Hi,

I'm running Slackware 9.1 which I only installed this week, so I'm not experianced at all. I am up to date in my patches, I run no unnecessary services, and I have a basic firewall up. Here is my firewall script:

# Drop everything

iptables -P INPUT DROP

iptables -P FORWARD DROP

# Allow established connections and programs that use loopback

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Allow ssh to connect

iptables -A INPUT -p tcp --dport 22 -i ppp0 -j ACCEPT

#end script

Now... I'm being attacked, right now, as I type this. I'm not getting much beyond port scans but I have friends (who use the same ISP) who are also being scanned, and taking more serious attacks (All Windows users behind Sygate). The attacks are all coming from the same IP#

So my main question is, can anybody see any serious problems with my security that I should worry about? And, what is the best way to react in a situation like this? Is there any way I can trace them and report them to their ISP?

Any help you can give me would be appreciated. This is a bit much for a newbie such as I.

http://home.earthlink.net/~milk4unme/

d/l and read the 2 pdf files here

I'll do that, thanks.

But for now, I scanned them right back and found masses of open ports. I also found that they are from the French ISP Wanadoo. Tomorrow I'll call my ISP and tell them about it, maybe they can notify these Wanadoo people and some action can be taken. At least since I scanned them, their own attacks seem to have stopped.

What a piss off...

Again, thanks for the help, I'll be sure to read over those.

I'm not getting much beyond port scans
...which you can ignore if you're not interested. Else install an IDS like Snort. It's reporting will be much more verbose compared to firewall rules, in some cases it'll name the tool, any (possibly) malicious activity in a way you could determine the threat level.

(...)taking more serious attacks (All Windows users behind Sygate). The attacks are all coming from the same IP[/i]
What is serious in your opinion?
Post the IP?


So my main question is, can anybody see any serious problems with my security that I should worry about? And, what is the best way to react in a situation like this? Is there any way I can trace them and report them to their ISP?
No, i see nothing worrying in this picture. If you're not running services and don't harass ppl on the 'net, then the amount of scannage done IMHO largely depends on if you're on a "popular" network range (lotsa innocent sheep with insecure boxen, ranges for worms to scan, etc etc), if the previous user of the IP (ppp, right?) did stuff ranging from waging war on IRC to ghosting P2P connections (which can be mistaken for scans). Of course there are other options, but without a tool like Snort it will be much harder for you to assess what exactly comes across the ocean...

If it persists, notifying their ISP would be SOP, but that usually doesn't get you nowhere. Blocking and not logging is your alternative. Since you scanned them, is it a Wintendo box?

If you want a comprehensive overview of security measures and such, please check out the LQ FAQ: Security references.


//moderator.note:
320mb: d/l and read the 2 pdf files here
320mb, I want you to stop spamming we should D/L these PDF's. In the first place they're just conversions of the Linux Administrators Guide and the Network Administrators Guide, second offering PDF's doesn't constitute an answer at LQ. If you can't offer an answer to a security question, please have the general netiquette to move on to a question you're willing to put some effort answering in. If you disagree, please take it up with me by email. TIA.

Hello,

I hope I'm not intruding in this conversation unwanted. I had a few related questions and after reading about excessive postings I thought I would just try and jump into this one instead of creating a new post.

How can I shutdown this X11 service? What is it exactly? I'm running RH 9 by the way.

(The 65534 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11

Thank you.

Hello unSpawn,

The more serious attacks I mentioned are pretty vague. In my friends words, his fire wall "went nuts" and he was disconnected. He dialed back in and the same happened again not long later.

The scans are still happening every few minutes even today, but now most of them come from IP addresses owned by my ISP (in Australia.) Maybe from compromised computers?

I'm just guessing, I really know nothing about security beyond what I have learned in the past week.

A couple of IP's that have come up more than once today are 203.221.244.149 and 203.220.216.53

I'm reading up on snort now, but it looks like I'm just going to have to wait this out. If nothing else it has motivated me to learn more about my systems security.

Thank you for all your help, its very much appreciated.

Scans happen every hour. The attacker is looking for a misconfiguration of a service. The most famous scan pattern is the proxy service (tcp/1080).

So, if you have to install a new service you must careful at the configuration time because it may be proven fatal!

install portsentry(block scan and ip address), installe snort, configure your firewall too well, use a gui if necessary, and add "--no-listen tcp" option to X server startup(port 6000) or your startx command(if you start X from console).

shorewall is easier than "direct iptables rules"

test your firewall at sygate site
nmap your ip adress

unSpawn: Don't you think that instead of spoon feeding him the answer, it would be better to point him in the right direction and let him find the answer himself. In doing so, he will also learn alot more about Linux security. Also, what is wrong with posting a few e-books, as I allready said, it will help him get the answer, and in the process he will learn alot of useful info.

Thanks, Nick

unSpawn: Don't you think that instead of spoon feeding him the answer, it would be better to point him in the right direction and let him find the answer himself.
First of all I usually don't talk much about approaches to solving problems here. Most of the time people do not want an elaborate explanation, background information let alone know about structurising troubleshooting and whatnot, but just want an answer. If that constitutes spoonfeeding ppl info, then I'm as guilty as hell all of my life and everywhere I've been.

Define "better". What is the "best" approach? What's the "best" way to tell a security expert, a forensics expert, a colo admin, a DBA, a manager, a student, a newbie? How do you assess, except by reading between the lines, how much effort ppl want to put in it?


In doing so, he will also learn alot more about Linux security.
I agree, but partially. Solving one problem doesn't make ppl knowledgable, unless you know what and where to look for. This isn't a newbie thing tho. A lot of professionals struggle with it too. Myself, I'm still learning, and there's A LOT I know zilch about.


Also, what is wrong with posting a few e-books,
Well, the deeper significance of this is that it's not even the "official" URI for those. NAG, SAG or whatever they're called have official URI's where they're (sposed to be) updated. My problem with posting these URI's is twofold really: they do not constitute an answer themselves (you could as well say RTM) unless you point to the relevant chapter and secondly 320 has been posting the PDF's URI twice w/o adding anything of himself, which to me means as much as being unhelpful (the NG or mailinglist way). At LQ, we gotta do more than just post URI's. As moderator I operate under the same rules. I do regularly point ppl to the LQ FAQ: Security references, but you'll usually see that in conjunction with an answer or at least me pointing to the relevant part.



*1. Nick, if you're willing, add the answer like I should have given it to him. Don't worry about completeness or failing etc, etc, it's the effort that counts IMHO. Hopefully I can learn something there too.

*2. If you've got more meta questions or want to constructively discuss spreading the nfo, you're invited to take this up with me by email. Hopefully I can learn something from you.