LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-12-2002, 07:32 PM   #1
lhoff
Member
 
Registered: Jun 2001
Location: Chicago
Distribution: Mandrake 10.0 Official
Posts: 181

Rep: Reputation: 30
HTTP access_log: security breach?


I saw an entry in today's logs for a host that requested a GET http://192.168.x.x (i.e., a LAN IP address, though in the end not a working one). I hadn't seen anything like that before; usually I just see file requests. There was only one of these.

Is this a usual kind of request, or should I be concerned?

Seeing this prompted me to look for tcpd, but I couldn't find it. Strange. I had thought this was installed. I do have portsentry, though, and so put a new entry into my hosts.deny. I'm hoping portsentry refers to that file to make its decisions.

Advice welcome!
 
Old 02-13-2002, 01:13 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790
Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges aren't sposed to be routable on the net, and any outside request for an address like these should be dropped.

Portsentry has it's own allow/deny tables, but dumping an address to any other app like Tcpwrappers or fw is easy, the cmd is in the config. With a little bit of work you could make a shell script that would tally IP's, and beyond a certain treshold block just their offending /24, /16 or /8 :-]

Maybe unwanted advice, but Portsentry by now isn't considered very effective, using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and try to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), that can be handed off to any other app using the distributed 3rd party apps that come with the tarball. Just like with AV software you'll be able to regularly update the rules bases, and you get the ability to write your own rules.
 
Old 02-14-2002, 10:23 AM   #3
lhoff
Member
 
Registered: Jun 2001
Location: Chicago
Distribution: Mandrake 10.0 Official
Posts: 181

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by unSpawn
Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges aren't sposed to be routable on the net, and any outside request for an address like these should be dropped.
Where do I find this? I've configured a firewall using the Mandrake GUI. But, it's not that I don't trust it, it just leaves me uninformed as to what's going on. I need to start viewing the actual files for this stuff.

And re: Portsentry...

Quote:
using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and try to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), that can be handed off to any other app using the distributed 3rd party apps that come with the tarball. Just like with AV software you'll be able to regularly update the rules bases, and you get the ability to write your own rules.
Where can i find out more about Snort?

Tx.
 
Old 02-16-2002, 11:10 AM   #4
voodoochild7
LQ Newbie
 
Registered: Feb 2002
Distribution: red hat 7.2
Posts: 20

Rep: Reputation: 0
www.snort.org.

If you read the called the Honeynet project it explains alot.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Breach in Sendmail Security? bper Linux - Security 2 08-02-2005 05:40 PM
[Security Questions] Last Login, how good is this feature for security breach info? t3gah Linux - Security 2 06-14-2005 01:02 AM
Network Security Breach nbjayme Linux - Security 0 03-17-2004 06:49 PM
Security breach? lhoff Linux - Security 5 02-15-2002 01:33 AM
Security Breach Traced to Hole in Head of Admin unSpawn General 3 05-30-2001 06:32 PM


All times are GMT -5. The time now is 05:51 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration