Since grsec no SuSE-FW-DROP-DEFAULT IN
There is a SuSE 8.2 PC with SuSE-Firewall 2 and a 2.4.21-rc7-grsec kernel, with the following options:

CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_LOW=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y

I have to mention, too, that there is no need for special security. All external ports are closed and the IP address is dynamic. Before, I got a lot of messages like:

fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=213.23.18.107 DST=62.46.154.238 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=38567 DF PROTO=TCP SPT=56414 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A207010A30000000001030300)

But now I can't see any like this. Is this a misconfiguration, or does grsec protect me from portscans?

Al
Al Bogner wrote:
Before I got a lot of messages like: fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=213.23.18.107 DST=62.46.154.238 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=38567 DF PROTO=TCP SPT=56414 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A207010A30000000001030300)
But now I can't see any like this. Is this a misconfiguration or does grsec prevent me from portscans?
Those are no portscans. DPT=4662 is the port number which overnet/edonkey/emule uses. You've got an IP address which was previously used by a filesharing guy. Wait long enough and you'll see them again. ( Why do people log their drops after the deployment phase of their ruleset? I do that only when I'm experiencing strange connect problems. )

Peter
Hi Peter !
( Why do people log their drop after the deployment phase of their ruleset? I do that only when I'm experiencing strange connect problems. )
--> It's a nice way to monitor what's going on with your system. And you might get a hint from these logs if someone is trying an attack by multiple connections. I get them emailed every hour from my systems abroad and use it like this.

Armin

--
Am Hasenberg 26, D-18209 Bad Doberan
Tel. ++49-(0)38203/42137
Email: schoech@iap-kborn.de
WWW: http://armins.cjb.net/

office: Institut für Atmosphärenphysik, Schloss-Straße 6, D-18225 Kühlungsborn / GERMANY
Tel. +49-(0)38293-68-102
Fax. +49-(0)38293-68-50
* Peter Wiersig wrote on Thu, Jun 12, 2003 at 12:27 +0200:
( Why do people log their drop after the deployment phase of their ruleset? I do that only when I'm experiencing strange connect problems. )
I log it, too :-) All day on all firewalls. IDS messages usually get logged by many people also. In case of an incident, you have information for analysis. For instance, often you can see that one IP does a portscan or a distributed portscan from multiple IPs, then another IP systematically connects to each webserver (but no other host) and makes some GET request (e.g. formmail probe), and a third IP spams if a formmail was found. Well, and so you get an idea of what really happened, I think.

oki,
Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
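To make the two points above concrete (Peter's observation that drops on DPT=4662 are leftover eDonkey traffic to a recycled dynamic IP, and Steffen's use of drop logs to spot a source walking many ports), here is an added example, not code from the thread or from SuSE-Firewall, that parses the KEY=value fields of the SuSE-FW-DROP-DEFAULT log format quoted above and labels each source address. The sample log lines, the documentation-range IP addresses, the threshold of five distinct destination ports and the 4672/UDP companion port are constructed assumptions.

```python
import re
from collections import defaultdict

# KEY=value fields as they appear after the "SuSE-FW-DROP-DEFAULT" prefix.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (documentation addresses, not from the thread):
# 198.51.100.x keep hitting the eDonkey ports; 203.0.113.9 walks many ports.
SAMPLE_LOG = """\
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=56414 DPT=4662 SYN
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=198.51.100.8 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=4662 SYN
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=198.51.100.9 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=4672 DPT=4672
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55555 DPT=21 SYN
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55555 DPT=22 SYN
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55555 DPT=23 SYN
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55555 DPT=25 SYN
fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55555 DPT=80 SYN
"""

# 4662 is the eDonkey/eMule port named in the thread; 4672/UDP is assumed.
P2P_PORTS = {"4662", "4672"}

def parse_drop_line(line):
    """Return the KEY=value fields of one SuSE-FW-DROP-DEFAULT line, else None."""
    if "SuSE-FW-DROP-DEFAULT" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def classify_sources(log_text, scan_threshold=5):
    """Label each SRC: 'portscan' if it touched >= scan_threshold distinct
    DPTs, 'p2p-leftover' if it only ever hit known P2P ports, else 'other'."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_drop_line(line)
        if fields and fields.get("SRC") and fields.get("DPT"):
            ports_by_src[fields["SRC"]].add(fields["DPT"])
    verdict = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            verdict[src] = "portscan"
        elif ports <= P2P_PORTS:
            verdict[src] = "p2p-leftover"
        else:
            verdict[src] = "other"
    return verdict

if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```

Feeding the real log (e.g. the lines grep'd out of /var/log/messages) to classify_sources separates the stale filesharing noise from a source that actually sweeps ports.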
On Friday 20 June 2003 11:27, Steffen Dettmer wrote:
* Peter Wiersig wrote on Thu, Jun 12, 2003 at 12:27 +0200:
( Why do people log their drop after the deployment phase of their ruleset? I do that only when I'm experiencing strange connect problems. )
I log it, too :-)
But nobody could explain to me why I have *no* logs when I use a 2.4.21-rc7-grsec kernel. I do nothing other than change the kernel in the boot menu of grub. When I start the original SuSE kernel, I get logs; when I start the grsec kernel, I don't. I also tried a grep -r <IP> /var/log/* and looked for an external IP which scanned my machine. There is no other file which stores the scans. So is there a kernel option in the SuSE kernel which is needed for logging?

nmap -v -P0 <IP> says: All 1601 scanned ports on x.x are: filtered

Don't scan the IP in my mail header for a test; it is a dynamic IP!

Al