I have been monitoring my /var/log/message file and came across an entry that reads:

localhost portmap[9415]: connect from 63.237.56.1 to dump(): request from unauthorized host

Does this mean that someone has gotten into my system? I am running Red Hat 6.1 using ipchains and portsentry as a firewall. Any insight would be great.

Derik Whittaker
derik@graudo.com
> I have been monitoring my /var/log/message file and came across an entry that reads localhost portmap[9415]: connect from 63.237.56.1 to dump(): request from unauthorized host.
> Does this mean that someone has gotten into my system?
No, it means that your tcp-wrapper rejected this connection attempt. The authorized hosts, with the services they are allowed to connect to, are listed in /etc/hosts.allow. These kinds of messages simply tell you who tried to connect to your box. I get approx. 1-5 of these kinds of messages per day, so this is nothing to worry about. You should start worrying if you find entries of this kind repeated many times with the same IP.

Bye, Armin
--
Armin Schöch
Ziolkowskistr. 10 / 63
D-18059 Rostock
Tel. +49-(0)381-4005781

at the office:
Institut für Atmosphärenphysik
Schlossstraße 6
D-18225 Kühlungsborn
Tel. +49-(0)38293-68-102
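As an added illustration of Armin's rule of thumb (example code written for this thread, not something any participant posted): a small Python script that parses tcp-wrapper rejection lines of the kind Derik saw, counts them per source address and reports the addresses that keep coming back. The log lines are constructed, and the regexes, threshold and function names are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: the first line is the entry from Derik's post, the
# rest are made-up lines using documentation addresses (192.0.2.0/24).
SAMPLE_LOG = """\
May  7 02:13:11 localhost portmap[9415]: connect from 63.237.56.1 to dump(): request from unauthorized host
May  7 02:14:02 localhost portmap[9415]: connect from 192.0.2.10 to dump(): request from unauthorized host
May  7 02:14:05 localhost portmap[9415]: connect from 192.0.2.10 to getport(): request from unauthorized host
May  7 02:14:09 localhost portmap[9415]: connect from 192.0.2.10 to dump(): request from unauthorized host
May  7 03:40:51 localhost in.telnetd[9522]: refused connect from 192.0.2.77
May  7 04:01:17 localhost portmap[9415]: connect from 192.0.2.10 to dump(): request from unauthorized host
"""

# portmap's own wrapper message (the form quoted in the thread) ...
PORTMAP_RE = re.compile(
    r"(?P<daemon>\w+)\[\d+\]: connect from (?P<src>\S+) to (?P<proc>\w+)\(\): "
    r"request from unauthorized host")
# ... and the generic tcpd "refused connect from" message for other wrapped services.
TCPD_RE = re.compile(r"(?P<daemon>[\w.]+)\[\d+\]: refused connect from (?P<src>\S+)")

def parse_rejections(log_text):
    """Yield (source, daemon, procedure) for every rejection line; the
    procedure is None for the generic tcpd form."""
    for line in log_text.splitlines():
        m = PORTMAP_RE.search(line) or TCPD_RE.search(line)
        if m:
            yield m.group("src"), m.group("daemon"), m.groupdict().get("proc")

def rejections_by_source(log_text):
    """Return {source: number of rejections}."""
    return Counter(src for src, _, _ in parse_rejections(log_text))

def repeat_offenders(log_text, threshold=3):
    """Sources rejected at least `threshold` times: one rejection is the
    background noise Armin describes, the same address returning again and
    again is what merits a closer look."""
    return {src: n for src, n in rejections_by_source(log_text).items() if n >= threshold}

def services_probed(log_text):
    """Return {source: sorted list of daemons that refused it}, which shows
    whether one address is trying several services rather than just one."""
    seen = defaultdict(set)
    for src, daemon, _ in parse_rejections(log_text):
        seen[src].add(daemon)
    return {src: sorted(d) for src, d in seen.items()}

if __name__ == "__main__":
    for src, n in repeat_offenders(SAMPLE_LOG).items():
        print(f"{src}: {n} rejections, services {services_probed(SAMPLE_LOG)[src]}")
```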
On Mon, 7 May 2001, Armin Schöch wrote: [Re denied port access by the firewall]
> These kinds of messages simply tell you who tried to connect to your box. I get approx. 1-5 of these kinds of messages per day, so this is nothing to worry about. You should start worrying if you find entries of this kind repeated many times with the same IP.
I have two questions:

1. What would you do if you find one address scanning all your ports, block it in your firewall??

2. How do I know that there is not one attacker behind the slur of IPs that probe me? Even more so for IPs like:

nslookup 202.101.165.9
*** .. can't find 209.15.60.12.8: Non-existent host/domain

I get attempts from similar `non-existent' IPs all the time (2-6 a day).

Dirk
Those IPs exist, they just don't have in-addr.arpa properly set up (i.e. number to name resolution). As for scans, I generally ignore them. Here's my typical setup:

allow various ports like 25, 80, etc.
block tcp and udp from 1 to 20480 (yes, 20480).

and then in the network startup script:

echo 60000 65000 > /proc/sys/net/ipv4/ip_local_port_range

and voila. Very very few services use ports >20480, apart from some RPC based ones (which you should disable anyways).

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
[snip]
> and then in the network startup script:
> echo 60000 65000 > /proc/sys/net/ipv4/ip_local_port_range

[snip]

I'm asking myself whether this has any impact on masquerading, because the masq ports are 61000 - 65095. I'm sure some of you know :-)

- Martin
---
And you all know, security
Is mortals' chiefest enemy.
(Shakespeare, Macbeth)
> I'm asking myself whether this has any impact on masquerading, because the masq ports are 61000 - 65095.

nope, I mean in theory if your masq box was REALLY busy it might be an issue (i.e. ip masq'ed ports +ports from system in use >4096) but I can't see too many people running into it (and if their system is that heavily loaded they will need to be tuning ipmasq like crazy).

> I'm sure some of you know :-)
ports are ports. linux will grab the first one that's free. which pisses me off BTW, makes attacks like this possible: http://www.securityportal.com/closet/closet20010418.html
> - Martin
-Kurt
On Tue, 8 May 2001 11:47:41 -0600, Kurt Seifried wrote:
> > I'm asking myself whether this has any impact on masquerading, because the masq ports are 61000 - 65095.

> nope, I mean in theory if your masq box was REALLY busy it might be an issue (i.e. ip masq'ed ports +ports from system in use >4096) but I can't see too many people running into it (and if their system is that heavily loaded they will need to be tuning ipmasq like crazy).

Well, I guess it's better to use another port range for local connections on a firewall box, because having them in the range of 60000 up to 65000 might interfere with those firewall rules that control the masq connections. Or are there any reasons for not using a range like 55000-60000 for local ports? It might just make defining filter rules easy, wouldn't it? Just curious :-)

- Martin
> > nope, I mean in theory if your masq box was REALLY busy it might be an issue (i.e. ip masq'ed ports +ports from system in use >4096) but I can't see too many people running into it (and if their system is that heavily loaded they will need to be tuning ipmasq like crazy).

> Well, I guess it's better to use another port range for local connections on a firewall box, because having them in the range of 60000 up to 65000 might interfere with those firewall rules that control the masq connections. Or are there any reasons for not using a range like 55000-60000 for local ports? It might just make defining filter rules easy, wouldn't it?

No, they don't interfere.

> Just curious :-)
> - Martin
Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net
* Martin Brecher wrote on Wed, May 09, 2001 at 01:29 +0200:
> Well, I guess it's better to use another port range for local connections on a firewall box, because having them in the range of 60000 up to 65000 might interfere with those firewall rules that control the masq connections.

I agree, this would remove the possibility for a packet filter to distinguish between masqueraded and local connections.

> Or are there any reasons for not using a range like 55000-60000 for local ports? It might just make defining filter rules easy, wouldn't it?

I had the idea to grab the values from /proc, but of course this was a silly idea, since the firewall may be configured differently from other non-masqueraded hosts. But in a very simple environment, a single firewall-router which masquerades anything (i.e. on dialup lines), this would work.

oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
On Wednesday 09 May 2001 02:23, Kurt Seifried wrote:
> > Well, I guess it's better to use another port range for local connections on a firewall box, because having them in the range of 60000 up to 65000 might interfere with those firewall rules that control the masq connections.

> No, they don't interfere.

IMHO a packet filter like ipchains can only decide what to do with a packet by looking at this very packet. So if you get a packet without SYN flag set from somewhere to, say, port 61500, how can ipchains know if it's a response to a masqueraded request or a response to a request from a local app using this port?

Andreas Baetz
> IMHO a packet filter like ipchains can only decide what to do with a packet by looking at this very packet. So if you get a packet without SYN flag set from somewhere to, say, port 61500, how can ipchains know if it's a response to a masqueraded request or a response to a request from a local app using this port?

It is not decided by ipchains, but by the kernel. The kernel knows the masqueraded connections, and can therefore distinguish between local and masqueraded connections.

hth
Markus
--
Markus Gaugusch
markus@gaugusch.dhs.org
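To make the port-range question concrete, an added example (mine, not code from Kurt, Martin, Andreas or Markus): the classification a filter can make from the destination port alone, using Kurt's numbers (allow 25 and 80, block 1-20480) and the masquerade range 61000-65095 that Martin quotes. It shows the ambiguous band that a 60000-65000 local range creates and that Martin's 55000-60000 proposal removes; the function names and the proc-file text are my own assumptions.

```python
MASQ_PORT_RANGE = (61000, 65095)   # ipchains/2.2 masquerade port range quoted by Martin
ALLOWED_SERVICES = {25, 80}        # Kurt's "allow various ports like 25, 80"
BLOCKED_RANGE = (1, 20480)         # Kurt's "block tcp and udp from 1 to 20480"

def parse_local_port_range(proc_text):
    """Parse the contents of /proc/sys/net/ipv4/ip_local_port_range ("lo<tab>hi")."""
    fields = proc_text.split()
    if len(fields) != 2:
        raise ValueError(f"expected two numbers, got {proc_text!r}")
    lo, hi = int(fields[0]), int(fields[1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid range {lo}-{hi}")
    return lo, hi

def range_overlap(a, b):
    """Return the (lo, hi) shared by two inclusive ranges, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def classify_inbound(port, local_range, masq_range=MASQ_PORT_RANGE):
    """What a stateless rule can say about a packet arriving at `port` from the
    port number alone (Andreas's point): where the two ranges overlap it cannot
    tell a reply to a masqueraded client from a reply to a local program."""
    if port in ALLOWED_SERVICES:
        return "service"
    if BLOCKED_RANGE[0] <= port <= BLOCKED_RANGE[1]:
        return "blocked"
    in_local = local_range[0] <= port <= local_range[1]
    in_masq = masq_range[0] <= port <= masq_range[1]
    if in_local and in_masq:
        return "ambiguous"
    if in_local:
        return "local-reply"
    if in_masq:
        return "masq-reply"
    return "unused"

def check_ranges(proc_text, masq_range=MASQ_PORT_RANGE):
    """Return (local_range, overlap) so a startup script can refuse a setting
    that puts local connections inside the masquerade range."""
    local = parse_local_port_range(proc_text)
    return local, range_overlap(local, masq_range)

if __name__ == "__main__":
    for setting in ("60000\t65000", "55000\t60000"):   # Kurt's value, Martin's proposal
        local, shared = check_ranges(setting)
        print(f"local {local}: overlap with masq = {shared}, "
              f"port 61500 is {classify_inbound(61500, local)}")
```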