Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm constantly under DoS bombing on NetBIOS ports from Windows PCs in my ISP's network. I thought of running software like LaBrea, but some of its options still look obscure to me! I would like to hear from people using it, for advice!
Thanks!
If you run LaBrea, you could very well make the problem worse if it's a real DoS attack (from the info in your other thread it's not). LaBrea will help to slow the progress of a worm when moving through a network, but it puts more load on the tarpit system itself because it has to maintain the open connections with the worm-infected host.
Plus, if I remember correctly from your other thread, you have a Netgear SOHO router that is between the Linux box and the internet. So the Linux box is not likely even seeing the worm scan on ports 135/445. You'd need to forward the worm traffic into your LAN in order for the tarpit to work (otherwise the router simply blocks the requests). IMHO forwarding malicious traffic into the LAN is probably an even worse idea in terms of security, and the Netgear router would now have to maintain the NATed tarpitted connections.
Logs are coming from both the router and portsentry on the gateway system:
May 3 21:36:28 argo portsentry[2437]: attackalert: Host 87.7.30.249 has been blocked via dropped route using command: "/sbin/route add -host 87.7.30.249 gw 192.168.0.3"
May 3 21:47:24 argo portsentry[2437]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to TCP port: 139
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:24 argo portsentry[2437]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to TCP port: 139
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:24 argo portsentry[2437]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:25 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:25 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via wrappers with string: "ALL: 80.218.134.76 : DENY"
May 3 21:47:25 argo portsentry[2441]: attackalert: Host 80.218.134.76 has been blocked via dropped route using command: "/sbin/route add -host 80.218.134.76 gw 192.168.0.3"
May 3 21:47:27 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:27 argo portsentry[2441]: attackalert: Host: 80.218.134.76 is already blocked. Ignoring
May 3 21:47:27 argo portsentry[2441]: attackalert: Connect from host: 80.218.134.76/80.218.134.76 to UDP port: 137
May 3 21:47:27 argo portsentry[2441]: attackalert: Host: 80.218.134.76 is already blocked. Ignoring
May 3 21:48:28 argo portsentry[2437]: attackalert: Connect from host: 87.7.193.124/87.7.193.124 to TCP port: 139
May 3 21:48:28 argo portsentry[2437]: attackalert: Host 87.7.193.124 has been blocked via wrappers with string: "ALL: 87.7.193.124 : DENY"
May 3 21:48:28 argo portsentry[2437]: attackalert: Host 87.7.193.124 has been blocked via dropped route using command: "/sbin/route add -host 87.7.193.124 gw 192.168.0.3"
May 3 21:48:28 argo portsentry[2437]: attackalert: Connect from host: 87.7.193.124/87.7.193.124 to TCP port: 139
I know I can tarpit these systems even with a proper TCP window size set to 0 with iptables. Do you know how I can best do this??
If Capt_Caveman says that using a tarpit to solve your problem is a "bad idea", then I would trust him, because in your case it's a "bad idea".
Why is it a "bad idea"? Because if you trap ALL the DDoS requests with a tarpit... you are going to eat up your own bandwidth and hasten the success of the attack against you.
What you should do is create an iptables rule that drops/denies all requests on the attacked port.
Or you could call your ISP and ask them if they are seeing an unusual amount of traffic from the offending IP addresses.
I'm stopping the entire class A of each address. I have logs full of 87.10, 87.1, 87.9, 151.40, 151.6. I nmapped "some of them" and many of them have the 1234 NetBus port open, but most have 135, 137, 139, 445, all -O Microsoft XP / Windows 2000 / NT... They switch my router off and my network goes down!!!
What do you have the KILL_ROUTE variable set to in portsentry.conf? What hosts do you have in your portsentry.ignore file?
You might want to add some type of threshold on the number of packets that will match the LOG rules you posted above. Worms can do some heavy-duty scanning, which would rapidly fill your logs with a lot of noise and potentially bog it down.
Also, could you describe how your network is structured? Does it look like this:
Internet---Linux_Gateway----Router----Linux box
Last edited by Capt_Caveman; 05-18-2006 at 08:08 PM.
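The two pieces of advice above, drop the probes on the attacked ports instead of tarpitting them and put a threshold on the LOG rules, fit in one small rule set. The script below is an added example, not code posted in this thread: it prints the iptables commands for review rather than running them, so it needs no root to inspect. The chain name `netbios_in`, the log prefix, the limit values and the interface name passed as the first argument are all assumptions; the port list is the one the portsentry log shows (plus 445 and 138).

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that drop inbound
# NetBIOS/SMB probes arriving on the WAN interface and log them only through a
# rate limit, so a worm scan cannot flood syslog the way the thread describes.
NETBIOS_TCP="135,139,445"   # TCP ports seen in the portsentry log, plus SMB over TCP
NETBIOS_UDP="137,138"       # NetBIOS name and datagram services

# Print the commands instead of executing them so the rule set can be reviewed
# first; apply with:  netbios_drop_rules ppp0 | sh   (as root, interface is an assumption)
netbios_drop_rules() {
    wan_if="$1"
    cat <<EOF
# dedicated chain: create it, or flush it if it already exists
iptables -N netbios_in 2>/dev/null || iptables -F netbios_in
# log at most 5 entries per minute (burst 10); everything else is dropped quietly
iptables -A netbios_in -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "NETBIOS_PROBE: "
iptables -A netbios_in -j DROP
# new TCP connections and any UDP datagrams to those ports, arriving on the WAN side
iptables -I INPUT 1 -i $wan_if -p tcp -m multiport --dports $NETBIOS_TCP -m state --state NEW -j netbios_in
iptables -I INPUT 1 -i $wan_if -p udp -m multiport --dports $NETBIOS_UDP -j netbios_in
# same for traffic the gateway would forward into the LAN (the router and hosts behind it)
iptables -I FORWARD 1 -i $wan_if -p tcp -m multiport --dports $NETBIOS_TCP -m state --state NEW -j netbios_in
iptables -I FORWARD 1 -i $wan_if -p udp -m multiport --dports $NETBIOS_UDP -j netbios_in
EOF
}

# show the rule set for a hypothetical WAN interface
netbios_drop_rules ppp0
```

DROP rather than REJECT is deliberate: a rejected SYN costs the gateway an outbound RST per probe, a dropped one costs nothing, and the `-m limit` match keeps the LOG line from becoming its own denial of service on the syslog host. The rules are inserted at position 1 of INPUT and FORWARD but match only NEW TCP connections, so established sessions are unaffected.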
192.168.0.4 is the laptop; it's not always on. Before there was microsoft.it, but I never tested out the effect. How would it be? A simple redirection...?
For the logs you are right: I have my router sending to syslogd + portsentry logs + gateway ULOG + iptables' kernel logs. It's sh... lots of logs...
Do you have some interesting scripts to use "against" them? Tell me about the ACK reply window size set to 0! Something to sort of slow down their scans... or make their admins aware...!
If there is a:
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
could they get "bombed" by tcp-reset messages? If instead I use a tcp-flags match like ALL NONE (?), could I slow them... make them shout!!!!