Log, possibly attack?
In a usual check of my firewall I realized that one thing had gone wrong: the typing was slow and Postfix was started without my command.
I saw a lot of smtp services started on high ports and a lot of connections from strange IPs in netstat. This is the log:

Sep 1 06:25:11 zip syslogd 1.4.1#10: restart.
Sep 1 07:08:17 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=199.183.196.86 DST=10.0.0.139 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=5625 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:38 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42619 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:41 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42706 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
(..!!!!!!..)
Sep 1 08:10:17 zip init: Trying to re-exec init
Sep 1 08:11:17 zip postfix/postfix-script: fatal: the Postfix mail system is not running
Sep 1 08:11:41 zip lpd[15024]: restarted
Sep 1 08:11:42 zip rpc.statd[174]: Caught signal 15, un-registering and exiting.
Sep 1 08:11:43 zip rpc.statd[15044]: Version 1.0 Starting
Sep 1 08:12:04 zip postfix/postfix-script: starting the Postfix mail system
Sep 1 08:12:05 zip postfix/master[15201]: daemon started
Sep 1 08:12:05 zip postfix/pickup[15204]: warning: 479E68040: message has been queued for 142 days
Sep 1 08:12:05 zip postfix/pickup[15204]: 479E68040: uid=0 from=<root>
Sep 1 08:12:05 zip postfix/cleanup[15206]: 479E68040: message-id=<20030412092559.479E68040@zip.zip>
Sep 1 08:12:05 zip postfix/pickup[15204]: warning: 8FCA28042: message has been queued for 142 days
Sep 1 08:12:05 zip postfix/pickup[15204]: 8FCA28042: uid=0 from=<root>
(...and these queued messages repeat many times...)!!!!

Could this be an attack through an rpc port? Why doesn't my firewall block the connections? The only open port is 3389 and that is forwarded to a Windows box.
I use iptables and a transparent Squid proxy on this firewall. Thanks, best regards. Fabricio
Welcome to LQ.
> I saw a lot of smtp services started on high ports and a lot of connections from strange IPs in netstat.

I don't see a thing :-] Posting the output of netstat could have been helpful. Also, you should start by checking whatever you need to run. If there are services you don't need yourself or don't need to provide, then stop and uninstall them. For instance, to retrieve remote mail or send mail you don't need an SMTP daemon running. That is only necessary if you need other people to use your SMTP server. The services you need (to provide) you should configure well. In the case of an SMTP server that means checking which address (ranges) you allow people to access the service from and applying other anti-spam features. If you're not familiar with securing a box, please see the 1st sticky post in this forum.

> Could this be an attack through an rpc port?

Comparing your lines with some rpc exploit entries, which may look something like this in the logs:

Sep 10 08:11:43 zip rpc.statd[904]: gethostbyname errr78y2d x8435yb495yxb249756xb2843cvahbx845bp5bpuybeiauwbXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXX

I'd guess it doesn't look like it; it looks more like a restart to me. *Why* it restarted at that particular time I can't answer either.

> Why doesn't my firewall block the connections? The only open port is 3389 and that is forwarded to a Windows box.

Post your firewall script?
I don't know how to express my problem very well because my English is poor.
My firewall script is:

#!/bin/sh
#---------------------------------
# Basic configuration
#---------------------------------
IPTABLES=`which iptables`
PERMITIR_TCP="22 80 3389"
PERMITIR_UDP="53"
INET_INT="eth0"
LAN_INT="eth1"
INTERNAL_LAN="10.0.0.0/24 200.x.x.x 200.x.x.x"
MASQ_LAN="10.0.0.0/24"
#---------------------------------
# DROP: for logged drops use "LDROP"
#---------------------------------
#DROP="TREJECT"
DROP="LDROP"
#---------------------------------
# TCP forward: ServerPort:StationPort>Ip
#---------------------------------
TCPFORWARD="3389:3389>10.0.0.152"
UDPFORWARD=""
#---------------------------------
# Creating the chains
#---------------------------------
REGRAS="ENTRADANET SAIDANET TCPPERMITIDO LDROP TREJECT"
#---------------------------------
# Enabling masquerading (IP forwarding)
#---------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------
# Enabling TCP syncookies
#---------------------------------
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#---------------------------------
# Flushing the old rules
#---------------------------------
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
for chain in ${REGRAS} ; do
  ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
  ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
  ${IPTABLES} -t filter -N ${chain}
done
${IPTABLES} -t filter -P INPUT ACCEPT
${IPTABLES} -t filter -P OUTPUT ACCEPT
${IPTABLES} -t filter -P FORWARD DROP
#---------------------------------
# Local traffic
#---------------------------------
for subnet in ${INTERNAL_LAN} ; do
  ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
  ${IPTABLES} -t filter -A FORWARD -d ${subnet} -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#---------------------------------
# Enabling NAT
#---------------------------------
if [ "$MASQ_LAN" != "" ] ; then
  for subnet in ${MASQ_LAN} ; do
    ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_INT} -j MASQUERADE
  done
fi
#---------------------------------
# TCP forward
#---------------------------------
if [ "$TCPFORWARD" != "" ] ; then
  for rule in ${TCPFORWARD} ; do
    echo "$rule" | {
      IFS=':>' read srcport destport host
      ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
      ${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${destport} -j ACCEPT
    }
  done
fi
#---------------------------------
# UDP forward
#---------------------------------
if [ "$UDPFORWARD" != "" ] ; then
  for rule in ${UDPFORWARD} ; do
    echo "$rule" | {
      IFS=':>' read srcport destport host
      ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
      ${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${destport} -j ACCEPT
    }
  done
fi
#---------------------------------
# Finishing the rule configuration
#---------------------------------
${IPTABLES} -t filter -A INPUT -i ${INET_INT} -j ENTRADANET
${IPTABLES} -t filter -A OUTPUT -o ${INET_INT} -j SAIDANET
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit 2/s -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -j REJECT
#---------------------------------
# Protecting against TCP SYN flood
#---------------------------------
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp --syn -m limit --limit 4/s -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp ! --syn -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCP"
${IPTABLES} -t filter -A TCPPERMITIDO -j ${DROP}
#---------------------------------
# Packets with invalid flags
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state INVALID -j ${DROP}
#---------------------------------
# Discarding ping floods
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type ! echo-request -j ACCEPT
#---------------------------------
# TCP ports to be opened
#---------------------------------
if [ "$PERMITIR_TCP" != "" ] ; then
  for port in ${PERMITIR_TCP} ; do
    ${IPTABLES} -t filter -A ENTRADANET -p tcp --dport ${port} -j TCPPERMITIDO
  done
fi
#--------------------------------
# Test with UDP ports
#--------------------------------
if [ "$PERMITIR_UDP" != "" ] ; then
  for port in ${PERMITIR_UDP} ; do
    ${IPTABLES} -t filter -A ENTRADANET -p udp --dport ${port} -j ACCEPT
  done
fi
#---------------------------------
# Packets with valid flags
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state ESTABLISHED -j ACCEPT
#---------------------------------
# TOS
#---------------------------------
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos 0x02
#---------------------------------
# Default rules
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -j ${DROP}
${IPTABLES} -t filter -A SAIDANET -j ACCEPT
#route add -host 200.x.x.x gw 10.0.0.152
ifconfig eth0:1 200.x.x.x netmask 255.255.255.255
#${IPTABLES} -A PREROUTING -t nat -d 200.x.x.x -j DNAT --to 10.0.0.152
#${IPTABLES} -A POSTROUTING -t nat -s 10.0.0.152 -j SNAT --to 200.x.x.x
route add -host 200.x.x.x gw 200.x.x.x
route add -host 200.x.x.x gw 200.x.x.x

Is this a good, strong security script? Many thanks, Fabricio, Curitiba - Brasil
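The kernel entries in the first post are the LOG output of the script's LDROP chain, so they record what the firewall blocked, not what got through. As an added example (not part of the thread), this Python parser reads such lines, counts unsolicited SYNs per source and destination port, and checks the dropped ports against the script's PERMITIR_TCP list; the sample lines are constructed from the values quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: three "TCP Dropped " entries built from the SRC/DPT values in the
# first post (the format the LDROP chain's LOG target writes) plus one unrelated Postfix line.
SAMPLE_LOG = """\
Sep 1 07:08:17 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=199.183.196.86 DST=10.0.0.139 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=5625 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:38 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42619 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:41 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42706 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 08:12:05 zip postfix/master[15201]: daemon started
"""

# Matches the prefixes the LDROP chain uses ("TCP Dropped ", "UDP Dropped ", ...).
DROP_RE = re.compile(r"kernel: (?P<proto>TCP|UDP|ICMP|FRAGMENT) Dropped (?P<fields>.*)$")


def parse_drops(text):
    """Return one dict per iptables LOG entry; lines from other daemons are skipped.
    KEY=VALUE tokens become dict entries, bare tokens (DF, SYN, ACK, ...) go to 'flags'."""
    records = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        rec = {"proto": m.group("proto"), "flags": []}
        for tok in m.group("fields").split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                rec[key] = value
            else:
                rec["flags"].append(tok)
        records.append(rec)
    return records


def unsolicited_syns(records):
    """Count dropped pure SYNs per (SRC, DPT): inbound connection attempts that
    the ENTRADANET chain refused, i.e. what was blocked rather than what got in."""
    counts = Counter()
    for r in records:
        if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]:
            counts[(r["SRC"], int(r["DPT"]))] += 1
    return counts


def allowed_ports_dropped(records, permitted_tcp):
    """Dropped TCP destination ports that appear in PERMITIR_TCP. An empty set means every
    drop hit the default rule; a non-empty one points at the SYN rate limit in TCPPERMITIDO."""
    return {int(r["DPT"]) for r in records if r.get("PROTO") == "TCP"} & set(permitted_tcp)
```

For the posted lines it reports two attempts on port 445 and one on 6588 from outside hosts, none on a permitted port, which is consistent with the firewall having dropped them as designed.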
Looks good to me, except you're allowing telnet and I don't see the "drop bad flags" rules. Check out the first thread in this forum, look for the firewall post, the linuxguruz site. Got some damn good examples there. Of course you can also search LQ, we got some good examples as well.