I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently using or listening on those ports.

Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51)
Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51)
Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51)

What does it mean that the firewall accepted a SYN packet from HSE-Kitchener-ppp233156.sympatico.ca? And does the L or the T signify the protocol line? Anyway, does this correspond to this (/etc/protocols)?

ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6

And since I'm not running IPv6, what is the scanner attempting to do to me? I've seen this network on my box before. Are they a known bunch of id10t's?
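As an added example (not from the thread), a small Python decoder for the ipchains packet-log format quoted above: it splits each field out, which shows that PROTO= carries the protocol (6 = TCP), T= is the TTL rather than a protocol number from /etc/protocols, and (#51) is the matching rule, and it counts accepted SYNs per source and port. The redacted <ISP-given IP> is replaced by the documentation address 192.0.2.1.

```python
import re
from collections import Counter

# Field layout of an ipchains "Packet log:" line (written by the -l flag):
#   <chain> <target> <iface> PROTO=<IP protocol> <src>:<sport> <dst>:<dport>
#   L=<total IP length> S=<TOS byte> I=<IP identification> F=<fragment field>
#   T=<TTL> [SYN] (#<number of the rule that matched>)
# So PROTO=6 is TCP, T=44 is the TTL (not protocol 44 from /etc/protocols)
# and (#51) names the rule that produced the ACCEPT.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The three log lines from the post; the poster's redacted <ISP-given IP> is
# replaced by the documentation address 192.0.2.1 (constructed stand-in).
SAMPLE_LOG = """\
Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 192.0.2.1:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51)
Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 192.0.2.1:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51)
Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 192.0.2.1:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51)
"""

def parse_line(line):
    """Decode one log line into a dict, or None if it is not a packet log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        d[key] = int(d[key])
    d["tos"], d["frag"] = int(d["tos"], 16), int(d["frag"], 16)
    d["syn"] = d["syn"] is not None          # SYN set, ACK clear: a new connection attempt
    d["proto_name"] = IP_PROTO.get(d["proto"], str(d["proto"]))
    return d

def accepted_syns(log_text):
    """Count accepted SYNs per (src, dst, dport, rule). Repeated hits on one port
    from one source, as here, are an inbound connection attempt the firewall let
    through; ACCEPT only says rule #N passed it, not that anything was listening."""
    hits = Counter()
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if entry["syn"] and entry["target"] == "ACCEPT":
            hits[(entry["src"], entry["dst"], entry["dport"], entry["rule"])] += 1
    return hits
```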
On 11-Feb-01 Kevin Creason wrote:
> I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently using or listening on those ports.
>
> Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51)
> Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51)
> Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51)
>
> What does it mean that the firewall accepted a SYN packet from HSE-Kitchener-ppp233156.sympatico.ca? And does the L or the T signify the protocol line? Anyway, does this correspond to this (/etc/protocols)?
>
> ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
>
> And since I'm not running IPv6, what is the scanner attempting to do to me? I've seen this network on my box before. Are they a known bunch of id10t's?
Port 1243 is known to be used by trojan horses like BackDoor-G, SubSeven, Apocalypse and Tiles. Refer to www.simovits.com for a list of well known trojans and their preferred ports.

As these are Windows trojans your nodes may not be affected if they all run Linux/Unix, but you would be better off closing these and other ports by implementing decent firewalling, say via the SuSE firewall or some other usable scripts.
---
Boris Lorenz
I AM using SuSEfirewall 4.2 on SuSE 6.4.
I ran the install... and configured it using YaST. Is there a better way?
While we're on the subject, YaST appears to have some problems displaying
text and descriptions.
I even ran ipchains with these arguments:
/sbin/ipchains -A input -p TCP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
/sbin/ipchains -A input -p UDP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
/sbin/ipchains -A input -p ICMP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
but apparently these scans are accepted before the new lines. I figured that
those lines would break something for sure.
What is the syntax to redirect a port-- like 80 to squid's incoming port?
Hi Kevin,

On 12-Feb-01 Kevin Creason wrote:

> I AM using SuSEfirewall 4.2 on SuSE 6.4. I ran the install... and configured it using YaST. Is there a better way? While we're on the subject, YaST appears to have some problems displaying text and descriptions.
>
> I even ran ipchains with these arguments:
>
> /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
> /sbin/ipchains -A input -p UDP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
> /sbin/ipchains -A input -p ICMP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
>
> but apparently these scans are accepted before the new lines. I figured that those lines would break something for sure.
After booting, do an ipchains -n -L and list all your rules. You may see some input/forward/output chains. If you want to experiment with an empty ipchains ruleset, do ipchains -F, which flushes (deletes) all rules. Then, to achieve a total block, you could do

ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY

Likewise, if you want to open up everything, replace DENY with ACCEPT. Also make sure your firewall scripts (SuSE or other) are properly set up. It's best to deny everything and then only let through what is needed (www, ftp, telnet, ssh, etc.).

> What is the syntax to redirect a port-- like 80 to squid's incoming port?
try this for transparent proxying:
ipchains -A input -p tcp -d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p tcp -d your.ip.sub.net/24 www -j ACCEPT
ipchains -A input -p tcp -d 0/0 www -j REDIRECT 3128
These lines redirect local and network traffic destined to www (80) to squid's
port. Don't forget to include transparent proxying in your kernel.
[...]
---
Boris Lorenz
* Kevin Creason wrote on Mon, Feb 12, 2001 at 17:22 -0600:
> I even ran ipchains with these arguments:
>
> /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
> /sbin/ipchains -A input -p UDP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
> /sbin/ipchains -A input -p ICMP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY

That still allows a lot (all other IP protocols). Ports make no sense for ICMP. To drop anything you could use:

/sbin/ipchains -A input -i ppp0 -l -j DENY

But at least for ident/auth I would suggest using REJECT to avoid long timeouts. You shouldn't block all ICMP types (at least some type 3 - dest unreach - should be allowed, at least if not fragmented).

> but apparently these scans are accepted before the new lines. I figured that those lines would break something for sure.

If you're really paranoid you could use:

/sbin/ipchains -A input $ALLOWED_OPTIONS -i ppp0 -l -j ACCEPT

to log allowed packets too, but you will get a lot of logs.

> What is the syntax to redirect a port-- like 80 to squid's incoming port?

Use rinetd or, from man ipmasqadm:

ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
ipmasqadm mfw -I -m 1 -r hostA 80

(untested)

oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
Hi, not directly to what Steffen has written, but Steffen Dettmer:
> * Kevin Creason wrote on Mon, Feb 12, 2001 at 17:22 -0600:
> > I even ran ipchains with these arguments:
> >
> > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
> > /sbin/ipchains -A input -p UDP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
> > /sbin/ipchains -A input -p ICMP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY

If you 'A'ppend your rules to your ipchains, the short-circuiting will allow any packet that matches another rule with a lower ipchains number (ipchains -L -v --line-numbers). Try to 'I'nsert them instead, as rule number 1: (ipchains -I input 1 ...)

> That still allows a lot (all other IP protocols). Ports make no sense for ICMP. To drop anything you could use:
>
> /sbin/ipchains -A input -i ppp0 -l -j DENY
>
> If you're really paranoid you could use:
>
> /sbin/ipchains -A input $ALLOWED_OPTIONS -i ppp0 -l -j ACCEPT
>
> to log allowed packets too, but you will get a lot of logs.

Same as above. You will not see any log entries for accepted packets.

Peter Wiersig
* Peter Wiersig wrote on Tue, Feb 13, 2001 at 12:09 +0100:
> If you 'A'ppend your rules to your ipchains, the short-circuiting will allow any packet that matches another rule with a lower ipchains number (ipchains -L -v --line-numbers).
> Try to 'I'nsert them instead, as rule number 1: (ipchains -I input 1 ...)

Of course it's taken out of context here. A setup script needs to remove unwanted entries, of course. Inserting rules from a script is not always the best, since the order is reversed by that.

> > /sbin/ipchains -A input $ALLOWED_OPTIONS -i ppp0 -l -j ACCEPT
>
> Same as above. You will not see any log entries for accepted packets.

You mean: you will not see any log entries for packets accepted by a rule before that, right? Of course a rule does nothing if it does not get hit :)

oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
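To make Peter's ordering point and Steffen's reversal caveat concrete, here is an added Python model of first-match evaluation in an ipchains chain (example code, not from the thread). The broad ACCEPT rule standing in for whatever the SuSE firewall script had already installed is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
@dataclass
class Rule:
    # One ipchains rule; None in a criterion means "match anything".
    target: str                               # ACCEPT, DENY or REJECT
    iface: Optional[str] = None               # -i ppp0
    proto: Optional[str] = None               # -p tcp|udp|icmp
    dport: Optional[Tuple[int, int]] = None   # destination port range lo:hi
    def matches(self, pkt):
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or self.dport[0] <= pkt["dport"] <= self.dport[1]))

@dataclass
class Chain:
    # First matching rule wins; if none matches, the policy (ipchains -P) decides.
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)
    def append(self, rule):                   # ipchains -A input ...
        self.rules.append(rule)
    def insert(self, rule, pos=1):            # ipchains -I input <pos> ... (1-based)
        self.rules.insert(pos - 1, rule)
    def verdict(self, pkt):
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                return rule.target, n         # n is the (#n) shown in the packet log
        return self.policy, None

# The logged packet: a TCP SYN arriving on ppp0 for port 1243 (constructed from the post).
SYN_TO_1243 = {"iface": "ppp0", "proto": "tcp", "dport": 1243}
# Stand-in for a broad ACCEPT already installed by the firewall script (assumed).
SCRIPT_ACCEPT = Rule("ACCEPT", iface="ppp0", proto="tcp", dport=(0, 65535))
KEVIN_DENY = Rule("DENY", iface="ppp0", proto="tcp", dport=(0, 65535))

def deny_verdict(how):
    """how="append" mimics ipchains -A; how="insert" mimics ipchains -I input 1."""
    chain = Chain()
    chain.append(SCRIPT_ACCEPT)
    if how == "append":
        chain.append(KEVIN_DENY)              # lands after the ACCEPT, never reached
    else:
        chain.insert(KEVIN_DENY, pos=1)       # evaluated before the ACCEPT
    return chain.verdict(SYN_TO_1243)

def script_insert_order(targets):
    """Inserting each rule at position 1 from a script reverses the written order."""
    chain = Chain(policy="DENY")
    for target in targets:
        chain.insert(Rule(target), pos=1)
    return [r.target for r in chain.rules]
```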