4000 T=120 SYN (#25)
Dec 2 10:16:35 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4645 216.136.89.100:80 L=44 S=0x00 I=59894 F=0x4000 T=121 SYN (#25)
Dec 2 12:56:42 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1188 216.136.89.118:80 L=48 S=0x00 I=17741 F=0x4000 T=115 SYN (#25)
Dec 2 12:56:45
Re: Is this typical of what fills everybody's logs? -was- Re: [Leaf-user] Hits on port 53.
Leaf Leaf wrote:

> No, but in a very cursory look through my recent logs I have noticed one instance of about 100 packets from one address denied in a 30 sec period. I'm guessing it's a scan through my /27 block for some service on port 27374, sample:
>
> Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
> Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2023 216.136.89.104:27374 L=48 S=0x00 I=45589 F=0x4000 T=109 SYN (#25)
> Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2024 216.136.89.105:27374 L=48 S=0x00 I=46869 F=0x4000 T=111 SYN (#25)
>
> Most of the time, however, my logs show a stream of denials occurring at a round-the-clock average rate of roughly 3 per minute (occasionally a period of a few minutes with nothing) of packets from various IP addresses denied mostly by the 'forward' rule to primarily ports 80 and 21, and occasionally ports 111, 113, 137 and others I'm sure, directed to various IPs of my /27 block defined in my DMZ, but on which most have no services running. Would someone care to tell me what some of these are? And is this fairly typical of what goes on out there?

Take a look at: http://www.dshield.org/topports.html and it all makes some sense. Look at the sequence of the ports originating from the one who is probing, 2017, 2018, 2019, etc.

No use in trying to locate who, what is doing this, they're usually cracked boxes, anyway.

> I know I should be concerned enough to learn how to identify whether any of this is any form of attack, or whether it is port scanning that may be hampering our network usage. In the meantime, does anyone care to look through the following and let me know if you see anything of concern?
>
> My network is 216.136.89.96/27; ISP router, my network's gateway: .97; Dachstein eth0: .101; eth2 DMZ: .102
>
> Thanks.
>
> Samples from today:
>
> Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)

Nimda is a real pain...

-- 
Patrick Benson
Stockholm, Sweden
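As an added example, not code from this thread or from the LEAF/Dachstein project: a small Python script that does by hand what the replies above do by eye. It parses the ipchains "Packet log:" lines quoted in the thread, collapses the SYN retransmit pairs (same source port, same destination, a few seconds apart) into one connection attempt, and flags a source as a sweep when it hits several hosts on one destination port with climbing source ports, which is the 2017, 2018, 2019 pattern Patrick points at. It also lists the port-53 offenders one per line, the form Paul's /etc/dns_floods file takes. The sample log is copied from the lines in this thread; the thresholds (a 10 s retransmit window, 3 hosts for a sweep, 1 hit for the port-53 list) are my assumptions and should be raised for real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# ipchains "Packet log:" format as logged by a Linux 2.2 kernel (Dachstein/LEAF).
# Note F=0x may be followed by nothing at all, as in the port-53 line in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]*) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]*) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)\s*$"
)

# Constructed sample: lines copied from this thread (syslog logs no year; deltas only).
SAMPLE_LOG = """\
Dec 1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 216.34.68.2:15209 24.80.151.202:53 L=44 S=0x00 I=0 F=0x T=248 (#44)
Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)
Dec 2 10:09:03 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=25139 F=0x4000 T=116 SYN (#25)
Dec 2 10:10:42 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=64214 F=0x4000 T=115 SYN (#25)
Dec 2 10:10:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=65482 F=0x4000 T=116 SYN (#25)
"""


def parse_line(line):
    """One log line -> dict of fields, or None if it is not an ipchains packet log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
    for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        ev[k] = int(ev[k])
    ev["flags"] = ev["flags"].split()  # e.g. ["SYN"], or [] when none logged
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def collapse_retransmits(events, window=10):
    """Merge packets with the same (src, sport, dst, dport) within `window` seconds.
    A client whose SYN is silently dropped retransmits it a few seconds later, so the
    paired lines in the thread (3 s apart, same source port) are one attempt, not two."""
    attempts, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        i = last.get(key)
        if i is not None and (ev["time"] - attempts[i]["time"]).total_seconds() <= window:
            attempts[i]["retries"] += 1
            continue
        attempts.append(dict(ev, retries=0))
        last[key] = len(attempts) - 1
    return attempts


def classify_sources(attempts, sweep_min_hosts=3):
    """Per source: 'sweep' (one port, several hosts), 'repeated', or 'single'.
    Also reports whether the source ports climb monotonically, the mark of a
    sequential scanner walking a block (assumed threshold: sweep_min_hosts)."""
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a["src"]].append(a)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        hosts_per_port = defaultdict(set)
        for e in evs:
            hosts_per_port[e["dport"]].add(e["dst"])
        sports = [e["sport"] for e in evs]
        sweeps = {p: sorted(h) for p, h in hosts_per_port.items() if len(h) >= sweep_min_hosts}
        kind = "sweep" if sweeps else ("repeated" if len(evs) > 1 else "single")
        report[src] = {
            "kind": kind,
            "attempts": len(evs),
            "ports": sorted(hosts_per_port),
            "hosts": sorted({e["dst"] for e in evs}),
            "ascending_sports": all(b > a for a, b in zip(sports, sports[1:])),
            "span_s": (evs[-1]["time"] - evs[0]["time"]).total_seconds(),
            "sweeps": sweeps,
        }
    return report


def dns_floods_candidates(events, dport=53, min_hits=1):
    """Sources with >= min_hits denied packets to `dport`, sorted, one per entry:
    the format of the /etc/dns_floods file read by the ipfilter.conf loop above."""
    hits = defaultdict(int)
    for e in events:
        if e["dport"] == dport:
            hits[e["src"]] += 1
    return sorted(s for s, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, r in classify_sources(collapse_retransmits(events)).items():
        print(f"{src:16} {r['kind']:8} attempts={r['attempts']} ports={r['ports']} "
              f"hosts={len(r['hosts'])} span={r['span_s']:.0f}s "
              f"ascending_sports={r['ascending_sports']}")
    print("dns_floods:", *dns_floods_candidates(events))
```

Run it on a real Dachstein log with `parse_log(open("/var/log/messages").read())`; the only thing worth blocking from the output is a source that keeps coming back, which is why the thread's blocklist is built by hand from repeat offenders rather than from single hits.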