I have a RH 6.2 Linux box acting as a firewall and squid proxy server for an NT network. It forwards email to the Exchange server on the private LAN. The Linux box is the only thing that has a "real" IP address.
Firstly, I am pretty new to Linux, although I'm getting better every day. We have gotten 2 calls now from other companies saying that our Exchange server is attacking their network, or port-scanning their network. They're talking about the Linux box. But I don't know where to look to stop whatever service is causing this confusion. I'm not trying to attack anybody's network. Anyone have any ideas? Thanks in advance. Joe
Joe,
If you're simply doing a sendmail relay on to an Exchange server, using your firewall as the company's email MX pointer, and it was fine up until now, then you may have someone in your firewall box portscanning. I would suggest you look in your logs first. Start by looking for failed login attempts:

    cat /var/log/messages* | grep 'authentication'

Look for anything that says "authentication failure" or "accepted" when you know you didn't log in. Then check the wtmp file with the command "last"; check the time of the reported scan against who was logged in. I would also download something like "ethereal" to start sniffing the network (could also use ngrep). I suspect from past experience it's someone internal to your company who has a login on the system and is bored. No daemons on the system should scan for ports as part of the system's standard working. Remember you can do any standard SYN/ACK portscan without having to have suid 0 with something like nmap. You need some IDS software and Tripwire on that firewall to help you.
/Raz
Thanks for the response Raz, but the linux machine has no function other than a firewall gateway. It is not running sendmail. It simply forwards anything going to the Exchange server from the internet using ipmasqadm and ipchains. Also there are no other user accounts on the machine that someone could log into. I will check the logs as you suggested just to make sure.
I stumbled across this site today: http://www.chkrootkit.org/
Might help you to determine if someone has a rootkit on your Linux box.
Bubba,
What exactly did the other companies say? Ask them to send you the logs of the scan attempts. Are the companies that are reporting the scans anything to do with your own site, or a competitor site? You know it's very easy for someone to change a TCP packet's header so it has a different source address, thus faking where the probe came from (an example is the decoy option in nmap). Also if your FTP daemon is incorrectly installed or old and has anonymous IP access, then someone can also do an FTP bounce scan (i.e. get your system to scan someone on their behalf). If it helps, send me an email to roldbury@newmail.net with your FW's IP address and I'll start some penetration testing to see how secure your firewall is. Also I can give you some IDS software which will check your logs every 15 minutes for any DENY and other interesting messages and email them to you (1 shell script, 1 perl script and an entry in the cron tab). I suggest you DENY input access on any ports below 1024 while you look into this, i.e. turn some ICMP types off to make your system more invisible. Note: some ICMP types have to be ACCEPT or packets can't fragment correctly.

    ipchains -A input -p icmp --icmp-type echo-reply -d 195.217.142.0/24 -j ACCEPT
    ipchains -A input -p icmp --icmp-type destination-unreachable -d 195.217.142.0/24 -j ACCEPT
    ipchains -A input -p icmp --icmp-type source-quench -d 195.217.142.0/24 -j ACCEPT
    ipchains -A input -p icmp --icmp-type time-exceeded -d 195.217.142.0/24 -j ACCEPT
    ipchains -A input -p icmp --icmp-type parameter-problem -d 195.217.142.0/24 -j ACCEPT
    ipchains -A input -p icmp --icmp-type echo-request -j DENY -l
    ipchains -A input -p icmp --icmp-type 5 -j DENY -l
    ipchains -A input -p icmp --icmp-type 15 -j DENY -l
    ipchains -A input -p udp -d (you_fws_ip_address_here) -s 0/0 33434:33600 -j DENY -l    # stops a traceroute request

Also make sure you have these set correctly or people can play havoc with your RH system. 8-)

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

/Raz
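Both of Raz's replies come down to the same advice: read /var/log/messages and have a cron job summarise the DENY entries that the -l rules produce. The script below is an added example of that log review written in Python; it is not Raz's shell/perl scripts and not part of the original thread. It assumes the kernel 2.2 ipchains "Packet log:" line format, and the sample log lines, the addresses (documentation ranges) and the firewall address 198.51.100.5 are all constructed. It goes one step beyond the thread by also pulling out output-chain DENY entries sourced from the firewall itself, which is the evidence that would settle Joe's question of whether the box is scanning anyone.

```python
"""Summarise ipchains "Packet log:" entries from /var/log/messages.

Added example, not Raz's scripts or anything from the original thread. The log
lines in SAMPLE_LOG are constructed; 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 are documentation ranges and 198.51.100.5 stands in for the
firewall's own address.
"""
import re
import sys
from collections import defaultdict

# Shape of an ipchains (kernel 2.2) log entry written by a rule carrying -l:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#rule)
# For ICMP the two "port" fields carry the ICMP type and code instead.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return the fields of one ipchains log line, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def denied_ports_by_source(lines, chain="input"):
    """Map each source address to the set of (proto, dport) it hit on DENY'd packets of one chain."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["chain"] == chain and rec["target"] == "DENY":
            hits[rec["src"]].add((rec["proto"], rec["dport"]))
    return hits


def likely_scanners(hits, min_ports=5):
    """Sources that probed at least min_ports distinct ports: the footprint a port scan leaves in the log."""
    return sorted(src for src, ports in hits.items() if len(ports) >= min_ports)


def outbound_denies(lines, firewall_ip):
    """DENY'd packets on the output chain whose source is the firewall itself.

    If the box really were scanning other people's networks, an output-chain
    DENY rule with -l is what would record it.
    """
    return [rec for rec in map(parse_line, lines)
            if rec and rec["chain"] == "output" and rec["target"] == "DENY"
            and rec["src"] == firewall_ip]


def report(lines, firewall_ip):
    """Plain-text summary, the kind of thing a 15-minute cron job would mail out."""
    hits = denied_ports_by_source(lines)
    out = ["Denied inbound packets by source:"]
    for src in sorted(hits):
        ports = ", ".join(f"{PROTO_NAMES.get(p, p)}/{d}" for p, d in sorted(hits[src]))
        out.append(f"  {src}: {ports}")
    for src in likely_scanners(hits):
        out.append(f"  ** {src} touched {len(hits[src])} distinct ports (scan-like)")
    ob = outbound_denies(lines, firewall_ip)
    out.append(f"Outbound DENY entries sourced from the firewall itself: {len(ob)}")
    for rec in ob:
        out.append(f"  -> {rec['dst']}:{rec['dport']} {PROTO_NAMES.get(rec['proto'], rec['proto'])}")
    return "\n".join(out)


# Constructed sample of a syslog-style /var/log/messages excerpt.
SAMPLE_LOG = """\
Mar 10 02:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40001 198.51.100.5:21 L=60 S=0x00 I=1234 F=0x4000 T=64 SYN (#7)
Mar 10 02:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40002 198.51.100.5:22 L=60 S=0x00 I=1235 F=0x4000 T=64 SYN (#7)
Mar 10 02:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40003 198.51.100.5:23 L=60 S=0x00 I=1236 F=0x4000 T=64 SYN (#7)
Mar 10 02:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40004 198.51.100.5:25 L=60 S=0x00 I=1237 F=0x4000 T=64 SYN (#7)
Mar 10 02:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40005 198.51.100.5:80 L=60 S=0x00 I=1238 F=0x4000 T=64 SYN (#7)
Mar 10 02:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40006 198.51.100.5:110 L=60 S=0x00 I=1239 F=0x4000 T=64 SYN (#7)
Mar 10 02:15:05 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:51000 198.51.100.5:80 L=60 S=0x00 I=2201 F=0x4000 T=52 SYN (#7)
Mar 10 02:15:06 fw kernel: Packet log: input ACCEPT eth0 PROTO=1 203.0.113.7:0 198.51.100.5:0 L=84 S=0x00 I=2202 F=0x0000 T=52 (#1)
Mar 10 02:15:07 fw kernel: Packet log: output DENY eth0 PROTO=17 198.51.100.5:33000 203.0.113.9:33434 L=40 S=0x00 I=3301 F=0x0000 T=64 (#12)
Mar 10 02:15:09 fw sshd[412]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
"""

if __name__ == "__main__":
    # Usage: python ipchains_report.py /var/log/messages   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text.splitlines(), firewall_ip="198.51.100.5"))
```

Run it against the real messages file once the -l rules are in place; the "scan-like" marker only fires for a source that touched five or more distinct ports, so a single blocked connection does not make noise, and the outbound section stays at zero unless the firewall's own address shows up as the source of something the output chain refused.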