LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-10-2013, 11:10 AM   #1
knodami
LQ Newbie
 
Registered: Jan 2013
Distribution: Mint 12 (Lisa)
Posts: 2

Firestarter Events


Sat down to find Firestarter's tray icon red. I'm a Linux newbie and by no means a security expert. I lean towards slightly paranoid when it comes to my system. I know Linux is a far superior OS for security, but I'm concerned about the Source being clamav-mirror.co.ru.

#FIRESTARTER EVENTS#
Time:May 10 09:15:11 Direction: Unknown In:eth0 Out: Port:36608 Source: clamav-mirror.co.ru Destination:192.168.1.3 Length:1500 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 10 11:41:36 Direction: Unknown In:eth0 Out: Port:34961 Source: hosted-by.leaseweb.com Destination:192.168.1.3 Length:485 TOS:0x00 Protocol:TCP Service:Unknown

Thank you in advance for any help and guidance.

-ⒹⒶⓂⓄⓃ
 
Old 05-11-2013, 09:32 PM   #2
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 7,627

Rep: Reputation: 1442
clamav-mirror.co.ru appears to be a legitimate ClamAV mirror.


Is Port 36608 open for incoming traffic in your Firestarter policies? If not, this would likely be a routine port scan.

Port scans happen all the time. Getting upset by random port scans is like getting upset by rain hitting your roof: as long as the rain doesn't get in, your roof is working.

What matters is what gets in the ports.

Here's the dig and whois on the clamav domain. Note that dig, whois, and other internet tools are generally included in Linux so you can use them yourself.

Code:
~$ dig clamav-mirror.co.ru

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> clamav-mirror.co.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9589
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;clamav-mirror.co.ru.		IN	A

;; ANSWER SECTION:
clamav-mirror.co.ru.	43200	IN	A	194.186.47.19

;; AUTHORITY SECTION:
co.ru.			2043	IN	NS	ns1.gldn.net.
co.ru.			2043	IN	NS	ns3.gldn.net.
co.ru.			2043	IN	NS	ns2.gldn.net.

;; ADDITIONAL SECTION:
ns1.gldn.net.		131148	IN	A	194.67.2.108
ns2.gldn.net.		44749	IN	A	194.67.2.109
ns3.gldn.net.		44749	IN	A	194.67.7.1

;; Query time: 293 msec
;; SERVER: 68.105.29.11#53(68.105.29.11)
;; WHEN: Fri May 10 21:41:33 2013
;; MSG SIZE  rcvd: 163

~$ whois 194.186.47.19
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '194.186.47.0 - 194.186.47.255'

% Abuse contact for '194.186.47.0 - 194.186.47.255' is 'abuse@b2b.beeline.ru'

inetnum:        194.186.47.0 - 194.186.47.255
netname:        GLDN-IT-hosts
descr:          Golden telecom IT hosting
descr:          Moscow, Russia
country:        RU
admin-c:        TELE1-RIPE
tech-c:         TELE1-RIPE
status:         ASSIGNED PA
mnt-by:         AS3216-MNT
source:         RIPE # Filtered

role:           Teleross NOC
address:        Krasnokazarmennaja, 12
address:        Moscow, Russia
phone:          +7 495 7871001
fax-no:         +7 495 7871010
org:            ORG-ES15-RIPE
admin-c:        IS13
tech-c:         DBF3-RIPE
tech-c:         MAK18-RIPE
tech-c:         is13
tech-c:         rj631-ripe
nic-hdl:        TELE1-RIPE
abuse-mailbox:  abuse@gldn.net
mnt-by:         AS3216-MNT
remarks:        formely Sovam Teleport NOC
source:         RIPE # Filtered

% Information related to '194.186.0.0/16AS3216'

route:          194.186.0.0/16
descr:          SOVAM DELEGATED BLOCK-2
origin:         AS3216
mnt-by:         AS3216-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.60.2 (WHOIS1)

A dig and whois on hosted-by.leaseweb.com, though, were less informative, but it does not seem to have a very good reputation:

http://www.mywot.com/en/scorecard/ho...y.leaseweb.com

http://www.martinsecurity.net/2008/1...ness-leaseweb/

Update:

I just saw this in Synaptic on Debian 7:

Quote:
Firestarter is no longer developed and is missing some critical features such as IPv6 support, so users may be advised to look into more modern alternatives such as gufw.
I removed FS (I've used it for years) and installed gufw. It's as easy to configure as FS, if not easier.

Last edited by frankbell; 05-11-2013 at 10:03 PM.
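The two event lines in the first post and the "is that port open in your policy?" check above can be turned into a small triage script. This is an added example, not code from either poster or from Firestarter. The first two sample events are copied from the thread; the third event (source 203.0.113.7, a TEST-NET address), the listening-port set and the ephemeral range 32768-61000 are constructed assumptions, and the 80-byte "bare SYN" cut-off is a heuristic. On a real box take the range from /proc/sys/net/ipv4/ip_local_port_range and the listening ports from `ss -ltn` or `netstat -ltn`:

```python
"""Triage Firestarter event-log lines by destination port (added example)."""
import re
from typing import List, NamedTuple

# Constructed sample in the format Firestarter writes to its event log. The first
# two lines reproduce the thread's events; the third is made up to show a hit on
# a listening service.
SAMPLE_EVENTS = """\
#FIRESTARTER EVENTS#
Time:May 10 09:15:11 Direction: Unknown In:eth0 Out: Port:36608 Source: clamav-mirror.co.ru Destination:192.168.1.3 Length:1500 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 10 11:41:36 Direction: Unknown In:eth0 Out: Port:34961 Source: hosted-by.leaseweb.com Destination:192.168.1.3 Length:485 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 10 12:00:00 Direction: Unknown In:eth0 Out: Port:22 Source: 203.0.113.7 Destination:192.168.1.3 Length:60 TOS:0x00 Protocol:TCP Service:SSH
"""

# Assumptions for an offline run. On a real host read the range from
# /proc/sys/net/ipv4/ip_local_port_range and the listening set from `ss -ltn`.
EPHEMERAL_RANGE = (32768, 61000)   # Linux default ip_local_port_range
LISTENING_PORTS = frozenset({22})  # constructed: pretend only sshd is listening
BARE_SYN_MAX_LEN = 80              # heuristic: a SYN with usual options is ~60 bytes, no payload


class Event(NamedTuple):
    time: str
    iface: str
    port: int      # destination port on the local host
    source: str    # name Firestarter resolved (a PTR record, unverified)
    dest: str
    length: int    # IP total length in bytes
    proto: str


# Firestarter prints "Source: x" with a space but "Destination:x" without, so
# allow optional whitespace after each label.
FIELD = re.compile(
    r"Time:(?P<time>\w+ \d+ [\d:]+) .*?In:(?P<iface>\S*) .*?Port:(?P<port>\d+) "
    r"Source:\s*(?P<source>\S+) Destination:\s*(?P<dest>\S+) "
    r"Length:(?P<length>\d+) .*?Protocol:(?P<proto>\S+)"
)


def parse_events(text: str) -> List[Event]:
    """Parse event lines; banner and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(d["time"], d["iface"], int(d["port"]), d["source"],
                            d["dest"], int(d["length"]), d["proto"]))
    return events


def classify(ev: Event, listening=LISTENING_PORTS, ephemeral=EPHEMERAL_RANGE) -> str:
    """LISTENING: hit a service that answers, so policy and service logs matter.
    LATE_REPLY: payload-carrying packet to an ephemeral port, most likely the tail
    of a connection this host opened after the firewall's state entry expired.
    PROBE: unsolicited packet to a closed port, dropped; routine noise."""
    if ev.port in listening:
        return "LISTENING"
    lo, hi = ephemeral
    if lo <= ev.port <= hi and ev.length > BARE_SYN_MAX_LEN:
        return "LATE_REPLY"
    return "PROBE"


def triage(text: str):
    """Return (port, source, verdict) for every parsable event line."""
    return [(ev.port, ev.source, classify(ev)) for ev in parse_events(text)]


if __name__ == "__main__":
    for port, source, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10} port {port:<5} from {source}")
```

Run against the thread's two events, both ports fall inside the ephemeral range and both packets carry payload (1500 and 485 bytes, where a scanner's SYN carries none), so a plain port scan is an unlikely explanation; a packet that arrived after the firewall had forgotten a connection this machine opened itself (a freshclam fetch from that mirror, for instance) fits the data better. One further caveat: the Source column is the PTR record chosen by whoever controls the IP address, not something Firestarter verified, so confirm it with a forward lookup such as the dig above before trusting the name.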
 
Old 05-12-2013, 07:41 PM   #3
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Rep: Reputation: 16
I used Firestarter for a while. I found it impossible to tightly align open ports with my various applications and services. Things were red or notifying me of problems all the time. So I ultimately just ignored them.

I've since switched to Firewall Builder...but that is a problem too. It puts warnings in /var/log/syslog really often. All these systems cry wolf all the time. You really need to fully understand a multitude of different net protocol issues (UDP vs TCP, stateful packet filtering and ...) to create good firewalls that stay silent until something really "interesting" happens. Half the time they just keep innocent services from working. And if you want to understand things, start with M.Sci courses in network protocols and security and how to break into systems (so you know the bad guys' toolboxes.)

Oh, one more thing. The guys writing Firewall Builder are moving on to sunnier skies (see their website) so support there is not good either. (It DOES handle ipv6.) I had to build Firewall from source for my new Debian Squeeze system. Couldn't just d/l it.

BEST ADVICE: Read some simple books, like O'Reilly's "LINUX Security Cookbook" for starters. That seemed like "security for dummies" to me (I mean no offense. I learned a lot! I still use it! that reminds me: I gotta look up some stuff)
All times are GMT -5.