#1 - 05-02-2007, 06:57 PM
LQ Newbie, Registered: Nov 2005, Posts: 13
Network Attack seems to ignore my iptables rules
Hi all,
one of my mail servers is currently under attack. I have set up a pretty decent iptables set (syn floods etc), but it seems that it cannot handle this particular one (although it looks like a SYN flood to me). In particular, as shown in the log, it manages to 'catch' it but for some reason it is unresponsive to its services (POP,IMAP,SMTP). I was wondering if someone could help me to deal with this situation. I hope I should be able to do something more than wait for it to finish.
Code:
May 3 01:46:00 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=64164 PROTO=TCP SPT=55774 DPT=56124 WINDOW=4096 RES=0x00 SYN URGP=0
May 3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=25 ID=31025 PROTO=TCP SPT=55772 DPT=55118 WINDOW=2048 RES=0x00 SYN URGP=0
May 3 01:46:02 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=22646 PROTO=TCP SPT=55774 DPT=25786 WINDOW=4096 RES=0x00 SYN URGP=0
May 3 01:46:03 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=33630 PROTO=TCP SPT=55771 DPT=4154 WINDOW=4096 RES=0x00 SYN URGP=0
May 3 01:46:05 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=13090 PROTO=TCP SPT=55771 DPT=48393 WINDOW=3072 RES=0x00 SYN URGP=0
May 3 01:46:06 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=60313 PROTO=TCP SPT=55774 DPT=17878 WINDOW=3072 RES=0x00 SYN URGP=0
May 3 01:46:08 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=3242 PROTO=TCP SPT=55772 DPT=23571 WINDOW=1024 RES=0x00 SYN URGP=0
May 3 01:46:08 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=27 ID=23312 PROTO=TCP SPT=55774 DPT=35985 WINDOW=4096 RES=0x00 SYN URGP=0
May 3 01:46:10 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=26 ID=32949 PROTO=TCP SPT=55772 DPT=33707 WINDOW=3072 RES=0x00 SYN URGP=0
May 3 01:46:11 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=29 ID=48152 PROTO=TCP SPT=55770 DPT=1737 WINDOW=1024 RES=0x00 SYN URGP=0
May 3 01:46:11 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=4883 PROTO=TCP SPT=55772 DPT=65379 WINDOW=2048 RES=0x00 SYN URGP=0
May 3 01:46:12 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=35 ID=29322 PROTO=TCP SPT=55774 DPT=59015 WINDOW=4096 RES=0x00 SYN URGP=0
May 3 01:46:13 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=32 ID=10730 PROTO=TCP SPT=55771 DPT=10950 WINDOW=4096 RES=0x00 SYN URGP=0
May 3 01:46:14 srv kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:f4:ad:a0:00:0b:be:4d:e8:00:08:00 SRC=213.180.210.35 DST=1.2.3.4 LEN=44 TOS=0x00 PREC=0x00 TTL=19 ID=33847 PROTO=TCP SPT=55773 DPT=7563 WINDOW=3072 RES=0x00 SYN URGP=0
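The log lines above show a single source sending one SYN roughly every second, each to a different high port. As an added example (not from the thread), this shell function summarizes netfilter LOG output per source so the rate and port spread can be read off directly; the sample lines are a constructed, trimmed copy of the post's log.

```shell
#!/bin/sh
# Added example, not from the thread: per-source summary of netfilter LOG lines.
# LOG_SAMPLE is constructed: the post's 14 lines trimmed to the fields parsed.
LOG_SAMPLE='May 3 01:46:00 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55774 DPT=56124 SYN URGP=0
May 3 01:46:02 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55772 DPT=55118 SYN URGP=0
May 3 01:46:02 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55774 DPT=25786 SYN URGP=0
May 3 01:46:03 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55771 DPT=4154 SYN URGP=0
May 3 01:46:05 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55771 DPT=48393 SYN URGP=0
May 3 01:46:06 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55774 DPT=17878 SYN URGP=0
May 3 01:46:08 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55772 DPT=23571 SYN URGP=0
May 3 01:46:08 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55774 DPT=35985 SYN URGP=0
May 3 01:46:10 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55772 DPT=33707 SYN URGP=0
May 3 01:46:11 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55770 DPT=1737 SYN URGP=0
May 3 01:46:11 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55772 DPT=65379 SYN URGP=0
May 3 01:46:12 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55774 DPT=59015 SYN URGP=0
May 3 01:46:13 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55771 DPT=10950 SYN URGP=0
May 3 01:46:14 srv kernel: Dropped by default:IN=eth0 SRC=213.180.210.35 PROTO=TCP SPT=55773 DPT=7563 SYN URGP=0'

# Reads LOG lines on stdin; prints one line per source: SYN count, seconds
# spanned, average rate, distinct destination ports, distinct source ports.
summarize_syn_log() {
  awk '
    {
      src = ""; spt = ""; dpt = ""; syn = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^SPT=/) spt = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i == "SYN") syn = 1
      }
      if (src == "" || !syn) next      # keep only SYN packets with a source
      split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
      if (!n[src]) first[src] = secs
      last[src] = secs; n[src]++
      if (!dseen[src, dpt]) { dseen[src, dpt] = 1; dports[src]++ }
      if (!sseen[src, spt]) { sseen[src, spt] = 1; sports[src]++ }
    }
    END {
      for (s in n) {
        span = last[s] - first[s]; if (span < 1) span = 1
        printf "%s syn=%d span=%ds rate=%.2f/s dports=%d sports=%d\n",
               s, n[s], span, n[s] / span, dports[s], sports[s]
      }
    }'
}

printf '%s\n' "$LOG_SAMPLE" | summarize_syn_log
```

One SYN per second to fourteen different ports is not flood volume, and these packets are already being dropped; they are unlikely to be what stalls POP, IMAP and SMTP.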
#2 - 05-02-2007, 07:11 PM
HCL Maintainer, Registered: Jan 2006, Distribution: (H)LFS, Gentoo, Posts: 2,450
Have you done “sysctl net.ipv4.tcp_syncookies=1”?
#3 - 05-02-2007, 07:49 PM
LQ Guru, Registered: Aug 2001, Location: Fargo, ND, Distribution: SuSE AMD64, Posts: 15,733
I wonder if one of the web servers they host is compromised.
Code:
------------------------------------------------------
Points of contact for Yandex LLC Network Operations
------------------------------------------------------
Routing and peering issues: noc@yandex.net
SPAM issues: abuse@yandex.ru
Network security issues: abuse@yandex.ru
Mail issues: postmaster@yandex.ru
General information: info@yandex.ru
------------------------------------------------------
Although their main business is as a search engine.
#4 - 05-03-2007, 12:38 AM
LQ Newbie (Original Poster), Registered: Nov 2005, Posts: 13
Quote:
Originally Posted by osor
Have you done “sysctl net.ipv4.tcp_syncookies=1”?
Yes,
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
No luck. Any more suggestions?
Btw, this is something I don't get. iptables seems to give me the opposite result from what I would expect. The machine is still able to serve clients when iptables is off, but it stops doing so when it is on (most probably due to connection limits being enforced). So what's the point of using it if -IN PRACTICE- the result is the exact opposite of the desired one?
Last edited by grpprod; 05-03-2007 at 01:54 AM.
#5 - 05-03-2007, 07:20 AM
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Could we see the iptables rules you are using?
Or at least the active config, like:
Last edited by win32sux; 05-03-2007 at 09:59 AM.
#6 - 05-05-2007, 12:29 AM
LQ Newbie (Original Poster), Registered: Nov 2005, Posts: 13
Quote:
Originally Posted by win32sux
Could we see the iptables rules you are using?
Okay, here are the rules I use to handle attacks:
Code:
# Spoofed local IPs
$IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
# SYN-floods
$IPTABLES -N SYNFLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD
$IPTABLES -A SYNFLOOD -j LOG --log-level debug
$IPTABLES -A SYNFLOOD -p tcp -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYNFLOOD -j DROP
# Allow only SYN packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# NULL TCP, XMASTREE etc.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN FIN -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 2/s -j ACCEPT
# Corrupted packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
# Fragmented packets
$IPTABLES -A INPUT -f -j DROP
# Ping DoS
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
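The SYNFLOOD chain above uses `-m limit`, which keeps a single token bucket for the rule rather than one per source, so once anyone sends more than four SYNs, every client together is throttled to one new connection per second. This added example (not from the thread) shows that chain beside a per-source version using `-m hashlimit`; the thresholds are assumptions, and `IPTABLES` defaults to echoing the commands so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread: the posted SYNFLOOD chain beside a
# per-source version. IPTABLES defaults to a dry run that prints the commands;
# set IPTABLES=/sbin/iptables to apply them for real (root required).
IPTABLES="${IPTABLES:-echo iptables}"

# As posted: -m limit keeps ONE bucket for the whole rule, so after a burst of
# 4 SYNs from anyone, all clients together get one new connection per second.
global_syn_limit() {
  $IPTABLES -N SYNFLOOD
  $IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD
  $IPTABLES -A SYNFLOOD -p tcp -m limit --limit 1/s --limit-burst 4 -j RETURN
  $IPTABLES -A SYNFLOOD -j DROP
}

# Per-source: hashlimit keys its buckets on the source address (srcip), so a
# noisy host exhausts only its own budget. 20/sec and burst 40 are assumptions.
per_source_syn_limit() {
  $IPTABLES -N SYNFLOOD
  $IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD
  $IPTABLES -A SYNFLOOD -m hashlimit --hashlimit-name synflood \
    --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 40 \
    -j RETURN
  # Log the excess at a bounded rate (not one line per SYN), then drop it.
  $IPTABLES -A SYNFLOOD -m limit --limit 5/min -j LOG --log-prefix "SYN excess: "
  $IPTABLES -A SYNFLOOD -j DROP
}

echo "# posted chain (global bucket)"; global_syn_limit
echo "# per-source chain"; per_source_syn_limit
```

The "Dropped by default:" prefix in the post #1 log does not come from any rule shown in post #6, so the posted set is partial; note also that the posted chain's unconditional LOG rule writes one kernel log line for every SYN before the limit is applied.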