LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Guarddog logs in syslog (http://www.linuxquestions.org/questions/linux-security-4/guarddog-logs-in-syslog-273569/)

short101 01-04-2005 01:45 AM

Guarddog logs in syslog
 
Hi all. Just been looking through my syslog and found all these entries that I figure guarddog (my firewall) has put in there. Here's a sample:

Jan 4 17:34:02 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=32890 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:02 localhost xinetd[4013]: warning: /etc/hosts.allow, line 14: missing newline or line too long
Jan 4 17:34:04 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33038 DF PROTO=TCP SPT=4568 DPT=445 SEQ=2147803377 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:05 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33091 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:15 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=65.54.183.192 DST=203.220.189.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=49357 DF PROTO=TCP SPT=80 DPT=1488 SEQ=2127918413 ACK=4186446535 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 17:34:20 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=64.4.53.253 DST=203.220.189.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=7936 DF PROTO=TCP SPT=80 DPT=1490 SEQ=1104106496 ACK=4187549355 WINDOW=0 RES=0x00 ACK RST URGP=0

There are quite a few of these and it seems as though I'm getting pinged? probed? Something tries to connect to me every couple of minutes. I'm on dial-up so it must be a bit of a random attack (if that's what it is) or probes. Dunno. Can anyone shed a bit of light on this, is it usual activity or what? It looks like each machine tries a couple of times and then gives up, but there are a couple of IPs that seem to persist.

Capt_Caveman 01-05-2005 11:39 PM

Re: Guarddog logs in syslog
 
Quote:
Jan 4 17:34:02 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=32890 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)

This is an attempt to access the SMB service (Windows file sharing/Samba). There is extremely heavy scanning of this port due to Sasser as well as other recent MS vulnerabilities.

Quote:
Jan 4 17:34:02 localhost xinetd[4013]: warning: /etc/hosts.allow, line 14: missing newline or line too long

Looks like some kind of syntax error in your /etc/hosts.allow file. Run cat -n /etc/hosts.allow to find line 14 with the error.

Quote:
Jan 4 17:34:04 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33038 DF PROTO=TCP SPT=4568 DPT=445 SEQ=2147803377 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:05 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.220.185.93 DST=203.220.189.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33091 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)

Same as the first entry. Timestamps indicate these two entries, as well as the first one, occur in very close proximity, so they are likely all part of the same scan.

Quote:
Jan 4 17:34:15 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=65.54.183.192 DST=203.220.189.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=49357 DF PROTO=TCP SPT=80 DPT=1488 SEQ=2127918413 ACK=4186446535 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 17:34:20 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=64.4.53.253 DST=203.220.189.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=7936 DF PROTO=TCP SPT=80 DPT=1490 SEQ=1104106496 ACK=4187549355 WINDOW=0 RES=0x00 ACK RST URGP=0

Not 100% sure about these (I don't use guarddog), but I believe guarddog logs half-open scans as "ABORTED", so basically this is an attempt to stealth scan port 80 (http). Scans are a pretty common occurrence on the internet nowadays; most are automated (like a scanning tool or worm) but they can indicate someone manually attempting to profile your system for further attack. Depending on your level of paranoia, you can choose to block that IP address entirely using guarddog. But if your webserver is fully updated, then you should be alright.

Quote:
There are quite a few of these and it seems as though I'm getting pinged? probed? Something tries to connect to me every couple of minutes. I'm on dial-up so it must be a bit of a random attack (if that's what it is) or probes. Dunno. Can anyone shed a bit of light on this, is it usual activity or what? It looks like each machine tries a couple of times and then gives up, but there are a couple of IPs that seem to persist.

Welcome to the internet. Most people have no clue what it's really like, so it can be disconcerting to see the continuous stream of probes and scans. For persistent abusers, you can block them with guarddog and send a polite email to the ISP that is responsible for that IP (you can usually find an administrative or abuse@ email address by doing a whois query on that IP).

short101 01-06-2005 12:41 AM

I've got Windows on this machine as well, with NIS. If I'm on the net a lot, then I might get maybe one intrusion detection a day. How come the difference? Is it the type of scan being attempted that makes the intrusion detection go off? By the way, the line in /etc/hosts is uncommented? I've had that warning with fstab before and just scrolled to the end of the last line and hit enter a couple of times and then saved it and it went away. This line isn't at the end though and is part of the original file, not what I have done? Just been looking through syslog again and the DPT (which I'm assuming is the port that is targeted) is 445 on probably 98% of the logs.

Capt_Caveman 01-06-2005 01:31 AM

Quote:
I've got Windows on this machine as well, with NIS. If I'm on the net a lot, then I might get maybe one intrusion detection a day. How come the difference?

Probably just a difference in logging sensitivity. The major firewall utilities can vary in what they log as an intrusion attempt. Default logging in Windows is virtually nil while Linux defaults are only slightly better; guarddog/firestarter are fairly reasonable, while Windows Zone Alarm is crackhead logging. For an accurate view, use a packet sniffer like ethereal/tcpdump and watch raw traffic off the wire for a while to see how many unsolicited packets and scans you'll receive.

Quote:
By the way, the line in /etc/hosts is uncommented? I've had that warning with fstab before and just scrolled to the end of the last line and hit enter a couple of times and then saved it and it went away. This line isn't at the end though and is part of the original file, not what I have done?

Not sure. Edit the file again, go to the end of line 14 and hit return to introduce a new line. If that doesn't help, then post the contents of the file (remove any public IPs).

Quote:
Just been looking through syslog again and the DPT (which I'm assuming is the port that is targeted) is 445 on probably 98% of the logs.

According to dshield it is currently THE most heavily scanned port, so it's not that surprising. Not sure guarddog can selectively log according to destination port (DST), but you might have some luck using rate limiting so that your logs don't get flooded with garbage. Also, make sure that none of the log entries are coming from your internal windows machine.
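To put numbers on the questions raised in this thread (which sources keep coming back, whether port 445 really accounts for almost all of the hits, and whether any entries come from the internal Windows machine rather than from the internet), here is a small parser for netfilter log lines of the kind quoted above. It is an added example, not code from the thread or from guarddog. The sample lines are constructed: they copy the field layout of the quoted entries and the DROPPED/ABORTED prefixes, but use RFC 5737 documentation addresses plus one RFC 1918 address standing in for a LAN host. The classification goes by the TCP flags rather than the prefix word: a lone SYN is an unsolicited connection attempt, while an ACK/RST is one side tearing a connection down and says less on its own about the sender's intent.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the guarddog/netfilter entries quoted in the
# thread. 203.0.113.x / 192.0.2.x / 198.51.100.x are documentation ranges;
# 192.168.1.20 plays the part of a Windows box on the local LAN.
SAMPLE_LOG = """\
Jan 4 17:34:02 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.0.113.93 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=32890 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:02 localhost xinetd[4013]: warning: /etc/hosts.allow, line 14: missing newline or line too long
Jan 4 17:34:04 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.0.113.93 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33038 DF PROTO=TCP SPT=4568 DPT=445 SEQ=2147803377 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:05 localhost kernel: DROPPED IN=ppp0 OUT= MAC= SRC=203.0.113.93 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=33091 DF PROTO=TCP SPT=4686 DPT=445 SEQ=2149212009 ACK=0 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 4 17:34:15 localhost kernel: ABORTED IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=49357 DF PROTO=TCP SPT=80 DPT=1488 SEQ=2127918413 ACK=4186446535 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 17:35:01 localhost kernel: DROPPED IN=eth0 OUT= MAC= SRC=192.168.1.20 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=100 DF PROTO=TCP SPT=1025 DPT=445 SEQ=1 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# syslog header, then the netfilter log prefix (DROPPED/ABORTED here) and the KEY=VALUE fields
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<verdict>[A-Z]+) (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* so empty fields like 'OUT=' and 'MAC=' still match

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict for a netfilter kernel log line, None for any other syslog line."""
    m = KERNEL_RE.match(line.strip())
    if not m:
        return None  # e.g. the xinetd hosts.allow warning is not a firewall entry
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    # Bare flags (DF, SYN, ACK, RST, ...) are tokens without '='; skip the OPT (..) blob.
    flags = {t for t in rest.split() if "=" not in t and t.isalpha() and t != "OPT"}
    return {
        "ts": m.group("ts"),
        "verdict": m.group("verdict"),
        "in": fields.get("IN", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        "flags": flags,
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """'syn': unsolicited inbound connection attempt; 'rst': a connection being
    reset; 'other': anything else (UDP, ICMP, odd flag combinations)."""
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        return "syn"
    if "RST" in f:
        return "rst"
    return "other"


def persistent_sources(records, threshold=3):
    """Sources that hit the firewall at least `threshold` times, busiest first."""
    hits = Counter(r["src"] for r in records)
    return [src for src, n in hits.most_common() if n >= threshold]


def internal_sources(records):
    """Sources inside RFC 1918 space: noise from your own LAN (e.g. a Windows
    host looking for SMB shares), not from the internet."""
    return sorted({r["src"] for r in records
                   if any(ipaddress.ip_address(r["src"]) in net for net in RFC1918)})


def top_dpt_share(records):
    """Most-targeted destination port and its share of all logged packets."""
    dpts = Counter(r["dpt"] for r in records if r["dpt"] is not None)
    port, n = dpts.most_common(1)[0]
    return port, n / len(records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["ts"], r["verdict"], classify(r), r["src"], "->", r["dpt"])
    print("persistent:", persistent_sources(recs))
    print("internal:", internal_sources(recs))
    print("top port, share:", top_dpt_share(recs))
```

Feed it a real syslog instead of SAMPLE_LOG (for example `parse_log(open("/var/log/syslog").read())`) and the three summaries answer the thread's questions directly: the persistent list is the set of candidates for a firewall block or an abuse report, anything in the internal list is a LAN host to fix rather than an attacker, and the top-port share tells you whether rate-limiting the port 445 noise would actually make the log readable again.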

