Linux - Security. This forum is for all security related questions: questions, tips, system compromises, firewalls, etc. are all included here.
06-25-2006, 09:16 PM | #1 | Member | Registered: Sep 2005 | Posts: 861
Checking for zombies and how to resolve it
Hi!
I've been using Linux for almost a year now. I am using IPCop as my firewall. I've installed urlfilter, advproxy and zerina's vpn on the same box. I'm just wondering if it can cause some security holes. I frequently upgrade my IDS (Snort) though. Now here's my question: I always see my IP (firewall server) on the IDS logs pointing to another IP. On weekends, I don't see it. I have the assumption that one of our units is being zombied and trying to hack other systems. Am I correct on this? Please note that only our servers are running Linux and most of the workstations are running Windows. Also, if I open etherape, I see a few MAC addresses pointing to other MAC addresses. Why is it that etherape is mixed up with IP addresses and MAC addresses? If the unit is being zombied, how can I identify which unit? Thanks.
06-26-2006, 12:00 AM | #2 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Could you post some examples of the traffic you are talking about?
What types of systems do you think are compromised, windows or linux?
Your last point is a bit confusing (MACs pointing to other MACs); do you mean IPs? Could you describe the issue in more detail, including the IPs/MACs involved? Some relevant packet dumps captured in Ethereal/tcpdump might be useful too.
06-26-2006, 05:09 AM | #3 | Member (Original Poster) | Registered: Sep 2005 | Posts: 861
Okay. First of all, I looked at my IDS logs. I found out that my IP is pointing to some IP (131.107.113.76:80). I issued the command to see who owns the IP. I found out it's Microsoft. The Action was "Bare byte Unicode Encoding". It means that I'm doing that action to Microsoft. Does this mean my firewall has already been zombied by another user? The etherape used to have IPs pointing to each other. This is to know that they are connecting with each other via SMB, DOMAIN, etc. But for some reason, there are a few MAC addresses listed there without IP addresses. I don't know how to identify them and know which computers they are on our network. I also got this from the IDS logs:
MyFirewallStaticIP:42744 > 131.107.113.76:80 (http_inspect) Bare Byte Unicode Encoding
MyFirewallStaticIP:41861 > 206.190.39.69:80 (http_inspect) Double Decoding Attack
I am clueless on what to do. I am thinking of installing a new IPCop and abandoning the current IPCop. However, I think I should solve this and know which units are doing this. Thank You.
06-27-2006, 08:54 AM | #4 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
I found out that my IP is pointing to some IP (131.107.113.76:80). / MyFirewallStaticIP:42744 > 131.107.113.76:80 (http_inspect)

In general one would be only interested in inbound traffic, I'd say. You probably have configured Snort to alert for both in- and outbound. If you need to check for which local LAN boxen Do Stuff to others, then that's fine. Snort also does show false positives; maybe the local box was just handing over all your license details to M$ or checking for updates or whatever. You need to find out which local boxen exhibit this behaviour and if it's at certain intervals. If not: investigate; if it is: make a custom or exception rule, or disable the rule, or disable checking that IP (range).
06-27-2006, 11:10 AM | #5 | Member (Original Poster) | Registered: Sep 2005 | Posts: 861
unSpawn,
It's nice to hear from you again. You've been helping me a lot and I'm very much grateful. Well, first of all: what are the chances that IPCop will be hackable? Or can be used by someone? I do have Snort, but I don't know if it is functioning well. Does this mean that if Snort detected something, the packets were automatically blocked? I mean it seems that it's just a tool letting you know what actions have been made outside and inside your network. How will I know if that action was permitted by IPCop or not? I'm kinda new to networking security and all that stuff. I've just understood how to set up a simple network with the gateways and have a little knowledge of subnetting. I've done a lot of things in Linux and that's the reason why I love it so much. Setting up a server with DHCP, Squid, URLFilter, Named, VPN was never this easy I suppose. And it saves our company millions, so to speak. However, I would like to grasp the knowledge on security. Though I know Linux is less vulnerable than Windows, I know there are still holes in the system. And I want to know how to prevent it. Is there a way for me to find out which unit is doing nasty things? Or a package would be much appreciated that will monitor/report what workstations on my LAN network are doing things not acknowledged by the user. unSpawn, if you can provide me a good site to teach me on this I will be very thankful. Thanks again and nice to hear from you.
06-27-2006, 11:58 AM | #6 | Member | Registered: Sep 2005 | Location: VTC, VT | Distribution: Fedora 11 | Posts: 46
Quote:
Originally Posted by depam
What are the chances that IPCop will be hackable? Or can be used by someone?

IMO everything is hackable.

Quote:
I do have Snort, but I don't know if it is functioning well.

This makes me think you really didn't read up much on Snort before you installed it.

Quote:
Does this mean that if Snort detected something, the packets were automatically blocked? I mean it seems that it's just a tool letting you know what actions have been made outside and inside your network.

And this proves my point.

Quote:
How will I know if that action was permitted by IPCop or not?

There should be log files telling you this stuff.

Quote:
I'm kinda new to networking security and all that stuff. I've just understood how to set up a simple network with the gateways and have a little knowledge of subnetting.

We've all gotta start somewhere. I'd suggest you take the suspected computer off the network to see if that's where the suspicious traffic is coming from.
I'd also suggest you read up on Snort and IPCop (check out their sites for white-papers on use and how to set them up).
www.antionline.com (the site's name is very misleading) has a lot of good people who are probably willing to answer your question(s) if you take your time and ask in a coherent manner.
06-27-2006, 01:12 PM | #7 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
You've been helping me a lot and I'm very much grateful.

Thanks. Can't remember though, sorry.

Quote:
What are the chances that IPCop will be hackable? Or can be used by someone?

Theoretically speaking it depends on what's running and what's accessible, such as services but also kernel flaws. Practically speaking a local service listing and a scan with Nessus or nmap should show. Make sure you scan each interface from a box that is remote to the interface. I mean, if eth0 is connected to the LAN then you can scan eth0 from a LAN box, but if eth1 is connected to teh intarweb, then trying to scan eth1 from a LAN box that has its traffic routed to eth1 through eth0 ain't no good.

Quote:
I do have Snort, but I don't know if it is functioning well. Does this mean that if Snort detected something, the packets were automatically blocked? I mean it seems that it's just a tool letting you know what actions have been made outside and inside your network.

Snort is devoted to detection alone and, except for flexresp and -inline, it doesn't deal with applying restrictions. For that you would need a third party application like Guardian. There's a Guardian addon for IPCOP.

Quote:
How will I know if that action was permitted by IPCop or not?

IPCOP runs iptables. Blocking depends on having blocking rules. Logging depends on having logging rules. Logging is done with the kernel facility, so it should end up in /var/log/messages; else check your /etc/syslog.conf.

Quote:
I would like to grasp the knowledge on security. Though I know Linux is less vulnerable than Windows, I know there are still holes in the system. And I want to know how to prevent it.

Maybe you are already making the transition by adding a firewall to each and every connected LAN box, or by moving servers to the DMZ. There's really a lot more to do and read. Start with your distribution's security documents or the LQ FAQ: Security references, post #1, the parts about securing and hardening. If you do try to pace it, don't try to read all at once.

Quote:
Is there a way for me to find out which unit is doing nasty things? Or a package would be much appreciated that will monitor/report what workstations on my LAN network are doing things not acknowledged by the user.

You could run an instance of Snort on the interface that's connected to the zone the suspects are in. Then there's a lot of IPCOP addons, and I'm not familiar with them. About anything that has terms like network and monitoring in the description should do.

@nonades:
Quote:
IMO everything is hackable

If you mean hackable the right way: OK, but I don't think you do. Which makes your reply useless without explanation, a platitude.

Quote:
[site address removed]

With all due respect to them folks at AO, I'm sure the combined knowledge of LQ can handle things quite well w/o needing to redirect fellow LQ members to fora that aren't problem nor product specific.
Last edited by unSpawn; 06-27-2006 at 01:27 PM.
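Alerts logged on the firewall's outside carry the firewall's own address as source, which is why the thread's log lines cannot say which LAN unit is responsible; the fix suggested in #7 is a Snort instance on the LAN-side interface. The script below is an added example, not code from the thread or from Snort/IPCop: it parses Snort alert_fast lines from such an instance, tallies alerts per LAN source and message, and measures the gaps between repeats to check for the "certain intervals" that #4 says separate a scheduled client from something worth investigating. The sample lines, the 192.168.1.0/24 LAN, the hosts, ports and timestamps are all constructed; only the two http_inspect messages come from the thread.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample alerts in Snort's alert_fast format, as a Snort instance
# listening on the firewall's LAN-side interface would write them. The
# 192.168.1.0/24 addresses, ports and timestamps are made up for this example;
# the two http_inspect messages are the ones the thread's IDS logs show.
SAMPLE_ALERTS = """\
06/26-09:02:11.104233  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.23:42744 -> 131.107.113.76:80
06/26-09:02:40.550012  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.168.1.23:41861 -> 206.190.39.69:80
06/26-10:02:12.000911  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.23:42801 -> 131.107.113.76:80
06/26-11:02:09.771004  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.23:42930 -> 131.107.113.76:80
06/26-14:37:55.310870  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.57:3311 -> 131.107.113.76:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Yield one dict per parseable alert line; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S")
            yield rec

def alerts_by_lan_host(text, lan="192.168.1.0/24"):
    """Count alerts per (LAN source address, Snort message)."""
    net = ipaddress.ip_network(lan)
    counts = Counter()
    for rec in parse_alerts(text):
        if ipaddress.ip_address(rec["src"]) in net:
            counts[(rec["src"], rec["msg"])] += 1
    return counts

def interval_seconds(text, src, msg):
    """Seconds between consecutive alerts of one message from one host.
    Near-constant gaps point at a scheduled client (update checks and the
    like), which is the false-positive case that calls for an exception rule."""
    times = sorted(r["time"] for r in parse_alerts(text)
                   if r["src"] == src and r["msg"] == msg)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

Run `alerts_by_lan_host(SAMPLE_ALERTS).most_common()` to see which LAN host tops the list, then `interval_seconds()` on that host and message: in the constructed sample 192.168.1.23 fires the bare-byte alert roughly once an hour, the pattern #4 describes as a candidate for an exception rule rather than a compromise.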