LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-09-2003, 04:51 PM   #1
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
regular icmp echo requests (type 8's)?


i'm in the process of learning how to watch connections on my computer, as i am acutely paranoid about being hacked (they know!). ok, that aside, i had noticed that i would pretty regularly get my syslog full of logged ICMP type 8 packets (echo requests) that i'd drop, so i stopped logging (but still drop) the type 8 ICMP's to clean up my syslog.

i've been leaving tcpdump on and watching the output periodically (i haven't learned how to automate these things yet), and i notice many of the type 8 ICMP's again. they all seem to come from addresses that are similar to mine, which leads me to suspect it's from other ppl on my ADSL ISP (using PPPOE). it could also be some sort of pinging to keep track of my connection, but i just don't know. i've listed one of these tcpdump outputs below (my address is changed):

16:37:44.429510 66.74.35.20 > 66.73.168.27: icmp: echo request

should i interpret these echo attempts as someone trying to find my computer for malicious purposes, or should i just relax?

oh, a second and somewhat unrelated question is:

if i'm running sshd (not the latest version, the one that came w/ slack 9) and access to it is restricted via iptables (i match interface, source address and MAC) and tcpwrappers (have explicit allows for local addresses in hosts.allow) should i be worried about remote exploits? in this case is it really important to upgrade to the newest version of ssh?

thx for reading,
y-p
 
Old 09-09-2003, 06:51 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I wouldn't really be concerned about isolated pings. They're a pretty normal thing to see. Now if they're a part of a more concerted probe, like a ping followed by scanning of a few ports and exploit attempts against services, that's something to be a little more concerned about. The only thing I would recommend with regards to pings is that you limit the burst rate and that you turn off "reply to broadcast icmp echo requests", as both of these can be used in DOS attacks. If you start trying to track down everyone on the internet who pings you, you're going to be pretty damn busy. Also ISPs have a habit of pinging you every so often to see if you're still up.

Some of the older versions of SSH are exploitable, so I would definitely install the errata on any linux distro you are running. It's also wise to edit sshd.conf so that you are only using protocol 2, instead of allowing protocols 1&2 (protocol 1 is vulnerable to key discovery). It does sound like you have your slack box locked down pretty well. But technically you could still exploit ssh even with your set up (MAC addresses are trivial to spoof, and you can spoof ip addresses easily when running a buffer overflow or other technique that doesn't require a three-way handshake). If you've gone through the effort of setting up your security that well, you might as well go all the way. My two cents anyway.
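The distinction drawn above between an isolated ping and a ping followed by a few port hits is something that can be checked mechanically rather than by eyeballing tcpdump. The following is an added example, not code from the thread: it parses old-style tcpdump lines (the sample lines are constructed; only the first echo-request line mirrors the one quoted in the question) and reports, per source, how many echo requests it sent and whether it went on to SYN several TCP ports afterwards.

```python
import re
from collections import defaultdict

# Constructed sample of old-style tcpdump output. The first line is the
# echo request quoted in the thread; the rest are made up to show the
# "ping, then a few ports" pattern that is worth a closer look.
SAMPLE = """\
16:37:44.429510 66.74.35.20 > 66.73.168.27: icmp: echo request
16:38:02.118003 66.74.40.9 > 66.73.168.27: icmp: echo request
16:38:02.602115 66.74.40.9.33102 > 66.73.168.27.22: S 1047:1047(0) win 5840
16:38:02.604877 66.74.40.9.33103 > 66.73.168.27.80: S 1048:1048(0) win 5840
16:38:02.607201 66.74.40.9.33104 > 66.73.168.27.135: S 1049:1049(0) win 5840
16:39:10.000431 66.74.35.20 > 66.73.168.27: icmp: echo request
"""

ICMP_ECHO = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+) > \S+: icmp: echo request$")
TCP_SYN = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.(\d+): S ")


def summarize(text):
    """Per source address: (echo requests seen, sorted TCP ports SYN'd,
    line index of first echo request, line index of first SYN)."""
    echoes, ports = defaultdict(int), defaultdict(set)
    first_echo, first_syn = {}, {}
    for idx, line in enumerate(text.splitlines()):
        m = ICMP_ECHO.match(line)
        if m:
            echoes[m.group(1)] += 1
            first_echo.setdefault(m.group(1), idx)
            continue
        m = TCP_SYN.match(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
            first_syn.setdefault(m.group(1), idx)
    return {src: (echoes[src], sorted(ports[src]),
                  first_echo.get(src), first_syn.get(src))
            for src in set(echoes) | set(ports)}


def concerted_probes(text, min_ports=2):
    """Sources that pinged first and then hit at least min_ports TCP ports:
    the pattern the reply says deserves attention, unlike a lone ping."""
    hits = []
    for src, (n_echo, tcp_ports, e_idx, s_idx) in summarize(text).items():
        if n_echo and len(tcp_ports) >= min_ports and e_idx < s_idx:
            hits.append(src)
    return sorted(hits)
```

Feeding a saved tcpdump log to `concerted_probes()` gives the short list of sources worth looking at; everything else is the background noise the reply says to relax about.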
 
Old 09-09-2003, 08:15 PM   #3
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
good point, i think i'll get the latest sshd/ssh source. you mentioned that it's trivial to spoof the MAC and IP, as i would expect, but can one get around the interface matching? i ask this b/c i have wireless connection to the 2 other computers here and i only want to allow ssh access to those computers. the rule in my iptables is (changed MAC)

# allow ssh in from horatio
$IPTABLES -A INPUT -p TCP -i wlan0 --dport 22 -m mac --mac-source 00:06:5d:68:f3:7c -j ACCEPT

IF someone were to try to get through this matching with a wireless connection, say in my building, how would they get the right MAC if they didn't know it ahead of time? it's not feasible to try all the available MACs, is it? and i did enable only protocol 2 for ssh already, so the only way in would be acquiring a password for my router/firewall. could that be acquired via someone monitoring my wireless connection?

thx for the response,
y-p
 
Old 09-09-2003, 09:30 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Assuming you're talking about 802.11 wireless, it is actually easier to sniff MAC addresses off a wireless network than an ethernet connection because the MAC addresses are in plaintext in the wireless packets. Sitting in my home office now, if I fire up a wireless sniffer (like kismet or whatever) on my Zaurus I can see the MAC addresses of all the wireless access points and clients within about 150-200ft without doing any decryption or wireless key cracking, as soon as they transmit a single packet. So as far as restricting by MAC addresses, it is horrifyingly easy to spoof on a wireless network.

So just assume that anyone within a couple of hundred feet will potentially at least be able to see your MAC and spoof it at will. Don't worry though, this isn't any less secure than having sshd running as a public service on the internet (Actually it's safer because access will be limited to those within your reception radius). So just make sure that you have installed any sshd errata packages, restrict sshd to protocol 2, and you should be fine.

The good news is that if you do catch someone trying to crack your box via the wlan, you can just go door-to-door with a bat until you find the culprit.
 
Old 09-09-2003, 10:25 PM   #5
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
omg, that bat comment was good. i don't think it would fly w/ my fellow buildingmates, though.

thx a bunch,
y-p
 
Old 09-13-2003, 11:43 PM   #6
racote
LQ Newbie
 
Registered: Jul 2003
Posts: 5

Rep: Reputation: 0
This is tangentially related to this thread. Capt_Caveman mentions the use of a Zaurus and Kismet. I have been running Kismet on my 5500 with the Sharp distro.
Kismet will work well for a few minutes and then the NIC (Linksys WCF12) shuts off. Any tips on what needs to be configured to keep the card active and in a promiscuous mode?
 
Old 09-14-2003, 11:09 AM   #7
tobyl
Member
 
Registered: Apr 2003
Location: uk
Distribution: slackware current
Posts: 768

Rep: Reputation: 64
yocompia, in relation to your first question, I have noticed a massive increase in type 8 icmp packets being dropped by my firewall over the last two or three weeks. They appear to be coming from within my isp's ip range, but I believe they are spoofed as the ip address is constantly changing. Actually I recently stopped thinking about it as I now have dsl and I invested in a router with a hardware firewall, so I don't see them anymore, but I have seen similar stuff on friends' computers.
Has anyone else seen this type of behaviour?
It appeared to start roughly about the time msblaster hit the scene, although I have no reason to suppose the two are related.
 
Old 09-14-2003, 11:40 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Tobyl:

I think that's a side effect of the welchia worm that was written to go around and effectively fix machines that were infected by MsBlaster (Good idea, bad implementation). Unfortunately the welchia worm pings around for live hosts before it checks to see if they're vulnerable, so effectively it generates a load of ICMP traffic. I'm not an expert on welchia, but I would guess that it scans ip addresses that are on a related subnet (code red does the same thing, scanning nearby ip addresses then working outwards).
 
Old 09-14-2003, 12:33 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
racote:

First configure Zaurus to have an adhoc setting under the networking setup:
Under the Config tab, type ANY into the ESS-ID box and select 802.11 Ad-Hoc.
Under the TCP/IP tab, give it an internal ip like 10.10.10.2
Put in internal ip's for the gateway and DNS (again like 10.10.10.1).

Check /etc/pcmcia/wlan-ng.opts file to see which scheme is your "war-walking mode". The Z will assign a name like qpewlanX to each of your configurations (where X will be some number). Look at the file and find out which is the one you just created.

Now make this shell script:
#! /bin/sh
# Re-initialise the card, switch to your ad-hoc "war-walking" scheme,
# run Kismet in the foreground, then restore the default scheme on exit.
cardctl scheme CardResume
cardctl scheme <your_scheme_name_here>   # the qpewlanX name from wlan-ng.opts
/usr/bin/kismet_server
cardctl scheme default

chmod 755 the file so that it's executable. Now you can run the file as root doing ./kismetscript or whatever you named it. That should keep your connection from crapping out every few minutes. Just press Ctrl-C to kill the Kismet server.

If you want to be extra high fallutin' you can edit the tab settings so that the kismet_qt icon points to your script. Then have your script launch the GUI as well like this:

#! /bin/sh
# Same card setup as above, but start the server in the background and
# run the GUI in the foreground; when the GUI exits, restore the default
# scheme and stop the server.
cardctl scheme CardResume
cardctl scheme <your_scheme_name_here>   # the qpewlanX name from wlan-ng.opts
/usr/bin/kismet_server &
/usr/bin/kismet_qt
cardctl scheme default
killall kismet_server

Then you should just be able to click the kismet_qt icon and everything should launch (might have to hit the restart button in kismet_qt to start capturing packets). Then when you close the GUI, everything should exit gracefully.
HTH
 
Old 09-14-2003, 12:48 PM   #10
tobyl
Member
 
Registered: Apr 2003
Location: uk
Distribution: slackware current
Posts: 768

Rep: Reputation: 64
ok, thanks Capt_Caveman.
looks like there's a lot of unprotected XP users out there...
 
Old 09-14-2003, 04:52 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by tobyl
looks like theres a lot of unprotected XP users out there...
Considering that the average person on the 'net nowadays has the brainpower of a fruit cup, that would not surprise me much. In fact, it's been getting so bad over the last couple of weeks that some ISPs have simply resorted to blocking ICMP traffic altogether.
 
Old 09-14-2003, 07:04 PM   #12
racote
LQ Newbie
 
Registered: Jul 2003
Posts: 5

Rep: Reputation: 0
Success

Capt_caveman's advice for the Zaurus was perfect. Thanks!
 
Old 09-14-2003, 07:36 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: Success

Quote:
Originally posted by racote
Capt_caveman's advice for the Zaurus was perfect. Thanks!
Cool, but if I catch you in Pittsburgh hacking my AP I'm going to be really pissed. Just kidding, glad you got it working racote.
 
All times are GMT -5. The time now is 04:06 AM.