Old 01-26-2004, 10:08 AM   #1
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
Microsoft ISA Firewall Returns Port Scan Warnings From Linux BIND DNS Servers.


I set up two RedHat Linux 9 DNS Servers with their default BIND 9.2.1-16. One is the master 64.234.123.2 and the other is the slave 64.234.123.3 (these are not the actual addresses). Everything works well except that my Microsoft ISA 2000 Firewall returns the warning below under Event Viewer, Application:

Event ID 15105

ISA Server detected an all port scan attack from Internet Protocol (IP) address 64.234.123.2. For more information about this event, see ISA Server Help.

The Linux DNS servers are stand-alone with no firewalling and they are not behind the ISA firewall. My ISA firewall is 64.234.123.4. These warnings happen about every one to two hours. Why? Does BIND actually perform a port scan before zone transfers? Is this part of its mechanism; port scans? Has anybody else experienced this? Please let me know.
 
Old 01-26-2004, 11:34 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Probably the ISA server is doing some kind of DNS lookups from your servers, and since the ISA server is making the request from a different high port (over 1023) every time, it gets responses back to many different ports. If, for example, you had a bunch of new connections open nearly simultaneously and the ISA server did reverse DNS lookup on all of them, then it would *appear* that your DNS server was making a "port scan" of a bunch of high ports on the ISA server (really just responding to requests).

That's the only thing I can think of. If that's the cause, then ISA server is even worse than I thought.
 
Old 01-26-2004, 11:43 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Might want to fire up tcpdump/ethereal on the Bind machine and see if you can figure out what the traffic is that elicits such a weird log message.
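The false positive chort describes in #2 (DNS replies from port 53 landing on many different ephemeral client ports, which a stateless detector counts as a scan) is easy to reproduce against the kind of capture Capt_Caveman suggests taking. The script below is an added illustration, not code from the thread or from ISA Server: it parses constructed tcpdump-style lines (the addresses are the poster's placeholders plus a made-up scanner at 198.51.100.9 from the RFC 5737 documentation range) and runs two detectors over them, one that only counts distinct destination ports per source and one that first discards packets answering a request the local host sent. The line format, the threshold and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not captured from the thread's hosts).
# 64.234.123.4 plays the ISA firewall, 64.234.123.2 the BIND master; both
# are the placeholder addresses the poster used. 198.51.100.9 is a
# constructed scanner address (RFC 5737 documentation range).
def build_sample_capture():
    lines = []
    for i in range(12):
        sport = 40000 + i
        # the firewall sends a PTR query from an ephemeral port ...
        lines.append(f"10:08:{i:02d}.000100 IP 64.234.123.4.{sport} > 64.234.123.2.53: "
                     f"{1000 + i}+ PTR? {i}.0.0.10.in-addr.arpa. (44)")
        # ... and BIND answers from port 53 back to that same ephemeral port
        lines.append(f"10:08:{i:02d}.000400 IP 64.234.123.2.53 > 64.234.123.4.{sport}: "
                     f"{1000 + i} 1/0/0 PTR host{i}.example. (80)")
    # unsolicited SYNs to a dozen well-known ports: an actual probe
    for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389):
        lines.append(f"10:09:00.{port:06d} IP 198.51.100.9.51000 > 64.234.123.4.{port}: "
                     f"Flags [S], seq 1, win 1024, length 0")
    return lines

# "<timestamp> IP <src>.<sport> > <dst>.<dport>:" as tcpdump prints it
PACKET_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_line(line):
    m = PACKET_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def naive_scan_alerts(lines, local_ip, threshold=10):
    """Stateless heuristic: any remote host that sends packets to at least
    `threshold` distinct local ports is reported as a port scanner."""
    ports_hit = defaultdict(set)
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["dst"] == local_ip:
            ports_hit[pkt["src"]].add(pkt["dport"])
    return {src for src, ports in ports_hit.items() if len(ports) >= threshold}

def stateful_scan_alerts(lines, local_ip, threshold=10):
    """Same heuristic, but a packet whose reversed (peer, peer port, local
    port) tuple matches a request the local host sent earlier is treated
    as a reply and not counted as a probe."""
    expected = set()
    ports_hit = defaultdict(set)
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["src"] == local_ip:
            expected.add((pkt["dst"], pkt["dport"], pkt["sport"]))
        elif pkt["dst"] == local_ip:
            key = (pkt["src"], pkt["sport"], pkt["dport"])
            if key in expected:
                expected.discard(key)
            else:
                ports_hit[pkt["src"]].add(pkt["dport"])
    return {src for src, ports in ports_hit.items() if len(ports) >= threshold}

if __name__ == "__main__":
    capture = build_sample_capture()
    print("naive   :", sorted(naive_scan_alerts(capture, "64.234.123.4")))
    print("stateful:", sorted(stateful_scan_alerts(capture, "64.234.123.4")))
```

On this capture the stateless detector flags both the BIND master and the real scanner, while the stateful one flags only 198.51.100.9. Feeding a real `tcpdump -n` capture from the BIND box through `naive_scan_alerts` with the ISA address as `local_ip` is a quick way to confirm that the "all port scan" events line up with bursts of the firewall's own lookups rather than with anything BIND initiates.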
 
Old 01-26-2004, 12:03 PM   #4
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Original Poster
Rep: Reputation: 47
chort,

I think you detected my problem precisely. I looked at the resolv entries for the outside NIC on my ISA firewall and it points to the two DNS server addresses that the port scan warnings are complaining about.

I replaced two servers about weeks ago from Windows DNS to Linux BIND and then started getting these warnings in ISA.

What do you suggest I do?

Are there any entries I can make in ISA to ignore these port scans coming exclusively from these two addresses?

Should I just ignore these warnings?

Your professional advice is very appreciated. I admire that you are CISSP certified.

Thanks,

Ram
 
Old 01-26-2004, 11:09 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well, probably the most complete solution would be to disable reverse DNS lookups on the ISA server. They just waste time. If you really need to get the domain name associated with an IP, you can do it off-line (i.e. with a lookup tool not on the ISA server). That would eliminate the portscan issue, and probably boost the performance on your ISA server a little.

Other than that, you would have to find a way to exempt the DNS servers from ISA's port scan warnings, but you're on your own there. I've seen exactly one ISA server implementation and it looked every bit as scary as I had imagined.

By the way, your admiration is noted, but don't get carried away. It just means I took the time to be tested on things that a lot of other people know (but don't care to spend the time to certify).
 