Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] Fwd: noah 12/09/00:01.45 system check
  • From: Les Catterall <catterau@xxxxxxxxxxx>
  • Date: Sun, 10 Dec 2000 14:44:26 +1100
  • Message-id: <3A32FC1A.8D8D8FF7@xxxxxxxxxxx>
rjwohlfar@xxxxxxxxxxx wrote:
>
> I am trying to figure out if these log entries are an attack. Or if
> the Squid proxy is causing them. I'd appreciate any suggestions on their
> cause...
>
> These entries have been appearing for over a month. And they
> consistently appear every time I dial in (it's a dial-up ISP). The
> source address is always 222.22.22.22:53 or 222.22.22.25:53.
>
> The IP address 222.22.22.22 and 222.22.22.25 represent my ISP's DNS
> servers. I changed their real addresses to "222.22.22.22/25". But the
> log entries always come from the same two IP addresses.
>
> This is a dial-up ISP. So my IP address changes every time. I understand
> that these packets are coming from port 53 (DNS). They always come
> from port 53. But the target port will change every time I dial in. For
> example, tomorrow the target address may be 222.22.22.44:111.
>
> Is Squid making some request, and the firewall blocks the response?
> Thanks, in advance.
>
> --
> Robert Wohlfarth
>
> ------ Forwarded message ------
> Dec 9 01:31:27 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=121 S=0x00 I=23121 F=0x0000 T=125 (#27)
> Dec 9 01:31:32 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=121 S=0x00 I=27106 F=0x0000 T=126 (#27)
> Dec 9 01:31:37 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=46417 F=0x0000 T=126 (#27)
> Dec 9 01:31:40 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=77 S=0x00 I=16874 F=0x0000 T=126 (#27)
> Dec 9 01:31:43 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=49233 F=0x0000 T=126 (#27)
> Dec 9 01:31:49 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=77 S=0x00 I=15348 F=0x0000 T=126 (#27)
> Dec 9 01:31:55 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=59473 F=0x0000 T=126 (#27)
>

Hi,

The log entries indicate that your firewall is silently dropping (DENY)
UDP packets (PROTO=17) from the DNS port (:53) of the given source IP
address.

If the source IP addresses match those of your DNS servers at your
favorite ISP, this is probably not what you want. In this case your
"rc.firewall" script appears to be faulty.

Assuming your Linux box does DNS lookups as a client using your ISP DNS
servers, your "rc.firewall" script should contain entries similar to
the following (one for each 'N'):

#
# Snippets from the "rc.firewall" script which is run automatically by
# virtue of the symbolic link:
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# This is done immediately after "pppd" brings IPCP up (see man "pppd").
# Our external interface's IP address is made available to us via the 4th
# parameter on the command-line.
#

#--

EXTERNAL_INTERFACE="$1" # Tell the script we use PPP.
TTY_DEVICE="$2" # The serial device used.
MODEM_SPEED="$3" # Speed of connection.
IPADDR="$4" # Our IP address this time around.
REMOTE_IP="$5" # Other end of the PPP link.
UNPRIVPORTS="1024:65535" # Unprivileged port range.

#--

NAMESERVER_N="aaa.bbb.ccc.ddd" # IP address of DNS server 'N'

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_N 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_N 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_N 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_N 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT


Presumably, you already have "output" rules in place which permit
DNS requests from your Linux client to traverse the firewall. The
"input" rules above will permit your DNS client to receive the DNS
responses from the servers which are currently being blocked.

Hope this helps - Les Catterall
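As an added example (not part of the original thread, and not the poster's rc.firewall), the following Python script parses ipchains "Packet log" lines of the kind quoted above and applies the reasoning in the reply: an inbound UDP packet from port 53 of one of your configured resolvers, addressed to an unprivileged port and DENYed on the input chain, is almost certainly a dropped DNS reply rather than an attack. It also emits the two "input" ACCEPT rules from the reply for each resolver it knows about. The sample log lines, the resolver set RESOLVERS, the unrelated hosts 198.51.100.9 and 198.51.100.77, the interface name and local address are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input modelled on the ipchains "Packet log" format quoted
# in the thread. The first three lines mirror the poster's entries; the last
# three are added to show the other verdicts (unknown source, TCP, port 53->53).
SAMPLE_LOG = """\
Dec 9 01:31:27 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=121 S=0x00 I=23121 F=0x0000 T=125 (#27)
Dec 9 01:31:32 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.25:53 222.22.22.11:1187 L=121 S=0x00 I=27106 F=0x0000 T=126 (#27)
Dec 9 01:31:37 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:1187 L=77 S=0x00 I=46417 F=0x0000 T=126 (#27)
Dec 9 01:32:01 noah kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.9:53 222.22.22.11:1187 L=77 S=0x00 I=11111 F=0x0000 T=52 (#27)
Dec 9 01:32:05 noah kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.77:4321 222.22.22.11:111 L=60 S=0x00 I=22222 F=0x4000 T=48 (#27)
Dec 9 01:32:09 noah kernel: Packet log: input DENY ppp0 PROTO=17 222.22.22.22:53 222.22.22.11:53 L=77 S=0x00 I=33333 F=0x0000 T=126 (#27)
"""

# Assumed set of the ISP's resolvers (the two addresses named in the question).
RESOLVERS: Set[str] = {"222.22.22.22", "222.22.22.25"}

# Fields of interest: chain, verdict, interface, protocol number, src:port, dst:port, length.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)


@dataclass
class PacketLogEntry:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Parse one kernel 'Packet log:' line; return None for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return PacketLogEntry(
        m["chain"], m["action"], m["iface"], int(m["proto"]),
        m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"]),
    )


def classify(entry: PacketLogEntry, nameservers: Set[str], unpriv_low: int = 1024) -> str:
    """Apply the reply's reasoning: UDP from port 53 of a known resolver to an
    unprivileged local port, dropped on input, is a DNS reply the firewall ate."""
    if entry.action != "DENY" or entry.chain != "input":
        return "not a dropped inbound packet"
    if entry.proto == 17 and entry.sport == 53 and entry.dport >= unpriv_low:
        if entry.src in nameservers:
            return "dropped DNS reply from configured resolver (missing input rule)"
        return "dropped UDP from port 53 of an unknown host (investigate)"
    return "other dropped packet"


def analyse(log_text: str, nameservers: Set[str]) -> List[Tuple[str, int, str, int, str]]:
    """Return (src, sport, dst, dport, verdict) for every parsable line."""
    report = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        report.append((e.src, e.sport, e.dst, e.dport, classify(e, nameservers)))
    return report


def suggested_input_rules(nameservers: Set[str], iface: str, ipaddr: str,
                          unprivports: str = "1024:65535") -> List[str]:
    """Render the two 'input' ACCEPT rules from the reply, one pair per resolver.
    Strings only; nothing is executed."""
    rules = []
    for ns in sorted(nameservers):
        rules.append(f"ipchains -A input -i {iface} -p udp -s {ns} 53 -d {ipaddr} {unprivports} -j ACCEPT")
        rules.append(f"ipchains -A input -i {iface} -p tcp ! -y -s {ns} 53 -d {ipaddr} {unprivports} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for src, sport, dst, dport, verdict in analyse(SAMPLE_LOG, RESOLVERS):
        print(f"{src}:{sport} -> {dst}:{dport}  {verdict}")
    print()
    # ppp0 and 222.22.22.11 are taken from the quoted log; assumed, not a recommendation.
    for rule in suggested_input_rules(RESOLVERS, "ppp0", "222.22.22.11"):
        print(rule)
```

Running the script on the sample prints one verdict per line and then four ipchains rules (UDP and TCP for each resolver). The useful check for the original question is the verdict column: if every dropped packet comes from a known resolver's port 53 and lands on the same unprivileged port that your resolver library chose for that dial-in session, the firewall is discarding answers to your own queries, which matches the "faulty rc.firewall" diagnosis rather than an attack.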
