LinuxQuestions.org > Linux - Security > Log, possibly attack? (https://www.linuxquestions.org/questions/linux-security-4/log-possibly-attack-90828/)

fabriciolb 09-09-2003 07:07 AM

Log, possibly attack?
 
In a routine check of my firewall I realized that something had gone wrong: typing was slow and Postfix had been started without my command.

I saw a lot of SMTP services started on high ports and a lot of connections from strange IPs in netstat.

This is the log:

Sep 1 06:25:11 zip syslogd 1.4.1#10: restart.
Sep 1 07:08:17 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=199.183.196.86 DST=10.0.0.139 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=5625 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:38 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42619 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 1 07:11:41 zip kernel: TCP Dropped IN=eth0 OUT= MAC=00:e0:7d:d8:08:b4:00:90:d0:1b:eb:32:08:00 SRC=213.65.106.93 DST=10.0.0.139 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=42706 DF PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
(...)
Sep 1 08:10:17 zip init: Trying to re-exec init
Sep 1 08:11:17 zip postfix/postfix-script: fatal: the Postfix mail system is not running
Sep 1 08:11:41 zip lpd[15024]: restarted
Sep 1 08:11:42 zip rpc.statd[174]: Caught signal 15, un-registering and exiting.
Sep 1 08:11:43 zip rpc.statd[15044]: Version 1.0 Starting
Sep 1 08:12:04 zip postfix/postfix-script: starting the Postfix mail system
Sep 1 08:12:05 zip postfix/master[15201]: daemon started
Sep 1 08:12:05 zip postfix/pickup[15204]: warning: 479E68040: message has been queued for 142 days
Sep 1 08:12:05 zip postfix/pickup[15204]: 479E68040: uid=0 from=<root>
Sep 1 08:12:05 zip postfix/cleanup[15206]: 479E68040: message-id=<20030412092559.479E68040@zip.zip>
Sep 1 08:12:05 zip postfix/pickup[15204]: warning: 8FCA28042: message has been queued for 142 days
Sep 1 08:12:05 zip postfix/pickup[15204]: 8FCA28042: uid=0 from=<root>
(...and these queued messages repeat many times...)

Could this be an attack via the rpc port?

Why doesn't my firewall block the connections? The only open port is 3389, and that is forwarded to a Windows box.

I use iptables and Squid as a transparent proxy on this firewall.

Thanks, best regards.

Fabricio
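The "TCP Dropped" lines above follow the iptables LOG format (SRC=, DPT=, PROTO= fields). As an added example, not part of the thread, the shell function below counts those drop lines per source address and destination port, which is the quickest way to tell a single stray probe from a repeated scan of one port. The sample lines are constructed from the ones in the post, with some fields trimmed.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG is constructed from the
# log lines in the post (some fields trimmed); the last line is a non-firewall
# entry to show that it is ignored.
SAMPLE_LOG='Sep 1 07:08:17 zip kernel: TCP Dropped IN=eth0 OUT= SRC=199.183.196.86 DST=10.0.0.139 LEN=40 PROTO=TCP SPT=5625 DPT=6588 WINDOW=16384 SYN URGP=0
Sep 1 07:11:38 zip kernel: TCP Dropped IN=eth0 OUT= SRC=213.65.106.93 DST=10.0.0.139 LEN=48 PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 SYN URGP=0
Sep 1 07:11:41 zip kernel: TCP Dropped IN=eth0 OUT= SRC=213.65.106.93 DST=10.0.0.139 LEN=48 PROTO=TCP SPT=3893 DPT=445 WINDOW=16384 SYN URGP=0
Sep 1 08:12:05 zip postfix/pickup[15204]: 479E68040: uid=0 from=<root>'

# Reads syslog text on stdin, keeps only the kernel "... Dropped" lines the
# firewall's LOG target writes, and prints "count SRC DPT PROTO", busiest first.
summarize_drops() {
    awk '/ kernel: .*Dropped / {
        src = ""; dpt = ""; proto = ""
        # The LOG fields are space separated key=value pairs; pick the three we need.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "") count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Typical use: summarize_drops < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample input the first line printed is "2 213.65.106.93 445 TCP": two SYNs from the same host to port 445 within three seconds, which reads as an automated probe rather than a user.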

unSpawn 09-10-2003 08:52 AM

Welcome to LQ.
I saw a lot of SMTP services started on high ports and a lot of connections from strange IPs in netstat.
I don't see a thing :-] Posting the output of netstat could have been helpful. Also, you should start by checking whatever you need to run. If there are services you don't need yourself or don't need to provide, then stop and uninstall them. For instance, to retrieve remote mail or send mail you don't need an SMTP daemon running. That is only necessary if you need other people to use your SMTP server. The services you need (to provide) you should configure well. In the case of an SMTP server that means checking which address (ranges) you allow people to access the service from and applying other anti-spam features. If you're not familiar with securing a box, please see the 1st sticky post in this forum.

Could this be an attack via the rpc port?
Comparing your lines with some rpc exploit entries, which may look
something like this in the logs:
Sep 10 08:11:43 zip rpc.statd[904]: gethostbyname errr78y2d x8435yb495yxb249756xb2843cvahbx845bp5bpuybeiauwbXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX

I'd guess it doesn't look like it; it looks more like a restart to me. *Why* it restarted at that particular time I can't answer either.


Why doesn't my firewall block the connections? The only open port is 3389, and that is forwarded to a Windows box.
Post your firewall script?

fabriciolb 09-10-2003 02:14 PM

I don't know how to express my problem very well because my English is poor.

My firewall script is:

#!/bin/sh
#---------------------------------
# Basic configuration
#---------------------------------
IPTABLES=$(which iptables)
PERMITIR_TCP="22 80 3389"      # TCP ports accepted from the Internet
PERMITIR_UDP="53"              # UDP ports accepted from the Internet
INET_INT="eth0"
LAN_INT="eth1"
INTERNAL_LAN="10.0.0.0/24 200.x.x.x 200.x.x.x"
MASQ_LAN="10.0.0.0/24"
#---------------------------------
# DROP: set to "LDROP" to log before dropping
#---------------------------------
#DROP="TREJECT"
DROP="LDROP"
#---------------------------------
# TCP forward: ServerPort:StationPort>IP
#---------------------------------
TCPFORWARD="3389:3389>10.0.0.152"
UDPFORWARD=""
#---------------------------------
# User-defined chains
#---------------------------------
REGRAS="ENTRADANET SAIDANET TCPPERMITIDO LDROP TREJECT"
#---------------------------------
# Enabling forwarding (required for masquerading)
#---------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------
# Enabling TCP syncookies
#---------------------------------
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#---------------------------------
# Flushing the old rules
#---------------------------------
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
for chain in ${REGRAS} ; do
    ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
    ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
    ${IPTABLES} -t filter -N ${chain}
done
${IPTABLES} -t filter -P INPUT ACCEPT
${IPTABLES} -t filter -P OUTPUT ACCEPT
${IPTABLES} -t filter -P FORWARD DROP
#---------------------------------
# Local traffic
#---------------------------------
for subnet in ${INTERNAL_LAN} ; do
    ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
    ${IPTABLES} -t filter -A FORWARD -d ${subnet} -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#---------------------------------
# Enabling NAT
#---------------------------------
if [ "$MASQ_LAN" != "" ] ; then
    for subnet in ${MASQ_LAN} ; do
        ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_INT} -j MASQUERADE
    done
fi
#---------------------------------
# TCP forward
#---------------------------------
if [ "$TCPFORWARD" != "" ] ; then
    for rule in ${TCPFORWARD} ; do
        echo "$rule" | {
            IFS=':>' read srcport destport host
            ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
            ${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${destport} -j ACCEPT
        }
    done
fi
#---------------------------------
# UDP forward
#---------------------------------
if [ "$UDPFORWARD" != "" ] ; then
    for rule in ${UDPFORWARD} ; do
        echo "$rule" | {
            IFS=':>' read srcport destport host
            ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
            ${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${destport} -j ACCEPT
        }
    done
fi
#---------------------------------
# Finishing the rule configuration
#---------------------------------
${IPTABLES} -t filter -A INPUT -i ${INET_INT} -j ENTRADANET
${IPTABLES} -t filter -A OUTPUT -o ${INET_INT} -j SAIDANET
# LDROP: log at a limited rate, then drop
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit 2/s -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
# TREJECT: reject with a TCP reset or an ICMP port-unreachable
# (negations are written in the "! -p" / "! --icmp-type" form that current
# iptables accepts; the older "-p ! tcp" form is deprecated)
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -j REJECT
#---------------------------------
# Protecting against TCP SYN flood
#---------------------------------
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp --syn -m limit --limit 4/s -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp ! --syn -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCP"
${IPTABLES} -t filter -A TCPPERMITIDO -j ${DROP}
#---------------------------------
# Packets with invalid flags
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state INVALID -j ${DROP}
#---------------------------------
# Discarding ping floods
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
${IPTABLES} -t filter -A ENTRADANET -p icmp ! --icmp-type echo-request -j ACCEPT
#---------------------------------
# TCP ports to be opened
#---------------------------------
if [ "$PERMITIR_TCP" != "" ] ; then
    for port in ${PERMITIR_TCP} ; do
        ${IPTABLES} -t filter -A ENTRADANET -p tcp --dport ${port} -j TCPPERMITIDO
    done
fi
#--------------------------------
# Test with UDP ports
#--------------------------------
if [ "$PERMITIR_UDP" != "" ] ; then
    for port in ${PERMITIR_UDP} ; do
        ${IPTABLES} -t filter -A ENTRADANET -p udp --dport ${port} -j ACCEPT
    done
fi
#---------------------------------
# Packets with valid flags
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state ESTABLISHED -j ACCEPT
#---------------------------------
# TOS
#---------------------------------
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos 0x02
#---------------------------------
# Default rules
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -j ${DROP}
${IPTABLES} -t filter -A SAIDANET -j ACCEPT
#route add -host 200.x.x.x gw 10.0.0.152
ifconfig eth0:1 200.x.x.x netmask 255.255.255.255
#${IPTABLES} -A PREROUTING -t nat -d 200.x.x.x -j DNAT --to 10.0.0.152
#${IPTABLES} -A POSTROUTING -t nat -s 10.0.0.152 -j SNAT --to 200.x.x.x
route add -host 200.x.x.x gw 200.x.x.x
route add -host 200.x.x.x gw 200.x.x.x

Is this a good, strong security script?

Many Thanks

Fabricio
Curitiba- Brasil

unSpawn 09-11-2003 06:37 PM

Looks good to me, except you're allowing telnet and I don't see the "drop bad flags" rules. Check out the first thread in this forum, look for the firewall post, the linuxguruz site. Got some damn good examples there. Of course you can also search LQ, we got some good examples as well.
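The "drop bad flags" rules unSpawn refers to are a chain that discards TCP packets whose flag combinations no well-behaved stack sends (scanner fingerprints and malformed packets), evaluated before the port rules. The block below is an added example, not from the thread or from unSpawn, written in the style of Fabricio's script; it assumes that script has already created the ENTRADANET chain and the LDROP target, and the chain name BADFLAGS is our own choice.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes the ENTRADANET
# chain and the LDROP log-then-drop target from Fabricio's script exist.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print the rules instead of loading them
DROP="${DROP:-LDROP}"              # same target the script uses for logged drops

# Creates the BADFLAGS chain and sends every TCP packet arriving on the
# Internet interface through it before the port rules in ENTRADANET are consulted.
bad_flags_rules() {
    ${IPTABLES} -t filter -N BADFLAGS
    # Flag combinations no legitimate TCP stack sends. Each is logged at a
    # limited rate and then dropped.  Format: "<mask> <flags that must be set>".
    for combo in "ALL NONE" "ALL ALL" "ALL FIN,URG,PSH" \
                 "ALL SYN,RST,ACK,FIN,URG" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
        set -- $combo   # $1 = flags to examine, $2 = flags that must be set
        ${IPTABLES} -t filter -A BADFLAGS -p tcp --tcp-flags "$1" "$2" \
            -m limit --limit 2/s -j LOG --log-level info --log-prefix "BADFLAGS Dropped "
        ${IPTABLES} -t filter -A BADFLAGS -p tcp --tcp-flags "$1" "$2" -j ${DROP}
    done
    # A new connection must begin with a bare SYN; anything else that conntrack
    # regards as NEW (stray ACKs, ACK scans) is dropped too.
    ${IPTABLES} -t filter -A BADFLAGS -p tcp ! --syn -m state --state NEW -j ${DROP}
    # Insert at position 1 so it runs before the existing port rules.
    ${IPTABLES} -t filter -I ENTRADANET 1 -p tcp -j BADFLAGS
}

# Load only when asked to, so the file can be sourced for review:
#   sh badflags.sh load           (as root, after the main script)
#   IPTABLES=echo sh badflags.sh load   (dry run, prints the rules)
if [ "${1:-}" = "load" ]; then
    bad_flags_rules
fi
```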

