Re: [newbie] Shorewall - OK to accept ICMP type 8 from all?

2003-12-04 Thread Raffaele Belardi
According to google, port 17300 might be used by the W32.Weird (Kuang2) 
to scan for infected machines. That does not mean your machine is 
infected (it's a Windows trojan), but that others are searching for an 
infected machine to activate the trojan.

http://www.freelists.org/archives/techies-discuss/06-2003/msg0.html

http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=10213

Just to name two.

raffaele

[EMAIL PROTECTED] wrote:
On Thu, 04 Dec 2003 01:01, Raffaele Belardi wrote:
Thanks Raffaele.  Just checked the fwlog this morning after changing 
shorewall to allow pings last night and only being connected to the 
internet for one hour - and holy shite! MANY more hits than usual on ports 
80 and 17300.  Strange that so many hits on port 17300 all from different 
source IPs when I don't even know what that port is used for??? It's not 
listed in /etc/services and I haven't made any rules for that port myself.



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


[newbie] Shorewall - OK to accept ICMP type 8 from all?

2003-12-03 Thread Sharrea Day
Hi All

Can someone please tell me if accepting all ICMP type 8 packets from all 
(including internet) poses much of a security threat.  I previously only 
allowed these to/from my local network but I was getting a bit peeved at 
the number of entries in the logs/email which amount to hundreds of lines 
every day.

Any advice appreciated.

Sharrea
-- 
Help Microsoft stamp out piracy - give Linux to a friend today




Re: [newbie] Shorewall - OK to accept ICMP type 8 from all?

2003-12-03 Thread Raffaele Belardi
Better not if your machine has a public static IP address. ICMP type 8 
(ping) can be used to discover the IP address through ping 'storms', and 
then use it for attacks to higher level protocols. Also there is the 
ping of death attack that can crash your machine - although maybe newer 
TCP/IP implementations are immune.

I'm sure there is a way to request IPtables not to log the 
rejected/dropped ping packets, but I wouldn't be able to tell you OTOH. 
Maybe somebody else already knows.

raffaele

[EMAIL PROTECTED] wrote:
Hi All

Can someone please tell me if accepting all ICMP type 8 packets from all 
(including internet) poses much of a security threat.  I previously only 
allowed these to/from my local network but I was getting a bit peeved at 
the number of entries in the logs/email which amount to hundreds of lines 
every day.

Any advice appreciated.

Sharrea





Re: [newbie] Shorewall - OK to accept ICMP type 8 from all?

2003-12-03 Thread Derek Jennings
On Wednesday 03 Dec 2003 11:43 am, Sharrea Day wrote:
> Hi All
>
> Can someone please tell me if accepting all ICMP type 8 packets from all
> (including internet) poses much of a security threat.  I previously only
> allowed these to/from my local network but I was getting a bit peeved at
> the number of entries in the logs/email which amount to hundreds of lines
> every day.
>
> Any advice appreciated.
>
> Sharrea

If your machine responds to a ping then it may attract the attention of 
someone who will make a determined attempt to break in.
On the other hand there are gazillions of computers on the net that do respond 
to ping, so why should yours be any more likely to be attacked?

As regards being annoyed by the log entries you could try putting an entry in
/etc/shorewall/rules like :-

DROP    net    fw    icmp    8

That should drop pings silently, and will override the default action in 
shorewall/policy which is to drop and log.

I have not tested the above because I have just started using ulogd to put all 
my firewall hits into an SQL database (instead of syslog) which can then be 
interrogated by a neat application called Webfwlog.
If you want to see what it looks like go here
http://www.jennings.homelinux.net/webfwlog-0.81/webfwlog/webfwlog.php

Before anyone asks how to do it, I am preparing a write up.  It's a bit 
complicated.

derek



-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org




Re: [newbie] Shorewall - OK to accept ICMP type 8 from all?

2003-12-03 Thread Sharrea Day
On Thu, 04 Dec 2003 01:01, Raffaele Belardi wrote:
> Better not if your machine has a public static IP address. ICMP type 8
> (ping) can be used to discover the IP address through ping 'storms', and
> then use it for attacks to higher level protocols. Also there is the
> ping of death attack that can crash your machine - although maybe newer
> TCP/IP implementations are immune.

Thanks Raffaele.  Just checked the fwlog this morning after changing 
shorewall to allow pings last night and only being connected to the 
internet for one hour - and holy shite! MANY more hits than usual on ports 
80 and 17300.  Strange that so many hits on port 17300 all from different 
source IPs when I don't even know what that port is used for??? It's not 
listed in /etc/services and I haven't made any rules for that port myself.

> I'm sure there is a way to request IPtables not to log the
> rejected/dropped ping packets, but I wouldn't be able to tell you OTOH.
> Maybe somebody else already knows.

I'll try Derek's suggestion and see what happens.

Thanks again for your input.  I've been wondering about this for ages.

Sharrea
-- 
Help Microsoft stamp out piracy - give Linux to a friend today
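The "many hits from different source IPs" observation above is exactly what a quick tally of the firewall log answers. As an added example (not from the thread or from Shorewall itself), the Python below parses netfilter log lines in the Shorewall `chain:action:` format and reports, per dropped service, the hit count and the number of distinct sources; the sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Shorewall/netfilter log lines (documentation-range IPs).
SAMPLE_LOG = """\
Dec  4 01:02:03 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3456 DPT=17300 WINDOW=16384 SYN
Dec  4 01:02:09 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1189 DPT=17300 WINDOW=16384 SYN
Dec  4 01:02:15 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3457 DPT=80 WINDOW=16384 SYN
Dec  4 01:02:20 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Dec  4 01:02:21 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Dec  4 01:02:30 gw kernel: unrelated kernel message
"""

# Shorewall prefixes netfilter log entries with "Shorewall:<chain>:<action>:".
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):.*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+)"
)
DPT_RE = re.compile(r"DPT=(\d+)")    # TCP/UDP destination port
TYPE_RE = re.compile(r"TYPE=(\d+)")  # ICMP type (8 = echo request)


def parse_line(line):
    """Return chain/action/source/service for one log line, or None if it is not a Shorewall entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    if proto == "ICMP":
        t = TYPE_RE.search(line)
        service = f"icmp/type{t.group(1)}" if t else "icmp/?"
    else:
        d = DPT_RE.search(line)
        service = f"{proto.lower()}/{d.group(1)}" if d else f"{proto.lower()}/?"
    return {"chain": m.group("chain"), "action": m.group("action"),
            "src": m.group("src"), "service": service}


def summarize(text):
    """Map each service to (hit count, number of distinct source addresses)."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits[rec["service"]] += 1
        sources[rec["service"]].add(rec["src"])
    return {svc: (hits[svc], len(sources[svc])) for svc in hits}


if __name__ == "__main__":
    # Many hits from many sources on one port looks like a scan; many from one source looks like a single noisy host.
    for svc, (n, distinct) in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{svc:14} hits={n:4} distinct_sources={distinct}")
```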




Re: [newbie] Shorewall - OK to accept ICMP type 8 from all?

2003-12-03 Thread Sharrea Day
On Thu, 04 Dec 2003 04:34, Derek Jennings wrote:
> On Wednesday 03 Dec 2003 11:43 am, Sharrea Day wrote:
> > Can someone please tell me if accepting all ICMP type 8 packets from
> > all (including internet) poses much of a security threat.  I previously
> > only allowed these to/from my local network but I was getting a bit
> > peeved at the number of entries in the logs/email which amount to
> > hundreds of lines every day.

> If your machine responds to a ping then it may attract the attention of
> someone who will make a determined attempt to break in.
> On the other hand there are gazillions of computers on the net that do
> respond to ping, so why should yours be any more likely to be attacked.

That's what I thought so I changed the shorewall rules to allow all pings 
last night.  After being only connected to the internet for one hour, there 
were MANY more hits than usual.

> As regards being annoyed by the log entries you could try putting an
> entry in /etc/shorewall/rules like :-
>
> DROP    net    fw    icmp    8
>
> That should drop pings silently, and will override the default action in
> shorewall/policy which is to drop and log.

Just added that rule, stopped, cleared and started shorewall.  Will see what 
my logs look like in an hour or two.  I never thought to add the rule 
(duh!) because shorewall was already blocking it with the default net2all 
policy.

> I have not tested the above because I have just started using ulogd to
> put all my firewall hits into an SQL database (instead of syslog) which
> can then be interrogated by a neat application called Webfwlog.
> If you want to see what it looks like go here
> http://www.jennings.homelinux.net/webfwlog-0.81/webfwlog/webfwlog.php

Looks great! Far more options than my fwlogwatch web report.  And shorter 
System Check email messages ;)

> Before anyone asks how to do it, I am preparing a write up.  It's a bit
> complicated.

Eagerly awaiting your instructions.  I'm definitely keen to try it.

Thanks Derek for your advice.  I have a hunch that the shorewall rule above 
will do the trick.

Sharrea
-- 
Help Microsoft stamp out piracy - give Linux to a friend today

