Hello, the organisation I work for has a new gateway to the Internet. There is a leased line (Telekom) over a Cisco 1003 which I cannot configure (because the Telekom doesn't allow it). After that there is a DMZ and a firewall built with the tools that come with SuSE Linux 6.2. The organisation is not small and there are several workstations with Win95 and NT containing ISDN cards with a connection to the Internet. In addition to that there are several AVM MPRs running, connecting the network (Novell, Linux, NT) to different cities.

The problem occurred on an internal Linux machine (behind the firewall and DMZ). Here is an excerpt of the log:

Nov 10 13:58:06 bone portmap[4177]: connect from 169.254.118.212 to getport(nfs): request from unauthorized host
Nov 10 14:20:33 bone portmap[4265]: connect from 169.254.216.71 to getport(nfs): request from unauthorized host

I could not see anything logged on my firewall and the DMZ, so I think that this is coming over a workstation. Am I right, or is it possible to come through the firewall without a trace? Could anyone help me to identify the IP addresses listed above? I would be very happy if anyone could help me!

regards
Rainer Frohne
the organisation I work for has a new gateway to the Internet. There is a leased line (Telekom) over a Cisco 1003 which I cannot configure (because the Telekom doesn't allow it).
This shouldn't be a problem, if you have a dual-homed DMZ router behind the Cisco, where you can define your firewall rules, ain't?
after that there is a DMZ and a firewall built with the tools that come with SuSE Linux 6.2.
The organisation is not small and there are several workstations with Win95 and NT containing ISDN cards with a connection to the Internet.
Horrible. Do you have a firewall between the Win LAN and your important networks?
In addition to that there are several AVM MPRs running, connecting the network (Novell, Linux, NT) to different cities.
But these routers don't route non-private traffic, I mean, they route to the LANs only, ain't? I hope you are not using OSPF or similar; in this case you may get Internet traffic from your facilities, too (AFAIK the AVM MPR hasn't a packet filter, has it? Did you configure it?)
The problem occurred on an internal Linux machine (behind the firewall and DMZ).
Nov 10 13:58:06 bone portmap[4177]: connect from 169.254.118.212 to getport(nfs): request from unauthorized host
Nov 10 14:20:33 bone portmap[4265]: connect from 169.254.216.71 to getport(nfs): request from unauthorized host
I could not see anything logged on my firewall and the DMZ, so I think that this is coming over a workstation. Am I right, or is it possible to come through the firewall without a trace?
Are you sure that your firewall prohibits (or logs) portmapper packets? In any case, do a traceroute from the "bone" host. To get a connect for a service, it's necessary to do a three-way handshake; usually the incoming and outgoing route shouldn't differ (USUALLY. You could configure anything!). You may get a hint for the leak (if you have one!). You should take a shell on a host outside your networks, and try an rpcinfo -p bone.your.net. If you don't have a shell account outside your network, contact me with PM (@t-online suggests German language, use it, if possible).
Could anyone help me to identify the IP addresses listed above?
I would be very happy if anyone could help me!
... they aren't in DNS (in-addr.arpa), they aren't in the RIPE database... Sorry, I don't have access to the American net info, don't know a server name... oki, Steffen -- This letter was generated by machine and therefore bears neither signature nor seal.
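The "request from unauthorized host" text in Rainer's log is what portmap writes when its built-in tcp_wrappers (hosts_access) check turns a caller away, so the portmapper on bone is already refusing these requests. As an added illustration (not from anyone in this thread) of the two files that drive that check, here is a restrictive pair; the internal subnet 192.168.1.0/24 is an assumption for the example, not a value from the thread.

```text
# /etc/hosts.deny  -- consulted after hosts.allow; the first matching rule wins,
# so everything not explicitly allowed is refused and logged as
# "request from unauthorized host"
portmap: ALL

# /etc/hosts.allow -- only the internal subnet (assumed 192.168.1.0/24 for this
# example) may query the portmapper. portmap does not resolve host names when
# it evaluates these files, so use numeric addresses and network/mask pairs.
portmap: 192.168.1.0/255.255.255.0
```

This only decides whether portmap answers a request that has already reached port 111; it says nothing about whether that port is reachable from outside, which is exactly what Steffen's rpcinfo -p from an external host would show. A 169.254.x.x source is outside any such allow rule, so these rejections are expected even with a correct configuration.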
At 21.11 14/11/1999 +0100, Steffen Dettmer wrote:
Could anyone help me to identify the IP addresses listed above?
I would be very happy if anyone could help me!
... they aren't in DNS (in-addr.arpa), they aren't in the RIPE database... Sorry, I don't have access to the American net info, don't know a server name...
after many intrusion attempts into my server, I learned a couple of tricks .. the main whois servers to look up an IP address are: whois.arin.net, whois.apnic.net, whois.ripe.net

=> whois 169.254.216.71@whois.arin.net
[whois.arin.net]
Internet Assigned Numbers Authority (IANA) (NETBLK-LINKLOCAL)
   For use with Link Local Networks
   Information Sciences Institute
   University of Southern California
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695

   Netname: LINKLOCAL
   Netblock: 169.254.0.0 - 169.254.255.255

   Coordinator:
      Internet Assigned Numbers Authority (IANA-ARIN)  iana@IANA.ORG
      (310) 823-9358
      Fax- (310) 823-8649

   Domain System inverse mapping provided by:

   BLACKHOLE.ISI.EDU 128.9.64.26

   Record last updated on 14-Oct-1999.
   Database last updated on 15-Nov-1999 03:50:44 EDT.

---------------------------------------
Massimo Ferrario
Inforeti snc
via Pellizzo, 39 - 35100 Padova (Italy)
http://www.inforeti.it
You may find that the problem is a machine set to DHCP. Under the MS implementation of DHCP, if there is not a response from a DHCP server within a set amount of time, it will assign itself a unique address from the range that shows in your log. Check your local machines and verify that none are set to obtain an IP address automatically.
Shawn Fox
fox@lords.com
----- Original Message -----
From: Edeltraud und Rainer Frohne
Hello,
the organisation I work for has a new gateway to the Internet. There is a leased line (Telekom) over a Cisco 1003 which I cannot configure (because the Telekom doesn't allow it). After that there is a DMZ and a firewall built with the tools that come with SuSE Linux 6.2.
The organisation is not small and there are several workstations with Win95 and NT containing ISDN cards with a connection to the Internet. In addition to that there are several AVM MPRs running, connecting the network (Novell, Linux, NT) to different cities.
The problem occurred on an internal Linux machine (behind the firewall and DMZ).
Here is an excerpt of the log:
Nov 10 13:58:06 bone portmap[4177]: connect from 169.254.118.212 to getport(nfs): request from unauthorized host
Nov 10 14:20:33 bone portmap[4265]: connect from 169.254.216.71 to getport(nfs): request from unauthorized host
I could not see anything logged on my firewall and the DMZ, so I think that this is coming over a workstation. Am I right, or is it possible to come through the firewall without a trace?
Could anyone help me to identify the IP addresses listed above?
I would be very happy if anyone could help me!
regards
Rainer Frohne
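Massimo's whois answer and Shawn's DHCP explanation point the same way: 169.254.0.0/16 is the IANA LINKLOCAL block, and a Windows client that gets no DHCP reply assigns itself an address from it. The following is an added example, not code from anyone in this thread, that parses portmap rejection lines of the form Rainer posted and buckets each source address as link-local, RFC 1918 private, or public, with a triage hint per class. The sample log is constructed: the two lines from the thread plus two invented ones (sources 192.168.7.44 and 198.51.100.23) so that every branch is exercised.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the two lines Rainer posted, plus two made-up lines
# (a private and a public source address) so every branch below is exercised.
SAMPLE_LOG = """\
Nov 10 13:58:06 bone portmap[4177]: connect from 169.254.118.212 to getport(nfs): request from unauthorized host
Nov 10 14:20:33 bone portmap[4265]: connect from 169.254.216.71 to getport(nfs): request from unauthorized host
Nov 10 15:02:10 bone portmap[4301]: connect from 192.168.7.44 to getport(mountd): request from unauthorized host
Nov 10 15:40:51 bone portmap[4388]: connect from 198.51.100.23 to getport(nfs): request from unauthorized host
"""

# Shape of a portmap (tcp_wrappers) rejection line as it appears in the thread.
PORTMAP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"portmap\[(?P<pid>\d+)\]: connect from (?P<src>\d+(?:\.\d+){3}) "
    r"to (?P<call>\w+)\((?P<prog>\w+)\): (?P<result>.+)$"
)

# 169.254.0.0/16 is the IANA LINKLOCAL block from the whois answer; Windows
# self-assigns from it (APIPA) when no DHCP server answers.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# RFC 1918 private ranges, which an internal LAN would normally use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HINTS = {
    "link-local": "self-assigned (APIPA) address: a DHCP client that found no "
                  "DHCP server; not routable, so look for the machine on the "
                  "same segment as the logging host",
    "private": "internal address: identify the host and check why it is "
               "querying the portmapper",
    "public": "Internet address: the packet crossed the gateway, so the "
              "firewall/DMZ logs should show it; if they do not, filtering "
              "or logging on that path needs checking",
}


def classify(addr):
    """Bucket a dotted-quad source address as link-local, private or public."""
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:   # test first: ipaddress.is_private also matches this block
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def parse_portmap_line(line):
    """Return the fields of a portmap rejection line, or None for any other line."""
    m = PORTMAP_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["class"] = classify(rec["src"])
    rec["hint"] = HINTS[rec["class"]]
    return rec


def triage(log_text):
    """Parse every portmap rejection in a syslog excerpt and tag its source address."""
    return [r for r in map(parse_portmap_line, log_text.splitlines()) if r]


def summarize(records):
    """Count rejections per address class, e.g. {'link-local': 2, ...}."""
    return Counter(r["class"] for r in records)


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(f"{r['ts']} {r['src']:<16} {r['call']}({r['prog']}) -> "
              f"{r['class']}: {r['hint']}")
    print(dict(summarize(recs)))
```

Link-local addresses are not supposed to be forwarded by routers, so a rejection from 169.254.x.x means the sender sits on the logging host's own segment (or behind a router that does not filter such sources), which fits Rainer's observation that neither the firewall nor the DMZ logged anything. The public-address branch is the case where silence in the gateway logs would actually be worrying.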
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
participants (4)
- E_u_R_Frohne@t-online.de
- Massimo Ferrario
- S. Fox
- Steffen Dettmer