Very Computer

Hi !

  I use snort for IDS ans Today, i have been been scan from host
192.168.100.100, but in my network, i don't use this ip :(

I have block ip spoofing ...

  How can a user from external take an internal ip adress ? And how can
i block that ?

  thanks

Michael

Michael (Cegonha) s'est fendu de cette remarque :

Quote:> I have block ip spoofing ...

What do you mean exactly by this? What measures have you taken?

Quote:>   How can a user from external take an internal ip adress ? And how can
> i block that ?

It usually involves having your border firewall block incoming traffic
originating from adresses in use on your internal network. Since in your
case, the internal network is RFC 1918, all such packets should be
blocked by your border firewall.

Also note that the fact that _you_ don't use the offending address
doesn't mean that nobody else has set up a box using that address on
your internal network.

Quote:>   I use snort for IDS ans Today, i have been been scan from host
> 192.168.100.100, but in my network, i don't use this ip :(
> I have block ip spoofing ...

You can't completely block IP spoofing. You can check against routing
table that packets are arriving through the good interface (using
rp_filter setting), but not more.

Quote:>   How can a user from external take an internal ip adress ? And how can
> i block that ?

He just spoof this IP.
Try to see if that portscan comes from your network or from the
Internet. However, you should block RFC1918 IPs in your filtering rules,
except for the network you use for your LAN.

--
 Crons donc un groupe spcial pour les cons et les connes. Tu seras la
 modratrice en chef.
 -+- C in Guide du Neuneu d'Usenet-Je veux tre le premier y poster -+-

Je suis nouveau danms iptables et je ne sais pas trop comment faire ...
comment puis-je vrifier avec rp_filter ?

  Comment bloquer RFD1918 ?  de l'interne j'ai seulement 3 postes ...

iptables -A INPUT -j DROP -i eth1 \! -s $LAN_SUBNET
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
       echo -n "Setting up IP spoofing protection"
       for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f ;
       done
       echo -e "       \033[47m\033[1;31m OK \033[0m\37 "
else
       echo " DANGER PROBLEMS SETTING UP IP SPOOFING "
fi

Quote:

>>  How can a user from external take an internal ip adress ? And how can
>>i block that ?

> It usually involves having your border firewall block incoming traffic
> originating from adresses in use on your internal network. Since in your
> case, the internal network is RFC 1918, all such packets should be
> blocked by your border firewall.

 How can i do that ?

Quote:> Also note that the fact that _you_ don't use the offending address
> doesn't mean that nobody else has set up a box using that address on
> your internal network.

I have only 3 computers on my networks, so i know which ip adresse have been use ...

noone can be sure that it is coming from outside. Since you did blocked
in for any rfc-1918 range of addresses, the very best guess is somebody
*inside* your own lan. Remember: your worst enemy is the one you have
inside (even inside yourself, btw).

Try to track it with tcpdump (difficult) or iptraf. Also you can try to
ping this ip just now, to see if it is alive.

The next worst thing is someone from outside, sitting in a remotely
controled inner box.

--

sauda??es,

Irado Furioso com Tudo
Linux (SuSE) User 179402
se abrirem as portas de *todas* as pris?es, os roubos ainda ser?o em
menor volume do que os de nossos polticos. Na verdade, mal
perceberamos a diferen?a (think about)!.

Michael (Cegonha) s'est fendu de cette remarque :

Quote:>> What do you mean exactly by this? What measures have you taken?

[snipped enabling of rp_filter]

If your internal network doesn't use addresses in the 192.168.100.x
class, rp_filter won't help you with that packet. See RFC 1812 section
5.3.8 for details.

To block all incoming RFC 1918 packets, you can do something as simple
as :

  iptables -A my_chain -s 10.0.0.0/8 -j DROP
  iptables -A my_chain -s 172.16.0.0/12 -j DROP
  iptables -A my_chain -s 192.168.0.0/16 -j DROP

This will only work if the scans are coming from the internal network -
setup 'arpwatch'.  Be sure to read the man page and/or docs.

Arpwatch will keep a database of all IP/MAC address pairs from the
LAN.  Just 'cat' the database then 'grep 192.168.100.100' and it
should give you the originating MAC address.

If you have managed network switches, you should be able to
track the MAC address back to a specific network connection.
Otherwise, you're probably going to have to do sneakernet.

On Cisco Catalyst 5000/6000 series switch, you would use 'show cam
dynamic <mac-addr>'.  It may take you a couple of minutes if you have
more than one switch to track it down.

If arpwatch doesn't log that IP address to a MAC, chances are that it is
coming from outside your network.

Randy

192.168.100.100 is commonly used as a management address for
cable modems.  It also has a simple webserver built into it,
so you can get some statistics about your bandwidth usage etc
if that feature is enabled.

Quote:> I have block ip spoofing ...

Good, but that only stops your system from giving an incorrect
source address.

When you say you have been scanned from that IP, what do you
mean?  What are the actual log entries?

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

Then you should not be seeing it, inside your "wall".

Quote:

> I have block ip spoofing ...

Clearly you have not done as you thought.  If this IP is showing on
your network and you do not have someone tapped into your network you
should not be seeing it inside your network.  If you block on the
INTERFACE you will ensure that that IP can not come in from the
outside.  If that IP can not get in from the OUTSIDE and it is not
USED on the INSIDE, the ONLY way it can be seen on the INSIDE is if it
is GENERATED from the INSIDE.  The ONLY way that can happen is for
someone to TAP into your network on the INSIDE....  If you get my
drift...

Your rules are not properly set up... Don't feel bad.  Most rules have
holes.

-m- (also Michael)

Laterz

Quote:> noone can be sure that it is coming from outside. Since you did blocked
> in for any rfc-1918 range of addresses, the very best guess is somebody
> *inside* your own lan. Remember: your worst enemy is the one you have
> inside (even inside yourself, btw).

Now, that is profound... Who said that?

-m-

[**] [100:3:1] spp_portscan: PORTSCAN DETECTED from 192.168.100.100
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
01/10-07:40:48.536477

192.168.xxx.xxx is it not "privet C IP address" that does not suppose to
be routed to the Internet?
It may be router miss configuration.

Irek

yes, it is, as per rfc1918. *But*, when connecting your side to your
ISP, I can configure both wan interfaces to any address, at my choice,
as it is considered just as a point-to-point connection, so it is a
privative (sort of) connection. Your side (real ip-addr) will be routed,
but wan-wan arenot.

--

sauda??es,

Irado Furioso com Tudo
Linux (SuSE) User 179402
se abrirem as portas de *todas* as pris?es, os roubos ainda ser?o em
menor volume do que os de nossos polticos. Na verdade, mal
perceberamos a diferen?a (think about)!.

Hmm, that is an interpretation made by snort based on some rules.

If you are using a cable modem then you will see all sorts of
management packets on your side of the modem interface, but to
determine if this is the case (and harmless) you need more detailed
data than snort provides.

If you are using iptables then you can log the packets with
this command:

  iptables -I INPUT -s 192.168.100.100 -j LOG

Same with ipchains:

  ipchains -I INPUT -s 192.168.100.100 -l

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>