* [gentoo-user] OT - ipkungfu perhaps not doing its job
From: Michael Sullivan @ 2006-11-16 18:29 UTC
To: gentoo-user
Can anyone tell me why I have about a hundred of these
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here are my
rules; I don't understand them:
bullet ~ # ipkungfu -l
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target    prot  opt in   out source                     destination
45662 6103K ACCEPT    all   --  any  any anywhere                   anywhere   state RELATED,ESTABLISHED
    0     0 LOG       all   --  lo   any 0.0.0.1                    anywhere   LOG level warning prefix `IPKF IPKungFu (--init)'
    0     0 DROP      all   --  eth0 any 210.188.206.107            anywhere
    0     0 DROP      all   --  eth0 any 222.90.206.62              anywhere
    0     0 DROP      all   --  eth0 any 61.178.185.124             anywhere
    0     0 DROP      all   --  eth0 any 65.98.76.197               anywhere
    0     0 DROP      all   --  eth0 any 211.234.99.230             anywhere
    0     0 DROP      all   --  eth0 any 60.191.34.155              anywhere
    0     0 DROP      all   --  eth0 any sd-2742.dedibox.fr         anywhere
    1    40 DROP      all   --  eth0 any nameservices.net           anywhere
    1    55 DROP      all   --  eth0 any 222.135.146.45             anywhere
   28  1598 ACCEPT    all   --  any  any camille.espersunited.com   anywhere
    7   351 ACCEPT    all   --  any  any catherine.espersunited.com anywhere
    0     0 DROP      all   --  any  any anywhere                   anywhere   recent: CHECK seconds: 120 name: badguy side: source
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:SYN,RST/SYN,RST
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    3   276 ACCEPT    icmp  --  any  any anywhere                   anywhere   icmp echo-request
   85  3400 LOG       all   --  any  any anywhere                   anywhere   state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
   85  3400 DROP      all   --  any  any anywhere                   anywhere   state INVALID
    0     0 LOG       all   -f  eth0 any anywhere                   anywhere   limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
    0     0 DROP      all   -f  eth0 any anywhere                   anywhere
    0     0 LOG       icmp  --  eth0 any anywhere                   anywhere   icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
    0     0 DROP      icmp  --  eth0 any anywhere                   anywhere   icmp timestamp-request
  125  6656 syn-flood tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:!SYN,RST,ACK/SYN state NEW
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   multiport dports netbios-ns,6666
    2   808 DROP      udp   --  eth0 any anywhere                   anywhere   multiport dports ms-sql-m
  102  5552 ACCEPT    tcp   --  eth0 any anywhere                   anywhere   state NEW multiport dports ftp,ssh,smtp,http,imap,https
    0     0 ACCEPT    udp   --  eth0 any anywhere                   anywhere   state NEW multiport dports imap
  203 15337 ACCEPT    all   --  lo   any anywhere                   anywhere   state NEW
    0     0 ACCEPT    all   --  lo   any localhost.localdomain      anywhere   state NEW
    2   112 REJECT    tcp   --  any  any anywhere                   anywhere   tcp dpt:auth reject-with tcp-reset
  146 38531 LOG       !icmp --  any  any anywhere                   anywhere   limit: avg 3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
  146 38531 DROP      all   --  any  any anywhere                   anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot  opt in   out source                     destination
    0     0 ACCEPT    all   --  any  any anywhere                   anywhere   state RELATED,ESTABLISHED
    0     0 ACCEPT    all   --  eth0 any camille.espersunited.com   anywhere
    0     0 ACCEPT    all   --  eth0 any catherine.espersunited.com anywhere
    0     0 DROP      all   --  eth0 any anywhere                   anywhere   recent: CHECK seconds: 120 name: badguy side: source
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:SYN,RST/SYN,RST
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0     0 LOG       all   --  eth0 any anywhere                   anywhere   state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
    0     0 DROP      all   --  eth0 any anywhere                   anywhere   state INVALID
    0     0 LOG       all   -f  eth0 any anywhere                   anywhere   limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
    0     0 DROP      all   -f  eth0 any anywhere                   anywhere
    0     0 LOG       icmp  --  eth0 any anywhere                   anywhere   icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
    0     0 DROP      icmp  --  eth0 any anywhere                   anywhere   icmp timestamp-request
    0     0 syn-flood tcp   --  eth0 any anywhere                   anywhere   tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 LOG       tcp   --  eth0 any anywhere                   anywhere   tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   tcp flags:!SYN,RST,ACK/SYN state NEW
    0     0 DROP      tcp   --  eth0 any anywhere                   anywhere   multiport dports netbios-ns,6666
    0     0 DROP      udp   --  eth0 any anywhere                   anywhere   multiport dports ms-sql-m
    0     0 REJECT    tcp   --  eth0 any anywhere                   anywhere   tcp dpt:auth reject-with tcp-reset
Chain OUTPUT (policy ACCEPT 5 packets, 366 bytes)
 pkts bytes target    prot  opt in   out source                     destination
60950   17M ACCEPT    all   --  any  any anywhere                   anywhere   state RELATED,ESTABLISHED
  968 76964 ACCEPT    all   --  any  any anywhere                   anywhere   state NEW
Chain syn-flood (2 references)
 pkts bytes target    prot  opt in   out source                     destination
  125  6656 RETURN    all   --  any  any anywhere                   anywhere   limit: avg 10/sec burst 24
    0     0 LOG       all   --  any  any anywhere                   anywhere   limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
    0     0 DROP      all   --  any  any anywhere                   anywhere
bullet ~ #
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] OT - ipkungfu perhaps not doing its job
From: Alan McKinnon @ 2006-11-16 19:09 UTC
To: gentoo-user
On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> Can anyone tell me why I have about a hundred of these
>
> Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
>
> when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here are my
> rules; I don't understand them:
[snip]
>     1    55 DROP      all   --  eth0 any 222.135.146.45             anywhere
Some script kiddie is trying a brute-force attack on your ftp port, trying
random combinations of user name and password every three seconds.
'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs
to some machine on network sdjnptt.net.cn, and that turns out to be
what looks like some Chinese ISP.
So, a Chinese person is trying to exploit your machine. Hey, it happens.
And will happen for about the rest of your life. The solution is to
drop them at the firewall, and the above rule is doing exactly that.
This specific attack from this specific person at that specific address
is no longer something you need to worry about :-)
alan
* Re: [gentoo-user] OT - ipkungfu perhaps not doing its job
From: Michael Sullivan @ 2006-11-16 20:59 UTC
To: gentoo-user
On Thu, 2006-11-16 at 21:09 +0200, Alan McKinnon wrote:
> On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> > Can anyone tell me why I have about a hundred of these
> >
> > Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> >
> > when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here are my
> > rules; I don't understand them:
>
> [snip]
>
> >     1    55 DROP      all   --  eth0 any 222.135.146.45             anywhere
>
> Some script kiddie is trying a brute-force attack on your ftp port, trying
> random combinations of user name and password every three seconds.
>
> 'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs
> to some machine on network sdjnptt.net.cn, and that turns out to be
> what looks like some Chinese ISP.
>
> So, a Chinese person is trying to exploit your machine. Hey, it happens.
> And will happen for about the rest of your life. The solution is to
> drop them at the firewall, and the above rule is doing exactly that.
>
> This specific attack from this specific person at that specific address
> is no longer something you need to worry about :-)
>
>
> alan
>
So why do I get the hourly log reports (from logcheck) saying that this
IP is trying to access my FTP? How does vsftpd know about this if
they're being dropped at the firewall?
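Editor's added example, not code from the thread or from ipkungfu, that works through the question the thread ends on. Two things in the posted material are worth checking mechanically: all four pam_unix failures carry the same ftp PID (2045), which is one TCP session retrying logins rather than four new connections, and the INPUT chain's first rule is ACCEPT state RELATED,ESTABLISHED, which sits ahead of the per-host DROP rules. Netfilter evaluates a chain top to bottom and stops at the first terminating match, so packets belonging to a session that was already open when the deny rule was loaded hit that ACCEPT and never reach the DROP; only a fresh connection attempt from the host (the 1 packet / 55 bytes on the deny rule) gets dropped. The log lines and the four-rule chain excerpt below are constructed from the listing above (most rules omitted, `-n` numeric output assumed so "anywhere" reads 0.0.0.0/0), the parser assumes the `iptables -L INPUT -v -n` column layout, and the chain walk models only source address and conntrack state.

```python
"""Added example: why a host in deny_hosts.conf can still reach vsftpd.

Constructed inputs patterned on the thread: four pam_unix failures from a
single ftp PID, and a four-rule excerpt of the INPUT chain in its original
order. Not part of the original post or of ipkungfu.
"""
import re
from collections import defaultdict

# Constructed sample log lines (same shape as the ones posted).
PAM_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
"""

# Constructed excerpt; assumed layout is `iptables -L INPUT -v -n`:
# pkts bytes target prot opt in out source destination [extra]
INPUT_CHAIN = """\
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target prot opt in   out source          destination
45662 6103K ACCEPT all  --  any  any 0.0.0.0/0       0.0.0.0/0   state RELATED,ESTABLISHED
    1    55 DROP   all  --  eth0 any 222.135.146.45  0.0.0.0/0
  102  5552 ACCEPT tcp  --  eth0 any 0.0.0.0/0       0.0.0.0/0   state NEW multiport dports 21,22,25,80,143,443
  146 38531 DROP   all  --  any  any 0.0.0.0/0       0.0.0.0/0
"""

PAM_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<svc>\w+)\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"authentication failure;.*?rhost=(?P<rhost>\S*)"
)
ANY = "0.0.0.0/0"


def parse_pam_failures(log):
    """One dict (svc, pid, rhost) per pam_unix authentication-failure line."""
    return [m.groupdict() for m in map(PAM_RE.match, log.splitlines()) if m]


def failures_per_session(failures):
    """Count failures per (rhost, pid). Many failures under one PID means one
    TCP session retrying logins, not a stream of new connections."""
    counts = defaultdict(int)
    for f in failures:
        counts[(f["rhost"], f["pid"])] += 1
    return dict(counts)


def parse_chain(listing):
    """Parse -L -v -n rows into dicts, preserving rule order; skip headers."""
    rules = []
    for line in listing.splitlines():
        p = line.split()
        if len(p) < 9 or not p[0].isdigit():
            continue
        rules.append({"pkts": int(p[0]), "target": p[2], "prot": p[3],
                      "in": p[5], "src": p[7], "extra": " ".join(p[9:])})
    return rules


def first_match(rules, src, state):
    """Walk the chain the way netfilter does and return (index, target) of the
    first rule the packet hits. Only source address and conntrack state are
    modelled; every other match is treated as satisfied."""
    for i, r in enumerate(rules):
        if r["src"] not in (ANY, src):
            continue
        m = re.search(r"\bstate (\S+)", r["extra"])
        if m and state not in m.group(1).split(","):
            continue
        return i, r["target"]
    return None, "POLICY"


def move_deny_first(rules, host):
    """Copy of the chain with the per-host DROP placed before the first
    stateful ACCEPT, so packets of an already-open session hit the DROP."""
    deny = next((i for i, r in enumerate(rules)
                 if r["target"] == "DROP" and r["src"] == host), None)
    if deny is None:
        return list(rules)
    rest = rules[:deny] + rules[deny + 1:]
    est = next((i for i, r in enumerate(rest)
                if r["target"] == "ACCEPT" and "ESTABLISHED" in r["extra"]), 0)
    return rest[:est] + [rules[deny]] + rest[est:]


if __name__ == "__main__":
    host = "222.135.146.45"
    print(failures_per_session(parse_pam_failures(PAM_LOG)))
    rules = parse_chain(INPUT_CHAIN)
    print("new SYN from host   ->", first_match(rules, host, "NEW"))
    print("open session packet ->", first_match(rules, host, "ESTABLISHED"))
    print("after reordering    ->",
          first_match(move_deny_first(rules, host), host, "ESTABLISHED"))
```

Run it with `python3` and compare the three chain walks: a new connection from the host stops at the DROP, a packet in an existing session is accepted by rule 0 before the DROP is ever consulted, and once the deny rule is moved above the stateful ACCEPT the open session is cut off too. The practical consequences for a setup like the one above are that a deny list appended after the RELATED,ESTABLISHED rule only blocks future connections, that the single dropped packet on the 222.135.146.45 rule is consistent with the attacker having one long-lived session, and that ending that session (restarting the ftp daemon, or removing its conntrack entry) is needed unless the deny rules are placed ahead of the state rule.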