LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Linux Port Scans or Attacks ? (https://www.linuxquestions.org/questions/linux-security-4/linux-port-scans-or-attacks-1630/)

Bubba 04-03-2001 10:34 AM

I have a RH 6.2 linux box acting as a firewall and squid proxy server for an NT network. It forwards email to the Exchange server on the private LAN. The linux box is the only thing that has a "real" ip address.

Firstly, I am pretty new to linux, although I'm getting better every day.

We have gotten 2 calls now from other companies saying that our Exchange server is attacking their network, or port-scanning their network. They're talking about the linux box. But I don't know where to look to stop whatever service is causing this confusion. I'm not trying to attack anybody's network. Anyone have any ideas? Thanks in advance.

Joe

raz 04-03-2001 11:08 AM

Joe,

If you're simply doing a sendmail relay on to an Exchange server, using your firewall as the company's email MX pointer, and it was fine up until now, then you may have someone in your firewall box portscanning.

I would suggest you look in your logs first.
Start by looking for failed login attempts.

grep 'authentication' /var/log/messages*
Look for anything that says "authentication failure", or "accepted" when you know you didn't log in.

Then check the wtmp file with the command "last"; check the time of the reported scan against who was logged in.

I would also download something like "ethereal" to start sniffing the network (could also use ngrep).

I suspect from past experience it's someone internal to your company who has a login on the system and is bored.
No daemons on the system should scan for ports as part of the system's standard working.

Remember you can do any standard SYN/ACK portscan without having to have suid 0 with something like nmap.

You need some IDS software and Tripwire on that firewall to help you.

/Raz
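The log triage raz describes (grep the messages file for authentication events, then compare logins against the time of the reported scan), as an added shell example that is not part of the original thread. The syslog lines are constructed for the example, using the PAM_pwdb and sshd wording a Red Hat 6.2-era box would log; the functions read the log on stdin so they can be fed either the sample or the real `/var/log/messages*` files:

```shell
#!/bin/sh
# Added example (not from the original thread): triage authentication events
# in a syslog "messages" file as raz suggests. The log lines below are
# constructed for this example; a real log has far more in it.

# Constructed sample of /var/log/messages (PAM_pwdb and sshd wording).
sample_log() {
    cat <<'EOF'
Apr  3 02:14:07 fw PAM_pwdb[1123]: authentication failure; (uid=0) -> root for login service
Apr  3 02:14:11 fw sshd[1130]: Failed password for root from 10.0.0.5 port 1025 ssh2
Apr  3 02:14:19 fw sshd[1130]: Failed password for root from 10.0.0.5 port 1025 ssh2
Apr  3 02:15:40 fw sshd[1131]: Accepted password for root from 10.0.0.5 port 1026 ssh2
Apr  3 09:00:02 fw CROND[1402]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Count failed logins per source. PAM "authentication failure" lines carry no
# remote address (console or telnet via login), so they are bucketed as "local".
# Reads syslog lines on stdin, prints "<count> <source>" sorted by count.
failures_by_source() {
    awk '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        /authentication failure/ { n["local"]++ }
        END { for (h in n) print n[h], h }
    ' | sort -rn
}

# Print every successful login as "<time> <user> <source>", so it can be
# compared against `last` and the time of the scan the other company reported.
list_accepted() {
    awk '/Accepted/ {
        for (i = 1; i <= NF; i++) if ($i == "for") user = $(i + 1)
        for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
        print $3, user, src
    }'
}

# Demonstration against the constructed sample; on the firewall itself run
#   cat /var/log/messages* | failures_by_source
sample_log | failures_by_source
sample_log | list_accepted
```

A burst of failures from one address followed by an "Accepted" from the same address at a time nobody was supposed to be logged in is the pattern worth chasing; `last` (wtmp) gives the matching session start and end.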

Bubba 04-03-2001 04:09 PM

Thanks for the response Raz, but the linux machine has no function other than a firewall gateway. It is not running sendmail. It simply forwards anything going to the Exchange server from the internet using ipmasqadm and ipchains. Also there are no other user accounts on the machine that someone could log into. I will check the logs as you suggested just to make sure.


ugge 04-04-2001 02:20 AM

I stumbled across this site today:
http://www.chkrootkit.org/
Might help you to determine if someone has a rootkit on your linux-box

raz 04-04-2001 04:17 AM

Bubba,

What exactly did the other companies say ?
Ask them to send you the logs of the scan attempts.

Are the companies that are reporting the scans anything to do with your own site, or a competitor site?

You know it's very easy for someone to change a TCP packet's header so it has a different source address, thus faking where the probe came from (an example is the decoy option in nmap).

Also if your FTP daemon is incorrectly installed or old and has anonymous IP access, then someone can also do an FTP bounce scan (i.e. get your system to scan someone on their behalf).

If it helps send me an email to roldbury@newmail.net with your FW's IP address and I'll start some penetration testing to see how secure your firewall is. Also I can give you some IDS software which will check your logs every 15 minutes for any DENY and other interesting messages and email them to you. (1 shell script, 1 perl script and an entry in the crontab)

I suggest you DENY input access on any ports below 1024 while you look into this.
i.e.

Turn some ICMP types off to make your system more invisible.
Note: some ICMP types have to be ACCEPT or packets can't fragment correctly.

# ICMP types the host needs in order to work (replies, errors, path MTU).
# -d 195.217.142.0/24 is the poster's example network; substitute your own.
ipchains -A input -p icmp --icmp-type echo-reply -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type destination-unreachable -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type source-quench -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type time-exceeded -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type parameter-problem -d 195.217.142.0/24 -j ACCEPT
# Drop and log (-l) pings, redirects (type 5) and information requests (type 15).
ipchains -A input -p icmp --icmp-type echo-request -j DENY -l
ipchains -A input -p icmp --icmp-type 5 -j DENY -l
ipchains -A input -p icmp --icmp-type 15 -j DENY -l
# Stops a traceroute request: traceroute probes are UDP to destination ports
# 33434 and up, so the port range goes on the destination (-d) side.
FW_IP="you_fws_ip_address_here"   # set to the firewall's own public address
ipchains -A input -p udp -s 0/0 -d "$FW_IP" 33434:33600 -j DENY -l

Also make sure you have these set correctly or people can play havoc with your RH system. 8-)

echo 1 > /proc/sys/net/ipv4/ip_forward                         # route between the NICs (needed for the masquerading gateway)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                     # survive SYN floods
echo 1 > /proc/sys/net/ipv4/ip_always_defrag                   # reassemble fragments before filtering (2.2 kernels)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts        # don't answer broadcast pings (smurf amplifier)
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses  # don't log bogus ICMP error replies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter                 # drop packets whose source doesn't route back out the same interface
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects          # ignore ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects            # and don't send them
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route       # refuse source-routed packets


/Raz
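A cut-down version of the log-checking script raz offers (run from cron, look for DENY entries, report anything interesting), as an added example that is not part of the thread and not raz's script. It parses the `Packet log:` lines the 2.2 kernel writes when an ipchains rule carries `-l`, and flags any source that was denied on many distinct destination ports, which is what a scan against the firewall looks like in its own log. The log lines are constructed for the example; the threshold of five ports, and the cron and mail wiring mentioned in the comments, are assumptions:

```shell
#!/bin/sh
# Added example (not from the original thread): summarise ipchains DENY log
# entries (rules with -l) and flag sources hitting many distinct ports, i.e.
# what a port scan against this box looks like from its own logs.
# Log lines are constructed for the example. Run it from cron every 15
# minutes and pipe the output to mail (assumed, not shown here).

# Constructed kernel log lines in ipchains -l format:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
# For ICMP (PROTO=1) the two "port" fields are type and code, not ports.
sample_log() {
    cat <<'EOF'
Apr  4 03:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2345 192.0.2.1:21 L=60 S=0x00 I=1 F=0x4000 T=48 SYN (#7)
Apr  4 03:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2346 192.0.2.1:22 L=60 S=0x00 I=2 F=0x4000 T=48 SYN (#7)
Apr  4 03:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2347 192.0.2.1:23 L=60 S=0x00 I=3 F=0x4000 T=48 SYN (#7)
Apr  4 03:12:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2348 192.0.2.1:25 L=60 S=0x00 I=4 F=0x4000 T=48 SYN (#7)
Apr  4 03:12:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2349 192.0.2.1:80 L=60 S=0x00 I=5 F=0x4000 T=48 SYN (#7)
Apr  4 03:12:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2350 192.0.2.1:110 L=60 S=0x00 I=6 F=0x4000 T=48 SYN (#7)
Apr  4 03:12:05 fw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.7:8 192.0.2.1:0 L=84 S=0x00 I=7 F=0x0000 T=48 (#1)
Apr  4 03:20:17 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4001 192.0.2.1:80 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#7)
Apr  4 03:20:20 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4002 192.0.2.1:80 L=60 S=0x00 I=9 F=0x4000 T=64 SYN (#7)
Apr  4 03:21:00 fw sshd[1131]: Accepted password for root from 10.0.0.5 port 1026 ssh2
EOF
}

# Reads syslog lines on stdin; prints one line per source that was denied on
# at least $1 distinct TCP/UDP destination ports (default 5):
#   <source> distinct_ports=<n> denied=<total denied packets, ICMP included>
scan_report() {
    awk -v thr="${1:-5}" '
        /Packet log:/ && / DENY / {
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
            proto = substr($i, 7); src = $(i + 1); dst = $(i + 2)
            split(src, s, ":"); split(dst, d, ":")
            hits[s[1]]++
            if (proto == "6" || proto == "17") {      # TCP/UDP only; ICMP has no ports
                key = s[1] SUBSEP d[2]
                if (!(key in seen)) { seen[key] = 1; ports[s[1]]++ }
            }
        }
        END {
            for (h in ports)
                if (ports[h] >= thr) print h, "distinct_ports=" ports[h], "denied=" hits[h]
        }
    ' | sort
}

# Demonstration on the constructed sample; on the firewall use
#   scan_report 5 < /var/log/messages
sample_log | scan_report 5
```

The repeat hits on port 80 from the second address are not flagged: a scan is many ports from one source, a single blocked service retried is not. Note this only shows scans coming *at* the firewall; the complaints in this thread are about scans going *out*, and those show up in a sniffer (ethereal, ngrep) on the external interface rather than in the input-chain log.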

