[newbie] kernel audit messages and weird httpd access_log entries
Hello all, I just set up a new LM8.1 machine to act as an internet connection masquerader for a small LAN along with a web server. This was on Saturday morning. When I went by to check on it on Monday morning I noticed several unusual entries in /var/log/messages and /var/log/httpd/access_log.

The messages file entries are like the following, and there were a ton of them; I just included a few as samples:

Jan 12 17:16:08 router kernel: auditIN=ppp0 OUT= MAC= SRC=209.58.110.227 DST=204.116.24.143 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=64210 PROTO=TCP SPT=21 DPT=21 WINDOW=40 RES=0x00 SYN URGP=0
Jan 12 17:21:20 router kernel: auditIN=ppp0 OUT= MAC= SRC=212.194.119.109 DST=204.116.24.143 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37628 DF PROTO=TCP SPT=1647 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 16:04:26 router kernel: auditIN=ppp0 OUT= MAC= SRC=203.69.167.151 DST=204.116.24.143 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=21029 DF PROTO=TCP SPT=4289 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0

In /var/log/httpd/access_log I found several entries like the following; again, just a sample has been included:

148.246.25.158 - - [12/Jan/2002:22:19:02 -0500] GET /default.ida?%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0 400 347 - -
141.238.17.66 - - [13/Jan/2002:11:25:35 -0500] GET /default.ida?N NN NN N%u9090%u6858%ucbd3%u7801%u909 u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00% 31b%u53ff%u0078%u%u00=a HTTP/1.0 400 347 - -
66.82.52.10 - - [13/Jan/2002:16:03:32 -0500] GET /default.ida?NNN NN NN NNN%u9090%u6858%ucbd3%u7801%u9090% 858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0 400 347 - -

Does anyone have any idea what these entries represent? I know the entries from access_log are GET requests, but is someone attempting to break into the system via the web server with them?

Thanks,
Ian K. Harrell [EMAIL PROTECTED]

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
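As an added example (this code is not from the post or the mailing list), here is a small triage script for the two log formats quoted above: it splits the Bastille/netfilter "audit" lines into fields and counts the unsolicited SYNs that arrived on ppp0 per destination port, and it flags access_log requests aimed at /default.ida, the IIS .ida handler that the Code Red worm probes for; Apache has no such handler, and the 400 status in the post's lines shows each request was rejected. The audit sample lines are the post's own; the access_log sample is constructed in standard common log format with the worm's query string abbreviated.

```python
import re
from collections import Counter

# Sample input: the three netfilter "audit" lines quoted in the post, verbatim.
MESSAGES = """\
Jan 12 17:16:08 router kernel: auditIN=ppp0 OUT= MAC= SRC=209.58.110.227 DST=204.116.24.143 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=64210 PROTO=TCP SPT=21 DPT=21 WINDOW=40 RES=0x00 SYN URGP=0
Jan 12 17:21:20 router kernel: auditIN=ppp0 OUT= MAC= SRC=212.194.119.109 DST=204.116.24.143 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37628 DF PROTO=TCP SPT=1647 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 16:04:26 router kernel: auditIN=ppp0 OUT= MAC= SRC=203.69.167.151 DST=204.116.24.143 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=21029 DF PROTO=TCP SPT=4289 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
"""

# Constructed access_log sample (Apache common log format). The two default.ida
# requests keep only the start of the query string quoted in the post.
ACCESS_LOG = """\
148.246.25.158 - - [12/Jan/2002:22:19:02 -0500] "GET /default.ida?%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 347
192.0.2.10 - - [13/Jan/2002:09:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234
66.82.52.10 - - [13/Jan/2002:16:03:32 -0500] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 347
"""

AUDIT_FIELD = re.compile(r"([A-Z]+)=(\S*)")
AUDIT_FLAGS = ("SYN", "ACK", "FIN", "RST", "DF")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_audit(line):
    """Turn one kernel audit line into a dict of KEY=VALUE fields.
    The log prefix 'audit' is glued to 'IN=', so fields are picked out with
    a regex instead of a whitespace split; bare words such as SYN and DF
    are collected under 'flags'."""
    _, _, payload = line.partition("kernel: ")
    fields = dict(AUDIT_FIELD.findall(payload))
    fields["flags"] = {tok for tok in payload.split() if tok in AUDIT_FLAGS}
    return fields


def syn_probes_by_port(log_text, iface="ppp0"):
    """Count SYNs that arrived on the public interface, keyed by destination
    port: a quick picture of which services are being knocked on."""
    counts = Counter()
    for line in log_text.splitlines():
        if "kernel: audit" not in line:
            continue
        f = parse_audit(line)
        if f.get("IN") == iface and f.get("PROTO") == "TCP" and "SYN" in f["flags"]:
            counts[f["DPT"]] += 1
    return counts


def ida_requests(log_text):
    """Return (client, status) for every request whose path is /default.ida,
    so the worm hits can be separated from ordinary traffic."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(4).startswith("/default.ida"):
            hits.append((m.group(1), int(m.group(5))))
    return hits


if __name__ == "__main__":
    print(dict(syn_probes_by_port(MESSAGES)))
    print(ida_requests(ACCESS_LOG))
```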
Re: [Re: [Re: [newbie] cant connect to apache, ssh, ftp or telnet from network]]
First of all, thanks a ton for all the suggestions, but I still cannot connect to apache, telnet, ftp or ssh. Heck, I can't even ping the LM8.1 computer from another machine, either over the internet (ppp0) or over the LAN (eth0), but internet masquerading works just fine. All the appropriate services are up and running; nothing can connect to them, though, unless I flush the iptables firewall rules and set all the policy defaults to allow. There are no entries at all in hosts.allow or hosts.deny, and the services I want to allow connections to are all listed in the bastille-firewall.cfg file in the correct places. Everything can be connected to from the localhost as well, just not over the internet (for 21, 22, and 80) or over the ethernet (for 21, 22, 23, and 80).

Anyone have any more suggestions?

Ian K. Harrell [EMAIL PROTECTED]

Grant Fraser [EMAIL PROTECTED] wrote:
> One more thing. Is ssh running? Try opening a console and log in as root. Type "service sshd start" and see if sshd is part of your boot up process.
>
> On Monday 24 December 2001 15:19, you wrote:
> > Try this: In your bastille-firewall.cfg file add ssh to your INTERNAL_INTERFACES= part. Just keep re-reading the notes until you think you got it. In order to enable ssh and port 22 to be seen on the internet I added 22+ ssh+ to the trusted interfaces. There is a whole QA section at the bottom as well.
> >
> > TRUSTED_IFACES=lo
> > PUBLIC_IFACES=eth+ ppp+ slip+
> > INTERNAL_IFACES=eth0+ ssh+
> >
> > On Monday 24 December 2001 06:15, you wrote:
> > > Some further information on this problem. There are no entries in either the /etc/hosts.deny or hosts.allow files, so this isn't causing the problem. I can perform an iptables -F and then set all the default policies back to accept and everything works fine. Of course this leaves me with no firewall too. So it looks like it is some firewalling rule that is causing the problem. I attached a copy of my bastille-firewall.cfg file to see if anyone sees a problem with it. I don't see anything in there that could be causing this.
> > >
> > > Thanks,
> > > Ian K. Harrell [EMAIL PROTECTED]
> > >
> > > Dragon . [EMAIL PROTECTED] wrote:
> > > > Try this, I couldn't connect with SSH from anywhere and I swore up and down that Bastille was set up correctly. Look in the hosts.deny file. I found an entry with ALL:ALL... I deleted that line and everything worked fine. I could still browse to FTP and HTTP when the line was there but I couldn't connect via SSH. It's another place to look.
> > > >
> > > > From: Ian K.Harrell [EMAIL PROTECTED]
> > > > Reply-To: [EMAIL PROTECTED]
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [newbie] cant connect to apache, ssh, ftp or telnet from network
> > > > Date: 21 Dec 2001 09:42:11 EST
> > > >
> > > > > Hi all, I installed 8.1 the other day (3 disc set from cheapbytes). Then I used Interactive Bastille to configure firewalling, internet masquerading and basic system security. The problem is that while I can connect to the machine locally (http://localhost), no one can connect to it over the LAN with either telnet, ssh, ftp or http. These servers are running and I told Bastille to leave these ports open to the internal network. On the public network I left ssh and 80 open so I could connect in over the web from home and so we could host a small company web site. Still no one can connect to them from the internet, BUT I went to www.grc.com and ran the port probe and it showed the ports as being open. This makes me wonder if it is a firewall rule that Bastille put in there, or is there something else going on? Right now the only thing that is working over the LAN is internet masquerading. Any ideas?
> > > > >
> > > > > Ian K. Harrell [EMAIL PROTECTED]
Re: [Re: [newbie] cant connect to apache, ssh, ftp or telnet from network]
Some further information on this problem. There are no entries in either the /etc/hosts.deny or hosts.allow files, so this isn't causing the problem. I can perform an iptables -F and then set all the default policies back to accept and everything works fine. Of course this leaves me with no firewall too. So it looks like it is some firewalling rule that is causing the problem. I attached a copy of my bastille-firewall.cfg file to see if anyone sees a problem with it. I don't see anything in there that could be causing this.

Thanks,
Ian K. Harrell [EMAIL PROTECTED]

Dragon . [EMAIL PROTECTED] wrote:
> Try this, I couldn't connect with SSH from anywhere and I swore up and down that Bastille was set up correctly. Look in the hosts.deny file. I found an entry with ALL:ALL... I deleted that line and everything worked fine. I could still browse to FTP and HTTP when the line was there but I couldn't connect via SSH. It's another place to look.
>
> From: Ian K.Harrell [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [newbie] cant connect to apache, ssh, ftp or telnet from network
> Date: 21 Dec 2001 09:42:11 EST
>
> > Hi all, I installed 8.1 the other day (3 disc set from cheapbytes). Then I used Interactive Bastille to configure firewalling, internet masquerading and basic system security. The problem is that while I can connect to the machine locally (http://localhost), no one can connect to it over the LAN with either telnet, ssh, ftp or http. These servers are running and I told Bastille to leave these ports open to the internal network. On the public network I left ssh and 80 open so I could connect in over the web from home and so we could host a small company web site. Still no one can connect to them from the internet, BUT I went to www.grc.com and ran the port probe and it showed the ports as being open. This makes me wonder if it is a firewall rule that Bastille put in there, or is there something else going on? Right now the only thing that is working over the LAN is internet masquerading. Any ideas?
> >
> > Ian K. Harrell [EMAIL PROTECTED]

#
# /etc/bastille-firewall.cfg
#
# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
#
# version 0.99-beta1
# Copyright (C) 1999-2001 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions

# the configuration values should be whitespace-delimited lists of
# appropriate values, e.g.
#   TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more output restrictions for serious servers

# 0) DNS servers. You must list your DNS servers here so that
#    the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow domain responses from
# This _could_ be nameservers as a list of ip-address/32 entries
#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
# If you are running a caching nameserver, you'll need to allow from
# 0.0.0.0/0 so named can query any arbitrary nameserver
# (To enable a caching nameserver, you will also probably need to
#  add "domain" to the TCP and UDP public service lists.)
#DNS_SERVERS="0.0.0.0/0"
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
# Please make sure variable assignments are on single lines; do NOT
# use the \ continuation character (so Bastille can change the
# values if it is run more than once)
DNS_SERVERS="0.0.0.0/0"

# 1) define your interfaces
# Note a "+" acts as a wildcard, e.g. "ppp+" would match any PPP
# interface
#
# list internal/trusted interfaces
# traffic from these interfaces will be allowed
# through the firewall, no restrictions
#TRUSTED_IFACES="lo"                # MINIMAL/SAFEST
#
# list external/untrusted interfaces
#PUBLIC_IFACES="eth+ ppp+ slip+"    # SAFEST
#
# list internal/partially-trusted interfaces
# e.g. if this acts as a NAT/IP
[newbie] cant connect to apache, ssh, ftp or telnet from network
Hi all, I installed 8.1 the other day (3 disc set from cheapbytes). Then I used Interactive Bastille to configure firewalling, internet masquerading and basic system security. The problem is that while I can connect to the machine locally (http://localhost), no one can connect to it over the LAN with either telnet, ssh, ftp or http. These servers are running and I told Bastille to leave these ports open to the internal network. On the public network I left ssh and 80 open so I could connect in over the web from home and so we could host a small company web site. Still no one can connect to them from the internet, BUT I went to www.grc.com and ran the port probe and it showed the ports as being open. This makes me wonder if it is a firewall rule that Bastille put in there, or is there something else going on? Right now the only thing that is working over the LAN is internet masquerading.

Any ideas?

Ian K. Harrell [EMAIL PROTECTED]
[newbie] users controlling ppp dialup scripts
Greetings, I need to know how to configure my ppp dialup scripts so that a regular user can control internet access. I tried using netconf to set up the dial up network scripts and it breaks them. Also, this is for a console only machine, so kppp won't work. All suggestions appreciated!

Thanks,
Ian K. Harrell [EMAIL PROTECTED]
Re: [[newbie] problem with netconfig for ppp on LM8.0]
In a follow up to this problem... Formatted and started all over again and am still running into the same problem, except it is even worse now. If I use netconf to do anything with the ppp0 scripts, pppd begins to fail with error #17. (Thank god again for backups!) Also, any pppX scripts that I make with netconf fail with the same error message. Right now the only ppp dial up script that can be used is the one I generate during installation, and if I use netconf to make any changes to it, it begins to fail and keeps failing even when I go back in netconf and undo the changes I made. The only way I can get the ppp0 script to work after using netconf is to restore the backup I made of the network scripts directory.

Am I missing some part of netconf or a library or something? I installed from a CD I burned after downloading the ISO image right after 8.0 came out, and I know that the burner didn't burn it correctly; could it have messed up burning something else? If so, what? Or am I going about this all wrong and should not be using netconf to generate ppp dial up scripts?

On an aside, netconf seems to work flawlessly when configuring LAN NICs. On another aside, I found an answer to the automount question I had.

Thanks again,
Ian K. Harrell [EMAIL PROTECTED]

Ian K.Harrell [EMAIL PROTECTED] wrote:
> Greetings, I installed LM8.0 on a computer at work and ran into a problem. During installation I configured a dialup (ppp0) account to our ISP using a 3com external modem on ttyS0. After rebooting and loading into linux for the first time I made sure that the dialup account worked by logging in as root and running /sbin/ifup ppp0. This part went fine. I made a few backups (thank god!) and went into netconf to change ppp0 so that it could be controlled by any user.
>
> This was the only change made, and netconf did not report any errors, but now when anyone, root or a regular user, tries to run /sbin/ifup ppp0 the pppd daemon exits with either error #6, unable to lock the serial port, error #8, connection script failed, or error #17, which is serial loopback detection. The most common is error #17. The other 2 show up about 1 time in 10. After trying /sbin/ifup ppp0 about 100 times and double checking everything over and over again, I finally gave up for the day and went back into netconf and changed it so that regular users could not control the device. Then I went back and tried /sbin/ifup ppp0 and it started exiting with the same errors. Being totally frustrated, I restored the backup I had made of /etc and then tried /sbin/ifup ppp0. It worked flawlessly.
>
> I then went home and ate turkey, mashed potatoes with gravy and washed it all down with a few cold ones while watching football. Man, what a way to alleviate stress. :) Came back in this morning and performed a format and complete reinstall, only to run through the same problems all over again. Anyone have any ideas on what is wrong and how to fix it?
>
> On another note, I was considering installing LM8.1 but had read somewhere on this list previously that Mandrake had broken the automount. Is there a patch out yet that corrects this?
>
> Thanks in advance,
> Ian K. Harrell [EMAIL PROTECTED]
[newbie] problem with netconfig for ppp on LM8.0
Greetings, I installed LM8.0 on a computer at work and ran into a problem. During installation I configured a dialup (ppp0) account to our ISP using a 3com external modem on ttyS0. After rebooting and loading into linux for the first time I made sure that the dialup account worked by logging in as root and running /sbin/ifup ppp0. This part went fine. I made a few backups (thank god!) and went into netconf to change ppp0 so that it could be controlled by any user.

This was the only change made, and netconf did not report any errors, but now when anyone, root or a regular user, tries to run /sbin/ifup ppp0 the pppd daemon exits with either error #6, unable to lock the serial port, error #8, connection script failed, or error #17, which is serial loopback detection. The most common is error #17. The other 2 show up about 1 time in 10. After trying /sbin/ifup ppp0 about 100 times and double checking everything over and over again, I finally gave up for the day and went back into netconf and changed it so that regular users could not control the device. Then I went back and tried /sbin/ifup ppp0 and it started exiting with the same errors. Being totally frustrated, I restored the backup I had made of /etc and then tried /sbin/ifup ppp0. It worked flawlessly.

I then went home and ate turkey, mashed potatoes with gravy and washed it all down with a few cold ones while watching football. Man, what a way to alleviate stress. :) Came back in this morning and performed a format and complete reinstall, only to run through the same problems all over again. Anyone have any ideas on what is wrong and how to fix it?

On another note, I was considering installing LM8.1 but had read somewhere on this list previously that Mandrake had broken the automount. Is there a patch out yet that corrects this?

Thanks in advance,
Ian K. Harrell [EMAIL PROTECTED]
[newbie] help with diald and/or alternatives
I have a small LAN set up currently (5 computers, 4 running Windows 98 and 1 running Mandrake 7.1), and I have been trying to set them all up to use some form of on demand dialing to my local ISP. All the computers talk to each other and everything with the local LAN works fine (so far). I run into problems when I try to use diald to perform the on demand dialing, though. Currently I can log in from any of the computers and use '/sbin/ifup ppp0' to start my ppp link to my ISP, and then everything works fine with masquerading, etc. I cannot get diald set up to detect when one of the computers calls for a connection to the ISP, though. I know there is something with diald that requires it to be set up with a series of ipchains so that the computers are not masq'd to begin with, so diald can get the message that it needs to call the ISP and then it starts the ipchains rules for masq'ing. I haven't gotten this part figured out and would greatly appreciate it if anyone could offer any advice on this.

One other thing that I am having some problems with is the usage of pppd in the examples I have managed to find for setting up diald so far. I have yet to be able to get pppd to connect to my ISP and have always used the '/sbin/ifup ppp0' line I mentioned above with no problems. I am sure this is something that I am probably overlooking but have no idea what exactly it is. If anyone knows of an alternative for diald that is easier to set up and use, or can give me some fairly simple instructions for setting up diald, I would greatly appreciate hearing it.

Thanks in advance,
Ian K. Harrell [EMAIL PROTECTED]