security newbie - /var/log/messages scans


Post by tux love » Mon, 03 Jun 2002 02:53:12



hi

periodically, my firewall gets dinged with the following entries in
/var/log/messages.  each episode lasts 30+ minutes.  i'm not running
anything on port 80, and /definitely/ not on 85!  not that i'm aware of
anyway.

May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63625 10.30.101.73:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63624 10.30.101.27:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63626 10.30.101.31:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63626 10.30.101.70:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63628 10.30.101.17:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63627 10.30.101.33:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63629 10.30.101.19:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63627 10.30.101.71:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63630 10.30.101.26:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63628 10.30.101.70:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63629 10.30.101.70:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)

i'm using ipchains and a generic firewall script on redhat kernel 2.4.9-31.

my private address range starts with "10." but the apparently spoofed
address similarity ends there.

can anyone tell me what kind of attack this is and whether there is
anything i can do to prevent its recurrence.

thanks!  simon


Post by Davi » Mon, 03 Jun 2002 09:40:30



> hi

> periodically, my firewall gets dinged with the following entries in
> /var/log/messages.  each episode lasts 30+ minutes.  i'm not running
> anything on port 80, and /definitely/ not on 85!  not that i'm aware of
> anyway.

> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63625 10.30.101.73:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
[snip]

> i'm using ipchains and a generic firewall script on redhat kernel 2.4.9-31.

> my private address range starts with "10." but the apparently spoofed
> address similarity ends there.

> can anyone tell me what kind of attack this is and whether there is
> anything i can do to prevent its recurrence.

If it is a "spoofed" address you might enable rp_filter in
/etc/sysctl.conf if your system uses it. Add the lines below to
/etc/sysctl.conf then restart the network.

# Enable IP spoofing protection
# 0 Disables, 1 Enables Source Address Verification
net.ipv4.conf.all.rp_filter = 1

Or you can do it with an "echo" command like this.

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Then add it to /etc/rc.d/rc.local so it is started during system boot.
It is best to use the /etc/sysctl.conf method if your system is setup to
use sysctl.

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org


Post by tux love » Mon, 03 Jun 2002 13:46:14


thanks david

that's already in.  i think it's the red hat default.

???  any more thoughts?


> If it is a "spoofed" address you might enable rp_filter in
> /etc/sysctl.conf if your system uses it. Add the lines below to
> /etc/sysctl.conf then restart the network.

> # Enable IP spoofing protection
> # 0 Disables, 1 Enables Source Address Verification
> net.ipv4.conf.all.rp_filter = 1


Post by Luke Voge » Mon, 03 Jun 2002 14:09:23



> hi

> periodically, my firewall gets dinged with the following entries in
> /var/log/messages.  each episode lasts 30+ minutes.  i'm not running
> anything on port 80, and /definitely/ not on 85!  not that i'm aware of
> anyway.
> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63625 10.30.101.73:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63624 10.30.101.27:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)

<snip>
The above log entries refer to _outgoing_ packets _from_ your ip _to_
the 10.30.101.0/24 address space, and destined for port 80 or 85.
10.0.0.0/8 is reserved address space; I'm guessing that perhaps you have
some sort of network misconfiguration.

These are also tcp packets (proto=6) originating from your box (ttl=255,
it don't get much higher than that).

It is rule number 6 (#6) that is catching and reporting these packets.
Perhaps you need to look at your rule set and see why it is catching
these packets.

> i'm using ipchains and a generic firewall script on redhat kernel 2.4.9-31.

Ipchains is good, iptables would be better ... That generic script may
be part of your problem!

> my private address range starts with "10." but the apparently spoofed
> address similarity ends there.
> can anyone tell me what kind of attack this is and whether there is
> anything i can do to prevent its recurrence.

I think a re-config of your firewall is in order.

Are you able to properly surf the net with your configuration?
--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------


Post by Davi » Mon, 03 Jun 2002 14:55:43



> that's already in.  i think it's the red hat default.

> ???  any more thoughts?

Ok, what is rule #6?  Do you have any of the other IPs listed in the
logs on your network?

It appears you are DENYing outbound packets.

  echo "       Optional parameter: Internet HTTP"
/sbin/ipchains -A output -j ACCEPT -i $EXTDEV -p tcp -s $EXTERNALIP http -d $ANYWHERE

One recommendation would be to separate your "input" and "output" rules
into two sections with the input rules in the first section. I find it
easier to find the problem with it set up this way.

# Network values
External device
LOCALIP
MAILSERVER
DNS          # Must have one
ANYWHERE     # world

#INPUT RULES
echo "   Optional INPUT rule 1"
blah
echo "   Optional INPUT rule 2"
blah
echo "   Catch ALL rule INPUT"
Catchall rule

#OUTPUT RULES
echo "   Optional OUTPUT rule 1"
yada
echo "   Optional OUTPUT rule 2"
yada
echo "   Catch ALL rule OUTPUT"
Catchall rule

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org


Post by Luke Voge » Mon, 03 Jun 2002 15:32:52




> > that's already in.  i think it's the red hat default.

> > ???  any more thoughts?

> Ok, what is rule #6?  Do you have any of the other IPs listed in the
> logs on your network?

> It appears you are DENYing outbound packets.

>   echo "       Optional parameter: Internet HTTP"
> /sbin/ipchains -A output -j ACCEPT -i $EXTDEV -p tcp -s $EXTERNALIP http -d $ANYWHERE

The "http" is in the wrong place, it should be on the "-d $ANYWHERE
http" not your source ip.

--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------


Post by RainbowHa » Mon, 03 Jun 2002 16:44:44


< tux lover

>each episode lasts 30+ minutes.  i'm not running anything on port 80,
>and /definitely/ not on 85!  not that i'm aware of anyway.

SPT   DST:DPT  frq. SPT    frq. DST  frq. DPT
63625 .73:85   1    63624  1    .17  6    80
63624 .27:80   1    63625  1    .26  5    85
63626 .31:80   2    63626  1    .27
63626 .70:85   2    63627  1    .31
63628 .17:80   2    63628  1    .33
63627 .33:80   2    63629  3    .70
63629 .19:80   1    63630  1    .71
63627 .71:85               1    .73
63630 .26:80
63628 .70:85
63629 .70:85
May 30 18:08:44 to May 30 18:08:44

mit-ml-dev 85/tcp # MIT ML Device

>May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63625 10.30.101.73:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)

Looks like high-rate packets, above 11 packets per second. These are
"output" packets and originated from your IP, from high-numbered ports to
the private IP address range 10.30.101.0/24, ports 80|85. Packet length
was the minimum IP+TCP 40 bytes. ipchains doesn't log TCP flags so we
need to guess them. You are using kernel 2.4.9 so you'd better change
from ipchains to iptables, which will log more clues. Most default
initial TTLs are 64 except for ICMP and TCP RST. I guess the TCP RST flag
was set and the initial TTL was 255.

>i'm using ipchains and a generic firewall script on redhat kernel 2.4.9-31.
>my private address range starts with "10." but the apparently spoofed
>address similarity ends there.
>can anyone tell me what kind of attack this is and whether there is
>anything i can do to prevent its recurrence.

Possibility-1: I imagine that you, someone local, or some automated
(cron?) program running locally scanned private IP addresses on ports
80|85 using some scanner. Possibility-2: Someone upstream of you (maybe
the same ISP VLAN, same switched network, same network layer 1|2)
attempted a connect() scan of ports 63624 to 63630 with a decoy IP. Your
ipchains passed these packets through. Ports 80|85 were not served. Your
box attempted to respond with a TCP RST. But your ipchains output rule #6
dropped it and logged it. Maybe ports 80|85 were chosen to evade a
stateless firewall and to check whether it is stateless or stateful.

I'd like to know the following.
1) Is 'eth0' the external interface or the internal interface? Very important.
2) Did you set a customized TTL like
   `echo 255 > /proc/sys/net/ipv4/ip_default_ttl`?
3) Is your sanitized IP address 216.x.x.x or 10.x.x.x (or 127.0.0.1)?
4) Are you using IP masquerade?
5) Are there any other persons inside your LAN?
6) Do you have Windoze inside your LAN? It seems like a Windoze box in
   your LAN, "User Mode Linux" or "VM Ware" infected with Nimda. But it
   included destination port 85 and the TTL was 255. So I guess not.

---[ Static investigations: `man ipchains`, `/sbin/ipchains -n -L`,
`/sbin/ipchains -n -C ...` and `netstat -nr`.

---[ Passive investigations: Append log drop input chains.

Vele='10.0.0.0/8'
Vdev=eth0       # your external interface
/sbin/ipchains -I input -i $Vdev -s $Vele -j DENY -l
/usr/sbin/tcpdump -exnvv -i eth0 -s 2048 net $Vele

---[ Active investigations:

wget 10.30.101.70;   wget 10.30.101.70:85

Have a look at your '/var/log/messages' especially 'T=255|64'.

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
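The breakdown RainbowHat tabulated by hand can be reproduced mechanically. The following is an added example, not code from anyone in this thread: a small Python parser for the ipchains "Packet log:" line format quoted above, run over the original post's eleven entries (re-joined onto one line each as constructed sample input), reporting per-port and per-host counts, the burst rate floor, and the 40-byte length and TTL clues the reply relies on.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the eleven entries from the original post, each
# re-joined onto one line (the post wrapped them after "PROTO=6").
SAMPLE_LOG = """\
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63625 10.30.101.73:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63624 10.30.101.27:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63626 10.30.101.31:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63626 10.30.101.70:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63628 10.30.101.17:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63627 10.30.101.33:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63629 10.30.101.19:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63627 10.30.101.71:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63630 10.30.101.26:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63628 10.30.101.70:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 my.ip.add.res:63629 10.30.101.70:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
"""

# ipchains "Packet log:" line as written by the -l option on a 2.2/2.4 kernel.
# Host fields allow [\w.-] so the poster's sanitized "my.ip.add.res" still parses.
LOG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.-]+):(?P<spt>\d+) (?P<dst>[\w.-]+):(?P<dpt>\d+) "
    r"L=(?P<len>\d+) S=0x\w+ I=\d+ F=0x\w+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

def parse(text):
    """Return one dict per line that matches the ipchains packet-log format."""
    pkts = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(" ".join(d["ts"].split()), "%b %d %H:%M:%S")  # no year in syslog
            pkts.append(d)
    return pkts

def summarize(pkts):
    """Per-port and per-host counts, burst-rate floor, and the clues used in the
    thread to guess a TCP RST (40-byte header-only packets, TTL 255)."""
    span = (max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts)).total_seconds()
    return {
        "packets": len(pkts),
        "chains": Counter((p["chain"], p["action"], p["rule"]) for p in pkts),
        "pps_at_least": len(pkts) / max(span, 1.0),   # syslog has 1 s resolution
        "dst_ports": Counter(p["dpt"] for p in pkts),
        "dst_hosts": Counter(p["dst"] for p in pkts),
        "src_ports": sorted({int(p["spt"]) for p in pkts}),
        "header_only": sum(p["len"] == "40" for p in pkts),   # IP+TCP, no payload
        "ttls": sorted({int(p["ttl"]) for p in pkts}),
        "dst_in_10_8": sum(p["dst"].startswith("10.") for p in pkts),
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key:>13}: {value}")
```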


Post by RainbowHa » Tue, 04 Jun 2002 00:46:43


[ Sorry, I've mistaken. ]

>Possibility-1: I imagine that you, someone in local or some automated
>(cron?) program in local scaned private IP addresses port 80|85 using
>some scanner. Possibility-2: Someone at your upper stream (maybe same
>ISP VLAN, same switched network, same network layer 1|2) attempted to
>connect() scan port 63624 to 63630 with decoy IP. Your ipchains passed
>through this packets. There were not served port 80|85. Your box

             ^ input                              ^^^^^ 63624 to 63630

>attempted to respond TCP RST. But your ipchains output rule #6 droped
>it and logged it. Maybe port 80|85 were purpose of evading stateless
>firewall and checking stateless or stateful.

No firewall:
SPT=80 return TCP RST
SPT=85 return TCP RST

stateless firewall for web browsing:
SPT=80 return TCP RST
SPT=85 return ICMP3-3(REJECT) or no answer(DROP)

stateless firewall for no web browsing or stateful firewall:
SPT=80 ICMP3-3(REJECT), TCP RST(REJECT w/t RST) or no answer(DROP)
SPT=85 ICMP3-3(REJECT), TCP RST(REJECT w/t RST) or no answer(DROP)

>---[ Passive investigations: Append log drop input chains.

>Vele='10.0.0.0/8'
>Vdev=eth0   # your external interface
>/sbin/ipchains -I input -i $Vdev -s $Vele -j DENY -l
>/usr/sbin/tcpdump -exnvv -i eth0 -s 2048 net $Vele

/usr/sbin/tcpdump -exnvv -i $Vdev -s 2048 src net $Vele

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7


Post by Davi » Tue, 04 Jun 2002 01:48:28




[snip]
>>  echo "       Optional parameter: Internet HTTP"
>>/sbin/ipchains -A output -j ACCEPT -i $EXTDEV -p tcp -s $EXTERNALIP http -d $ANYWHERE

> The "http" is in the wrong place, it should be on the "-d $ANYWHERE
> http" not your source ip.

Maybe on the "input" rule but not on the "output" rule.

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org


Post by drumsti » Tue, 04 Jun 2002 03:15:32



> hi

> periodically, my firewall gets dinged with the following entries in
> /var/log/messages.  each episode lasts 30+ minutes.  i'm not running
> anything on port 80, and /definitely/ not on 85!  not that i'm aware of
> anyway.

> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 216.103.86.140:63625 10.30.101.73:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 216.103.86.140:63624 10.30.101.27:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 216.103.86.140:63626 10.30.101.31:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 216.103.86.140:63626 10.30.101.70:85 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 216.103.86.140:63628 10.30.101.17:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)
> May 30 18:08:44 hal kernel: Packet log: output DENY eth0 PROTO=6 216.103.86.140:63627 10.30.101.33:80 L=40 S=0x00 I=0 F=0x4000 T=255 (#6)

These are all outbound packets blocked by rule number six.  

> i'm using ipchains and a generic firewall script on redhat kernel 2.4.9-31.

Maybe the generic thing is the problem.

> my private address range starts with "10." but the apparently spoofed
> address similarity ends there.

> can anyone tell me what kind of attack this is and whether there is
> anything i can do to prevent its recurrence.

It isn't an attack, it's a poorly configured firewall.  I'd go with
ipchains or iptables and roll your own.

--
drumstik
www.ameriphreak.com
http://phreaks.freeshell.org/files/valuhackAdv.exe
http://valuhack.sourceforge.net


Post by tux love » Tue, 04 Jun 2002 04:52:30


yes, can surf the net no problem.

my firewall script is:
http://www.redhat.com/support/resources/tips/firewall/firewallservice...

question: if these are outgoing packets, what really concerns me is that
my ip addresses are in the 10.10.10.xxx range, not 10.30.101.xxx.  and
there are no machines on my network that are or ever have been in that
range.  the other question is, and i'm new to this stuff so please
correct me, if it was misconfiguration, wouldn't it be more frequent
than 2 or 3 times a month?  and this stuff gets logged whether or not
the network is populated with clients or it's just my two servers running.



> <snip>
> The above log entries refer to _outgoing_ packets _from_ your ip _to_
> the 10.30.101.0/24 address space, and destined for port 80 or 85.
> 10.0.0.0/8 is reserved address space, I'm guessing that perhaps you have
> some sort of network mis-configuration.

> These are also tcp packets (proto=6) originating from your box (ttl=255,
> it don't get much higher than that).

> It is rule number 6 (#6) that is catching and reporting these packets.
> Perhaps you need to look at your rule set and see why it is catching
> these packets.

> Are you able to properly surf the net with your configuration?


Post by tux love » Tue, 04 Jun 2002 04:58:52


this is my ipchains script:
http://www.redhat.com/support/resources/tips/firewall/firewallservice...



>> that's already in.  i think it's the red hat default.

>> ???  any more thoughts?

> Ok, what is rule #6?  Do you have any of the other IPs listed in the
> logs on your network?

not that i can see.

Post by Davi » Tue, 04 Jun 2002 09:41:34



> this is my ipchains script:
> http://www.redhat.com/support/resources/tips/firewall/firewallservice...

[snip]

> not that i can see.

Ok. The catch all rule for the output side of that firewall is rule #6,
but not rule #6 for the firewall if you haven't made any changes.

As root run the following to see what it shows.

ipchains -L output
OR:
ipchains -L output --line-numbers

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org


Post by tux love » Tue, 04 Jun 2002 09:52:25


ok,

> ipchains -L output --line-numbers

gives:

Chain output (policy DENY):
num  target     prot opt     source                destination           ports
1    acctout    all  ------  anywhere             anywhere              n/a
2    acctio     all  ------  anywhere             anywhere              n/a
3    ACCEPT     all  ------  anywhere             10.1.1.0/24           n/a
4    ACCEPT     all  ------  anywhere             anywhere              n/a
5    DENY       all  ------  anywhere             10.1.1.0/24           n/a
6    DENY       all  ------  10.1.1.0/24          anywhere              n/a
7    ACCEPT     all  ------  adsl-216-103-86-140.dsl.snfc21.pacbell.net  anywhere  n/a
8    DENY       all  ----l-  anywhere             anywhere              n/a


Post by Davi » Tue, 04 Jun 2002 10:54:19



> ok,

>> ipchains -L output --line-numbers

[snip]
> 8    DENY    all  ----l-  anywhere   anywhere    n/a

Ok. It appears that the packets are being DENY'd by the catch all rule
because the packets don't get passed through any of the previous rules
and are being logged with the "-l" option in the rule.

--
   Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
