rjwohlfar@bigfoot.com wrote:
I am trying to figure out if these log entries are an attack, or if the Squid proxy is causing them. I'd appreciate any suggestions on their cause...
These entries have been appearing for over a month. And they consistently appear every time I dial in (it's a dial-up ISP). The source address is always 222.22.22.22:53 or 222.22.22.25:53.
The IP addresses 222.22.22.22 and 222.22.22.25 represent my ISP's DNS servers. I changed their real addresses to "222.22.22.22/25". But the log entries always come from the same two IP addresses.
This is a dial-up ISP, so my IP address changes every time. I understand that these packets are coming from port 53 (DNS). They always come from port 53, but the target port will change every time I dial in. For example, tomorrow the target address may be 222.22.22.44:111.
Is Squid making some request, and the firewall blocks the response? Thanks, in advance.
-- Robert Wohlfarth
------ Forwarded message ------

Dec 9 01:31:27 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=121 S=0x00 I=23121 F=0x0000 T=125 (#27)
Dec 9 01:31:32 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=121 S=0x00 I=27106 F=0x0000 T=126 (#27)
Dec 9 01:31:37 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=46417 F=0x0000 T=126 (#27)
Dec 9 01:31:40 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=77 S=0x00 I=16874 F=0x0000 T=126 (#27)
Dec 9 01:31:43 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=49233 F=0x0000 T=126 (#27)
Dec 9 01:31:49 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=77 S=0x00 I=15348 F=0x0000 T=126 (#27)
Dec 9 01:31:55 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=59473 F=0x0000 T=126 (#27)
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi,

The log entries indicate that your firewall is silently dropping (DENY) UDP packets (PROTO=17) from the DNS port (:53) of the given source IP address. If the source IP addresses match those of your DNS servers at your favorite ISP, this is probably not what you want. In this case your "rc.firewall" script appears to be faulty.

Assuming your Linux box does DNS lookups as a client using your ISP DNS servers, your "rc.firewall" script should contain entries similar to the following (one for each 'N'):

#
# Snippets from the "rc.firewall" script which is run automatically by
# virtue of the symbolic link:
#
#   ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# This is done immediately after "pppd" brings IPCP up (see man "pppd").
# Our external interface's IP address is made available to us via the 4th
# parameter on the command-line.
#
#--
EXTERNAL_INTERFACE="$1"        # Tell the script we use PPP.
TTY_DEVICE="$2"                # The serial device used.
MODEM_SPEED="$3"               # Speed of connection.
IPADDR="$4"                    # Our IP address this time around.
REMOTE_IP="$5"                 # Other end of the PPP link.
UNPRIVPORTS="1024:65535"       # Unprivileged port range.
#--
NAMESERVER_N="aaa.bbb.ccc.ddd" # IP address of DNS server 'N'

# UDP: our queries out to server 'N', and its replies back to our
# unprivileged client port. ipchains keeps no connection state, so the
# reply direction must be allowed explicitly.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_N 53 -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
    -s $NAMESERVER_N 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# TCP (used for large answers): "! -y" accepts only non-SYN packets, so
# the server can answer a connection we opened but cannot open one to us.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_N 53 -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NAMESERVER_N 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

Presumably, you already have "output" rules in place which permit DNS requests from your Linux client to traverse the firewall. The "input" rules above will permit your DNS client to receive the DNS responses from the servers which are currently being blocked.

Hope this helps -

Les Catterall
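The following is an added example, not code from either mail. It parses ipchains "Packet log:" lines of the format Robert posted and applies the same criteria that the "input ... ACCEPT" rules in Les's snippet encode (UDP or TCP, source port 53, source address one of the configured resolvers, destination our PPP address on an unprivileged port, and for TCP not a SYN), so that each blocked entry can be labelled as either a legitimate reply to our own query or something that deserves a look. The sample log is constructed: the first three lines copy the posted entries, the last two are invented to exercise the other branches. The local address 222.22.22.11 and the resolver set are assumptions taken from the post; the "(#27)" suffix is read as the number of the ipchains rule that matched.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample log: three lines in the posted format plus two
# invented ones (an unknown host on port 53, and a TCP SYN from port 53).
SAMPLE_LOG = """\
Dec 9 01:31:27 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=121 S=0x00 I=23121 F=0x0000 T=125 (#27)
Dec 9 01:31:32 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=121 S=0x00 I=27106 F=0x0000 T=126 (#27)
Dec 9 01:31:37 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=46417 F=0x0000 T=126 (#27)
Dec 9 01:32:02 noah kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.7:53 222.22.22.11:1187 L=77 S=0x00 I=11111 F=0x0000 T=57 (#27)
Dec 9 01:32:10 noah kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:53 222.22.22.11:111 L=60 S=0x00 I=22222 F=0x4000 T=48 SYN (#27)
"""

# ipchains kernel log layout (assumed from the posted lines):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> [SYN] (#<rule>)
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)

UDP, TCP = 17, 6
DNS_PORT = 53
UNPRIV_LOW, UNPRIV_HIGH = 1024, 65535   # matches UNPRIVPORTS="1024:65535"


@dataclass(frozen=True)
class PacketLogEntry:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    syn: bool
    rule: Optional[int]


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Parse one syslog line; return None for lines that are not packet logs."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    return PacketLogEntry(
        chain=m["chain"], target=m["target"], iface=m["iface"],
        proto=int(m["proto"]),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        length=int(m["length"]), ttl=int(m["ttl"]),
        syn=m["syn"] is not None,
        rule=int(m["rule"]) if m["rule"] else None,
    )


def classify(e: PacketLogEntry, our_ip: str, nameservers: Set[str]) -> str:
    """Label an entry the way the 'input ... ACCEPT' DNS rules would judge it.

    'dns-reply-blocked'  reply to our own query from a configured resolver,
                         dropped only because no input rule accepts it
    'dns-tcp-syn'        TCP connection attempt from port 53 (what '! -y' rejects)
    'dns-unknown-server' port-53 traffic from a host that is not our resolver
    'dns-priv-dport'     aimed at a privileged port our client never queries from
    'not-dns' / 'not-ours' everything else
    """
    if e.dst != our_ip:
        return "not-ours"
    if e.proto not in (UDP, TCP) or e.sport != DNS_PORT:
        return "not-dns"
    if e.proto == TCP and e.syn:
        return "dns-tcp-syn"
    if e.src not in nameservers:
        return "dns-unknown-server"
    if not (UNPRIV_LOW <= e.dport <= UNPRIV_HIGH):
        return "dns-priv-dport"
    return "dns-reply-blocked"


def summarize(log_text: str, our_ip: str, nameservers: Set[str]) -> Counter:
    """Count DENY entries per label; non-packet-log lines are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.target != "DENY":
            continue
        counts[classify(e, our_ip, nameservers)] += 1
    return counts


if __name__ == "__main__":
    resolvers = {"222.22.22.22", "222.22.22.25"}   # assumed from the post
    for label, n in sorted(summarize(SAMPLE_LOG, "222.22.22.11", resolvers).items()):
        print(f"{n:3d}  {label}")
```

Two caveats when using this on real logs. ipchains is stateless, so the script cannot know whether a query actually went out; "dns-reply-blocked" rests only on the source being a resolver from /etc/resolv.conf and the destination being an ephemeral port, and a source port of 53 is trivially spoofable, so a burst of such entries from an address that is not your resolver is the case to investigate rather than whitelist. And the resolver set should be the addresses in /etc/resolv.conf for the current dial-up session, since a dial-up ISP may hand out different ones.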