LinuxQuestions.org, Linux - Security forum: Firestarter Events (http://www.linuxquestions.org/questions/linux-security-4/firestarter-events-4175461449/)

knodami 05-10-2013 11:10 AM

Firestarter Events
 
Sat down to find Firestarter's tray icon red. I'm a Linux newbie and by no means a security expert. I lean towards slightly paranoid when it comes to my system. I know Linux is a far superior OS for security, but I'm concerned about the Source being clamav-mirror.co.ru.

#FIRESTARTER EVENTS#
Time:May 10 09:15:11 Direction: Unknown In:eth0 Out: Port:36608 Source: clamav-mirror.co.ru Destination:192.168.1.3 Length:1500 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 10 11:41:36 Direction: Unknown In:eth0 Out: Port:34961 Source: hosted-by.leaseweb.com Destination:192.168.1.3 Length:485 TOS:0x00 Protocol:TCP Service:Unknown

Thank you in advance for any help and guidance.

-ⒹⒶⓂⓄⓃ

frankbell 05-11-2013 09:32 PM

clamav-mirror.co.ru appears to be a legitimate ClamAV mirror.


Is Port 36608 open for incoming traffic in your Firestarter policies? If not, this would likely be a routine port scan.

Port scans happen all the time. Getting upset by random port scans is like getting upset by rain hitting your roof: as long as the rain doesn't get in, your roof is working.

What matters is what gets in the ports.

Here's the dig and whois on the clamav domain. Note that dig, whois, and other internet tools are generally included in Linux so you can use them yourself.

Code:

~$ dig clamav-mirror.co.ru

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> clamav-mirror.co.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9589
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;clamav-mirror.co.ru.                IN        A

;; ANSWER SECTION:
clamav-mirror.co.ru.        43200        IN        A        194.186.47.19

;; AUTHORITY SECTION:
co.ru.                        2043        IN        NS        ns1.gldn.net.
co.ru.                        2043        IN        NS        ns3.gldn.net.
co.ru.                        2043        IN        NS        ns2.gldn.net.

;; ADDITIONAL SECTION:
ns1.gldn.net.                131148        IN        A        194.67.2.108
ns2.gldn.net.                44749        IN        A        194.67.2.109
ns3.gldn.net.                44749        IN        A        194.67.7.1

;; Query time: 293 msec
;; SERVER: 68.105.29.11#53(68.105.29.11)
;; WHEN: Fri May 10 21:41:33 2013
;; MSG SIZE  rcvd: 163

~$ whois 194.186.47.19
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%      To receive output for a database update, use the "-B" flag.

% Information related to '194.186.47.0 - 194.186.47.255'

% Abuse contact for '194.186.47.0 - 194.186.47.255' is 'abuse@b2b.beeline.ru'

inetnum:        194.186.47.0 - 194.186.47.255
netname:        GLDN-IT-hosts
descr:          Golden telecom IT hosting
descr:          Moscow, Russia
country:        RU
admin-c:        TELE1-RIPE
tech-c:        TELE1-RIPE
status:        ASSIGNED PA
mnt-by:        AS3216-MNT
source:        RIPE # Filtered

role:          Teleross NOC
address:        Krasnokazarmennaja, 12
address:        Moscow, Russia
phone:          +7 495 7871001
fax-no:        +7 495 7871010
org:            ORG-ES15-RIPE
admin-c:        IS13
tech-c:        DBF3-RIPE
tech-c:        MAK18-RIPE
tech-c:        is13
tech-c:        rj631-ripe
nic-hdl:        TELE1-RIPE
abuse-mailbox:  abuse@gldn.net
mnt-by:        AS3216-MNT
remarks:        formely Sovam Teleport NOC
source:        RIPE # Filtered

% Information related to '194.186.0.0/16AS3216'

route:          194.186.0.0/16
descr:          SOVAM DELEGATED BLOCK-2
origin:        AS3216
mnt-by:        AS3216-MNT
source:        RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.60.2 (WHOIS1)

A dig and whois on hosted-by.leaseweb.com, though, was less informative, but it does not seem to have a very good reputation:

http://www.mywot.com/en/scorecard/ho...y.leaseweb.com

http://www.martinsecurity.net/2008/1...ness-leaseweb/

Update:

I just saw this in Synaptic on Debian 7:

Quote:

Firestarter is no longer developed and is missing some critical features such as IPv6 support, so users may be advised to look into more modern alternatives such as gufw.

I removed FS (I've used it for years) and installed gufw. It's as easy to configure as FS, if not easier.
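As an added example (not from the thread, and not Firestarter's own code), here is a small Python parser for the event-line format pasted in the question that applies the check from the reply above: whether the hit port is one the policy opens inbound. The set of allowed inbound ports is an assumption the reader supplies from their own policy.

```python
import re

# Constructed sample: the two event lines quoted in the original post,
# preceded by the same header Firestarter prints.
SAMPLE_EVENTS = """\
#FIRESTARTER EVENTS#
Time:May 10 09:15:11 Direction: Unknown In:eth0 Out: Port:36608 Source: clamav-mirror.co.ru Destination:192.168.1.3 Length:1500 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 10 11:41:36 Direction: Unknown In:eth0 Out: Port:34961 Source: hosted-by.leaseweb.com Destination:192.168.1.3 Length:485 TOS:0x00 Protocol:TCP Service:Unknown
"""

# Field labels in the order Firestarter writes them; "Port" is the destination port.
FIELDS = ("Time", "Direction", "In", "Out", "Port", "Source",
          "Destination", "Length", "TOS", "Protocol", "Service")
_KEYS = "|".join(FIELDS)
# A value runs from after "Label:" up to the next "Label:" or end of line,
# so an empty field such as "Out:" parses as "".
_FIELD_RE = re.compile(rf"(?P<key>{_KEYS}):\s*(?P<val>.*?)\s*(?=(?:{_KEYS}):|$)")


def parse_event(line: str) -> dict:
    """Turn one Firestarter event line into a {label: value} dict."""
    ev = {m.group("key"): m.group("val") for m in _FIELD_RE.finditer(line.strip())}
    missing = set(FIELDS) - ev.keys()
    if missing:
        raise ValueError(f"not a Firestarter event line, missing {sorted(missing)}")
    ev["Port"] = int(ev["Port"])
    ev["Length"] = int(ev["Length"])
    return ev


def triage(ev: dict, allowed_inbound: set) -> str:
    """Apply the check from the reply: was the hit port opened inbound by policy?
    A packet to a closed port was dropped and is background noise; a packet to an
    open port reached a listening service and is worth a closer look."""
    if ev["Port"] in allowed_inbound:
        return "hit-open-port"
    return "dropped-unsolicited"


def triage_log(text: str, allowed_inbound: set) -> list:
    """Triage a pasted FIRESTARTER EVENTS block; returns (source, port, verdict) tuples."""
    results = []
    for line in text.splitlines():
        if line.strip().startswith("Time:"):   # skip the header and blank lines
            ev = parse_event(line)
            results.append((ev["Source"], ev["Port"], triage(ev, allowed_inbound)))
    return results


if __name__ == "__main__":
    # Assumed policy for the demo: only SSH (22) is opened inbound on this host.
    for src, port, verdict in triage_log(SAMPLE_EVENTS, {22}):
        print(f"{src:26} port {port:5d}  {verdict}")
```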

linuxStudent11 05-12-2013 07:41 PM

I used Firestarter for awhile. I found it impossible to tightly align open ports with my various applications and services. Things were red or notifying me of problems all the time. So I ultimately just ignored them.

I've since switched to Firewall Builder...but that is a problem too. It puts warnings in /var/log/syslog really often. All these systems cry wolf all the time. You really need to fully understand a multitude of different net protocol issues (UDP vs TCP, stateful packet filtering and ...) to create good firewalls that stay silent until something really "interesting" happens. Half the time they just keep innocent services from working. And if you want to understand things, start with M.Sci courses in network protocols and security and how to break into systems (so you know the bad guys' toolboxes.)

Oh, one more thing. The guys writing Firewall Builder are moving on to sunnier skies (see their website) so support there is not good either. (It DOES handle ipv6.) I had to build Firewall from source for my new Debian Squeeze system. Couldn't just d/l it.

BEST ADVICE: Read some simple books, like O'Reilly's "LINUX Security Cookbook" for starters. That seemed like "security for dummies" to me (I mean no offense. I learned a lot! I still use it! That reminds me: I gotta look up some stuff).
