hi guys,

i check my logs from time to time in an attempt to find things that are suspicious, however sometimes i feel i do not know what i am looking and am not sure of the significance of particular entries, i have tripwire and snort operating correctly and i am slowly getting better at intrepreting threats from false alarms!

now to my question i have this entry in my "messages" log :

Jan 4 16:54:59 mykernel kernel: IN=ppp0 OUT= MAC= SRC=64.180.154.200 DST=myIP LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=8920 PROTO=TCP SPT=2071 DPT=1923 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 16:55:02 mykernel kernel: IN=ppp0 OUT= MAC= SRC=64.180.154.200 DST=myIP LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=8923 PROTO=TCP SPT=2071 DPT=1923 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 16:55:31 mykernel kernel: IN=ppp0 OUT= MAC= SRC=64.180.154.200 DST=myIP LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=8939 PROTO=TCP SPT=2071 DPT=1924 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 16:55:42 mykernel kernel: IN=ppp0 OUT= MAC= SRC=64.180.154.200 DST=myIP LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=8943 PROTO=TCP SPT=2071 DPT=1925 WINDOW=0 RES=0x00 ACK RST URGP=0


where "mykernel" is my sys and "myIP" is my IP address. I get a large number of these entries from various SRC's. Now i do little checking on some of the IP's and some come up unknown and some are valid IPs that i have requested or my ISP ones.

Can anyone enlighten my as to what this represents and also direct me to some good tutorials/sites/documents regarding the interpretion of logs?

thanks for ur time

Ed.

Looks like someone is port-scanning you...

SPT=2071 sounds like "Source Port"
DPT=1923 sounds like "Destination Port"

If so, somone is probing you hitting numerical sequential port numbers. 1923, 1924, 1925, etc... The fact that the source port is staying at 2071 every time is possibly indicative of a nefarious program.. Just an assumption.. Normally the source port increases on normal TCP connections but a lot of "go find me a remote server to hack" programs are written (badly?) to not change the source port on each subsequent connection attempt.

Just a guess... If you have no services enabled to the external internet interface that are insecure you don't have anything to worry about. If you do however...

Cuz of the ACK + RST flags and the lack of fluctuating parameters I thought it could be part of some connection teardown as well.
Say you have a connection with airsoft, and he wants to tear it down. Since you have a connection he'll be sending ACK + RST.

Let's see what the host looks like:
Seems cool to me.

IMO some basic fw links should include at least
FAQ: Firewall Forensics (What am I seeing?) and the Netfilter Iptabes/Ipchains Log Format (check the logparser).

hmmm.....interesting..

i also noticed some of the entries are coming from my ISP DNS server which are fine...but them other ones...grr

"services enabled to the external internet"

i feel i am fairly secure in that dept. this is my nmap out put anyway:

Port State Service
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
10000/tcp open snet-sensor-mgmt

also what is a "nefarious program"? a malicious program?.

thanks for those sites i will do some research into it now.

dont suppose u know of what i can add (if possible) to my firewall script to drop these scans, would i just use an entry to drop packets from the particular port?

anyway thanks again or ur help!

Ed.

hey that netfilter log analyzer is pretty cool!!!!

i also noticed some of the entries are coming from my ISP DNS server which are fine...but them other ones...grr
Ok, show some of them other entries and we can try to analyze it.

also what is a "nefarious program"? a malicious program?
Yeah.

thanks for those sites i will do some research into it now.
Np, here's the rest :-]

Netfilter+Iptables HOWTO:
LQ search: iptables+howto,
Linuxguruz.org,
Netfilter.org Packetfiltering HOWTO,
Linuxsecurity.com Iptables tutorial,
Andreasson's Iptables tutorial,
Iptables Connection tracking.

Ipchains HOWTO:
TLDP Ipchains HOWTO,
Flounder.net Ipchains HOWTO.

Other resources/misc stuff:

Assigned ports > 1024,
Port designations,
FAQ: Firewall Forensics (What am I seeing?),
Linux Firewall and Security Site,
Auditing Your Firewall Setup (old, still usefull),
TLDP: Firewall Piercing mini-HOWTO"],
Something called the "Home PC Firewall Guide",
Vendor/Ethernet MAC Address Lookup,
Netfilter Iptabes/Ipchains Log Format,
Dshield (find out if IP was marked as used in attacks),
(Snort) Port search,
Neohapsis Port search,
(IPMasq) P2P ports,
Infosyssec's Firewall Security and the Internet (badly updated site).

dont suppose u know of what i can add (if possible) to my firewall script to drop these scans, would i just use an entry to drop packets from the particular port?
Wonder why don't u spose that?..
Anyway, scans could be detected (not all occasions) by looking at the packets src/dest addresses, protocols, flags, port range, rate and payload.

