Portscan detected from 192.168.100.100

Post by Cegon » Fri, 11 Jan 2002 00:57:01



Hi !

  I use snort for IDS and today I have been scanned from host
192.168.100.100, but in my network I don't use this IP :(

I have blocked IP spoofing ...

  How can a user from outside take an internal IP address? And how can
I block that?

  thanks

Michael

 
 
 

Portscan detected from 192.168.100.100

Post by Daniel Polomb » Fri, 11 Jan 2002 01:00:21


Michael (Cegonha) came out with this remark:

> I have block ip spoofing ...

What do you mean exactly by this? What measures have you taken?

>   How can a user from external take an internal ip adress ? And how can
> i block that ?

It usually involves having your border firewall block incoming traffic
originating from addresses in use on your internal network. Since in your
case, the internal network is RFC 1918, all such packets should be
blocked by your border firewall.

Also note that the fact that _you_ don't use the offending address
doesn't mean that nobody else has set up a box using that address on
your internal network.

 
 
 

Portscan detected from 192.168.100.100

Post by Cedric Blanche » Fri, 11 Jan 2002 01:01:03



>   I use snort for IDS ans Today, i have been been scan from host
> 192.168.100.100, but in my network, i don't use this ip :(
> I have block ip spoofing ...

You can't completely block IP spoofing. You can check against the routing
table that packets are arriving through the correct interface (using the
rp_filter setting), but not more.

>   How can a user from external take an internal ip adress ? And how can
> i block that ?

He just spoofs this IP.
Try to see whether that portscan comes from your network or from the
Internet. However, you should block RFC1918 IPs in your filtering rules,
except for the network you use for your LAN.

--
 So let's create a special group for the idiots, male and female. You'll be the
 chief moderator.
 -+- C in Guide du Neuneu d'Usenet - I want to be the first to post there -+-

 
 
 

Portscan detected from 192.168.100.100

Post by Cegon » Fri, 11 Jan 2002 01:21:36


I am new to iptables and I don't really know how to do this ...
How can I check with rp_filter?

  How do I block RFC1918? Internally I only have 3 machines ...



>>  I use snort for IDS ans Today, i have been been scan from host
>>192.168.100.100, but in my network, i don't use this ip :(
>>I have block ip spoofing ...

> You can't completely block IP spoofing. You can check against routing
> table that packets are arriving through the good interface (using
> rp_filter setting), but not more.

>>  How can a user from external take an internal ip adress ? And how can
>>i block that ?

> He just spoof this IP.
> Try to see if that portscan comes from your network or from the
> Internet. However, you should block RFC1918 IPs in your filtering rules,
> except for the network you use for your LAN.

 
 
 

Portscan detected from 192.168.100.100

Post by Cegon » Fri, 11 Jan 2002 01:23:26



> Michael (Cegonha) s'est fendu de cette remarque :

>>I have block ip spoofing ...

> What do you mean exactly by this? What measures have you taken?

# Drop anything arriving on the external interface (eth1) that claims a
# source address inside our own LAN subnet.
iptables -A INPUT -i eth1 ! -s "$LAN_SUBNET" -j DROP

# Turn on reverse-path filtering on every interface, if the kernel supports it.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
       echo -n "Setting up IP spoofing protection"
       for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f" ; done
       echo -e "       \033[47m\033[1;31m OK \033[0m"
else
       echo " DANGER PROBLEMS SETTING UP IP SPOOFING "
fi

>>  How can a user from external take an internal ip adress ? And how can
>>i block that ?

> It usually involves having your border firewall block incoming traffic
> originating from adresses in use on your internal network. Since in your
> case, the internal network is RFC 1918, all such packets should be
> blocked by your border firewall.

 How can I do that?

> Also note that the fact that _you_ don't use the offending address
> doesn't mean that nobody else has set up a box using that address on
> your internal network.

I have only 3 computers on my network, so I know which IP addresses have been used ...

Portscan detected from 192.168.100.100

Post by irado furioso com tud » Fri, 11 Jan 2002 02:48:09


No one can be sure that it is coming from outside. Since you did block
any incoming RFC 1918 range of addresses, the very best guess is somebody
*inside* your own LAN. Remember: your worst enemy is the one you have
inside (even inside yourself, btw).

Try to track it with tcpdump (difficult) or iptraf. Also you can try to
ping this IP right now, to see if it is alive.

The next worst thing is someone from outside, sitting in a remotely
controlled inner box.


> Hi !

>  I use snort for IDS ans Today, i have been been scan from host
> 192.168.100.100, but in my network, i don't use this ip :(

> I have block ip spoofing ...

>  How can a user from external take an internal ip adress ? And how can i
> block that ?

>  thanks

> Michael

--

greetings,

Irado Furioso com Tudo
Linux (SuSE) User 179402
If they opened the doors of *all* the prisons, the thefts would still be
smaller in volume than those of our politicians. In fact, we would hardly
notice the difference (think about it)!

 
 
 

Portscan detected from 192.168.100.100

Post by Daniel Polomb » Fri, 11 Jan 2002 01:57:10


Michael (Cegonha) came out with this remark:

>> What do you mean exactly by this? What measures have you taken?

[snipped enabling of rp_filter]

If your internal network doesn't use addresses in the 192.168.100.x
class, rp_filter won't help you with that packet. See RFC 1812 section
5.3.8 for details.

To block all incoming RFC 1918 packets, you can do something as simple
as :

  iptables -A my_chain -s 10.0.0.0/8 -j DROP
  iptables -A my_chain -s 172.16.0.0/12 -j DROP
  iptables -A my_chain -s 192.168.0.0/16 -j DROP
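Daniel's two points (a strict rp_filter check lets the 192.168.100.100 packet through when only the default route points at the ISP, while the static RFC 1918 drops catch it) can be seen side by side in a small simulation. This is an added example, not code from the thread; the routing table, the interface names (eth0 = LAN, eth1 = ISP) and the LAN subnet 192.168.1.0/24 are assumptions.

```python
import ipaddress

# Constructed routing table for a small Linux gateway like the poster's:
# LAN on eth0 (the assumed LAN subnet stands in for $LAN_SUBNET), default
# route to the ISP on eth1. Not taken from any real host.
LAN_NET = "192.168.1.0/24"
ROUTES = [(LAN_NET, "eth0"), ("0.0.0.0/0", "eth1")]
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would use to reach addr."""
    ip, best = ipaddress.ip_address(addr), None
    for net, dev in routes:
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, dev)
    return best[1] if best else None

def rp_filter_accepts(src, in_dev, routes=ROUTES):
    """Strict reverse-path check (RFC 1812 section 5.3.8, Linux rp_filter=1):
    the packet passes only if a reply to src would leave through in_dev.
    With no route for 192.168.100.0/24, a packet from 192.168.100.100 on
    eth1 matches the default route and is accepted, which is Daniel's point."""
    return route_lookup(src, routes) == in_dev

def border_filter_accepts(src, in_dev, wan_dev="eth1"):
    """Daniel's three static rules applied on the ISP-facing interface only:
    drop any RFC 1918 source arriving from outside, but do not touch the
    LAN interface (Cedric's 'except for the network you use for your LAN')."""
    if in_dev != wan_dev:
        return True
    ip = ipaddress.ip_address(src)
    return not any(ip in ipaddress.ip_network(n) for n in RFC1918)

def gateway_verdict(src, in_dev):
    """Run both checks in kernel order (rp_filter first) and report which
    one, if any, dropped the packet."""
    if not rp_filter_accepts(src, in_dev):
        return "drop:rp_filter"
    if not border_filter_accepts(src, in_dev):
        return "drop:rfc1918_rule"
    return "accept"
```

Note that the same source address arriving on eth0 fails the strict reverse-path check, because no route sends 192.168.100.0/24 back out that way; that is the case where rp_filter alone does help.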

 
 
 

Portscan detected from 192.168.100.100

Post by Rand » Fri, 11 Jan 2002 04:35:37


This will only work if the scans are coming from the internal network -
set up 'arpwatch'.  Be sure to read the man page and/or docs.

Arpwatch will keep a database of all IP/MAC address pairs from the
LAN.  Just 'cat' the database then 'grep 192.168.100.100' and it
should give you the originating MAC address.

If you have managed network switches, you should be able to
track the MAC address back to a specific network connection.
Otherwise, you're probably going to have to do sneakernet.

On a Cisco Catalyst 5000/6000 series switch, you would use 'show cam
dynamic <mac-addr>'.  It may take you a couple of minutes if you have
more than one switch to track it down.

If arpwatch doesn't log that IP address to a MAC, chances are that it is
coming from outside your network.

Randy

 
 
 

Portscan detected from 192.168.100.100

Post by Manfred Bart » Fri, 11 Jan 2002 11:06:01



>   I use snort for IDS ans Today, i have been been scan from host
> 192.168.100.100, but in my network, i don't use this ip :(

192.168.100.100 is commonly used as a management address for
cable modems.  It also has a simple webserver built into it,
so you can get some statistics about your bandwidth usage etc
if that feature is enabled.

> I have block ip spoofing ...

Good, but that only stops your system from giving an incorrect
source address.

When you say you have been scanned from that IP, what do you
mean?  What are the actual log entries?

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

Portscan detected from 192.168.100.100

Post by Michael Erski » Fri, 11 Jan 2002 14:33:39



> Hi !

>   I use snort for IDS ans Today, i have been been scan from host
> 192.168.100.100, but in my network, i don't use this ip :(

Then you should not be seeing it, inside your "wall".

> I have block ip spoofing ...

Clearly you have not done as you thought.  If this IP is showing on
your network and you do not have someone tapped into your network you
should not be seeing it inside your network.  If you block on the
INTERFACE you will ensure that that IP can not come in from the
outside.  If that IP can not get in from the OUTSIDE and it is not
USED on the INSIDE, the ONLY way it can be seen on the INSIDE is if it
is GENERATED from the INSIDE.  The ONLY way that can happen is for
someone to TAP into your network on the INSIDE....  If you get my
drift...

Your rules are not properly set up... Don't feel bad.  Most rules have
holes.

-m- (also Michael)

Laterz

 
 
 

Portscan detected from 192.168.100.100

Post by Michael Erski » Fri, 11 Jan 2002 14:35:22



> noone can be sure that it is coming from outside. Since you did blocked
> in for any rfc-1918 range of addresses, the very best guess is somebody
> *inside* your own lan. Remember: your worst enemy is the one you have
> inside (even inside yourself, btw).

Now, that is profound... Who said that?

-m-

 
 
 

Portscan detected from 192.168.100.100

Post by Cegon » Fri, 11 Jan 2002 21:38:42




>>  I use snort for IDS ans Today, i have been been scan from host
>>192.168.100.100, but in my network, i don't use this ip :(

> 192.168.100.100 is commonly used as a management address for
> cable modems.  It also has a simple webserver built into it,
> so you can get some statistics about your bandwidth usage etc
> if that feature is enabled.

>>I have block ip spoofing ...

> Good, but that only stops your system from giving an incorrect
> source address.

> When you say you have been scanned from that IP, what do you
> mean?  What are the actual log entries?

[**] [100:3:1] spp_portscan: PORTSCAN DETECTED from 192.168.100.100
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
01/10-07:40:48.536477
 
 
 

Portscan detected from 192.168.100.100

Post by any.. » Sat, 12 Jan 2002 01:22:46




> >   I use snort for IDS ans Today, i have been been scan from host
> > 192.168.100.100, but in my network, i don't use this ip :(

> 192.168.100.100 is commonly used as a management address for
> cable modems.  It also has a simple webserver built into it,
> so you can get some statistics about your bandwidth usage etc
> if that feature is enabled.

> > I have block ip spoofing ...

> Good, but that only stops your system from giving an incorrect
> source address.

> When you say you have been scanned from that IP, what do you
> mean?  What are the actual log entries?

> --
> Manfred
> ----------------------------------------------------------------
> NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

192.168.xxx.xxx, is it not a "private class C IP address" that is not supposed to
be routed to the Internet?
It may be a router misconfiguration.

Irek

 
 
 

Portscan detected from 192.168.100.100

Post by irado furioso com tud » Sat, 12 Jan 2002 02:37:48


Yes, it is, as per RFC1918. *But*, when connecting your side to your
ISP, I can configure both WAN interfaces to any address, at my choice,
as it is considered just a point-to-point connection, so it is a
private (sort of) connection. Your side (real IP address) will be routed,
but WAN-to-WAN is not.


> 192.168.xxx.xxx is it not "privet C IP address" that does not suppose to
> be routed to the Internet?

--

greetings,

Irado Furioso com Tudo
Linux (SuSE) User 179402
If they opened the doors of *all* the prisons, the thefts would still be
smaller in volume than those of our politicians. In fact, we would hardly
notice the difference (think about it)!

 
 
 

Portscan detected from 192.168.100.100

Post by Manfred Bart » Sat, 12 Jan 2002 07:45:09



> > 192.168.100.100 is commonly used as a management address for
> > cable modems.  It also has a simple webserver built into it,
> > so you can get some statistics about your bandwidth usage etc
> > if that feature is enabled.
> > When you say you have been scanned from that IP, what do you
> > mean?  What are the actual log entries?

> [**] [100:3:1] spp_portscan: PORTSCAN DETECTED from 192.168.100.100
> (THRESHOLD 4 connections exceeded in 0 seconds) [**]
> 01/10-07:40:48.536477

Hmm, that is an interpretation made by snort based on some rules.

If you are using a cable modem then you will see all sorts of
management packets on your side of the modem interface, but to
determine if this is the case (and harmless) you need more detailed
data than snort provides.

If you are using iptables then you can log the packets with
this command:

  iptables -I INPUT -s 192.168.100.100 -j LOG

Same with ipchains:

  ipchains -I INPUT -s 192.168.100.100 -l

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
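The LOG rule above gives you the detail snort's one-line alert lacks: the ingress interface and the sender's hardware address. The following is an added example, not code from the thread or from Manfred's tools, that parses kernel LOG output and groups packets by where they entered and by sender MAC, which is what decides between "cable modem management traffic on the ISP side" and "a box on the LAN to locate with arpwatch or the switch's MAC table" (Rand's advice). The sample lines, the interface names (eth1 = ISP side) and the MACs are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of what the iptables LOG target writes to the kernel
# log; the field layout is the real one, the addresses and MACs are made up.
SAMPLE_LOG = """\
Jan 11 07:40:48 gw kernel: IN=eth1 OUT= MAC=00:0a:27:ab:36:92:00:90:96:aa:bb:cc:08:00 SRC=192.168.100.100 DST=192.168.1.10 LEN=44 TTL=64 ID=0 DF PROTO=TCP SPT=1033 DPT=80 SYN URGP=0
Jan 11 07:40:48 gw kernel: IN=eth1 OUT= MAC=00:0a:27:ab:36:92:00:90:96:aa:bb:cc:08:00 SRC=192.168.100.100 DST=192.168.1.10 LEN=44 TTL=64 ID=0 DF PROTO=TCP SPT=1033 DPT=443 SYN URGP=0
Jan 11 07:41:02 gw kernel: IN=eth0 OUT= MAC=00:0a:27:ab:36:92:00:50:56:11:22:33:08:00 SRC=192.168.100.100 DST=192.168.1.10 LEN=44 TTL=64 ID=0 DF PROTO=TCP SPT=2044 DPT=22 SYN URGP=0
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """KEY=VALUE fields of one LOG line. The MAC= field is destination MAC
    (6 bytes), source MAC (6 bytes), ethertype (2 bytes), so the sender's
    hardware address is octets 6..11."""
    fields = dict(FIELD.findall(line.split("kernel:", 1)[1]))
    octets = fields.get("MAC", "").split(":")
    fields["SRC_MAC"] = ":".join(octets[6:12]) if len(octets) == 14 else None
    return fields

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def origin(fields, wan_dev="eth1"):
    """Where the packet physically entered: the ISP side or the LAN side."""
    return "outside" if fields["IN"] == wan_dev else "inside"

def summarize(log_text, wan_dev="eth1"):
    """Count packets per (origin, interface, sender MAC, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "SRC=" in line:
            f = parse_log_line(line)
            counts[(origin(f, wan_dev), f["IN"], f["SRC_MAC"], f["SRC"])] += 1
    return counts

def next_step(key):
    """Map a summary key to the thread's advice: an RFC 1918 source on the
    ISP side belongs in the border drop rules; an inside source is a MAC to
    look up with arpwatch or on the switch."""
    where, _dev, mac, src = key
    if where == "outside":
        return "border: drop RFC 1918 source" if is_rfc1918(src) else "border: inspect"
    return "inside: find MAC %s with arpwatch / switch CAM table" % mac
```

A single constant sender MAC on the ISP side across all hits is consistent with Manfred's cable-modem explanation; a different MAC on the LAN interface is the case Rand's arpwatch database resolves.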

 
 
 
