Port attacks from linuxquestions.org, wikipedia, yahoo, youtube, etc. etc.
My firestarter firewall is blocking port attacks from respectable sites such as lq, wikipedia, youtube, yahoo etc.
The attacks are in the 30000 range. And they change with each attempt.
Also they are not just tcp, but also 'unknown' etc.
The result is, of course, that these sites have been blocked from accessing them - in order to post this I have had to switch off my firewall!
Changing firestarter to accept from trusted sites access on those ports does not seem to help because then the attacks try using a different service, hence if I allow access for tcp, the attacks start using 'unknown' service, udp etc.
It seems as if the attacks intend to force me to turn off my firewall.
A sort of denial of services, so to speak, in reverse.
I am using slackware 10.1 and I am connected via cable.
Since this is clearly not a widespread problem - iow I do not think that the problem originates from the sites being accessed, I suppose that it may be related to my ISP or that I am specifically being targeted (which I doubt).
The only other strange thing that I can report is that my cable modem seems to re-train very often - even when idle.
I would be most grateful if anybody can throw some light on this matter.
I'm going to make some assumptions and ask some questions and rely on you to confirm, deny or provide answers:
1. With the blocked traffic, was or is there established connections? For instance, is the LQ traffic initiated by you by a browser session? The reason I'm asking is that it's quite possible that your firewall rules may be misconfigured. The reason why I'm leaning toward that is that when reading FW logs, I sometimes see inverted traffic that may look bad until I realize that the traffic is actually the return part of bidirectional traffic. Remember, this is an assumption based on the fact that I need more info...
2. When did you notice this traffic?
3. Did you recently alter your FW policy?
4. Can you post your FW rules?
One observation is that in the last few weeks, I've noticed spam hitting my home network (on port 25) from wikipedia.org (although it's remotely possible that the spam is spoofed). While I doubt that LQ may be running an open relay, I've seen stranger things.
EDIT: oh yeah...that Service:Unknown bit irks me. Your firewall is doing service resolution? Something is not right. Looking at your logs, it appears that LQ is port scanning you, but I seriously doubt that. Those ports may be ephemeral, which would mean that the destination port (which we don't see) may be key in determining what's happening here. I can't believe that your firewall is trying to associate services with ephemeral ports, either...
Quote:
1. With the blocked traffic, was or is there established connections?
Yes - I was trying to contact the site and the site was responding - but blocked by the firewall. I first noticed the problem because the browser would time out the connection.
Quote:
2. When did you notice this traffic?
I first noticed it about 2 months ago with wikipedia - and thought, of course it was wikipedia's problem. Then it occurred with youtube, then with lq and now with yahoo - I can't get my mail.
NB - it seems to be getting worse - and I can say with almost certainty that it did not occur for all sites at the same time.
However - please note that I am not monitoring my fw log all the time, because there is always activity from strange sites - I assume that it is normal, pls tell me if this is not the case. I have only posted an extract which refers exclusively to lq.
Quote:
3. Did you recently alter your FW policy?
No - in fact I never changed the policy until after these problems occurred - I tried to allow the specific IPs to access those ports - but then their activity changed, e.g., using icmp instead of tcp - I gave up trying to give them specific access.
The only policy I can see on firestarter now is to allow incoming traffic from localhost.
Quote:
4. Can you post your FW rules?
Yes. Here is the output from iptables -L
I've had to anonymise some addresses since they are so similar to my own.
That includes the DNS servers which I have defined in my resolv.conf.
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- dns.myISP.dom anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- dns.myISP.dom anywhere
ACCEPT tcp -- host-xxx-xx-xxx-xxx.myISP.dom anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- host-xxx-xx-xxx-xxx.myISP.dom anywhere
ACCEPT all -- anywhere anywhere
LSI udp -- anywhere anywhere udp dpt:33434
LSI icmp -- anywhere anywhere
NR all -- !host-xxx-xx-xxx-0.myISP.dom/24 anywhere
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere host-xxx-xx-xxx-255.myISP.dom
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'
Man you need to seriously rethink those log rules. There's very little point in complicating things by adding a bunch of explicit deny rules for traffic that's already going to get caught by the global drop policy--all it does is add more visual noise that makes it hard to troubleshoot things. Only make rules for the traffic you want to allow. Everything else should be dropped by default.
"Service unknown" probably just means that there is no corresponding label in /etc/services for the port, which would be the case for high ports. Looks like you are running an over-zealous firewall that is missing a few accept Established,Related and/or state/conntrack rules and is logging normal network traffic (in this case, probably you interacting with the LQ site) as attacks.
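As an added illustration of the point made in the two replies above (this is not code from any poster in the thread): a small Python script that parses iptables LOG lines of the kind shown in the `Unknown Input` extract and marks which entries are the return half of a connection the local host opened (a well-known remote service port talking to a local ephemeral port, ACK set) versus a genuinely unsolicited SYN. The sample log lines, the tiny stand-in for /etc/services and the ephemeral range 32768-61000 are constructed assumptions, chosen to match what a 2.6-era Linux box would use.

```python
"""Classify iptables LOG lines as return traffic or unsolicited packets.

Added example for this thread, not code written by any poster. It assumes
the key=value format of the iptables LOG target (IN= SRC= DST= PROTO= SPT=
DPT= plus bare TCP flag words such as SYN and ACK). The sample log lines,
the stand-in services table and the ephemeral port range are constructed.
"""
import re
from collections import Counter

# Assumed default Linux local port range of the period (ip_local_port_range).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 61000

# Constructed stand-in for /etc/services; a port missing here resolves to
# "unknown", which is what a GUI such as Firestarter shows for high ports.
SERVICES = {
    (22, "tcp"): "ssh", (25, "tcp"): "smtp", (80, "tcp"): "http",
    (443, "tcp"): "https", (53, "udp"): "domain",
}

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample in the style of a Firestarter "Unknown Input" LOG line.
SAMPLE_LOG = """\
Mar 18 10:01:02 slack kernel: Unknown Input IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 TTL=52 PROTO=TCP SPT=80 DPT=33512 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Mar 18 10:01:03 slack kernel: Unknown Input IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=1500 TOS=0x00 TTL=52 PROTO=TCP SPT=80 DPT=33512 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Mar 18 10:02:44 slack kernel: Unknown Input IN=eth1 OUT= SRC=203.0.113.99 DST=198.51.100.7 LEN=60 TOS=0x00 TTL=48 PROTO=TCP SPT=44123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 10:03:10 slack kernel: Unknown Input IN=eth1 OUT= SRC=192.0.2.53 DST=198.51.100.7 LEN=90 TOS=0x00 TTL=55 PROTO=UDP SPT=53 DPT=34011 LEN=70
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus its TCP flag words."""
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = {w for w in line.split() if w in TCP_FLAGS}
    return rec


def service_name(port, proto):
    """Resolve a port the way a firewall GUI would from /etc/services."""
    return SERVICES.get((port, proto), "unknown")


def is_ephemeral(port):
    return EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH


def classify(rec):
    """Label one parsed record.

    return-traffic: a packet from a well-known service port to one of our
        ephemeral ports with ACK set (TCP), or a UDP reply of that shape;
        this is the second half of a connection this host opened, which an
        ESTABLISHED,RELATED rule would have accepted without logging.
    unsolicited: a fresh TCP SYN, or a UDP packet that is not such a reply.
    other: anything else (ICMP, fragments, lines the parser cannot read).
    """
    proto = rec.get("PROTO", "").lower()
    spt = int(rec.get("SPT") or 0)
    dpt = int(rec.get("DPT") or 0)
    reply_shape = is_ephemeral(dpt) and service_name(spt, proto) != "unknown"
    if proto == "tcp":
        flags = rec["FLAGS"]
        if reply_shape and "ACK" in flags:
            return "return-traffic"
        if "SYN" in flags and "ACK" not in flags:
            return "unsolicited"
        return "other"
    if proto == "udp":
        return "return-traffic" if reply_shape else "unsolicited"
    return "other"


def summarize(log_text):
    """Classify every line of a LOG extract and count the verdicts."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" in line:
            counts[classify(parse_log_line(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_log_line(line)
        print(rec["SRC"], rec["PROTO"], rec["SPT"], "->", rec["DPT"],
              service_name(int(rec["DPT"]), rec["PROTO"].lower()),
              classify(rec))
    print(summarize(SAMPLE_LOG))
```

Run against a real extract (`grep 'Unknown Input' /var/log/messages | python3 classify.py` after swapping `SAMPLE_LOG` for stdin) the count of `return-traffic` entries is the number of log lines a single `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule would have silenced; the `unsolicited` ones are the only entries worth a second look. The three sample entries from port 80 and 53 to ports in the 33000-34000 range resolve to "unknown" precisely because no /etc/services entry exists for them, which is where the GUI's "Service: Unknown" label comes from.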
I'd try running the firewall without firestarter, with a simple set of rules. I've never manually created such a beefy policy, so I agree with jayjwa on this one...firestarter appears to be rather overzealous.
1. Below is an example. You should already have an idea of what you want to allow/disallow.
2. You can use the below example as a template and convert your existing ruleset to something a bit more simple.
I'm hoping I'm not moving so quickly that I've forgotten something, but here goes.
OK, I've a host that is internal to my network that runs Slackware 12.0 but doesn't run a firewall script. It normally doesn't serve content but I needed a box to experiment with (I'm more proficient with PF, although once you know one FW, you pretty much know them all).
I created rc.firewall and placed it in /etc/rc.d (this is where Slackware keeps its init scripts...your distro may vary). Then I added the following to rc.firewall:
Code:
#!/bin/sh
# This is a very basic LAN NAT script, allowing only SSH to the firewall from
# the external interface, allowing all outbound LAN traffic, and allowing only
# established/related traffic back into the LAN.
#
# eth1 = external NIC (ISP)
# eth0 = internal NIC (LAN)
#
# allows connections to port 443 for web services
# allows connections to port 22 for ssh access
ipt=/usr/sbin/iptables
extip=99.99.99.99 # replace with your EXTERNAL IP - eth1
lan=10.10.10.0/24 # your LAN CIDR range - eth0
debug=            # set to "echo" to print the reset commands instead of running them

# start firewall
start_firewall() {
    echo "Enabling IP forwarding."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Enabling iptables firewall."
    # default policies
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    # NAT
    $ipt -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $extip
    # INPUT chain
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -i eth0 -s $lan -j ACCEPT
    # replies to connections this host opened come back in here, unlogged
    $ipt -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -p tcp --destination-port 443 -j ACCEPT
    $ipt -A INPUT -p tcp --destination-port 22 -j ACCEPT
    # FORWARD chain
    $ipt -A FORWARD -i eth0 -s $lan -j ACCEPT
    $ipt -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# stop firewall
stop_firewall() {
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -P FORWARD DROP
    # allow internal traffic
    $ipt -A INPUT -i eth0 -j ACCEPT
    $ipt -A OUTPUT -o eth0 -j ACCEPT
}

# flushing, removing and zeroing tables
reset_firewall() {
    chains=`cat /proc/net/ip_tables_names`
    for i in $chains; do
        $debug $ipt -t $i -F
        $debug $ipt -t $i -X
        $debug $ipt -t $i -Z
    done
}

case "$1" in
    start|restart|reload)
        reset_firewall
        start_firewall
        ;;
    stop)
        reset_firewall
        stop_firewall
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
This is a script but you can actually see the breakdown of the chains. You can experiment with this script to add what you want to any chain.
iptables has an extensive manual. There are also extensive tutorials/howtos/FAQs that can be located via Google. For expediency's sake, I grabbed the above from slackwiki.org/security and edited it just to see how quickly I get a bare-bones FW ruleset implemented. Took me like 10 minutes max. Tuning this script to your environment/host should be pretty easy.
I'll leave you now, to experiment. You'll find that managing your rules manually isn't difficult and is probably more efficient than relying on a GUI (unless you've a ton of firewalls to manage), though YMMV.
Last edited by unixfool; 03-19-2008 at 06:31 AM.
Reason: added a paragraph at the beginning to explain the fact that the example is just an example :)