LinuxQuestions.org > Forums > Linux - Security
09-09-2003, 07:07 AM   #1
fabriciolb
LQ Newbie
Log, possibly attack?


In a routine check of my firewall I realized that something had gone wrong: typing was slow and Postfix had been started without my command.

I saw a lot of SMTP services started on high ports and a lot of connections from strange IPs in netstat.

This is the log:

Sep 1 06:25:11 zip syslogd 1.4.1#10: restart.
Sep 1 07:08:17 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=199.183.196.86 DST=10.0.0.139 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=5625 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:38 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42619 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:41 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42706 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
(...)
Sep 1 08:10:17 zip init: Trying to re-exec init
Sep 1 08:11:17 zip postfix/postfix-script: fatal: the Postfix mail system is not running
Sep 1 08:11:41 zip lpd[15024]: restarted
Sep 1 08:11:42 zip rpc.statd[174]: Caught signal 15, un-registering and exiting.
Sep 1 08:11:43 zip rpc.statd[15044]: Version 1.0 Starting
Sep 1 08:12:04 zip postfix/postfix-script: starting the Postfix mail system
Sep 1 08:12:05 zip postfix/master[15201]: daemon started
Sep 1 08:12:05 zip postfix/pickup[15204]: warning: 479E68040: message has been queued for 142 days
Sep 1 08:12:05 zip postfix/pickup[15204]: 479E68040: uid=0 from=<root>
Sep 1 08:12:05 zip postfix/cleanup[15206]: 479E68040: message-id=<20030412092559.479E68040@zip.zip>
Sep 1 08:12:05 zip postfix/pickup[15204]: warning: 8FCA28042: message has been queued for 142 days
Sep 1 08:12:05 zip postfix/pickup[15204]: 8FCA28042: uid=0 from=<root>
(...and these queued messages repeat many times...)

Could this be an attack via the RPC port?

Why doesn't my firewall block the connections? The only open port is 3389 and that is forwarded to a Windows box.

I use iptables and a transparent Squid proxy on this firewall.

Thanks, best regards.

Fabricio
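As an added example (not part of the original post or the thread), the shell script below summarises iptables LOG lines in the format posted above. The embedded sample log is constructed: its first three lines are the "TCP Dropped" entries from the post, and the last three (a hypothetical source 198.51.100.7 probing ports 21, 23 and 25) are invented so that one host scanning several ports shows up next to repeated hits on a single port. Note that a line carrying a log prefix such as "TCP Dropped " is written by a logging chain just before the packet is dropped, so each of those lines records a packet the firewall refused, not a connection it let through.

```shell
#!/bin/sh
# Added example, not part of the original thread: summarise iptables LOG lines
# of the kind posted above ("TCP Dropped ... SRC=... DPT=...").
# SAMPLE_LOG is constructed: the first three lines are the ones from the post,
# the last three (source 198.51.100.7, ports 21/23/25) are invented to show
# what one host probing several ports looks like next to repeated hits on one port.
SAMPLE_LOG='Sep  1 07:08:17 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=199.183.196.86 DST=10.0.0.139 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=5625 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  1 07:11:38 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42619 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  1 07:11:41 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42706 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  1 07:20:01 zip kernel: TCP Dropped IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.139 LEN=40 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Sep  1 07:20:02 zip kernel: TCP Dropped IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.139 LEN=40 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Sep  1 07:20:03 zip kernel: TCP Dropped IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.139 LEN=40 PROTO=TCP SPT=40003 DPT=25 SYN URGP=0'

# dropped_by_port [logfile...]: one line "COUNT PROTO:DPT" per destination port
# that the firewall logged a drop for, most frequent first. Reads stdin if no file.
dropped_by_port() {
  awk '/Dropped/ {
         proto = ""; dpt = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^PROTO=/) proto = substr($i, 7)
           if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
         }
         if (proto != "" && dpt != "") count[proto ":" dpt]++
       }
       END { for (k in count) print count[k], k }' "$@" | sort -rn
}

# ports_per_source [logfile...]: one line "NPORTS SRC" per source address,
# where NPORTS is the number of distinct destination ports it was dropped on.
# One source touching many ports is scanning you; many sources touching the
# same port is usually automated background noise. Reads stdin if no file.
ports_per_source() {
  awk '/Dropped/ {
         src = ""; dpt = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^SRC=/) src = substr($i, 5)
           if ($i ~ /^DPT=/) dpt = substr($i, 5)
         }
         if (src != "" && dpt != "") seen[src SUBSEP dpt] = 1
       }
       END {
         for (k in seen) { split(k, parts, SUBSEP); nports[parts[1]]++ }
         for (s in nports) print nports[s], s
       }' "$@" | sort -rn
}

# Stand-alone demo over the embedded sample. On a real box, point the functions
# at the log instead, e.g.: dropped_by_port /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | dropped_by_port
printf '%s\n' "$SAMPLE_LOG" | ports_per_source
```

Both functions only look at tokens of the form KEY=VALUE, so they work on any line produced by the iptables LOG target regardless of which optional fields (MAC, DF, TOS) a given kernel prints.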
 
09-10-2003, 08:52 AM   #2
unSpawn
Moderator
Welcome to LQ.
Quote: I saw a lot of SMTP services started on high ports and a lot of connections from strange IPs in netstat.
I don't see a thing :-] Posting the output of netstat could have been helpful. Also, you should start by checking what you actually need to run. If there are services you don't need yourself or don't need to provide, then stop and uninstall them. For instance, to retrieve remote mail or send mail you don't need an SMTP daemon running. That is only necessary if you need other people to use your SMTP server. The services you do need (to provide) you should configure well. In the case of SMTP that means checking which address (ranges) you allow people to access the service from and applying other anti-spam features. If you're not familiar with securing a box, please see the 1st sticky post in this forum.

Quote: Could this be an attack via the RPC port?
Comparing your lines with rpc exploit entries, which may look something like this in the logs:
Sep 10 08:11:43 zip rpc.statd[904]: gethostbyname errr78y2d x8435yb495yxb249756xb2843cvahbx845bp5bpuybeiauwbXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX

I'd guess it doesn't look like it, looks more like a restart to me. *Why* it restarted at that particular time I can't answer either.


Quote: Why doesn't my firewall block the connections? The only open port is 3389 and that is forwarded to a Windows box.
Post your firewall script?
 
09-10-2003, 02:14 PM   #3
fabriciolb
LQ Newbie (Original Poster)
I don't know how to express my problem very well because my English is poor.

My firewall script is:

#!/bin/sh
#---------------------------------
# Basic configuration
#---------------------------------
IPTABLES=$(which iptables)
PERMITIR_TCP="22 80 3389"        # TCP ports to open on the Internet interface
PERMITIR_UDP="53"                # UDP ports to open on the Internet interface
INET_INT="eth0"
LAN_INT="eth1"
INTERNAL_LAN="10.0.0.0/24 200.x.x.x 200.x.x.x"
MASQ_LAN="10.0.0.0/24"
#---------------------------------
# DROP target: use "LDROP" to log before dropping
#---------------------------------
#DROP="TREJECT"
DROP="LDROP"
#---------------------------------
# TCP forward: serverport:hostport>ip
#---------------------------------
TCPFORWARD="3389:3389>10.0.0.152"
UDPFORWARD=""
#---------------------------------
# User-defined chains
#---------------------------------
REGRAS="ENTRADANET SAIDANET TCPPERMITIDO LDROP TREJECT"
#---------------------------------
# Enabling IP forwarding (needed for masquerading)
#---------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------
# Enabling TCP syncookies
#---------------------------------
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#---------------------------------
# Flushing the old rules
#---------------------------------
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
for chain in ${REGRAS} ; do
${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -N ${chain}
done
# INPUT/OUTPUT default to ACCEPT; traffic on the Internet interface is
# filtered by the ENTRADANET/SAIDANET chains attached further down.
${IPTABLES} -t filter -P INPUT ACCEPT
${IPTABLES} -t filter -P OUTPUT ACCEPT
${IPTABLES} -t filter -P FORWARD DROP
#---------------------------------
# Local traffic
#---------------------------------
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${subnet} -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#---------------------------------
# Enabling NAT
#---------------------------------
if [ "$MASQ_LAN" != "" ] ; then
for subnet in ${MASQ_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_INT} -j MASQUERADE
done
fi
#---------------------------------
# TCP forward
#---------------------------------
if [ "$TCPFORWARD" != "" ] ; then
for rule in ${TCPFORWARD} ; do
echo "$rule" | {
IFS=':>' read srcport destport host
${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${destport} -j ACCEPT
}
done
fi
#---------------------------------
# UDP forward
#---------------------------------
if [ "$UDPFORWARD" != "" ] ; then
for rule in ${UDPFORWARD} ; do
echo "$rule" | {
IFS=':>' read srcport destport host
${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${destport} -j ACCEPT
}
done
fi
#---------------------------------
# Finishing the rule configuration
#---------------------------------
${IPTABLES} -t filter -A INPUT -i ${INET_INT} -j ENTRADANET
${IPTABLES} -t filter -A OUTPUT -o ${INET_INT} -j SAIDANET
# LDROP: log (rate-limited) and then drop
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit 2/s -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
# TREJECT: reject with a TCP reset or ICMP port-unreachable
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -j REJECT
#---------------------------------
# Protecting against TCP SYN floods
#---------------------------------
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp --syn -m limit --limit 4/s -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp ! --syn -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCP "
${IPTABLES} -t filter -A TCPPERMITIDO -j ${DROP}
#---------------------------------
# Packets with invalid state
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state INVALID -j ${DROP}
#---------------------------------
# Discarding ping floods
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
${IPTABLES} -t filter -A ENTRADANET -p icmp ! --icmp-type echo-request -j ACCEPT
#---------------------------------
# TCP ports to be opened
#---------------------------------
if [ "$PERMITIR_TCP" != "" ] ; then
for port in ${PERMITIR_TCP} ; do
${IPTABLES} -t filter -A ENTRADANET -p tcp --dport ${port} -j TCPPERMITIDO
done
fi
#--------------------------------
# Test with UDP ports
#--------------------------------
if [ "$PERMITIR_UDP" != "" ] ; then
for port in ${PERMITIR_UDP} ; do
${IPTABLES} -t filter -A ENTRADANET -p udp --dport ${port} -j ACCEPT
done
fi
#---------------------------------
# Packets belonging to established connections
# (note: only ESTABLISHED is accepted here, not RELATED)
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state ESTABLISHED -j ACCEPT
#---------------------------------
# TOS
#---------------------------------
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos 0x02
#---------------------------------
# Default rules
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -j ${DROP}
${IPTABLES} -t filter -A SAIDANET -j ACCEPT
#route add -host 200.x.x.x gw 10.0.0.152
ifconfig eth0:1 200.x.x.x netmask 255.255.255.255
#${IPTABLES} -A PREROUTING -t nat -d 200.x.x.x -j DNAT --to 10.0.0.152
#${IPTABLES} -A POSTROUTING -t nat -s 10.0.0.152 -j SNAT --to 200.x.x.x
route add -host 200.x.x.x gw 200.x.x.x
route add -host 200.x.x.x gw 200.x.x.x

Is this a good, strong security script?

Many Thanks

Fabricio
Curitiba- Brasil
 
09-11-2003, 06:37 PM   #4
unSpawn
Moderator
Looks good to me, except you're allowing telnet and I don't see the "drop bad flags" rules. Check out the first thread in this forum, look for the firewall post, the linuxguruz site. Got some damn good examples there. Of course you can also search LQ, we've got some good examples as well.
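As an added example (not from the reply above and not part of the posted script), here is the kind of "drop bad flags" rule set the reply refers to, packaged as a shell function in the style of the posted script. The chain name ENTRADANET, the logging target LDROP and the IPTABLES variable are taken from the posted script; the function name, the rule list and the dry-run switch are this example's own. Each rule uses `--tcp-flags MASK COMP`, which inspects only the flags named in MASK and matches when exactly the flags in COMP are set, so the combinations below (no flags at all, all flags, SYN together with FIN or RST, and so on) are ones a legitimate TCP stack never sends. For reference, the only port 23 rule in the posted script is the mangle-table TOS mark on outbound packets; the inbound ports it opens are the ones listed in PERMITIR_TCP.

```shell
#!/bin/sh
# Added example, not part of the original thread: "drop bad flags" rules for
# the ENTRADANET chain of the posted script. IPTABLES, ENTRADANET and LDROP
# come from that script; everything else here is this example's own.
IPTABLES=${IPTABLES:-iptables}

# bad_flags_rules CHAIN [TARGET]: append rules to CHAIN that send TCP packets
# with impossible flag combinations (null/xmas scans and the like) to TARGET.
# Call it right after the INVALID rule and before the PERMITIR_TCP loop, so the
# check runs before any port is accepted. Set IPTABLES='echo iptables' to
# print the rules instead of loading them.
bad_flags_rules() {
  chain=$1
  target=${2:-LDROP}
  # Each entry is "MASK COMP" for --tcp-flags.
  for spec in \
      "ALL NONE" \
      "ALL ALL" \
      "ALL FIN,PSH,URG" \
      "SYN,FIN SYN,FIN" \
      "SYN,RST SYN,RST" \
      "FIN,RST FIN,RST" \
      "ACK,FIN FIN" \
      "ACK,PSH PSH" \
      "ACK,URG URG"
  do
    set -- $spec   # split "MASK COMP" into $1 and $2 (chain/target already saved)
    $IPTABLES -t filter -A "$chain" -p tcp --tcp-flags "$1" "$2" -j "$target"
  done
  # A packet that starts a new connection must be a bare SYN; anything else
  # claiming to be NEW is bogus (or a scan using ACK/FIN probes).
  $IPTABLES -t filter -A "$chain" -p tcp ! --syn -m state --state NEW -j "$target"
}

# Stand-alone use: "sh thisfile.sh --print" prints the rules without touching
# the live firewall. To use them for real, source this file from the firewall
# script and call bad_flags_rules ENTRADANET at the point described above.
if [ "${1:-}" = "--print" ]; then
  IPTABLES='echo iptables'
  bad_flags_rules ENTRADANET
fi
```

Because the rules jump to LDROP rather than DROP, every matching packet is logged with the "TCP Dropped " prefix, so a flag-based scan shows up in the same log the rest of the thread is analysing.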