LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-03-2001, 10:34 AM   #1
Bubba
LQ Newbie
 
Registered: Feb 2001
Posts: 5

Rep: Reputation: 0


I have a RH 6.2 Linux box acting as a firewall and squid proxy server for an NT network. It forwards email to the Exchange server on the private LAN. The Linux box is the only thing that has a "real" IP address.

Firstly, I am pretty new to linux, although I'm getting better every day.

We have gotten 2 calls now from other companies saying that our Exchange server is attacking their network, or port-scanning their network. They're talking about the linux box. But I don't know where to look to stop whatever service is causing this confusion. I'm not trying to attack anybody's network. Anyone have any ideas? Thanks in advance.

Joe
 
Old 04-03-2001, 11:08 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Joe,

If you're simply doing a sendmail relay on to an Exchange server using your firewall as the company's email MX pointer and it was fine up until now, then you may have someone in your firewall box portscanning.

I would suggest you look in your logs first.
Start by looking for failed login attempts.

cat /var/log/messages* | grep 'authentication'
Look for anything that says "authentication failure" or "Accepted" when you know you didn't log in.

Then check the wtmp file with the command "last" and check the time of the reported scan against who was logged in.

I would also download something like "ethereal" to start sniffing the network. "Could also use ngrep."

I suspect from past experience it's someone internal to your company who has a login on the system and is bored.
No daemons on the system should scan for ports as part of the system's standard working.

Remember you can do any standard SYN/ACK portscan without having to have suid 0 with something like nmap.

You need some IDS software and Tripwire on that firewall to help you.

/Raz
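The log check raz describes, as an added example written for this thread (not raz's script): a POSIX sh script that counts failed authentications in a syslog-style messages file, lists the remote hosts behind them, and flags any host that failed and was later accepted, which is the first thing to compare against "last" output and the time of the reported scan. It also counts the lines the ipchains logger writes for denied packets. The log lines are constructed for the demo, and the assumption that failures carry the remote host as "rhost=A.B.C.D" or "FROM A.B.C.D" and accepted logins as "from A.B.C.D" is mine, not the page's.

```shell
#!/bin/sh
# Added example (not raz's script): summarise authentication events in a
# syslog-style messages file, the log check described in the post above.
# Assumptions: failure lines carry the remote host as "rhost=A.B.C.D" or
# "FROM A.B.C.D", and accepted logins as "from A.B.C.D". The log below is
# constructed for this demo and is not from the poster's machine.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_LOG="$WORK/messages"
cat > "$SAMPLE_LOG" <<'EOF'
Apr  3 09:12:01 fw sshd[1201]: Accepted password for root from 10.0.0.5 port 1022 ssh2
Apr  3 09:40:17 fw login[1300]: FAILED LOGIN 1 FROM 203.0.113.9 FOR root, Authentication failure
Apr  3 09:40:25 fw PAM_pwdb[1301]: authentication failure; (uid=0) -> root for ssh service rhost=203.0.113.9
Apr  3 10:02:11 fw PAM_pwdb[1302]: authentication failure; (uid=0) -> root for ssh service rhost=192.0.2.77
Apr  3 21:15:44 fw sshd[2210]: Accepted password for root from 203.0.113.9 port 4411 ssh2
Apr  3 21:16:00 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4412 198.51.100.2:111 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#1)
EOF

# Number of lines recording a failed authentication: the "authentication
# failure" grep from the post, widened to the wording login(1) uses.
count_auth_failures() {
    grep -ciE 'authentication failure|failed login' "$1" || true
}

# Remote hosts that failed at least once, one per line, sorted and unique.
failing_hosts() {
    grep -iE 'authentication failure|failed login' "$1" \
        | grep -oiE '(rhost=|from )[0-9.]+' | sed 's/^[^0-9]*//' | sort -u
}

# Remote hosts that were granted a login ("Accepted ..." lines).
accepted_hosts() {
    grep 'Accepted' "$1" | grep -oE 'from [0-9.]+' | sed 's/^from //' | sort -u
}

# Hosts that failed and later got in: compare these against "last" output
# and the time of the reported scan before anything else.
suspicious_hosts() {
    failing_hosts "$1" > "$WORK/fail.txt"
    accepted_hosts "$1" > "$WORK/ok.txt"
    comm -12 "$WORK/fail.txt" "$WORK/ok.txt"
}

# Lines the ipchains logger (-l) wrote for denied packets; a firewall that is
# supposedly scanning people should have these reviewed too.
count_denied_packets() {
    grep -c 'Packet log: .* DENY' "$1" || true
}

echo "failed authentications: $(count_auth_failures "$SAMPLE_LOG")"
echo "hosts that failed, then were accepted:"
suspicious_hosts "$SAMPLE_LOG"
echo "denied packets logged: $(count_denied_packets "$SAMPLE_LOG")"
```

Run it against the real file by pointing the functions at /var/log/messages instead of the constructed sample; with several rotated files, feed them through cat as the post does.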
 
Old 04-03-2001, 04:09 PM   #3
Bubba
LQ Newbie
 
Registered: Feb 2001
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks for the response Raz, but the Linux machine has no function other than a firewall gateway. It is not running sendmail. It simply forwards anything going to the Exchange server from the internet using ipmasqadm and ipchains. Also there are no other user accounts on the machine that someone could log into. I will check the logs as you suggested just to make sure.

 
Old 04-04-2001, 02:20 AM   #4
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
I stumbled across this site today:
http://www.chkrootkit.org/
Might help you to determine if someone has a rootkit on your Linux box.
 
Old 04-04-2001, 04:17 AM   #5
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31

Bubba,

What exactly did the other companies say?
Ask them to send you the logs of the scan attempts.

Are the companies that are reporting the scans anything to do with your own site, or a competitor site?

You know it's very easy for someone to change a TCP packet's header so it has a different source address, thus faking where the probe came from. "An example is the decoy option in nmap."

Also if your FTP daemon is incorrectly installed or old and has anonymous IP access, then someone can also do an FTP bounce scan. "i.e. get your system to scan someone on their behalf."

If it helps send me an email to roldbury@newmail.net with your FW's IP address and I'll start some penetration testing to see how secure your firewall is. Also I can give you some IDS software which will check your logs every 15 minutes for any DENY and other interesting messages and email them to you. (1 shell script, 1 Perl script and an entry in the crontab.)

I suggest you DENY input access on any ports below 1024 while you look into this.
i.e.

Turn some ICMP types off to make your system more invisible.
Note: some ICMP types have to be ACCEPT or packets can't fragment correctly.

# Accept the ICMP types normal traffic depends on (replies and error reports), only when addressed to your own network
ipchains -A input -p icmp --icmp-type echo-reply -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type destination-unreachable -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type source-quench -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type time-exceeded -d 195.217.142.0/24 -j ACCEPT
ipchains -A input -p icmp --icmp-type parameter-problem -d 195.217.142.0/24 -j ACCEPT
# Deny and log (-l) the types that mainly help someone map the box: echo-request (ping), type 5 (redirect), type 15 (information request)
ipchains -A input -p icmp --icmp-type echo-request -j DENY -l
ipchains -A input -p icmp --icmp-type 5 -j DENY -l
ipchains -A input -p icmp --icmp-type 15 -j DENY -l
# Stops a traceroute request: traceroute sends UDP probes to destination ports 33434 and up, so the port range goes on the destination (-d) side, not the source
ipchains -A input -p udp -s 0/0 -d (you_fws_ip_address_here) 33434:33600 -j DENY -l

Also make sure you have these set correctly or people can play havoc with your RH system. 8-)

# Run as root. ip_forward=1 is needed because this box is the gateway; the rest harden the IP stack. Values reset at reboot unless put in a startup script.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route


/Raz
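The /proc/sys/net/ipv4 settings raz lists, turned into an audit script as an added example for this thread (not raz's IDS scripts): it reports every key whose current value differs from the value in the post, and can apply the list. The PROC_ROOT parameter and the constructed fake /proc tree are my additions so the script can be tried without root; on a real box the functions default to /proc and writing to it needs root.

```shell
#!/bin/sh
# Added example (not raz's script): audit, and optionally apply, the
# /proc/sys/net/ipv4 settings listed in the post above.
# Assumption: the kernel exposes each key as a file under $ROOT/sys/net/ipv4,
# where $ROOT defaults to /proc. A constructed tree is used for the demo.

# key=value pairs exactly as given in the post, relative to sys/net/ipv4
SETTINGS='
ip_forward=1
tcp_syncookies=1
ip_always_defrag=1
icmp_echo_ignore_broadcasts=1
icmp_ignore_bogus_error_responses=1
conf/all/rp_filter=1
conf/all/accept_redirects=0
conf/all/send_redirects=0
conf/all/accept_source_route=0
'

# Print one line per key that is missing or holds a different value.
audit_ipv4_hardening() {
    root=${1:-/proc}
    for pair in $SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}
        f="$root/sys/net/ipv4/$key"
        if [ ! -r "$f" ]; then
            echo "MISSING $key (this kernel does not expose it)"
            continue
        fi
        have=$(cat "$f")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have $have, want $want"
        fi
    done
}

# Number of audit findings; 0 means the box matches the list.
count_mismatches() {
    audit_ipv4_hardening "$1" | wc -l | tr -d ' '
}

# Write every value from the list (needs root against the real /proc).
apply_ipv4_hardening() {
    root=${1:-/proc}
    for pair in $SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}
        f="$root/sys/net/ipv4/$key"
        if [ -w "$f" ]; then
            echo "$want" > "$f"
        fi
    done
}

# Constructed stand-in for /proc with one deliberately wrong value, so the
# audit has something to find; prints the directory it created.
make_fake_proc() {
    fake=$(mktemp -d)
    mkdir -p "$fake/sys/net/ipv4/conf/all"
    for pair in $SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}
        echo "$want" > "$fake/sys/net/ipv4/$key"
    done
    echo 1 > "$fake/sys/net/ipv4/conf/all/accept_redirects"   # wrong on purpose
    echo "$fake"
}

FAKE=$(make_fake_proc)
echo "before:"; audit_ipv4_hardening "$FAKE"     # reports accept_redirects
apply_ipv4_hardening "$FAKE"
echo "after, mismatches: $(count_mismatches "$FAKE")"   # 0
rm -rf "$FAKE"
```

Pointing audit_ipv4_hardening at the real /proc (no argument) gives a quick check that the settings survived a reboot; the MISSING case covers keys like ip_always_defrag that not every kernel offers.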
 
  

