public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] OT - ipkungfu perhaps not doing its job
@ 2006-11-16 18:29 Michael Sullivan
From: Michael Sullivan @ 2006-11-16 18:29 UTC
  To: gentoo-user

Can anyone tell me why I have about a hundred of these

Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 

when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here are my
rules; I don't understand them:

bullet ~ # ipkungfu -l
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source
destination
45662 6103K ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED
    0     0 LOG        all  --  lo     any     0.0.0.1
anywhere            LOG level warning prefix `IPKF IPKungFu (--init)'
    0     0 DROP       all  --  eth0   any     210.188.206.107
anywhere
    0     0 DROP       all  --  eth0   any     222.90.206.62
anywhere
    0     0 DROP       all  --  eth0   any     61.178.185.124
anywhere
    0     0 DROP       all  --  eth0   any     65.98.76.197
anywhere
    0     0 DROP       all  --  eth0   any     211.234.99.230
anywhere
    0     0 DROP       all  --  eth0   any     60.191.34.155
anywhere
    0     0 DROP       all  --  eth0   any     sd-2742.dedibox.fr
anywhere
    1    40 DROP       all  --  eth0   any     nameservices.net
anywhere
    1    55 DROP       all  --  eth0   any     222.135.146.45
anywhere
   28  1598 ACCEPT     all  --  any    any     camille.espersunited.com
anywhere 
    7   351 ACCEPT     all  --  any    any
catherine.espersunited.com  anywhere 
    0     0 DROP       all  --  any    any     anywhere
anywhere            recent: CHECK seconds: 120 name: badguy side: source
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec
burst 5 LOG level warning prefix `IPKF flags ALL: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit:
avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,FIN: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,RST: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    3   276 ACCEPT     icmp --  any    any     anywhere
anywhere            icmp echo-request
   85  3400 LOG        all  --  any    any     anywhere
anywhere            state INVALID limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF Invalid TCP flag: '
   85  3400 DROP       all  --  any    any     anywhere
anywhere            state INVALID
    0     0 LOG        all  -f  eth0   any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF Fragmented Packet: '
    0     0 DROP       all  -f  eth0   any     anywhere
anywhere
    0     0 LOG        icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG
level warning prefix `IPKF ICMP Timestamp: '
    0     0 DROP       icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request
  125  6656 syn-flood  tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg
3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            multiport dports netbios-ns,6666
    2   808 DROP       udp  --  eth0   any     anywhere
anywhere            multiport dports ms-sql-m
  102  5552 ACCEPT     tcp  --  eth0   any     anywhere
anywhere            state NEW multiport dports
ftp,ssh,smtp,http,imap,https
    0     0 ACCEPT     udp  --  eth0   any     anywhere
anywhere            state NEW multiport dports imap
  203 15337 ACCEPT     all  --  lo     any     anywhere
anywhere            state NEW
    0     0 ACCEPT     all  --  lo     any     localhost.localdomain
anywhere            state NEW
    2   112 REJECT     tcp  --  any    any     anywhere
anywhere            tcp dpt:auth reject-with tcp-reset
  146 38531 LOG       !icmp --  any    any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF INPUT Catch-all: '
  146 38531 DROP       all  --  any    any     anywhere
anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   any     camille.espersunited.com
anywhere 
    0     0 ACCEPT     all  --  eth0   any
catherine.espersunited.com  anywhere 
    0     0 DROP       all  --  eth0   any     anywhere
anywhere            recent: CHECK seconds: 120 name: badguy side: source
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec
burst 5 LOG level warning prefix `IPKF flags ALL: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit:
avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,FIN: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,RST: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0     0 LOG        all  --  eth0   any     anywhere
anywhere            state INVALID limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF Invalid TCP flag: '
    0     0 DROP       all  --  eth0   any     anywhere
anywhere            state INVALID
    0     0 LOG        all  -f  eth0   any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF Fragmented Packet: '
    0     0 DROP       all  -f  eth0   any     anywhere
anywhere
    0     0 LOG        icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG
level warning prefix `IPKF ICMP Timestamp: '
    0     0 DROP       icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request
    0     0 syn-flood  tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg
3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            multiport dports netbios-ns,6666
    0     0 DROP       udp  --  eth0   any     anywhere
anywhere            multiport dports ms-sql-m
    0     0 REJECT     tcp  --  eth0   any     anywhere
anywhere            tcp dpt:auth reject-with tcp-reset

Chain OUTPUT (policy ACCEPT 5 packets, 366 bytes)
 pkts bytes target     prot opt in     out     source
destination
60950   17M ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED
  968 76964 ACCEPT     all  --  any    any     anywhere
anywhere            state NEW

Chain syn-flood (2 references)
 pkts bytes target     prot opt in     out     source
destination
  125  6656 RETURN     all  --  any    any     anywhere
anywhere            limit: avg 10/sec burst 24
    0     0 LOG        all  --  any    any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF SYN flood: '
    0     0 DROP       all  --  any    any     anywhere
anywhere
bullet ~ #

-- 
gentoo-user@gentoo.org mailing list
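The log lines in the post carry two details a defender would pull out before looking at the firewall: every failure comes from the same rhost at a fixed three-second cadence, and every failure carries the same pam_unix PID [2045], i.e. one FTP server process handling one long-lived client session rather than a fresh connection per attempt. The Python below is an added example, not code from the thread or from ipkungfu: it parses syslog lines of this shape, groups failures by (rhost, pid), and flags repeated failures from one session. The sample input is constructed from the four lines quoted above (re-joined onto single lines) plus one unrelated failure from 192.0.2.10 for contrast; the year is an assumption, since syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four pam_unix lines from the post (wrapped
# continuation re-joined) plus one unrelated single failure for contrast.
SAMPLE_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:17:40 bullet ftp(pam_unix)[2310]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
"""

# syslog timestamp, host, "<service>(pam_unix)[<pid>]: authentication failure; ... rhost=<addr>"
PAM_FAIL_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>\w+)\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;"
    r".*\brhost=(?P<rhost>\S*)"
)


def parse_failures(text, year=2006):
    """Return one dict per pam_unix authentication-failure line.

    `year` is an assumption: classic syslog timestamps omit it.
    """
    failures = []
    for line in text.splitlines():
        m = PAM_FAIL_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        failures.append({"when": when, "service": m["service"],
                         "pid": int(m["pid"]), "rhost": m["rhost"]})
    return failures


def summarize(failures):
    """Group by (rhost, pid). One pid means one server process, which for a
    per-connection daemon like an FTP server means one client session."""
    groups = defaultdict(list)
    for f in failures:
        groups[(f["rhost"], f["pid"])].append(f["when"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return summary


def flag_brute_force(summary, min_count=3, max_mean_gap_s=30.0):
    """Sessions with at least `min_count` failures arriving at most
    `max_mean_gap_s` apart on average; thresholds are illustrative."""
    return sorted(
        key for key, s in summary.items()
        if s["count"] >= min_count
        and s["mean_gap_s"] is not None
        and s["mean_gap_s"] <= max_mean_gap_s
    )


if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_LOG))
    for (rhost, pid), s in sorted(summary.items()):
        print(f"{rhost:16} pid={pid:<6} failures={s['count']:<3} "
              f"span={s['span_s']:.0f}s mean_gap={s['mean_gap_s']}")
    print("brute-force sessions:", flag_brute_force(summary))
```

Run against the real /var/log/messages (or whatever file logcheck is reading), the (rhost, pid) grouping separates many short connections from one session that keeps retrying, which is the distinction that matters when comparing the counts against the firewall's per-host DROP counter.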

* Re: [gentoo-user] OT - ipkungfu perhaps not doing its job
From: Alan McKinnon @ 2006-11-16 19:09 UTC
  To: gentoo-user

On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> Can anyone tell me why I have about a hundred of these
>
> Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
>
> when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here are my
> rules; I don't understand them:

[snip]

>     1    55 DROP       all  --  eth0   any     222.135.146.45
> anywhere

Some script kiddie is trying a brute force attack on your ftp port trying 
random combinations of user name and password every three seconds.

'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs 
to some machine on network sdjnptt.net.cn and that turns out to be 
what looks like some Chinese ISP.

So, a Chinese person is trying to exploit your machine. Hey, it happens. 
And will happen for about the rest of your life. The solution is to 
drop them at the firewall, and the above rule is doing exactly that.

This specific attack from this specific person at that specific address 
is no longer something you need to worry about :-)


alan


* Re: [gentoo-user] OT - ipkungfu perhaps not doing its job
From: Michael Sullivan @ 2006-11-16 20:59 UTC
  To: gentoo-user

On Thu, 2006-11-16 at 21:09 +0200, Alan McKinnon wrote:
> On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> > Can anyone tell me why I have about a hundred of these
> >
> > Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> >
> > when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here are my
> > rules; I don't understand them:
> 
> [snip]
> 
> >     1    55 DROP       all  --  eth0   any     222.135.146.45
> > anywhere
> 
> Some script kiddie is trying a brute force attack on your ftp port trying 
> random combinations of user name and password every three seconds.
> 
> 'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs 
> to some machine on network sdjnptt.net.cn and that turns out to be 
> what looks like some Chinese ISP.
> 
> So, a Chinese person is trying to exploit your machine. Hey, it happens. 
> And will happen for about the rest of your life. The solution is to 
> drop them at the firewall, and the above rule is doing exactly that.
> 
> This specific attack from this specific person at that specific address 
> is no longer something you need to worry about :-)
> 
> 
> alan
> 

So why do I get the hourly log reports (from logcheck) saying that this
IP is trying to access my FTP?  How does vsftpd know about this if
they're being dropped at the firewall?

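The question above, how vsftpd can still see attempts from a host that has a DROP rule, comes down to rule order in the posted listing. iptables evaluates a chain top to bottom and the first terminating match wins; the INPUT chain's first rule is ACCEPT for state RELATED,ESTABLISHED, and the per-host DROP for 222.135.146.45 sits below it, so packets belonging to a TCP session that was already established before the deny rule took effect are accepted by rule 1 and never reach the DROP. The DROP counter of 1 packet and the single pam_unix PID [2045] across every failure are consistent with exactly that: one FTP session that kept retrying while only a later new connection was dropped. The Python below is an added example, not code from the thread or from ipkungfu: it parses a constructed excerpt of the `iptables -L -v` listing (the wrapped lines from the post re-joined, only the relevant INPUT rules kept), reports whether a host's DROP is shadowed by an earlier state ACCEPT, and shows the rule order in which the host's DROP would also cut off its established sessions.

```python
import re

# Constructed excerpt of the posted `ipkungfu -l` (iptables -L -v) output:
# wrapped lines re-joined, only the rules relevant to the question kept.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination
45662 6103K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  eth0   any     210.188.206.107      anywhere
    1    55 DROP       all  --  eth0   any     222.135.146.45       anywhere
  102  5552 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            state NEW multiport dports ftp,ssh,smtp,http,imap,https
  146 38531 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
"""

# One `iptables -L -v` rule line: counters, target, proto, opt, in, out,
# source, destination, then the free-form match text (state, dports, ...).
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$"
)


def _count(token):
    """iptables abbreviates large counters with K/M/G (powers of 1000)."""
    units = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if token[-1] in units:
        return int(token[:-1]) * units[token[-1]]
    return int(token)


def parse_chain(listing, chain="INPUT"):
    """Return the rules of one chain, in evaluation order, as dicts."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["pkts"], rule["bytes"] = _count(rule["pkts"]), _count(rule["bytes"])
            rule["index"] = len(rules)
            rules.append(rule)
    return rules


def explain_host_drop(rules, host):
    """Is the per-host DROP shadowed by an earlier ACCEPT for ESTABLISHED?

    If it is, an already-open session from `host` is accepted at that
    earlier rule and the DROP only ever sees packets of new connections.
    """
    drops = [r for r in rules if r["target"] == "DROP" and r["src"] == host]
    if not drops:
        return {"host": host, "blocked": False}
    drop = drops[0]
    shadowing = [r["index"] for r in rules[: drop["index"]]
                 if r["target"] == "ACCEPT" and "ESTABLISHED" in r["match"]]
    return {
        "host": host,
        "blocked": True,
        "drop_index": drop["index"],
        "dropped_pkts": drop["pkts"],
        "established_bypass": bool(shadowing),
        "bypass_rule_index": shadowing[0] if shadowing else None,
    }


def reorder_host_drops_first(rules, host):
    """Rule order in which the host's DROP precedes every other rule, so it
    also matches packets of sessions that are already established."""
    host_idx = {r["index"] for r in rules
                if r["target"] == "DROP" and r["src"] == host}
    ordered = ([r for r in rules if r["index"] in host_idx]
               + [r for r in rules if r["index"] not in host_idx])
    return [(r["target"], r["src"], r["match"]) for r in ordered]


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_LISTING)
    print(explain_host_drop(rules, "222.135.146.45"))
    for target, src, match in reorder_host_drops_first(rules, "222.135.146.45"):
        print(f"{target:7} {src:18} {match}")
```

Moving the deny rule ahead of the state ACCEPT is one way to make a host block take effect on live sessions; another is to leave the order alone and terminate the existing connection (for example by restarting the FTP daemon so the offending process exits), after which the host's next SYN is NEW and hits the DROP. Either way, `iptables -L -v` counters on the host rule are the quick check that the block is actually seeing traffic.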