Comments follow:

> -----Original Message-----
> From: Ralph Slooten [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, December 15, 2000 1:41 PM
> To:   Leonard den Ottolander; Burke, Thomas G.
> Subject:      Firewall problem....some answers.
> 
> Ok guys, just gonna send this message to you both personally, as I don't
> know what the consequences are of just openly discussing my firewall /
> setup on the list :-)
[Burke, Thomas G.]  I understand that, every time I post my script to the
list, I get at least 3 attempts from people to try to break in...  You'd
think they'd look at the script 1st, & realize that their scripts won't work
as copied... *sheesh!*


> Ok, to start off, I have a fixed IP (212.127.150.141), and use a cable
> modem (3COM) connected through an Ethernet card (eth0). You probably find
> that my firewall could be 50 times better, however I simply used as I said
> before Firestarter to create the rules, which 'till now seems to work
> great. The changes in the connection I had were not related to any firewall
> change. The rules are the same as they have been for about a year I guess.
> I have attached both an extract of my messages file (the whole thing is now
> about 12 MB's since yesterday!) and my IPchains rules file (maybe I
> shouldn't, but hey, somebody's gotta know more about what I may be doing
> wrong).
> 
        [Burke, Thomas G.]  The address that most of these seem to be sent
to is 255.255.255.255...  This is a broadcast address, so anything on the
same network as the guy who is doing this will try to respond.  For an
example of this, you can type "ping (-b) 255.255.255.255" and every machine
on the network will reply, giving you all the machines which are there (in
case you don't already know):  An example I just did on another network:

        ...
        64 bytes from sun170e18.engr.siu.edu (131.230.191.78): icmp_seq=6. time=13. ms
        64 bytes from cmos.engr.siu.edu (131.230.191.22): icmp_seq=6. time=13. ms
        64 bytes from sun170e09.engr.siu.edu (131.230.191.69): icmp_seq=6. time=13. ms
        64 bytes from omega.engr.siu.edu (131.230.191.32): icmp_seq=6. time=14. ms
        64 bytes from sun170e12.engr.siu.edu (131.230.191.72): icmp_seq=6. time=14. ms
        64 bytes from sun440e24.engr.siu.edu (131.230.191.84): icmp_seq=6. time=14. ms
        64 bytes from sun170e06.engr.siu.edu (131.230.191.66): icmp_seq=6. time=15. ms
        64 bytes from sun170e15.engr.siu.edu (131.230.191.75): icmp_seq=6. time=15. ms
        64 bytes from 255.255.255.255: icmp_seq=6. time=20. ms
        ^C
        ----255.255.255.255 PING Statistics----
        7 packets transmitted, 237 packets received, 33.86 times amplification
        round-trip (ms)  min/avg/max = 0/17/788

        So, my WAG is that someone has hacked a couple of machines on the
same network as you & is running a server that is talking to those machines.
Rather than talking to those individual machines, it is broadcasting to them
all to do stuff.  I dunno who 90.0.0.1 is, but it is the one causing the
trouble - I would report this to my ISP - actually, 90.0.0.1 isn't a real
address from your network, but must be spoofed (as it is in a set of
reserved numbers) - sorry, I'm on a Windoze box which is running short on
memory (got a memory leak in Outlook, I think) so I can't bring up my tools
right now :(

        Machine 212.127.152.219 is probably a machine that is misconfigured,
as it's going about looking for port 520 (RIP) from anybody who'll talk to
it...  I'd advise my ISP about him, too, as they'd like to have him not clog
their pipes, I'm sure...

        [Burke, Thomas G.]  192.168.0.2 (someone has configured a machine
with a non-routable address on the network) is broadcasting for port 1015
(Dunno what it is)
        192.168.0.1 (another non-routable address) is doing something from
port 2461...

        My take on all these numbers is that someone is up to no good at
each of them & your ISP needs to put a packet sniffer on the line to come up
with the MAC addresses of these machines.  These 3 machines MUST (maybe not
the 90.0.0.1 machine) be coming from inside their local loop, since they are
not routable.  Since these are cable modems, they can probably find out who
owns which MAC address & figure out who's causing these problems.

> About the Quicknet thing, well, my computer is called
> "rotterdam.quicknet.nl", so I guess it (the program I used to summarise the
> log file and give statistics [flogwatch] reads it as "quicknet", as written
> in the log). That is me therefore, however the connections made to this
> computer (the thousands and thousands) aren't me.
> 
        [Burke, Thomas G.]  The rule which is causing this log is the 20th
rule in your set:
        -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l

        This rule says "take any packet that is coming from anywhere (-s
0.0.0.0/0.0.0.0) to anywhere (-d 0.0.0.0/0.0.0.0), and deny it.  Oh, and while
you're at it, log it (-l)"

        You can get rid of the full logs by getting rid of the "-l" at the
end of your script....


>  
> My ISP is Quicknet.nl (may show upon scans as Sonera, or Sonera
> Quicknet..... name change about a year back)
> 
> > Could it be you are running routed or gated? No need for that on a single
> > machine network :). By the way, these are connection attempts (in so far
> > you can speak of connections using udp), not connects.
> 
> Hmmm, can't help you there. I'm not a network expert. I have been using
> Linux since about 1,5 years ago, and everything I know I basically taught
> myself (with help from the Redhat mailing lists).
> 
> 
> > I have recently been looking for port lists. Can't find any reference to
> > port 39312/39213 in them, on port 1015 a trojan called "Doly Trojan" could
> > be listening. Not sure if this is tcp or udp. See http://www.simovits.com/
> > and click "Article archive" for details. Or try www.sans.org (they seem to
> > be down right now).
> 
> Yeah, I see it. I have Blackice running under my windows computer, but it
> detects nothing from these connection attempts. Not saying that Blackice is
> 100% good, but as commercial software, I presume that they would have such
> things covered. In Windows too the modem light burns almost constantly, so
> the connection / connection attempts are there too, just it doesn't react.
> 39312/39213 I can't locate either. I have a huge list which I found on an
> internet site yesterday, but it doesn't mention those at all! Doesn't even
> mention 1015.
> 
> I don't seem to have ANY restrictions connecting to the outside world
> (which suits me fine). The only users that use this computer are me and my
> girlfriend. I didn't want any restrictions there either. Just incoming
> attempts.
> 
> I would really appreciate any advice / observations or suggestions you both
> may have, as I hope to solve this problem in a normal way. I am almost at
> the point of sending an E-mail with complaints to my ISP, however if this
> is my fault, I don't want to cause any unnecessary problems :-)
> 
> I am running an HTTP server at the moment too, as you may or may not
> realise from the ipchains.rules file :-)
> 
> Thanks for any help,
> 
> Ralph
> 
> -- 
>       ----------------------------------------
>       |             ICQ: 25543458            |
>       |   Email: [EMAIL PROTECTED]   |
>       | Homepage: http://www.axllent.cjb.net |
>       ----------------------------------------
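The log reading Thomas did by hand above (broadcast destinations, non-routable sources, everything hitting the logging rule #20) can be automated over the messages file. This is an added example, not code from the thread or from flogwatch; the sample lines are constructed in the shape of ipchains kernel "Packet log:" entries, and the addresses and rule number are taken from the discussion above.

```python
"""Summarise ipchains 'Packet log:' denials and flag what they point at.

Hypothetical helper: groups denied packets by source, destination, port and
rule, then labels packets sent to the 255.255.255.255 broadcast address and
packets whose source is a non-routable address (cannot arrive from the
Internet unspoofed, so it is either forged or inside the local cable segment).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of ipchains log lines:
# "Packet log: <chain> <target> <iface> PROTO=<n> src:port dst:port ... (#rule)"
SAMPLE_LOG = """\
Dec 15 13:02:11 rotterdam kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=60 S=0x00 I=0 F=0x0000 T=64 (#20)
Dec 15 13:02:12 rotterdam kernel: Packet log: input DENY eth0 PROTO=17 212.127.152.219:520 255.255.255.255:520 L=52 S=0x00 I=0 F=0x0000 T=64 (#20)
Dec 15 13:02:13 rotterdam kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:2461 255.255.255.255:2461 L=60 S=0x00 I=0 F=0x0000 T=64 (#20)
Dec 15 13:02:15 rotterdam kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=60 S=0x00 I=0 F=0x0000 T=64 (#20)
Dec 15 13:02:16 rotterdam sshd[412]: unrelated syslog line the parser must skip
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*?\(#(?P<rule>\d+)\)"
)

def parse_log(text):
    """Return one dict per ipchains log line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            for k in ("proto", "sport", "dport", "rule"):
                e[k] = int(e[k])
            entries.append(e)
    return entries

def summarise(entries):
    """Count (src, dst, dport, rule) tuples, busiest first."""
    return Counter((e["src"], e["dst"], e["dport"], e["rule"]) for e in entries).most_common()

def classify(entry):
    """Label the suspicious features of one denied packet (src/dst needed)."""
    flags = []
    if entry["dst"] == "255.255.255.255":
        flags.append("broadcast destination")
    src = ipaddress.ip_address(entry["src"])
    if src.is_private or src.is_loopback or src.is_link_local:
        flags.append("non-routable source")
    return flags

if __name__ == "__main__":
    for (src, dst, dport, rule), n in summarise(parse_log(SAMPLE_LOG)):
        print(f"{n:4d}  {src} -> {dst}:{dport}  rule #{rule}  {classify({'src': src, 'dst': dst})}")
```

The rule number at the end of each line is what ties the volume back to the catch-all DENY rule Thomas identified; dropping its -l stops the logging without changing what is denied.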



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
