Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-27-2012, 06:35 PM   #1
128
LQ Newbie
Iptables firewall deny "P win 512"


Someone attacked my server. I was monitoring the network with tcpdump:

00:06:16.874866 IP ipdin185-69.tpa.net.br.45022 > some-hosting.com.42683: P win 512
00:06:16.874874 IP 215.219.132.159.45048 > some-hosting.com.42709: P win 512
00:06:16.874880 IP 210.158.215.155.45040 > some-hosting.com.42701: P win 512
00:06:16.874885 IP 166.232.136.206.44853 > some-hosting.com.42514: P win 512
00:06:16.874892 IP 96.240.221.192.45104 > some-hosting.com.42765: P win 512

There are many more spoofed IPs...

My idea is to block just "P win 512", but I don't know which iptables command to use...

I hope someone can help me. Thank you.

Last edited by unSpawn; 09-27-2012 at 06:42 PM. Reason: //IP obfuscation
 
Old 09-27-2012, 07:01 PM   #2
unSpawn
Moderator
Regarding the "P win 512" you're seeing: if you run tcpdump, dumpcap or tshark, you should ensure you run them without any network name or port resolution. Also, it's best to capture packets to a file and read them later on with any CLI tool you're comfortable with, or Wireshark. That way you can select, filter and present the information in a better way.

The ports shown are ephemeral on both sides and I'm wondering if this may be backscatter from some attack we're seeing?
There are a few other things that are unclear:
- what you've done yourself to cause this (taunt people perhaps?),
- what services your machine provides (web or games?),
- how long this has been going on.

What you could do is ensure your firewall drops invalid connections and rate-limits new ones.
* BTW you should note your server's IP address is listed as scanning or suspected in a couple of places, so it would be wise to check the machine for malicious tools and activities.
 
Old 09-27-2012, 07:15 PM   #3
128
LQ Newbie
Quote:
Originally Posted by unSpawn View Post
Regarding the "P win 512" you're seeing: if you run tcpdump, dumpcap or tshark, you should ensure you run them without any network name or port resolution. Also, it's best to capture packets to a file and read them later on with any CLI tool you're comfortable with, or Wireshark. That way you can select, filter and present the information in a better way.

The ports shown are ephemeral on both sides and I'm wondering if this may be backscatter from some attack we're seeing?
There are a few other things that are unclear:
- what you've done yourself to cause this (taunt people perhaps?),
- what services your machine provides (web or games?),
- how long this has been going on.

What you could do is ensure your firewall drops invalid connections and rate-limits new ones.
* BTW you should note your server's IP address is listed as scanning or suspected in a couple of places, so it would be wise to check the machine for malicious tools and activities.
This is the network monitor tcpdump.
I have no reason and I don't taunt people; perhaps I know the reason: he is jealous of my business chat room.
The service on this machine is "Camfrog Server".

Sorry for my bad English.
 
Old 09-27-2012, 07:49 PM   #4
unSpawn
Moderator
Quote:
Originally Posted by 128 View Post
This services machine "Camfrog Server"
Apparently this "Camfrog Server" uses quite a few ports so this is what capping new connections to 10 per second would look like:
Code:
-I INPUT -m tcp -p tcp -m multiport --dports 5999,6000:6010 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
-I INPUT -m udp -p udp -m multiport --dports 5000:15000 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
but maybe it would be better if you first post the output (using [code]vBB tags[/code]) of running the 'iptables-save' command as root.
 
Old 09-27-2012, 08:01 PM   #5
128
LQ Newbie
Quote:
Originally Posted by unSpawn View Post
Apparently this "Camfrog Server" uses quite a few ports so this is what capping new connections to 10 per second would look like:
Code:
-I INPUT -m tcp -p tcp -m multiport --dports 5999,6000:6010 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
-I INPUT -m udp -p udp -m multiport --dports 5000:15000 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
but maybe it would be better if you first post the output (using [code]vBB tags[/code]) of running the 'iptables-save' command as root.
Now I'm glad, you saved me, thank you very much; you're the best man. I registered on 7 forums and got nothing. Now linuxquestions.org is the best ^^

Again, thanks for editing my thread ("IP obfuscation").
 
Old 09-27-2012, 08:30 PM   #6
unSpawn
Moderator
Are you sure? We haven't fixed anything yet as far as I'm concerned...
 
Old 09-27-2012, 08:39 PM   #7
128
LQ Newbie
Quote:
Originally Posted by unSpawn View Post
Are you sure? We haven't fixed anything yet as far as I'm concerned...
Maybe; I'm sure to try it. I expect he will flood again! If it won't work I will tell you...
 
Old 09-28-2012, 12:44 PM   #8
128
LQ Newbie
I put in the iptables commands and saved, but nothing; he is attacking my server again:

19:31:05.491110 IP some-hosting.com.21078 > 11.52.108.184.22936: R 0:0(0) ack 1153597534 win 0
19:31:05.491111 IP 70.60.253.107.22929 > some-hosting.com.21071: P win 512
19:31:05.491115 IP some-hosting.com.21071 > 70.60.253.107.22929: R 0:0(0) ack 1897640536 win 0
19:31:05.491117 IP 64.253.86.219.22826 > some-hosting.com.20968: P win 512
19:31:05.491121 IP some-hosting.com.20968 > 64.253.86.219.22826: R 0:0(0) ack 1949225725 win 0
19:31:05.491123 IP 216.38.11.246.22828 > some-hosting.com.20970: P win 512
19:31:05.491127 IP some-hosting.com.20970 > 216.38.11.246.22828: R 0:0(0) ack 1918127884 win 0
19:31:05.491128 IP 22.73.227.168.22995 > some-hosting.com.21137: P win 512

Help Me! :'(
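An added analysis example, not code from the thread: a small Python script that parses capture lines in the format shown in posts #1 and #8 and pulls out what unSpawn's advice in post #2 turns on. A TCP segment with PSH set and no ACK belongs to no conversation (every segment after the initial SYN carries ACK), so conntrack classifies it as INVALID, and a rule dropping INVALID state would stop both the packet and the RST the server currently sends back for each one (visible in post #8). The sample lines are the moderator-obfuscated ones from the thread; `some-hosting.com` is the server's own name as tcpdump printed it. Newer tcpdump prints the same flags as `Flags [P]`, which this parser does not handle.

```python
import re
from collections import Counter

# Capture lines copied from posts #1 and #8 of the thread (old tcpdump format,
# name/port resolution on). Addresses were already obfuscated by a moderator.
SAMPLE = """\
00:06:16.874866 IP ipdin185-69.tpa.net.br.45022 > some-hosting.com.42683: P win 512
00:06:16.874874 IP 215.219.132.159.45048 > some-hosting.com.42709: P win 512
00:06:16.874880 IP 210.158.215.155.45040 > some-hosting.com.42701: P win 512
00:06:16.874885 IP 166.232.136.206.44853 > some-hosting.com.42514: P win 512
00:06:16.874892 IP 96.240.221.192.45104 > some-hosting.com.42765: P win 512
19:31:05.491110 IP some-hosting.com.21078 > 11.52.108.184.22936: R 0:0(0) ack 1153597534 win 0
19:31:05.491111 IP 70.60.253.107.22929 > some-hosting.com.21071: P win 512
19:31:05.491115 IP some-hosting.com.21071 > 70.60.253.107.22929: R 0:0(0) ack 1897640536 win 0
19:31:05.491117 IP 64.253.86.219.22826 > some-hosting.com.20968: P win 512
19:31:05.491121 IP some-hosting.com.20968 > 64.253.86.219.22826: R 0:0(0) ack 1949225725 win 0
19:31:05.491123 IP 216.38.11.246.22828 > some-hosting.com.20970: P win 512
19:31:05.491127 IP some-hosting.com.20970 > 216.38.11.246.22828: R 0:0(0) ack 1918127884 win 0
19:31:05.491128 IP 22.73.227.168.22995 > some-hosting.com.21137: P win 512
"""

# HH:MM:SS.usec IP <src>.<sport> > <dst>.<dport>: <flag letters> [seq/ack] win <n>
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one capture line, or None if it is not TCP output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    # Old tcpdump prints ACK either as "." in the flag letters or as "ack N".
    pkt["has_ack"] = "." in pkt["flags"] or " ack " in pkt["rest"]
    win = re.search(r"\bwin (\d+)", pkt["rest"])
    pkt["win"] = int(win.group(1)) if win else None
    return pkt


def classify(pkt):
    """PSH without ACK occurs in no real TCP conversation: every segment after
    the initial SYN carries ACK, so conntrack would treat it as INVALID."""
    if "P" in pkt["flags"] and not pkt["has_ack"]:
        return "psh-noack"
    if "R" in pkt["flags"]:
        return "rst"
    return "other"


def analyze(text, our_host):
    """Summarise the bogus-PSH traffic aimed at our_host and the RSTs it answers with."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    bogus = [p for p in pkts if p["dst"] == our_host and classify(p) == "psh-noack"]
    sources = Counter(p["src"] for p in bogus)
    our_rsts = [p for p in pkts if p["src"] == our_host and classify(p) == "rst"]
    return {
        "parsed": len(pkts),
        "psh_noack": len(bogus),
        "distinct_sources": len(sources),
        # Every source seen exactly once is consistent with randomised/spoofed senders.
        "single_hit_sources": sum(1 for c in sources.values() if c == 1),
        # A constant window across unrelated sources points at one packet generator.
        "window_sizes": dict(Counter(p["win"] for p in bogus)),
        # Each RST the kernel sends back is work and bandwidth a DROP would save.
        "rst_replies_sent": len(our_rsts),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "some-hosting.com").items():
        print(f"{key}: {value}")
```

On the thread's own lines this reports nine ACK-less PSH segments from nine distinct single-shot sources, all with window 512, and four RST replies already sent by the server; that is the traffic a `-m state --state INVALID -j DROP` rule early in INPUT would silence, without touching the Camfrog ports.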
 
Old 09-28-2012, 01:25 PM   #9
unSpawn
Moderator
Post the output (using [code]vBB tags[/code]) of running the 'iptables-save' command as root.
 
Old 09-28-2012, 01:27 PM   #10
128
LQ Newbie
Code:
19:31:05.491110 IP some-hosting.com.21078 > 11.52.108.184.22936: R 0:0(0) ack 1153597534 win 0
19:31:05.491111 IP 70.60.253.107.22929 > some-hosting.com.21071: P win 512
19:31:05.491115 IP some-hosting.com.21071 > 70.60.253.107.22929: R 0:0(0) ack 1897640536 win 0
19:31:05.491117 IP 64.253.86.219.22826 > some-hosting.com.20968: P win 512
19:31:05.491121 IP some-hosting.com.20968 > 64.253.86.219.22826: R 0:0(0) ack 1949225725 win 0
19:31:05.491123 IP 216.38.11.246.22828 > some-hosting.com.20970: P win 512
19:31:05.491127 IP some-hosting.com.20970 > 216.38.11.246.22828: R 0:0(0) ack 1918127884 win 0
19:31:05.491128 IP 22.73.227.168.22995 > some-hosting.com.21137: P win 512
 
Old 09-28-2012, 01:51 PM   #11
unSpawn
Moderator
If you do not understand English then please read a translated version.
 
Old 09-28-2012, 02:00 PM   #12
128
LQ Newbie
I put in the iptables filter commands and saved! But nothing, it is attacking again.
 
Old 09-28-2012, 02:49 PM   #13
unSpawn
Moderator
I asked you to post the output of running 'iptables-save' but you did not do that.
Without knowing your firewall rules this thread will be of very, very limited use.
 
Old 09-28-2012, 05:10 PM   #14
128
LQ Newbie
Code:
[root@sd214666 ~]# iptables-save
# Generated by iptables-save v1.3.5 on Sat Sep 29 00:09:14 2012
*raw
:PREROUTING ACCEPT [150608065:49381265616]
:OUTPUT ACCEPT [318301503:171187280191]
-A PREROUTING -p udp -m length --length 43 -j DROP
-A PREROUTING -p udp -m udp --sport 53 --dport 25345 -j DROP
-A PREROUTING -p udp -m udp --sport 6010 -j DROP
-A PREROUTING -p udp -m udp --sport 666 -j DROP
-A PREROUTING -p udp -m length --length 28 -j DROP
-A PREROUTING -p ggp -j DROP
-A PREROUTING -p icmp -j DROP
COMMIT
# Completed on Sat Sep 29 00:09:14 2012
# Generated by iptables-save v1.3.5 on Sat Sep 29 00:09:14 2012
*nat
:PREROUTING ACCEPT [3663519:329536133]
:INPUT ACCEPT [43287:2043215]
:OUTPUT ACCEPT [34203:2554620]
:POSTROUTING ACCEPT [34203:2554620]
COMMIT
# Completed on Sat Sep 29 00:09:14 2012
# Generated by iptables-save v1.3.5 on Sat Sep 29 00:09:14 2012
*mangle
:PREROUTING ACCEPT [150608065:49381265616]
:INPUT ACCEPT [150363289:49370471570]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [318301512:171187281579]
:POSTROUTING ACCEPT [318301512:171187281579]
COMMIT
# Completed on Sat Sep 29 00:09:14 2012
# Generated by iptables-save v1.3.5 on Sat Sep 29 00:09:14 2012
*filter
:INPUT ACCEPT [146719535:49042870049]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [318301512:171187281579]
-A INPUT -p udp -m udp -m multiport --dports 5000:15000 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 5999,6000:6010 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
-A INPUT -s 78.251.65.219 -j DROP
-A INPUT -s 88.174.24.50 -j DROP
-A INPUT -s 78.233.74.26 -j DROP
-A INPUT -s 62.147.179.12 -j DROP
-A INPUT -s 78.236.32.175 -j DROP
-A INPUT -s 31.37.44.184 -j DROP
-A INPUT -s 78.251.88.12 -j DROP
-A INPUT -s 115.67.161.43 -j DROP
-A INPUT -s 184.107.176.82 -j DROP
-A INPUT -s 94.229.70.218 -j DROP
-A INPUT -s 149.210.36.38 -j DROP
-A INPUT -s 217.21.230.68 -j DROP
-A INPUT -s 37.238.1.145 -j DROP
-A INPUT -s 90.15.56.227 -j DROP
-A INPUT -s 84.156.237.24 -j DROP
-A INPUT -s 62.201.210.175 -j DROP
-A INPUT -s 89.189.94.72 -j DROP
-A INPUT -s 119.154.153.196 -j DROP
-A INPUT -s 119.154.245.29 -j DROP
-A INPUT -s 79.141.160.21 -j DROP
-A INPUT -s 173.193.248.104 -j DROP
-A INPUT -s 62.212.89.67 -j DROP
-A INPUT -d 95.211.15.4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 94.75.228.24 -j DROP
-A INPUT -d 95.211.15.4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.211.15.4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.211.15.4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.211.15.4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.211.15.43 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.211.15.44 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.211.15.45 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 95.211.15.4 -j DROP
-A INPUT -d 95.211.15.43 -j DROP
-A INPUT -d 95.211.15.44 -j DROP
-A INPUT -d 95.211.15.45 -j DROP
-A INPUT -d 95.211.15.4 -j DROP
-A INPUT -s 95.211.138.229 -j DROP
-A INPUT -s 78.251.93.97 -j DROP
-A INPUT -s 94.75.228.24 -j DROP
-A INPUT -s 95.211.146.37 -j DROP
-A INPUT -s 78.251.71.21 -j DROP
-A INPUT -s 37.4.210.200 -j DROP
-A INPUT -s 78.251.71.169 -j DROP
-A INPUT -s 202.152.28.114 -j DROP
-A INPUT -s 79.42.251.79 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -s 91.187.125.62 -j DROP
COMMIT
# Completed on Sat Sep 29 00:09:14 2012
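As an added example (not from the thread), a Python audit of this ruleset's filter INPUT chain, run against an abridged copy of the posted rules and against a constructed hardened counterpart. The points it flags follow from how iptables walks a chain: `-m limit ... -j ACCEPT` accepts packets within the limit and lets the rest continue to the next rule, so with `:INPUT ACCEPT` and no later catch-all DROP the excess is accepted anyway; the multiport NEW ACCEPT rules sit before the `! --tcp-flags FIN,SYN,RST,ACK SYN --state NEW -j DROP` check, so bogus-flag packets to those TCP ports are accepted (within the limit) before reaching it; and several rules are loaded twice. The hardened text is an assumed shape for comparison, not a complete firewall for this host.

```python
import shlex
from collections import Counter, defaultdict

# Abridged from the iptables-save output in post #14: duplicates and the rule
# ordering kept as posted, the long run of -s DROP rules cut for brevity.
POSTED = """\
*filter
:INPUT ACCEPT [146719535:49042870049]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [318301512:171187281579]
-A INPUT -p udp -m udp -m multiport --dports 5000:15000 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 5999,6000:6010 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
-A INPUT -s 78.251.65.219 -j DROP
-A INPUT -d 95.211.15.4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 94.75.228.24 -j DROP
-A INPUT -d 95.211.15.4 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 94.75.228.24 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
COMMIT
"""

# Constructed counterpart (assumption, not from the thread): default-deny policy,
# conntrack first, the flag check before any rule that accepts NEW. Management
# access such as SSH must be allowed explicitly before loading this on a remote box.
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp -m multiport --dports 5999,6000:6010 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
-A INPUT -p udp -m udp -m multiport --dports 5000:15000 -m state --state NEW -m limit --limit 10/sec --limit-burst 4 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [rule, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # also repairs wrapped/padded lines
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"][line.split()[1]].append(line)
    return tables


def target(rule):
    toks = shlex.split(rule)
    return toks[toks.index("-j") + 1] if "-j" in toks else None


def proto(rule):
    toks = shlex.split(rule)
    return toks[toks.index("-p") + 1] if "-p" in toks else None


def match_tokens(rule):
    """Match options beyond chain and protocol; empty means the rule is a catch-all."""
    toks, p, out, i = shlex.split(rule), proto(rule), [], 0
    while i < len(toks) and toks[i] != "-j":   # target options follow -j
        if toks[i] in ("-A", "-p") or (toks[i] == "-m" and toks[i + 1] == p):
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def audit_chain(chain, policy, rules):
    findings = []
    if policy == "ACCEPT":
        findings.append(f"{chain}: policy ACCEPT, anything no rule drops is accepted")
    for rule, n in Counter(rules).items():
        if n > 1:
            findings.append(f"{chain}: repeated {n}x: {rule}")
    for i, rule in enumerate(rules):
        if "-m limit" in rule and target(rule) == "ACCEPT":
            # Excess over the limit is only stopped by a later catch-all deny or the policy.
            later_deny = any(target(r) in ("DROP", "REJECT") and not match_tokens(r)
                             and proto(r) in (None, proto(rule)) for r in rules[i + 1:])
            if policy == "ACCEPT" and not later_deny:
                findings.append(f"{chain}: rate limit caps nothing, excess falls through to ACCEPT: {rule}")
    new_accept = next((i for i, r in enumerate(rules)
                       if proto(r) == "tcp" and "--state NEW" in r and target(r) == "ACCEPT"), None)
    flag_drop = next((i for i, r in enumerate(rules)
                      if "! --tcp-flags" in r and target(r) == "DROP"), None)
    if new_accept is not None and flag_drop is not None and new_accept < flag_drop:
        findings.append(f"{chain}: TCP rule {new_accept} accepts NEW before the bogus-flag DROP at {flag_drop}")
    return findings


def audit(text, table="filter", chain="INPUT"):
    t = parse_iptables_save(text)[table]
    return audit_chain(chain, t["policy"].get(chain), t["rules"].get(chain, []))


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for f in audit(text) or ["no findings"]:
            print(" ", f)
```

Against the abridged posted rules the audit reports the ACCEPT policy, three repeated rules, four limit rules whose excess falls through to ACCEPT, and the ordering of the flag check; against the hardened variant it reports nothing, because the DROP policy is what turns the same `-m limit` rules into an actual cap.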
 
Old 09-29-2012, 05:54 AM   #15
Noway2
Senior Member
As a sanity check, you have implemented a rate limit with the options "--limit 10/sec --limit-burst 4". Here is an explanation of these commands:
Quote:
--limit
followed by a number; specifies the maximum average number of matches to allow per second. The number can specify units explicitly, using `/second', `/minute', `/hour' or `/day', or parts of them (so `5/second' is the same as `5/s').
--limit-burst
followed by a number, indicating the maximum burst before the above limit kicks in.
This means that the connections won't be completely blocked and you will still see them in your logs. However, they will be blocked after a certain number of occurrences, 14 according to your settings. Your sample output where you claim the filter is not working only shows 8. Please double check your logs and confirm that these connections aren't in fact being blocked after the appropriate limits kick in.
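As an added illustration (not part of Noway2's post), the `--limit`/`--limit-burst` behaviour modelled as the token bucket the `limit` match implements: the bucket starts full with `burst` tokens, refills continuously at the configured rate, and each packet that finds a whole token matches. A packet that finds none simply does not match this rule and proceeds to the next one in the chain. The timestamps below are constructed.

```python
def limit_match(timestamps_ms, rate_per_sec, burst):
    """Model of iptables -m limit: a token bucket of capacity `burst`, started
    full, refilled at `rate_per_sec` tokens per second. One bool per packet:
    True when the packet matched (consumed a token), False when it did not."""
    tokens = float(burst)
    last = timestamps_ms[0] if timestamps_ms else 0
    matched = []
    for t in timestamps_ms:
        # Refill for the time elapsed since the previous packet, capped at burst.
        tokens = min(float(burst), tokens + (t - last) * rate_per_sec / 1000.0)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            matched.append(True)
        else:
            matched.append(False)
    return matched


def count_matched(timestamps_ms, rate_per_sec, burst):
    return sum(limit_match(timestamps_ms, rate_per_sec, burst))


if __name__ == "__main__":
    # Constructed arrival patterns, all under the thread's --limit 10/sec --limit-burst 4.
    at_once = [0] * 20                       # 20 packets in the same instant
    every_50ms = list(range(0, 1000, 50))    # 20 packets over one second
    steady_10ps = list(range(0, 10000, 100)) # exactly the configured rate
    for name, arrivals in (("burst of 20", at_once), ("20 @ 50 ms", every_50ms), ("100 @ 100 ms", steady_10ps)):
        print(f"{name}: {count_matched(arrivals, 10, 4)} of {len(arrivals)} matched")
```

With 10/sec and burst 4, twenty packets arriving at once yield four matches, twenty spaced 50 ms apart yield thirteen (the first seven drain the bucket, then every other packet finds a fresh token), and a steady stream at exactly 10/sec matches every packet. Whether the non-matching packets are then dropped depends entirely on what follows the rule in the chain.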