Hello all, I have a strange problem. I keep watch on a network belonging to a non-profit org at which there is one hardware firewall (Linksys) that is an embedded Linux (I think). The computers were logged off yet I saw that three of the computers made a TCP connection to the net. How is it possible to make this connection if the computers are logged off? Is this a fault with the firewall, or is it possible for a logged-off computer to make an outgoing connection? Any suggestions will be gratefully received. Yours...Ben :D -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
On Tuesday 28 September 2004 06:40 pm, Ben wrote:
Logged off, or turned off? Makes a big difference. Many NICs nowadays are always hot, so that you can use wake-on-LAN. But they should not make an outgoing connection. -- John Andersen
On Mon, 27 Sep 2004 23:45:01 -0800, John Andersen <jsa@pen.homeip.net> wrote:
Um, logged off. Can they do that while logged off? Thank you for your reply.
I've seen many MS Windows machines make outgoing connections even when logged off, especially if they have spyware or some kind of malware installed on them. For a Unix/Linux machine, there are many possibilities, including scheduled cron/at jobs, daemons listening in the background that need some kind of connectivity, etc... Noah.
On Tue, 28 Sep 2004 10:59:30 +0300 (EAT), Noah Sematimba <sematin@mtn.co.ug> wrote:
Thank you for your reply. Yes, I know that is true with Linux, but it seems that it is MS that is causing the offending here. I know this is suse-security, but is there anything you could suggest to find out why this is happening? I will be changing over to SuSE, but to be able to show my boss how MS is the cause would help in the move over to SuSE. Also I seem to not be able to use SuSE at home as a firewall/router. I have two SuSE 9.1 boxes and I want to use SuSE (box 1) eth0=cable modem to eth1=(SuSE 2), but I caint seem to share inet access? Is there ICS for SuSE? I caint find even a setting for it? Could you help me with this? Thank you if you can + thank you if ya caint, lol. Yours...Ben
Hi Ben,
Yes, I know that is true with Linux, but it seems that it is MS that is causing the offending here. I know this is suse-security, but is there anything you could suggest to find out why this is happening? I will be changing over to SuSE, but to be able to show my boss how MS is the cause would help in the move over to SuSE.
--> Even if the computer is logged off, the services are still running. See "Control Panel", "Administrative Tools", "Services". These may include for example a VNC server, so you can connect to the VNC server from remote even if no user is currently logged in to the machine. Can you tell us some more details about the outgoing connections, like protocol (TCP or UDP), source and destination ports? This would help to understand where it may have come from.
Armin
--
Am Hasenberg 26, D-18209 Bad Doberan, Tel. ++49-(0)38203/42137
Email: schoech@iap-kborn.de, WWW: http://armins.cjb.net/
office: Institut für Atmosphärenphysik, Schloss-Straße 6, D-18225 Kühlungsborn / GERMANY
Tel. +49-(0)38293-68-102, Fax. +49-(0)38293-68-50
On Mon, 27 Sep 2004 23:45:01 -0800, John Andersen <jsa@pen.homeip.net> wrote:
The computers are MS Pro & SuSE 9.1.
On Mon, 27 Sep 2004 23:45:01 -0800, John Andersen <jsa@pen.homeip.net> wrote:
I have set up another SuSE as a firewall to another node on the network and they are so impressed I nearly have the go-ahead to convert the lot to SuSE. But to find out why this logged-off problem is happening would help me explain to them why this has happened. Could it be a fault in the hardware or something like a false positive/reading???
On Tuesday 28 September 2004 06:57 pm, Ben wrote:
Just because the user is logged off does not mean the computer is doing nothing. Both Windows and Linux have dozens of programs running even when all users are logged off.
If you want them off, POWER THEM DOWN.
Any number of things can be going on...
Checking for updates
Renewing their dynamic IPs
Synchronizing clocks
Electing browse masters
Answering ARP requests...
Spewing spam from a spam bot...
--- The list goes on and on...
If the machine is on, it's doing something; if you don't like that, you have to turn it off. Power down. Pull the plug.
Ben, I'm a little worried about you. You talk like you are setting up your own IT department but then you come with a question like this... Scares me!
-- John Andersen
On Tue, 28 Sep 2004 00:33:12 -0800, John Andersen <jsa@pen.homeip.net> wrote:
Yes, I try and tell people to shut down, but alas, no luck. Drives me up the wall, lol.
On Tue, 28 Sep 2004 00:33:12 -0800, John Andersen <jsa@pen.homeip.net> wrote:
What you on about, own IT department? I'm just asking a question. Ya lost me there :D
On Tue, 28 Sep 2004 00:33:12 -0800, John Andersen <jsa@pen.homeip.net> wrote:
I think my question has been answered well, thank you. But I still caint get an answer on how to get ICS working on SuSE? Is there ICS on SuSE? There must be, I just caint find where or how to activate it? Anyone know?
On Tuesday 28 September 2004 07:43 pm, Ben wrote:
But I still caint get an answer on how to get ICS working on SuSE?
It's can't. Or cannot. It's never caint.
Is there ICS on SuSE? There must be, I just caint find where or how to activate it?
ICS? Even Google yields no clue. -- John Andersen
On Tue, 28 Sep 2004, John Andersen wrote:
I think he means "Internet Connection Sharing" :-) Noah.
On Tue, 28 Sep 2004 12:13:34 +0300 (EAT), Noah Sematimba <sematin@mtn.co.ug> wrote:
YUP, that's what I mean!!!
On Tue, 28 Sep 2004 01:06:37 -0800, John Andersen <jsa@pen.homeip.net> wrote:
WHAT GOOGLE R U USING?????
On Tuesday 28 September 2004 08:24 pm, Ben wrote:
Heh... Caught me. I was googling ICS and LINUX, and couldn't find any meaningful hits. I couldn't believe you would know about Windows ICS and STILL be confused as to why a machine with no one logged in would try to contact the net... You acted like you didn't know about daemons which run with no one logged in (like ICS). -- John Andersen
Well, we don't call it "ICS". However, try taking a look at /etc/sysconfig/SuSEfirewall2; it should do all that you want as far as sharing your connection at home is concerned. As for the original question: you need to look at the traffic that is being spewed out and see what the source IP addresses are, destination IP addresses, destination ports, etc., and then you will be able to tell what kind of traffic this is. Noah. On Tue, 28 Sep 2004, Ben wrote:
-- Check the headers for your unsubscription address. For additional commands, e-mail: suse-security-help@suse.com. Security-related bug reports go to security@suse.de, not here.
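Armin and Noah both give the same next step: look at the protocol, source, destination and port of each connection the logged-off machines make, and match it to a service. The script below is an added example (not code from the thread or from SuSE) that does that triage on firewall log lines. It assumes the iptables LOG format (SRC=, DST=, PROTO=, DPT= fields) that a Linux firewall such as SuSEfirewall2 writes to the kernel log; the SFW2 log prefix, the port table and all addresses in the sample are constructed.

```python
"""Summarise outbound flows per LAN host from firewall log lines.

Added example: parse iptables LOG lines (KEY=VALUE fields), group the
flows by source host and label the destination port, so traffic from a
machine nobody is logged in to can be attributed to a service.
"""
import re
from collections import defaultdict

# Destination ports a logged-off host may legitimately use (the update
# checks, DHCP renewals, clock sync and browse-master elections mentioned
# in the thread).  Anything else is reported as "unknown" for follow-up.
# Constructed table, not an exhaustive one.
KNOWN_PORTS = {
    ("TCP", 80): "http (web / update checks)",
    ("TCP", 443): "https (web / update checks)",
    ("UDP", 53): "dns",
    ("UDP", 123): "ntp (clock sync)",
    ("UDP", 67): "dhcp (lease renewal)",
    ("UDP", 137): "netbios-ns (browse master election)",
    ("TCP", 25): "smtp (unusual for a workstation; check for a spam bot)",
}

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return src/dst/proto/spt/dpt for one iptables LOG line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None  # ICMP or truncated lines carry no port: skip them
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"].upper(),
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields["DPT"]),
    }


def describe_port(proto, dpt):
    """Label a (protocol, destination port) pair; 'unknown' if not in the table."""
    return KNOWN_PORTS.get((proto, dpt), "unknown")


def summarize(lines):
    """Map source host -> {(proto, dst, dpt): number of logged packets}."""
    flows = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec:
            flows[rec["src"]][(rec["proto"], rec["dst"], rec["dpt"])] += 1
    return {src: dict(f) for src, f in flows.items()}


def report(lines):
    """One line per (host, flow); '!' marks flows that deserve a closer look."""
    out = []
    for src, flows in sorted(summarize(lines).items()):
        for (proto, dst, dpt), n in sorted(flows.items()):
            label = describe_port(proto, dpt)
            flag = "!" if label == "unknown" or "unusual" in label else " "
            out.append(f"{flag} {src} -> {dst}:{dpt}/{proto} x{n}  {label}")
    return out


# Constructed sample log: three LAN hosts, RFC 5737 test addresses outside.
SAMPLE_LOG = [
    "Sep 28 06:40:01 fw kernel: SFW2-FWDint-ACC IN=eth1 OUT=eth0 "
    "SRC=192.168.1.10 DST=192.0.2.50 LEN=48 PROTO=TCP SPT=1034 DPT=80",
    "Sep 28 06:40:05 fw kernel: SFW2-FWDint-ACC IN=eth1 OUT=eth0 "
    "SRC=192.168.1.10 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=123 DPT=123",
    "Sep 28 06:41:10 fw kernel: SFW2-FWDint-ACC IN=eth1 OUT=eth0 "
    "SRC=192.168.1.11 DST=192.0.2.80 LEN=48 PROTO=TCP SPT=2201 DPT=25",
    "Sep 28 06:41:11 fw kernel: SFW2-FWDint-ACC IN=eth1 OUT=eth0 "
    "SRC=192.168.1.11 DST=192.0.2.80 LEN=48 PROTO=TCP SPT=2202 DPT=25",
    "Sep 28 06:42:00 fw kernel: SFW2-FWDint-ACC IN=eth1 OUT=eth0 "
    "SRC=192.168.1.12 DST=192.0.2.99 LEN=48 PROTO=TCP SPT=3300 DPT=6667",
    "Sep 28 06:42:30 fw kernel: SFW2-FWDint-ACC IN=eth1 OUT=eth0 "
    "SRC=192.168.1.12 DST=192.0.2.99 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it real lines with `grep SFW2 /var/log/messages` once logging of forwarded traffic is enabled on the SuSE firewall; the flagged hosts are the ones to inspect in the Services panel Armin mentions.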
On Tue, 28 Sep 2004 12:12:11 +0300 (EAT), Noah Sematimba <sematin@mtn.co.ug> wrote:
OK Noah, thank you very much, I will take that advice. Thanks for your time, I appreciate it a lot. All questions answered. Thanks for your patience. Have a great day and keep up the great work that you do. Yours...Ben
On Tue, 28 Sep 2004 12:12:11 +0300 (EAT), Noah Sematimba <sematin@mtn.co.ug> wrote:
WAHOOOOO, that worked! I have a SuSE firewall/router (ICS). Thank you, very very much. All questions answered. Excellent. Thanks, bye. Yours...Ben
Ben, security is HARD... there are just too many variables. The OS is just one variable. That said, many Linux distributions are not very secure out of the box (some are, though). However, they can be made more secure. I work from the assumption that Linux is no more secure than the average Windows 98 installation. Though this is hyperbole, I build the box up from there. You really should acquire several books on Linux security and implement the basics. Go to www.tldp.org. This is The Linux Documentation Project. Click on "GUIDES" and scroll down to "Securing and Optimizing Linux". Read the first sections and implement the basics contained in that manual. You should also read the SAG (Systems Administrator Guide) and NAG (Network Administrator Guide), also on that page. When you are working with Securing and Optimizing Linux, remember it was written for Red Hat. This means some of the files will not be in the same location as shown in the book. Type "man find" on the command line to learn how to use the find command. Here's an example: find / -iname '*pass*' 2>/dev/null. This finds all files that have p-a-s-s in them. So, it would find /etc/passwd at a minimum. If you know the full filename, then use: find / -iname passwd 2>/dev/null. This will show you all instances of passwd under the / directory. SuSE generally includes a script called harden_suse (or something like that). You should be able to run it directly or through the YaST2 tool (I think through the security level). Run it and paranoid levels. You may want to acquire some books on Linux security. I highly recommend: _Linux System Security: The Administrator's Guide to Open Source Security Tools, Second Edition_ by Scott Mann, Ellen Mitchell, Michell Krell, and Mitch Krell. http://www.amazon.com/exec/obidos/tg/detail/-/0130470112/qid=1096377802/sr=1-9/ref=sr_1_9/002-9334792-9580834?v=glance&s=books For general Linux system administration, buy: The Linux System Administration Handbook by Evi Nemeth, et al.
Both books will help you A LOT! Good luck! --Tom
And what OS were these computers that made connections while logged off running? Noah. On Tue, 28 Sep 2004, Ben wrote:
participants (5)
- Armin Schoech
- Ben
- John Andersen
- Noah Sematimba
- Tom Sasser