LinuxQuestions.org
Old 10-10-2006, 09:41 PM   #1
ninjaz
Member
 
Registered: Aug 2003
Location: Michigan
Distribution: RHEL v.4, Debian
Posts: 82

Security through nat/pat


I have a Debian box that is sending out random ssh connections to my other Linux box on my network. My whole network is being pat'd, with the only port being forwarded into my network being 22, which goes to the Red Hat box that is not causing an issue. My Red Hat box has DenyHosts installed and running to catch all the script kiddies out there that try to brute force their way in. Now my question is: is the Debian box just acting flaky because I didn't configure something correctly, since it has never seen the outside world, or has it in fact been hacked? It sends "Did not receive identification string from ::ffff:10.0.0.12" every five minutes exactly. One question I have on top of this, though: I have OpenNMS installed on the Debian machine. Is it probing to see if the ssh server is still running, or should it still get this from SNMP?
 
Old 10-12-2006, 06:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote: It sends "Did not receive identification string from ::ffff:10.0.0.12" every five minutes exactly. One question I have on top of this though. I have OpenNMS installed on the Debian machine, is it probing to see if the ssh server is still running or should it still get this from SNMP?
Looks like a good explanation, and I know I've seen similar with other tools like Nagios and Monit. Correlating timings between the NMS probe and the log entry should prove it.


Quote: or has it in fact been hacked?
I strongly doubt that is the case (and even then *I* am not responsible for the box but you, so it's your call), but just in case you want to make certain the box is not cracked, start here:
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html
LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261
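
The timing correlation suggested in the reply above can be checked from the sshd log alone. The following is an added example, not code from the thread or from OpenNMS: it groups the "Did not receive identification string" entries by source and tests whether the gaps between them sit on one fixed interval. The log lines are constructed, and the classic syslog layout, the year, the 5-second jitter tolerance and the function names are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in classic syslog format; host name and PIDs are made up.
SAMPLE_LOG = """\
Oct 10 21:00:03 rhel sshd[4101]: Did not receive identification string from ::ffff:10.0.0.12
Oct 10 21:02:47 rhel sshd[4117]: Failed password for root from ::ffff:203.0.113.9 port 40112 ssh2
Oct 10 21:05:03 rhel sshd[4130]: Did not receive identification string from ::ffff:10.0.0.12
Oct 10 21:07:19 rhel sshd[4142]: Did not receive identification string from ::ffff:203.0.113.9
Oct 10 21:10:04 rhel sshd[4155]: Did not receive identification string from ::ffff:10.0.0.12
Oct 10 21:15:03 rhel sshd[4171]: Did not receive identification string from ::ffff:10.0.0.12
Oct 10 21:16:40 rhel sshd[4180]: Did not receive identification string from ::ffff:203.0.113.9
Oct 10 21:41:02 rhel sshd[4302]: Did not receive identification string from ::ffff:203.0.113.9
Oct 10 21:52:30 rhel sshd[4360]: Did not receive identification string from ::ffff:203.0.113.9
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (\S+)")

def probe_times(log_text, year=2006):
    """Map source address -> sorted timestamps of banner-less connections."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Classic syslog omits the year, so it is supplied by the caller.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(2).removeprefix("::ffff:")].append(ts)
    return {src: sorted(ts) for src, ts in hits.items()}

def classify(times, jitter=5.0, min_events=4):
    """Return (verdict, median_gap_seconds) for one source's timestamps."""
    if len(times) < min_events:
        return "too few events", None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    # A scheduled poller produces gaps that all sit close to one interval.
    periodic = all(abs(g - median) <= jitter for g in gaps)
    return ("periodic" if periodic else "irregular"), median

def report(log_text):
    return {src: classify(ts) for src, ts in probe_times(log_text).items()}

if __name__ == "__main__":
    for src, (verdict, gap) in report(SAMPLE_LOG).items():
        print(f"{src:15} {verdict:15} median gap: {gap}")
```

A "periodic" verdict whose median gap matches the monitoring tool's configured polling interval for the SSH service supports the poller explanation; an "irregular" source is the one worth a closer look.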
 
Old 10-12-2006, 05:05 PM   #3
ninjaz
Member
 
Registered: Aug 2003
Location: Michigan
Distribution: RHEL v.4, Debian
Posts: 82

Original Poster
Thanks for your reply, I'll check into those.