Flags/addresses: default fw scripts usually have a section that drop packets with the wrong combination of flags, or those coming from private/multi/broadcast class addresses or inbound from apparently your own MAC/IP address.
Looking back at your 1st example for instance, you don't want to block those if they where part of a connection (and src port > 1024 and dest port > 1024), so there you would just drop the logging if you don't want to see those.

About payload and for ports you run servers on, I suggest running Snort to try and determine what's malicious or not. It can't catch every possible form of malicious activity but it can catch a lot. Use it with a 3rd part app like Guardian to block access.
Looking back at your 1st example Snort's builtin portscan preprocessor will also take care of the portrange and portrate thingie and will alert when the scan goes over the treshold.

Beyond that, dropping for closed ports depends on your default policy. If you've got a default ALLOW, you've got to add a lot of ports if you want to explicitly drop access to them, but you don't have to configure allowed in/fwd/outbound access.
If OTOH you've got a default paranoid policy of DENY then you don't have to add drop rules for every port you don't want ppl to have access to, but you'll have to explicitly configure allowed in/fwd/outbound access. Haven't seen scripts that explicitly exclude protocols, but scripts usually will define a port rate limit.
There's a 3rd possibility and that's just ignoring port access you don't run services on. It usually goes with a default policy of ALLOW.

One a final note there's something to be said about scan detectors.
Some ppl suggest running Portsentry as it's included in distro's.
My first argument against running Portsentry (in the most paranoid setting) is that it will trip on access to about EVERY PORT. While this is fine if someone sweeps a port range, you can do this with your fw script as well. Besides that you might suffer from log blindness in a while if you're in a spot that get's scanned a lot by those Roadrunner, @Home and other large cable ISP connected skiddies.
My second argument against running Portsentry is that it can't determine what's malicious and what's not. It just trips on ACCESS, not payload. Snort can, Snort will and Snort does make that distinction.

HTH somehow.

Wonder why don't u spose that?.. ,

well i just will!!! the reason i asked was 'cause my FW and iptables skills are not 100%

you want some more ones to analyze!! i can give u pages of them

this one on the ftp port

Jan 8 10:11:35 kernel: IN=ppp0 OUT= MAC= SRC=205.156.51.200 DST=10.0.132.178 LEN=118 TOS=0x10 PREC=0x00 TTL=37 ID=9285 PROTO=TCP SPT=21 DPT=37038 WINDOW=65500 RES=0x00 ACK PSH FIN URGP=0

this one ?


Jan 8 10:51:15 kernel: IN=ppp0 OUT= MAC= SRC=200.37.41.198 DST=10.0.132.178 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=18276 DF PROTO=TCP SPT=2447 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0

this one is ssh i think but from an unknown ip

Jan 8 11:42:53 kernel: IN=ppp0 OUT= MAC= SRC=68.82.13.219 DST=10.0.132.178 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=5537 DF PROTO=TCP SPT=3240 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=64170

anyway those two sites u gave me are great for explaining exactly wot port does what and usually why ppl would access that port so straight away i can rule out ones like the ftp port one and ssh ones.



yes i am running snort, and have been for quite some time, it is a great program and my gratitude goes out to the guys who developed it.

one thing with snort is: it brings up alot of entries for my samba client access, which does not bother me too much.

there is one entry

**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 9 ports in 14 seconds [**]
12/20-23:54:07.323751 0:10:B5:3C:34:C4 -> 0:48:542:2A:67 type:0x800 len:0x3C
192.168.1.1:1259 -> 203.202.69.252:27015 UDP TTL:128 TOS:0x0 ID:6276 IpLen:20 DgmLen:37
Len: 17

which depicts a possible infection of the internal machine of the Infector.1.X trojan, after a good check of the windoze machine i am confident it is clean, so this ones got me a bit stumped but i am putting it down to something else maybe those online games and their anticheat software scanning !

anyway i appreciate ur lengthy and informative reply.

Ed.