LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-24-2005, 04:37 PM   #1
dx0r515t
Member
 
Registered: Jan 2005
Location: USA
Distribution: Slackware 10.2 & 11.0
Posts: 155

Rep: Reputation: 30
Disable syst command in FTP?


Hi, I run my own FTP server with vsftpd on Slackware 10.0. Anyway, I am currently having problems with users using the SYST command to find out which OS I am running. The output of the SYST command is:
Quote:
215 UNIX Type: L8
Can someone please tell me how I can disable the SYST command in Slackware 10.0, so users who connect to my FTP server cannot use this command?
Thanks in advance.


Here's a log from my packet sniffer; as you can see, someone is really hammering my machine. Anyone have any ideas what this person is trying to do exactly?
Quote:
Win=5840 [CHECKSUM INCORRECT] Len=1460
1.503734 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=52560 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.538662 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=48180 Win=65535 Len=0
1.538778 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=54020 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.538799 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=55480 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.599263 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=51100 Win=65535 Len=0
1.599366 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=56940 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.599383 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=58400 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.606277 84.130.242.240 -> 192.168.2.50 TCP 2487 > ftp [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=1440 WS=0
1.606447 192.168.2.50 -> 84.130.242.240 TCP ftp > 2487 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=0
1.674364 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=54020 Win=65535 Len=0
1.674489 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=59860 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.674511 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=61320 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.730440 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=56940 Win=65535 Len=0
1.730544 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=62780 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.730561 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=64240 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.837060 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=58400 Win=65535 Len=0 SLE=3123591051 SRE=3123592511
1.837156 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=65700 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.837171 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=67160 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.863623 83.102.151.131 -> 192.168.2.50 TCP [TCP Dup ACK 79#1] 2119 > 53363 [ACK] Seq=0 Ack=58400 Win=65535 Len=0 SLE=3123591051 SRE=3123593971
1.863702 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=68620 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.894654 83.102.151.131 -> 192.168.2.50 TCP [TCP Dup ACK 79#2] 2119 > 53363 [ACK] Seq=0 Ack=58400 Win=65535 Len=0 SLE=3123591051 SRE=3123595431
1.894779 192.168.2.50 -> 83.102.151.131 TCP [TCP Retransmission] 53363 > 2119 [ACK] Seq=58400 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.919206 83.102.151.131 -> 192.168.2.50 TCP [TCP Dup ACK 79#3] 2119 > 53363 [ACK] Seq=0 Ack=58400 Win=65535 Len=0 SLE=3123591051 SRE=3123596891
1.999309 83.102.151.131 -> 192.168.2.50 TCP [TCP Dup ACK 79#4] 2119 > 53363 [ACK] Seq=0 Ack=58400 Win=65535 Len=0 SLE=3123591051 SRE=3123598351
1.999435 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [PSH, ACK] Seq=70080 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
2.007805 83.102.151.131 -> 192.168.2.50 TCP [TCP Dup ACK 79#5] 2119 > 53363 [ACK] Seq=0 Ack=58400 Win=65535 Len=0 SLE=3123591051 SRE=3123599811
2.059896 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=68620 Win=65535 Len=0
2.060036 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=71540 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460

and it goes on..........

Last edited by dx0r515t; 05-24-2005 at 05:40 PM.
 
Old 05-24-2005, 05:38 PM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

There's a commands allowed option which goes in vsftpd.conf.

Mine reads:
cmds_allowed=QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,SYST,PWD,SIZE

I seem to remember that disabling SYST breaks some FTP clients, though.

Dave
 
Old 05-24-2005, 05:44 PM   #3
dx0r515t
Member
 
Registered: Jan 2005
Location: USA
Distribution: Slackware 10.2 & 11.0
Posts: 155

Original Poster
Rep: Reputation: 30
OK, then in that case I won't disable SYST if it hurts some FTP clients... but what do you guys think about my log above? I tried blocking the IP in /etc/hosts.deny, but he's still hammering me....
Thanks for helping me, by the way.

How can I stop 83.102.151.131 from abusing the server (as you can see in my log above)? Any ideas?
I've disabled SSH and have a firewall. I'm really interested to know what this "CHECKSUM INCORRECT" means.
I guess I'm paranoid that this guy is trying to hack me (and I think he is). This is all going on right now as I type this.

Last edited by dx0r515t; 05-24-2005 at 05:52 PM.
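The capture quoted in the first post, run through a small parser as an added example (editor's code, not anything from the thread or from vsftpd). It tallies which host the sniffer flags as emitting bad checksums, how many payload bytes the local host sent to 83.102.151.131 and how far that peer acknowledged them, how many retransmissions occurred, and which sources opened new connections to the ftp port. The sample below copies a handful of lines from the post (including the truncated first line) rather than the whole capture, so the totals are for that excerpt only.

```python
"""Summarise a tshark-style text capture to separate hostile traffic from
checksum-offload noise.  Example code added by the editor; not from the post."""
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines copied from the post's capture, plus the
# truncated first line, so the parser's "skip what it cannot read" path is hit.
SAMPLE_LOG = """\
Win=5840 [CHECKSUM INCORRECT] Len=1460
1.503734 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=52560 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.538662 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=48180 Win=65535 Len=0
1.538778 192.168.2.50 -> 83.102.151.131 TCP 53363 > 2119 [ACK] Seq=54020 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
1.606277 84.130.242.240 -> 192.168.2.50 TCP 2487 > ftp [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=1440 WS=0
1.606447 192.168.2.50 -> 84.130.242.240 TCP ftp > 2487 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=0
1.863623 83.102.151.131 -> 192.168.2.50 TCP [TCP Dup ACK 79#1] 2119 > 53363 [ACK] Seq=0 Ack=58400 Win=65535 Len=0 SLE=3123591051 SRE=3123593971
1.894779 192.168.2.50 -> 83.102.151.131 TCP [TCP Retransmission] 53363 > 2119 [ACK] Seq=58400 Ack=0 Win=5840 [CHECKSUM INCORRECT] Len=1460
2.059896 83.102.151.131 -> 192.168.2.50 TCP 2119 > 53363 [ACK] Seq=0 Ack=68620 Win=65535 Len=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>\S+) -> (?P<dst>\S+) TCP "
    r"(?:\[(?P<note>[^\]]+)\] )?"          # optional analysis note, e.g. [TCP Dup ACK 79#1]
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\](?P<rest>.*)$"
)
FIELD_RE = re.compile(r"\b(Seq|Ack|Len)=(\d+)")


def parse_line(line):
    """Return a dict for one packet line, or None if the line is not a full record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = {f.strip() for f in rec["flags"].split(",")}
    fields = {k: int(v) for k, v in FIELD_RE.findall(rec["rest"])}
    rec["seq"] = fields.get("Seq", 0)
    rec["ack"] = fields.get("Ack", 0)
    rec["len"] = fields.get("Len", 0)
    rec["bad_checksum"] = "[CHECKSUM INCORRECT]" in rec["rest"]
    rec["retransmission"] = bool(rec["note"] and "Retransmission" in rec["note"])
    return rec


def analyse(log_text, local_ip):
    """Aggregate the per-peer facts that answer 'attacker, or offload noise?'."""
    out = {
        "skipped": 0,
        "bad_checksum_by_src": Counter(),   # who sends the frames the sniffer flags as bad
        "bytes_sent_to": Counter(),         # payload bytes the local host sent, per peer
        "acked_by": defaultdict(int),       # highest Ack each peer returned to the local host
        "syn_to_ftp": Counter(),            # new inbound control connections, per source
        "retransmissions": 0,
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            out["skipped"] += 1
            continue
        if rec["bad_checksum"]:
            out["bad_checksum_by_src"][rec["src"]] += 1
        if rec["retransmission"]:
            out["retransmissions"] += 1
        if rec["src"] == local_ip:
            out["bytes_sent_to"][rec["dst"]] += rec["len"]
        elif rec["dst"] == local_ip:
            out["acked_by"][rec["src"]] = max(out["acked_by"][rec["src"]], rec["ack"])
            if rec["flags"] == {"SYN"} and rec["dport"] == "ftp":
                out["syn_to_ftp"][rec["src"]] += 1
    return out


def checksum_errors_are_local_only(summary, local_ip):
    """True when every flagged checksum is on a frame the local host sent and every
    peer that received data from it keeps acknowledging: the signature of TX checksum
    offload on the capturing host, not of an attack by the peer."""
    srcs = set(summary["bad_checksum_by_src"])
    peers_sent_data = [p for p, n in summary["bytes_sent_to"].items() if n > 0]
    return srcs == {local_ip} and all(summary["acked_by"][p] > 0 for p in peers_sent_data)


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG, "192.168.2.50")
    for key, value in s.items():
        print(f"{key:22s} {dict(value) if hasattr(value, 'items') else value}")
    print("offload noise, not an attack:", checksum_errors_are_local_only(s, "192.168.2.50"))
```

What the numbers say about the excerpt: every `[CHECKSUM INCORRECT]` is on a frame from 192.168.2.50 itself, and 83.102.151.131's Ack keeps climbing, so the peer is receiving that data intact. That is what a capture looks like when it is taken on the sending host with TCP checksum offload enabled: the sniffer sees outgoing frames before the NIC fills in the checksum. Port 53363 also sits inside the pasv_min_port/pasv_max_port range in the config posted later, so the "hammering" is consistent with one client downloading over a passive-mode data connection; the single SYN to the ftp port from 84.130.242.240 is just another client connecting.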
 
Old 05-24-2005, 06:00 PM   #4
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi again. It appears that you can disable SYST. I've just had a play around with my own server, and my commands config now reads:
cmds_allowed=QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,PORT,NLST

The previous one broke Internet Explorer and the Windows ftp client. Oops.

As for your log, it appears to be your machine which is generating broken packets, not the remote machine.

Dave
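Dave's cmds_allowed point, as an added example (editor's code, not vsftpd's own): a throwaway stand-in for vsftpd's control channel that applies a cmds_allowed list after login, with the refusal text modelled on vsftpd's "530 Permission denied." reply, driven by Python's ftplib through the same USER/PASS/SYST sequence that a Windows client performs. It parses the two cmds_allowed lines quoted in this thread and shows what SYST returns under each; the fake server's other replies and the loopback port are the example's own assumptions.

```python
"""Show what a client sees when SYST is, or is not, in vsftpd's cmds_allowed.
Example code added by the editor, not vsftpd's: the server below is a tiny
stand-in for vsftpd's control channel whose post-login cmds_allowed check and
530 reply text are modelled on vsftpd's behaviour."""
import socket
import threading
from ftplib import FTP, error_perm

# The two cmds_allowed lines quoted in the thread, wrapped as vsftpd.conf text.
CONF_WITH_SYST = "cmds_allowed=QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,SYST,PWD,SIZE\n"
CONF_WITHOUT_SYST = "cmds_allowed=QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,PORT,NLST\n"


def allowed_commands(conf_text):
    """Return the cmds_allowed set from vsftpd.conf text, or None if it is unset
    (vsftpd then places no restriction on commands)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "cmds_allowed":
            return {c.strip().upper() for c in value.split(",") if c.strip()}
    return None


class FakeVsftpd(threading.Thread):
    """One-shot FTP control channel on 127.0.0.1: anonymous login, then every
    later command is checked against cmds_allowed before it is handled."""

    def __init__(self, allowed):
        super().__init__(daemon=True)
        self.allowed = allowed
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # ephemeral port: never clashes with a real ftpd
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        f = conn.makefile("rwb")

        def reply(text):
            f.write((text + "\r\n").encode("ascii"))
            f.flush()

        reply("220 Welcome to the server")
        while True:
            raw = f.readline()
            if not raw:
                break
            cmd = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if cmd == "USER":
                reply("331 Please specify the password.")
            elif cmd == "PASS":
                reply("230 Login successful.")
            elif self.allowed is not None and cmd not in self.allowed:
                reply("530 Permission denied.")      # refusal for a command outside cmds_allowed
            elif cmd == "SYST":
                reply("215 UNIX Type: L8")           # the OS disclosure the OP wanted to hide
            elif cmd == "PWD":
                reply('257 "/"')
            elif cmd == "QUIT":
                reply("221 Goodbye.")
                break
            else:
                reply("200 Command okay.")           # stand-in for commands this demo does not model
        conn.close()
        self.listener.close()


def probe_syst(port):
    """Log in anonymously (as the Windows client in the later trace does, with the
    password IEUser@) and issue SYST; return the reply line, including a 530 refusal."""
    ftp = FTP()
    ftp.connect("127.0.0.1", port, timeout=5)
    ftp.login("anonymous", "IEUser@")
    try:
        return ftp.sendcmd("SYST")
    except error_perm as exc:
        return str(exc)
    finally:
        ftp.quit()


def syst_reply_for(conf_text):
    """Start a fake server configured from conf_text and report what SYST returns."""
    server = FakeVsftpd(allowed_commands(conf_text))
    server.start()
    return probe_syst(server.port)


if __name__ == "__main__":
    print("SYST allowed:   ", syst_reply_for(CONF_WITH_SYST))
    print("SYST disallowed:", syst_reply_for(CONF_WITHOUT_SYST))
```

The 530 is exactly what breaks the Windows clients: IE (WinInet logs in with the password IEUser@, as the trace later in this thread shows) and ftp.exe send SYST right after login and treat the refusal as a failed session, which is why the list in this post keeps SYST out only by accepting that loss of compatibility. Keeping SYST in the list costs nothing real: "215 UNIX Type: L8" is the answer every Unix FTP server gives, so it narrows nothing a scanner could not already infer from the 220 banner and TCP fingerprinting.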
 
Old 05-24-2005, 06:24 PM   #5
dx0r515t
Member
 
Registered: Jan 2005
Location: USA
Distribution: Slackware 10.2 & 11.0
Posts: 155

Original Poster
Rep: Reputation: 30
Thanks ilikejam for your help

Quote:
264.105683 195.72.224.234 -> 192.168.2.50 FTP Request: PASS IEUser@
264.107078 192.168.2.50 -> 195.72.224.234 FTP Response: 230 Login successful.
265.034987 195.72.224.234 -> 192.168.2.50 FTP Request: opts utf8 on
265.035996 192.168.2.50 -> 195.72.224.234 FTP Response: 501 Option not understood.
265.970292 195.72.224.234 -> 192.168.2.50 FTP Request: syst
265.971073 192.168.2.50 -> 195.72.224.234 FTP Response: 215 UNIX Type: L8
266.870026 195.72.224.234 -> 192.168.2.50 FTP Request: site help
266.871030 192.168.2.50 -> 195.72.224.234 FTP Response: 550 Permission denied.
267.757791 195.72.224.234 -> 192.168.2.50 FTP Request: PWD
267.758963 192.168.2.50 -> 195.72.224.234 FTP Response: 257 "/"
268.645026 195.72.224.234 -> 192.168.2.50 FTP Request: CWD /music/
268.646281 192.168.2.50 -> 195.72.224.234 FTP Response: 550 Failed to change directory.
269.658436 195.72.224.234 -> 192.168.2.50 TCP 3498 > ftp [ACK] Seq=80 Ack=199 Win=8562 Len=0
269.682459 195.72.224.234 -> 192.168.2.50 FTP Request: noop
269.683453 192.168.2.50 -> 195.72.224.234 FTP Response: 200 NOOP ok.
270.620794 195.72.224.234 -> 192.168.2.50 FTP Request: CWD /music/
270.621736 192.168.2.50 -> 195.72.224.234 FTP Response: 550 Failed to change directory.
271.542074 195.72.224.234 -> 192.168.2.50 FTP Request: noop
271.543073 192.168.2.50 -> 195.72.224.234 FTP Response: 200 NOOP ok.
272.462878 195.72.224.234 -> 192.168.2.50 FTP Request: CWD /music/classic and modern rock/
272.463969 192.168.2.50 -> 195.72.224.234 FTP Response: 550 Failed to change directory.
273.452749 195.72.224.234 -> 192.168.2.50 FTP Request: noop
273.453829 192.168.2.50 -> 195.72.224.234 FTP Response: 200 NOOP ok.
274.485248 195.72.224.234 -> 192.168.2.50 FTP Request: CWD /music/classic and modern rock/
274.486299 192.168.2.50 -> 195.72.224.234 FTP Response: 550 Failed to change directory.
275.545652 195.72.224.234 -> 192.168.2.50 TCP 3498 > ftp [ACK] Seq=185 Ack=340 Win=8421 Len=0
317.917998 195.72.224.234 -> 192.168.2.50 TCP 3498 > ftp [FIN, ACK] Seq=185 Ack=340 Win=8421 Len=0
317.918857 192.168.2.50 -> 195.72.224.234 FTP Response: 500 OOPS:
317.918918 192.168.2.50 -> 195.72.224.234 FTP Response: vsf_sysutil_recv_peek: no data
317.919241 192.168.2.50 -> 195.72.224.234 FTP Response:
318.835276 195.72.224.234 -> 192.168.2.50 TCP 3498 > ftp [RST] Seq=186 Ack=340 Win=0 Len=0
318.842250 195.72.224.234 -> 192.168.2.50 TCP 3498 > ftp [RST] Seq=186 Ack=479027623 Win=0 Len=0
318.847764 195.72.224.234 -> 192.168.2.50 TCP 3498 > ftp [RST] Seq=186 Ack=479027623 Win=0 Len=0
Does that look normal? Should I be worried?
vsftpd.conf:
Quote:
# Standalone mode
listen=YES
ftpd_banner=Welcome to the server
max_clients=15
max_per_ip=1
# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
cmds_allowed=QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,PORT,NLST
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
# You may fully customise the login banner string:
ftpd_banner=Welcome to the server.
async_abor_enable=YES
# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=300
connect_timeout=300
anon_max_rate=40000
Thanks for any comments.

Last edited by dx0r515t; 05-24-2005 at 06:37 PM.
 
Old 05-24-2005, 07:24 PM   #6
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
That looks OK (assuming you are running an anonymous only FTP server).

Exactly why the client in that log is trying to change directory into directories that don't exist is a bit of a mystery.

Dave
 
Old 05-24-2005, 07:45 PM   #7
dx0r515t
Member
 
Registered: Jan 2005
Location: USA
Distribution: Slackware 10.2 & 11.0
Posts: 155

Original Poster
Rep: Reputation: 30
Yes, this is an anonymous-only FTP server. I recently had to take all my MP3 files off my FTP server for certain reasons... actually, I did so just today. So that's probably why he's changing to directories that don't exist. Glad to hear I don't have to worry, but at the same time this experience has made me up my firewall policies and my awareness, which I guess is a good thing. I guess I'm just paranoid. Thanks again, ilikejam.
 