public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user]  blocking netbios-ssn rule?
@ 2006-08-18 19:24 James
  2006-08-18 19:59 ` [gentoo-user] OT: A netbios-ssn blocking rule? James
  2006-08-18 21:43 ` Daniel Iliev
  0 siblings, 2 replies; 7+ messages in thread
From: James @ 2006-08-18 19:24 UTC (permalink / raw
  To: gentoo-user

Hello,

My iptables-based firewall seems to be working. However, I keep getting
triplets of this activity:

source     dest.     proto   info
rouge.ip   www.me.com tcp

-- 
gentoo-user@gentoo.org mailing list




* [gentoo-user]  OT: A netbios-ssn blocking rule?
  2006-08-18 19:24 [gentoo-user] blocking netbios-ssn rule? James
@ 2006-08-18 19:59 ` James
  2006-08-18 21:43 ` Daniel Iliev
  1 sibling, 0 replies; 7+ messages in thread
From: James @ 2006-08-18 19:59 UTC (permalink / raw
  To: gentoo-user

Hello,

My iptables-based firewall seems to be working. However, I keep getting
triplets of this activity:

Problem (2286 > netbios-ssn)
source     dest.      proto   info
curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
Win=0 Len=0

Any ideas on a rule to drop these requests to my web server?

Similarly, I see the same thing except the info section is slightly
different:
Similar problem (2469 > microsoft-ds)
rouge.ip   www.me.com tcp     2469 > microsoft-ds Seq=0 Len=0 MSS=1460

and the response from my firewall is similar:
www.me.com rouge.ip   tcp     microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1 
Win=0 Len=0

Other problems are (info section is only difference) epmap > 3081
                                                     3081 > epmap

Each of these appears in triplets... and seems useless. Are they
part of something stupidly done by Microsoft?  I think not,
because they occur quite frequently, almost systematically,
leading me to suspect they are part of nefarious activities?

The only things that change are the port numbers (2286; 2469; 3081) and the
source IP address, which change after each triplet of queries.

Any ideas, information and iptables rules to silently drop these 
queries are most welcome. I see them all day long.


James








* Re: [gentoo-user]  OT: A netbios-ssn blocking rule?
  2006-08-18 19:24 [gentoo-user] blocking netbios-ssn rule? James
  2006-08-18 19:59 ` [gentoo-user] OT: A netbios-ssn blocking rule? James
@ 2006-08-18 21:43 ` Daniel Iliev
  2006-08-21  4:11   ` [gentoo-user] " James
  1 sibling, 1 reply; 7+ messages in thread
From: Daniel Iliev @ 2006-08-18 21:43 UTC (permalink / raw
  To: gentoo-user

James wrote:
> Hello,
>
> My iptables-based firewall seems to be working. However, I keep getting
> triplets of this activity:
>
> Problem (2286 > netbios-ssn)
> source     dest.      proto   info
> curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
> www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
> Win=0 Len=0
>
> Any ideas on a rule to drop these requests to my web server?
>
> Similarly, I see the same thing except the info section is slightly
> different:
> Similar problem (2469 > microsoft-ds)
> rouge.ip   www.me.com tcp     2469 > microsoft-ds Seq=0 Len=0 MSS=1460
>
> and the response from my firewall is similar:
> www.me.com rouge.ip   tcp     microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1 
> Win=0 Len=0
>
> Other problems are (info section is only difference) epmap > 3081
>                                                      3081 > epmap
>
> Each of these appears in triplets... and seems useless. Are they
> part of something stupidly done by Microsoft?  I think not,
> because they occur quite frequently, almost systematically,
> leading me to suspect they are part of nefarious activities?
>
> The only things that change are the port numbers (2286; 2469; 3081) and the
> source IP address, which change after each triplet of queries.
>
> Any ideas, information and iptables rules to silently drop these 
> queries are most welcome. I see them all day long.
>
>
> James
>
>
>
>
>   
Depending on which PC these packets are targeted at, you should use the
"INPUT" or "FORWARD" chain. If the target is a PC behind the firewall
("FW" from now on), use "FORWARD". If the target is the FW itself, use
"INPUT". The rules should look like this:

"iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
have destination the FW itself)
"iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
( < the packets have destination the "target-PC". )

If you omit "-d target-PC" from the second rule, your FW will drop every
packet with destination port "microsoft-ds" and an IP address different
from the IP address of the FW itself. Keep in mind that these rules may
not be matched if the packets match other rules you have added previously.

-- 
Best regards,
Daniel






* [gentoo-user]  Re: OT: A netbios-ssn blocking rule?
  2006-08-18 21:43 ` Daniel Iliev
@ 2006-08-21  4:11   ` James
  2006-08-23 21:33     ` Daniel Iliev
  0 siblings, 1 reply; 7+ messages in thread
From: James @ 2006-08-21  4:11 UTC (permalink / raw
  To: gentoo-user

> Daniel Iliev <danny <at> ilievnet.com> writes:


My iptables-based firewall seems to be working. However, I keep getting triplets
of this activity:

curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
 Win=0 Len=0

similar problem (2469 > microsoft-ds)
 Other problems are (info section is only difference) epmap > 3081



> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
> have destination the FW itself)
> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
> ( < the packets have destination the "target-PC". )


Your advice is working, beautiful

Much Thanks!


James







* Re: [gentoo-user]  Re: OT: A netbios-ssn blocking rule?
  2006-08-21  4:11   ` [gentoo-user] " James
@ 2006-08-23 21:33     ` Daniel Iliev
  2006-08-23 21:46       ` gentuxx
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Iliev @ 2006-08-23 21:33 UTC (permalink / raw
  To: gentoo-user

James wrote:
>> Daniel Iliev <danny <at> ilievnet.com> writes:
>>     
>
>
> My iptables-based firewall seems to be working. However, I keep getting triplets
> of this activity:
>
> curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
> www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
>  Win=0 Len=0
>
> similar problem (2469 > microsoft-ds)
>  Other problems are (info section is only difference) epmap > 3081
>
>
>
>   
>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
>> have destination the FW itself)
>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
>> ( < the packets have destination the "target-PC". )
>>     
>
>
> Your advice is working, beautiful
>
> Much Thanks!
>
>
> James
>
>
>
>   
I'm not sure if I get this message right, but if it is a question of how to
deal with packets like these:

>curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 

the answer is: add the same rules, but replace "microsoft-ds" with
"netbios-ssn" or the corresponding number from /etc/services. Those rules
would look like:
"iptables -A INPUT -p tcp --dport netbios-ssn -j DROP"
which is the same as:
"iptables -A INPUT -p tcp --dport 139 -j DROP"

And if the target is not the FW:
iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP
or
iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP


It seems that you want to stop the MS NetBIOS activity. The ports used
for this service are 137, 138, 139 and 445, so the rule set could be
something like this:

iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP
iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP

or 

iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 137:139 -j DROP




-- 
Best regards,
Daniel






* Re: [gentoo-user]  Re: OT: A netbios-ssn blocking rule?
  2006-08-23 21:33     ` Daniel Iliev
@ 2006-08-23 21:46       ` gentuxx
  2006-08-24  1:36         ` Daniel Iliev
  0 siblings, 1 reply; 7+ messages in thread
From: gentuxx @ 2006-08-23 21:46 UTC (permalink / raw
  To: gentoo-user


Daniel Iliev wrote:
> James wrote:
>>> Daniel Iliev <danny <at> ilievnet.com> writes:
>>>     
>>
>> My iptables-based firewall seems to be working. However, I keep getting triplets
>> of this activity:
>>
>> curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>> www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
>>  Win=0 Len=0
>>
>> similar problem (2469 > microsoft-ds)
>>  Other problems are (info section is only difference) epmap > 3081
>>
>>
>>
>>   
>>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
>>> have destination the FW itself)
>>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
>>> ( < the packets have destination the "target-PC". )
>>>     
>>
>> Your advice is working, beautiful
>>
>> Much Thanks!
>>
>>
>> James
>>
>>
>>
>>   
> I'm not sure if I get this message right, but if it is a question of how to
> deal with packets like these:
> 
>> curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>> www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
> 
> the answer is: Add the same rules, but replace "microsoft-ds" with "netbios-ssn" or the corresponding number from /etc/services. Those rules would look like:
> "iptables -A INPUT -p tcp --dport netbios-ssn -j DROP"
>  it's the same as:
> "iptables -A INPUT -p tcp --dport 139 -j DROP"
> 
> And if the target is not the FW:
> iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP
> or
> iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP
> 
> 
> It seems that you want to stop the MS NetBIOS activity. The ports used
> for this service are 137, 138, 139 and 445, so the rule set could be
> something like this:
> 
> iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP
> iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP
> 
> or 
> 
> iptables -A INPUT -p tcp --dport 445 -j DROP
> iptables -A INPUT -p tcp --dport 137:139 -j DROP
> 
> 

Actually, some of those ports are UDP.  /etc/services says the same for
both TCP and UDP.  So if -p is required for --dport, you would have to
add rules for UDP as well.

iptables -A FORWARD -d *target-PC* -p udp --dport 137:139 -j DROP
iptables -A INPUT -p udp --dport 137:139 -j DROP

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
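An added example, not code from the thread: Daniel's DROP rules and gentuxx's UDP addition combined into one script that prints the iptables commands for review instead of running them. It sends the probe ports through a user-defined chain (the name SMB_PROBES is hypothetical) that logs a rate-limited sample before dropping, so the probes remain visible in the kernel log; 192.0.2.10 is a constructed placeholder for *target-PC*.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (rather than runs) an
# iptables rule set for the probe ports seen above: 135/tcp (epmap),
# 139/tcp (netbios-ssn), 445/tcp (microsoft-ds), plus the NetBIOS name and
# datagram services on 137/udp and 138/udp that gentuxx's note covers.

TCP_PORTS="135,137,138,139,445"
UDP_PORTS="137,138"
CHAIN_NAME="SMB_PROBES"   # hypothetical name for the user-defined chain

# smb_drop_rules CHAIN [TARGET]
#   CHAIN is INPUT when the firewall itself is the target, FORWARD when
#   the target is a host behind it (then TARGET, its address, is required).
smb_drop_rules() {
    chain=$1
    target=$2
    dst=""
    case "$chain" in
        INPUT) ;;
        FORWARD)
            if [ -z "$target" ]; then
                echo "FORWARD rules need the target address" >&2
                return 1
            fi
            dst="-d $target "
            ;;
        *) echo "chain must be INPUT or FORWARD" >&2; return 1 ;;
    esac
    # Create (or reset) the chain: log at most 5 lines a minute, then drop.
    echo "iptables -N $CHAIN_NAME 2>/dev/null || iptables -F $CHAIN_NAME"
    echo "iptables -A $CHAIN_NAME -m limit --limit 5/min --limit-burst 10" \
         "-j LOG --log-prefix \"smb-probe: \""
    echo "iptables -A $CHAIN_NAME -j DROP"
    # "-I <chain> 1" puts the jump at the head of the chain so an earlier
    # ACCEPT cannot shadow it (Daniel's caveat about rule order); multiport
    # covers all the ports in one rule per protocol.
    echo "iptables -I $chain 1 ${dst}-p tcp -m multiport --dports $TCP_PORTS -j $CHAIN_NAME"
    echo "iptables -I $chain 1 ${dst}-p udp -m multiport --dports $UDP_PORTS -j $CHAIN_NAME"
}

# Review the output, then apply it as root with: smb_drop_rules INPUT | sh
smb_drop_rules INPUT
smb_drop_rules FORWARD 192.0.2.10   # constructed placeholder for *target-PC*
```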




* Re: [gentoo-user]  Re: OT: A netbios-ssn blocking rule?
  2006-08-23 21:46       ` gentuxx
@ 2006-08-24  1:36         ` Daniel Iliev
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel Iliev @ 2006-08-24  1:36 UTC (permalink / raw
  To: gentoo-user

gentuxx wrote:
> Actually, some of those ports are UDP.  /etc/services says the same for
> both TCP and UDP.  So if -p is required for --dport, you would have to
> add rules for UDP as well.
>
> iptables -A FORWARD -d *target-PC* -p udp --dport 137:139 -j DROP
> iptables -A INPUT -p udp --dport 137:139 -j DROP
>

gentuxx, I'm not 100% sure about this, but I think MS NetBIOS doesn't
use UDP (only TCP). However, theoretically you are absolutely right.

--
Best Regards,
Daniel


