public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
@ 2007-02-22 16:45 Michael Sullivan
  2007-02-22 17:19 ` Raymond Lewis Rebbeck
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Michael Sullivan @ 2007-02-22 16:45 UTC (permalink / raw
  To: gentoo-user

I have logsentry installed on my system which sends me hourly reports
about possible hack attempts on my three boxes.  I use ipkungfu for my
firewall.  I've stuck with the default configuration for ipkungfu,
except for listing each of my machines in my LAN in the
accepted_hosts.conf file.  I also set ipkungfu to drop all offensive
packets (not sure if that's the default or not.)  Whenever I see someone
trying to break in in the logsentry reports, I add their IP to the
deny_hosts.conf file and restart ipkungfu so that the changes will take
effect.  I'm wondering why if these offending IPs in deny_hosts.conf are
being stopped at the firewall I'm still seeing them fail to authenticate
to my FTP and ssh servers?  Also, I've always heard that you shouldn't
have any ports open on your machine unless you have some server bound to
that port because hackers can get in through unbound open ports.  Is
this true?  If so, how does it work?  What do they connect to if
nothing's running on the port they're trying?  I know the concept of a
backdoor in a running program, but if no program is running on said port
for them to connect to, how do they get in???
-Michael Sullivan-

-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 16:45 [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them Michael Sullivan
@ 2007-02-22 17:19 ` Raymond Lewis Rebbeck
  2007-02-22 18:46   ` Michael Sullivan
  2007-02-22 17:33 ` Alan McKinnon
  2007-02-23  8:38 ` Jakob
  2 siblings, 1 reply; 10+ messages in thread
From: Raymond Lewis Rebbeck @ 2007-02-22 17:19 UTC (permalink / raw
  To: gentoo-user

On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> I have logsentry installed on my system which sends me hourly reports
> about possible hack attempts on my three boxes.  I use ipkungfu for my
> firewall.  I've stuck with the default configuration for ipkungfu,
> except for listing each of my machines in my LAN in the
> accepted_hosts.conf file.  I also set ipkungfu to drop all offensive
> packets (not sure if that's the default or not.)  Whenever I see someone
> trying to break in in the logsentry reports, I add their IP to the
> deny_hosts.conf file and restart ipkungfu so that the changes will take
> effect.  I'm wondering why if these offending IPs in deny_hosts.conf are
> being stopped at the firewall I'm still seeing them fail to authenticate
> to my FTP and ssh servers?

If you think you've set up your firewall to block these IPs and yet they are 
still able to access your machines, then it sounds like your firewall is 
misconfigured and isn't blocking the IPs.

> Also, I've always heard that you shouldn't 
> have any ports open on your machine unless you have some server bound to
> that port because hackers can get in through unbound open ports.  Is
> this true? 

I've never heard of this. All ports that you don't want accessible from the 
internet should be completely blocked by your firewall if you have it 
correctly configured.

> If so, how does it work?  What do they connect to if 
> nothing's running on the port they're trying?  I know the concept of a
> backdoor in a running program, but if no program is running on said port
> for them to connect to, how do they get in???

They connect to nothing, they shouldn't be able to establish a connection.

> -Michael Sullivan-



-- 
Raymond Lewis Rebbeck




* Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 16:45 [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them Michael Sullivan
  2007-02-22 17:19 ` Raymond Lewis Rebbeck
@ 2007-02-22 17:33 ` Alan McKinnon
  2007-02-22 17:56   ` Nelson, David (ED, PAR&D)
  2007-02-22 18:02   ` Dan Cowsill
  2007-02-23  8:38 ` Jakob
  2 siblings, 2 replies; 10+ messages in thread
From: Alan McKinnon @ 2007-02-22 17:33 UTC (permalink / raw
  To: gentoo-user

On Thursday 22 February 2007, Michael Sullivan wrote:

>  Also, I've always heard that you shouldn't
> have any ports open on your machine unless you have some server bound
> to that port because hackers can get in through unbound open ports.
>  Is this true?  If so, how does it work?

That sounds like something out of Hollywood, perhaps that atrocious movie 
called Hackers with Angelina Jolie in it.....

I fail to see how, in this universe, you can open a port and not have 
something listen on it. Let's face it: a process, or the kernel itself, 
asks to be informed about packets arriving for port X. What is port X? 
It's a number in the TCP/UDP packet so the receiving kernel knows which 
process to send the data to. If that process is not listening, the 
packets go ... nowhere. They don't have magic Gandalfs inside them that 
suddenly sprout up and do l33t h4x0r sh1t to your machine.

Maybe there's some default behaviour the kernel applies to packets that 
are sent to hung/sleeping/absent processes. Maybe that default 
behaviour is such that there's a buffer overflow waiting to be 
exploited. Maybe... I think I wanna see the code and not some bullshit 
posted on an arb blog somewhere.

You should be much more worried about vulnerabilities in known software 
that you don't really use that are running by default.

By far the most common attack vector is weak user names and passwords 
accessed via ssh. Solution is a sensible password policy, or allow ssh 
access only via keys.

Then there's php, but I don't think you want to get me started on 
that...

alan

-- 
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five




* RE: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 17:33 ` Alan McKinnon
@ 2007-02-22 17:56   ` Nelson, David (ED, PAR&D)
  2007-02-22 18:02   ` Dan Cowsill
  1 sibling, 0 replies; 10+ messages in thread
From: Nelson, David (ED, PAR&D) @ 2007-02-22 17:56 UTC (permalink / raw
  To: gentoo-user

> -----Original Message-----
> From: Alan McKinnon [mailto:alan@linuxholdings.co.za]
> Sent: 22 February 2007 17:33
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] OT - Some miscellanous questions about hack
> attacks and dealing with them
> 
> By far the most common attack vector is weak user names and passwords 
> accessed via ssh. Solution is a sensible password policy, or 
> allow ssh 
> access only via keys.
> 

I agree. Until I have the time and effort to set up key-based authentication I have disabled root logon via SSH and set all users' passwords to 10 to 15 random character passwords.

Check /var/log/secure.log on any webserver. On both of mine I see lots (and I mean thousands) of attacks where people try common user names and weak passwords (apache, awstats, mysql, admin, etc and common forenames... )

Running SSH on a port other than 22 is possible and potentially more secure.

--
djn

I do not represent anyone else in emails I send to this list.



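An added example, not code from David or from the list, that does the tally his post describes: it reads sshd "Failed password" lines and counts them per source address and per user name tried, so thousands of guesses collapse into a short summary. The log lines, host names, addresses and the threshold of 3 are constructed for this example.

```python
"""Summarise failed sshd password attempts from an auth log (the
/var/log/secure.log noise described above) by source and by user name."""
import re
from collections import Counter

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)

# Constructed sample lines in the usual sshd syslog format; addresses
# come from the documentation ranges and the names are made up.
SAMPLE_LOG = """\
Feb 22 17:01:02 web1 sshd[4211]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Feb 22 17:01:05 web1 sshd[4213]: Failed password for invalid user apache from 203.0.113.9 port 40130 ssh2
Feb 22 17:01:09 web1 sshd[4215]: Failed password for invalid user mysql from 203.0.113.9 port 40141 ssh2
Feb 22 17:01:12 web1 sshd[4218]: Failed password for root from 203.0.113.9 port 40150 ssh2
Feb 22 17:05:40 web1 sshd[4260]: Failed password for invalid user awstats from 198.51.100.23 port 51002 ssh2
Feb 22 17:06:00 web1 sshd[4262]: Accepted publickey for djn from 192.0.2.7 port 50211 ssh2
Feb 22 17:06:15 web1 sshd[4270]: Failed password for djn from 192.0.2.7 port 50230 ssh2
"""


def failed_attempts(lines):
    """Yield (user, ip, invalid_user) for every failed password line;
    invalid_user is True when sshd says the account does not exist."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def summarise(log_text, threshold=3):
    """Count failures per source and per user name, flag sources with at
    least `threshold` failures as guessing runs, and collect the names
    tried that do not exist on this host (the assumed threshold is 3)."""
    by_ip, by_user, invalid = Counter(), Counter(), set()
    for user, ip, is_invalid in failed_attempts(log_text.splitlines()):
        by_ip[ip] += 1
        by_user[user] += 1
        if is_invalid:
            invalid.add(user)
    noisy = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {"by_ip": by_ip, "by_user": by_user,
            "invalid_users": invalid, "noisy_sources": noisy}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip in s["noisy_sources"]:
        print(f"{ip}: {s['by_ip'][ip]} failed password attempts")
    print("names tried that do not exist here:", sorted(s["invalid_users"]))
```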

* Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 17:33 ` Alan McKinnon
  2007-02-22 17:56   ` Nelson, David (ED, PAR&D)
@ 2007-02-22 18:02   ` Dan Cowsill
  2007-02-22 22:35     ` kashani
  2007-02-23  7:17     ` Alan McKinnon
  1 sibling, 2 replies; 10+ messages in thread
From: Dan Cowsill @ 2007-02-22 18:02 UTC (permalink / raw
  To: gentoo-user

Actually, I'd be pretty interested in what you have to rant about PHP.
I run apache with php_mod installed and have the http port open.  Is
there a security risk I should be aware of?

Thanks

On 2/22/07, Alan McKinnon <alan@linuxholdings.co.za> wrote:
> On Thursday 22 February 2007, Michael Sullivan wrote:
>
> > Also, I've always heard that you shouldn't
> > have any ports open on your machine unless you have some server bound
> > to that port because hackers can get in through unbound open ports.
> > Is this true? If so, how does it work?
>
> That sounds like something out of Hollywood, perhaps that atrocious movie
> called Hackers with Angelina Jolie in it.....
>
> I fail to see how, in this universe, you can open a port and not have
> something listen on it. Let's face it: a process, or the kernel itself,
> asks to be informed about packets arriving for port X. What is port X?
> It's a number in the TCP/UDP packet so the receiving kernel knows which
> process to send the data to. If that process is not listening, the
> packets go ... nowhere. They don't have magic Gandalfs inside them that
> suddenly sprout up and do l33t h4x0r sh1t to your machine.
>
> Maybe there's some default behaviour the kernel applies to packets that
> are sent to hung/sleeping/absent processes. Maybe that default
> behaviour is such that there's a buffer overflow waiting to be
> exploited. Maybe... I think I wanna see the code and not some bullshit
> posted on an arb blog somewhere.
>
> You should be much more worried about vulnerabilities  in known software
> that you don't really use that are running by default.
>
> By far the most common attack vector is weak user names and passwords
> accessed via ssh. Solution is a sensible password policy, or allow ssh
> access only via keys.
>
> Then there's php, but I don't think you want to get me started on
> that...
>
> alan
>
> --
> Optimists say the glass is half full,
> Pessimists say the glass is half empty,
> Developers say wtf is the glass twice as big as it needs to be?
>
> Alan McKinnon
> alan at linuxholdings dot co dot za
> +27 82, double three seven, one nine three five


-- 
-·=»Ðŧħ«=·-


* Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 17:19 ` Raymond Lewis Rebbeck
@ 2007-02-22 18:46   ` Michael Sullivan
  0 siblings, 0 replies; 10+ messages in thread
From: Michael Sullivan @ 2007-02-22 18:46 UTC (permalink / raw
  To: gentoo-user

On Fri, 2007-02-23 at 03:49 +1030, Raymond Lewis Rebbeck wrote:
> On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> > I have logsentry installed on my system which sends me hourly reports
> > about possible hack attempts on my three boxes.  I use ipkungfu for my
> > firewall.  I've stuck with the default configuration for ipkungfu,
> > except for listing each of my machines in my LAN in the
> > accepted_hosts.conf file.  I also set ipkungfu to drop all offensive
> > packets (not sure if that's the default or not.)  Whenever I see someone
> > trying to break in in the logsentry reports, I add their IP to the
> > deny_hosts.conf file and restart ipkungfu so that the changes will take
> > effect.  I'm wondering why if these offending IPs in deny_hosts.conf are
> > being stopped at the firewall I'm still seeing them fail to authenticate
> > to my FTP and ssh servers?
> 
> If you think you've setup your firewall to block these IPs and yet they are 
> still able to access your machines, then it sounds like your firewall is 
> misconfigured and isn't blocking the IPs.
> 
> > Also, I've always heard that you shouldn't 
> > have any ports open on your machine unless you have some server bound to
> > that port because hackers can get in through unbound open ports.  Is
> > this true? 
> 
> I've never heard of this. All ports that you don't want accessible from the 
> internet should be completely blocked by your firewall if you have it 
> correctly configured.
> 
> > If so, how does it work?  What do they connect to if 
> > nothing's running on the port they're trying?  I know the concept of a
> > backdoor in a running program, but if no program is running on said port
> > for them to connect to, how do they get in???
> 
> They connect to nothing, they shouldn't be able to establish a connection.
> 
> > -Michael Sullivan-
> 
> 
> 
> -- 
> Raymond Lewis Rebbeck

This is my /etc/ipkungfu/ipkungfu.conf file on
catherine.espersunited.com .  The comments have been removed for
conciseness:

EXT_NET="eth0"
LOCAL_NET="127.0.0.1"
ALLOWED_TCP_IN="21 22 25 80"
ALLOWED_UDP_IN=""
SUSPECT="DROP"
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
GET_IP="AUTO"
DONT_DROP_IDENTD=1
WAIT_SECONDS=5

Is this not a correct configuration?  Here is the output of ipkungfu -l:

catherine ipkungfu # ipkungfu -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination         
 7098 2517K ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED 
    0     0 LOG        all  --  lo     any     0.0.0.1
anywhere            LOG level warning prefix `IPKF IPKungFu (--init)' 
    0     0 DROP       all  --  eth0   any     124.1.149.222
anywhere            
    0     0 DROP       all  --  eth0   any
205.158.114.117.ptr.us.xo.net  anywhere            
    0     0 DROP       all  --  eth0   any     222.90.206.62
anywhere            
    0     0 DROP       all  --  eth0   any     61.178.185.124
anywhere            
    0     0 DROP       all  --  eth0   any     65.98.76.197
anywhere            
    0     0 DROP       all  --  eth0   any     211.234.99.230
anywhere            
    0     0 DROP       all  --  eth0   any     sd-2613.dedibox.fr
anywhere            
    0     0 DROP       all  --  eth0   any     222.135.146.45
anywhere            
    0     0 DROP       all  --  eth0   any     210.75.200.104
anywhere            
    0     0 DROP       all  --  eth0   any     210.83.48.238
anywhere            
    0     0 DROP       all  --  eth0   any     69.149.231.150
anywhere            
    0     0 DROP       all  --  eth0   any     61.243.90.149
anywhere            
    0     0 DROP       all  --  eth0   any     222.62.149.99
anywhere            
    0     0 DROP       all  --  eth0   any
72.237.88.202.asianet.co.in  anywhere            
    0     0 DROP       all  --  eth0   any     211.61.207.31
anywhere            
    0     0 DROP       all  --  eth0   any     212.14.53.4
anywhere            
    0     0 DROP       all  --  eth0   any
61-222-84-195.HINET-IP.hinet.net  anywhere            
    0     0 DROP       all  --  eth0   any     smtp.tvitatiba.com.br
anywhere            
    0     0 DROP       all  --  eth0   any     91.25.73.211-savecom
anywhere            
    0     0 DROP       all  --  eth0   any
host150197.metrored.net.mx  anywhere            
    0     0 DROP       all  --  eth0   any
d5152C2AF.access.telenet.be  anywhere            
    0     0 DROP       all  --  eth0   any     218.50.2.99
anywhere            
    0     0 DROP       all  --  eth0   any     210.97.242.17
anywhere            
    0     0 DROP       all  --  eth0   any     sd-156.dedibox.fr
anywhere            
    0     0 DROP       all  --  eth0   any
lax-static-208.57.150.227.mpowercom.net  anywhere            
    0     0 DROP       all  --  eth0   any     61.145.175.51
anywhere            
    0     0 DROP       all  --  eth0   any
adsl-131.98.51.info.com.ph  anywhere            
    0     0 DROP       all  --  eth0   any     203.190.147.138
anywhere            
    0     0 DROP       all  --  eth0   any     slo-guest.not.iac.es
anywhere            
    0     0 DROP       all  --  eth0   any     219.94.134.39
anywhere            
    0     0 DROP       all  --  eth0   any
customer-201-147-235-248.uninet-ide.com.mx  anywhere            
    0     0 DROP       all  --  eth0   any     216.218.240.157
anywhere            
    0     0 DROP       all  --  eth0   any     202.113.3.104
anywhere            
    0     0 DROP       all  --  eth0   any     60.12.225.7
anywhere            
    0     0 DROP       all  --  eth0   any     61.142.175.65
anywhere            
    0     0 DROP       all  --  eth0   any     219.235.231.105
anywhere            
    0     0 DROP       all  --  eth0   any     219.148.237.109
anywhere            
    0     0 DROP       all  --  eth0   any
s15192846.onlinehome-server.info  anywhere            
    0     0 DROP       all  --  eth0   any     219.234.80.58
anywhere            
    0     0 DROP       all  --  eth0   any     61.167.117.140
anywhere            
    0     0 DROP       all  --  eth0   any     61.139.78.2
anywhere            
    0     0 DROP       all  --  eth0   any     219.232.59.181
anywhere            
    0     0 DROP       all  --  eth0   any     222.36.2.100
anywhere            
    0     0 DROP       all  --  eth0   any     218.5.4.236
anywhere            
    0     0 DROP       all  --  eth0   any
static-81-219-251-66.devs.futuro.pl  anywhere            
    0     0 DROP       all  --  eth0   any     222.216.204.101
anywhere            
    0     0 DROP       all  --  eth0   any     203.71.2.73
anywhere            
    0     0 DROP       all  --  eth0   any     125.251.149.66
anywhere            
    0     0 DROP       all  --  eth0   any
61-218-62-150.HINET-IP.hinet.net  anywhere            
    0     0 DROP       all  --  eth0   any     196.46.235.118
anywhere            
    0     0 DROP       all  --  eth0   any
static-71-166-159-154.washdc.east.verizon.net  anywhere            
    0     0 DROP       all  --  eth0   any     222.122.20.110
anywhere            
    0     0 DROP       all  --  eth0   any
200-91-244-86-host.ifx.net.co  anywhere            
    0     0 DROP       all  --  eth0   any     219.235.231.103
anywhere            
    0     0 DROP       all  --  eth0   any     host54.77.cable1.evro.net
anywhere            
    0     0 DROP       all  --  eth0   any     203.149.62.140
anywhere            
    0     0 DROP       all  --  eth0   any     jerkface.org
anywhere            
    0     0 DROP       all  --  eth0   any
mailscanner.net-rosas.com.br  anywhere            
    0     0 DROP       all  --  eth0   any     tm.net.my
anywhere            
    0     0 DROP       all  --  eth0   any     mail.iab.com.ar
anywhere            
    0     0 DROP       all  --  eth0   any     202.122.16.35
anywhere            
    0     0 DROP       all  --  eth0   any     218.78.209.253
anywhere            
    0     0 DROP       all  --  eth0   any
59-106-20-54.r-bl100.sakura.ne.jp  anywhere            
    0     0 DROP       all  --  eth0   any
gcg62.internetdsl.tpnet.pl  anywhere            
    0     0 DROP       all  --  eth0   any     se.ramm.net
anywhere            
    0     0 DROP       all  --  eth0   any     210.94.6.89
anywhere            
    0     0 DROP       all  --  eth0   any     203.127.35.166
anywhere            
    0     0 DROP       all  --  eth0   any
59-106-20-94.r-bl100.sakura.ne.jp  anywhere            
    0     0 DROP       all  --  eth0   any     124.1.35.2
anywhere            
    0     0 DROP       all  --  eth0   any     196.12.53.52
anywhere            
    0     0 DROP       all  --  eth0   any     64.27.28.229
anywhere            
    0     0 DROP       all  --  eth0   any     125.243.145.2
anywhere            
    0     0 DROP       all  --  eth0   any
53.subnet216.astinet.telkom.net.id  anywhere            
    0     0 DROP       all  --  eth0   any     65.205.238.12
anywhere            
    0     0 DROP       all  --  eth0   any     221.136.78.17
anywhere            
    0     0 DROP       all  --  eth0   any     85.132.13.186
anywhere            
    0     0 DROP       all  --  eth0   any     p87-237.cmet.net
anywhere            
    0     0 DROP       all  --  eth0   any     p87-237.cmet.net
anywhere            
    0     0 DROP       all  --  eth0   any     61.129.41.20
anywhere            
    0     0 DROP       all  --  eth0   any
host-87-74-30-140.bulldogdsl.com  anywhere            
    0     0 DROP       all  --  eth0   any     212.144.240.140
anywhere            
    0     0 DROP       all  --  eth0   any     159.226.234.16
anywhere            
    0     0 DROP       all  --  eth0   any     222.138.97.20
anywhere            
    0     0 DROP       all  --  eth0   any     61.152.169.150
anywhere            
    0     0 DROP       all  --  eth0   any
dsl51B7DB9D.fixip.t-online.hu  anywhere            
    0     0 DROP       all  --  eth0   any     80-239-2-89.tjgroup.no
anywhere            
    0     0 DROP       all  --  eth0   any
host64-231-149-62.serverdedicati.aruba.it  anywhere            
    0     0 DROP       all  --  eth0   any
62-148-177-206-hosted-by.denit.net  anywhere            
    0     0 DROP       all  --  eth0   any     211.176.61.119
anywhere            
    0     0 DROP       all  --  eth0   any     61.136.143.176
anywhere            
    0     0 DROP       all  --  eth0   any     216.17.96.152
anywhere            
    0     0 DROP       all  --  eth0   any     61.125.24.84
anywhere            
    0     0 DROP       all  --  eth0   any     125.248.148.10
anywhere            
    0     0 DROP       all  --  eth0   any     oa
anywhere            
    0     0 DROP       all  --  eth0   any     125.246.65.136
anywhere            
    0     0 DROP       all  --  eth0   any     202.79.208.131
anywhere            
    0     0 DROP       all  --  eth0   any     124.128.157.98
anywhere            
    0     0 DROP       all  --  eth0   any     main.popligroup.com
anywhere            
    0     0 DROP       all  --  eth0   any     125.152.17.236
anywhere            
    0     0 DROP       all  --  eth0   any     mail.triple-eagle.com
anywhere            
    0     0 DROP       all  --  eth0   any     211.99.140.229
anywhere            
    0     0 DROP       all  --  eth0   any
216.31.131.61.broad.dynamic.pt.fj.cndata.com  anywhere            
    0     0 DROP       all  --  eth0   any     125.244.116.130
anywhere            
    5   302 ACCEPT     all  --  any    any     bullet.espersunited.com
anywhere            
    2   248 ACCEPT     all  --  any    any     camille.espersunited.com
anywhere            
    0     0 DROP       all  --  any    any     anywhere
anywhere            recent: CHECK seconds: 120 name: badguy side:
source 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec
burst 5 LOG level warning prefix `IPKF flags ALL: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF flags NONE: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit:
avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS):
' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,FIN: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,RST: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): ' 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    1    92 ACCEPT     icmp --  any    any     anywhere
anywhere            icmp echo-request 
   10   400 LOG        all  --  any    any     anywhere
anywhere            state INVALID limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF Invalid TCP flag: ' 
   10   400 DROP       all  --  any    any     anywhere
anywhere            state INVALID 
    0     0 LOG        all  -f  eth0   any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF Fragmented Packet: ' 
    0     0 DROP       all  -f  eth0   any     anywhere
anywhere            
    0     0 LOG        icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG
level warning prefix `IPKF ICMP Timestamp: ' 
    0     0 DROP       icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request 
    4   192 syn-flood  tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg
3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: ' 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            multiport dports netbios-ns,6666 
    1   404 DROP       udp  --  eth0   any     anywhere
anywhere            multiport dports ms-sql-m 
    2    96 ACCEPT     tcp  --  eth0   any     anywhere
anywhere            state NEW multiport dports ftp,ssh,smtp,http 
   37  3156 ACCEPT     all  --  lo     any     anywhere
anywhere            state NEW 
    0     0 ACCEPT     all  --  lo     any     localhost.localdomain
anywhere            state NEW 
    0     0 REJECT     tcp  --  any    any     anywhere
anywhere            tcp dpt:auth reject-with tcp-reset 
   36 11218 LOG       !icmp --  any    any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF INPUT Catch-all: ' 
   36 11218 DROP       all  --  any    any     anywhere
anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  eth0   any     bullet.espersunited.com
anywhere            
    0     0 ACCEPT     all  --  eth0   any     camille.espersunited.com
anywhere            
    0     0 DROP       all  --  eth0   any     anywhere
anywhere            recent: CHECK seconds: 120 name: badguy side:
source 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec
burst 5 LOG level warning prefix `IPKF flags ALL: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF flags NONE: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit:
avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,FIN: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5
LOG level warning prefix `IPKF flags SYN,RST: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: ' 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg
3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): ' 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN/FIN,SYN 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:SYN,RST/SYN,RST 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN 
    0     0 LOG        all  --  eth0   any     anywhere
anywhere            state INVALID limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF Invalid TCP flag: ' 
    0     0 DROP       all  --  eth0   any     anywhere
anywhere            state INVALID 
    0     0 LOG        all  -f  eth0   any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF Fragmented Packet: ' 
    0     0 DROP       all  -f  eth0   any     anywhere
anywhere            
    0     0 LOG        icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG
level warning prefix `IPKF ICMP Timestamp: ' 
    0     0 DROP       icmp --  eth0   any     anywhere
anywhere            icmp timestamp-request 
    0     0 syn-flood  tcp  --  eth0   any     anywhere
anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
    0     0 LOG        tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg
3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: ' 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW 
    0     0 DROP       tcp  --  eth0   any     anywhere
anywhere            multiport dports netbios-ns,6666 
    0     0 DROP       udp  --  eth0   any     anywhere
anywhere            multiport dports ms-sql-m 
    0     0 REJECT     tcp  --  eth0   any     anywhere
anywhere            tcp dpt:auth reject-with tcp-reset 

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source
destination         
 6646 1321K ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED 
  513 31858 ACCEPT     all  --  any    any     anywhere
anywhere            state NEW 

Chain syn-flood (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    4   192 RETURN     all  --  any    any     anywhere
anywhere            limit: avg 10/sec burst 24 
    0     0 LOG        all  --  any    any     anywhere
anywhere            limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF SYN flood: ' 
    0     0 DROP       all  --  any    any     anywhere
anywhere            


I don't understand a lot of this, but those IP addresses are from
my /etc/ipkungfu/deny_hosts.conf file.  Is this not actually blocking
them?  I almost always read about connections from (a) recently-blocked
IP address(es) for a few hours after I block them in the hourly
logsentry reports...

-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 10+ messages in thread
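One way to answer the question asked above ("is this not actually blocking them?") is to read the `pkts` counter on each DROP rule: a deny rule that has really matched the host shows a non-zero count, while a rule whose counter stays at 0 has never seen a packet. The following is an added example, not code from the thread or from ipkungfu. It parses the `iptables -L -v -n` listing format shown in the post (with `-n`, addresses print numerically instead of as `anywhere`), collects the per-rule counters, and reports the status of a denied host. The sample listing is constructed for the example; the 198.51.100.x and 203.0.113.x addresses are documentation ranges, not real offenders.

```python
"""Summarise per-rule packet counters from `iptables -L -v -n` output.

Added example (not part of the original thread). A DROP rule for a denied
host that keeps a pkts count of 0 has never matched; if the host still
shows up in the service logs, its traffic is being accepted by an earlier
rule or arriving on an interface the rule does not cover. Note that
counters are reset whenever the ruleset is flushed and rebuilt, which a
firewall restart does, so look at them after the next reported attempt.
"""
import re
from dataclasses import dataclass

# Constructed sample listing in `iptables -L -v -n` layout (not real data).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6646 1321K ACCEPT     all  --  any    any     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  eth0   any     198.51.100.7         0.0.0.0/0
   42  2520 DROP       all  --  eth0   any     203.0.113.9          0.0.0.0/0
    0     0 DROP       tcp  --  eth0   any     0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 state NEW

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
  513 31858 ACCEPT     all  --  any    any     0.0.0.0/0            0.0.0.0/0            state NEW
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
COUNT_RE = re.compile(r"^\d+[KMG]?$")          # iptables abbreviates large counters
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


@dataclass
class Rule:
    chain: str
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    source: str
    dest: str
    extra: str


def _count(token: str) -> int:
    """Turn a counter like '1321K' into an integer."""
    if token[-1] in SUFFIX:
        return int(token[:-1]) * SUFFIX[token[-1]]
    return int(token)


def parse_rules(listing: str) -> list[Rule]:
    """Parse every rule line of an `iptables -L -v -n` listing."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        parts = line.split(None, 9)
        # Skip blank lines and the column-header line ("pkts bytes target ...").
        if chain is None or len(parts) < 9 or not COUNT_RE.match(parts[0]):
            continue
        pkts, byts, target, proto, _opt, in_if, _out_if, src, dst = parts[:9]
        extra = parts[9].strip() if len(parts) > 9 else ""
        rules.append(Rule(chain, _count(pkts), _count(byts), target,
                          proto, in_if, src, dst, extra))
    return rules


def deny_rule_status(rules: list[Rule], host: str) -> str:
    """'hit' if a DROP rule for host has matched, 'never matched' if its
    counter is still 0, 'no rule' if no DROP rule names that host."""
    matching = [r for r in rules if r.target == "DROP" and r.source == host]
    if not matching:
        return "no rule"
    return "hit" if any(r.pkts > 0 for r in matching) else "never matched"


def unmatched_deny_rules(rules: list[Rule]) -> list[Rule]:
    """All DROP/REJECT rules that have not matched a single packet."""
    return [r for r in rules if r.target in ("DROP", "REJECT") and r.pkts == 0]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for host in ("198.51.100.7", "203.0.113.9"):
        print(f"{host}: {deny_rule_status(parsed, host)}")
    for r in unmatched_deny_rules(parsed):
        print(f"never matched: {r.chain} {r.target} {r.proto} {r.source} {r.extra}")
```

Feed it the real listing with `iptables -L -v -n | python3 this_script.py` after replacing `SAMPLE` with `sys.stdin.read()`; a host that appears in the hourly reports yet reads "never matched" here is getting past the deny rule, and the rule order in the INPUT chain is where to look next.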

* Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 18:02   ` Dan Cowsill
@ 2007-02-22 22:35     ` kashani
  2007-02-23  7:17     ` Alan McKinnon
  1 sibling, 0 replies; 10+ messages in thread
From: kashani @ 2007-02-22 22:35 UTC (permalink / raw
  To: gentoo-user

Dan Cowsill wrote:
> Actually, I'd be pretty interested in what you have to rant about PHP.
> I run apache with php_mod installed and have the http port open.  Is
> there a security risk I should be aware of?
> 

It really depends on how badly the PHP application you're running has 
been written. Assuming you're keeping up to date on PHP and your webapps 
and have funky applications .htaccess'ed off, you're reasonably safe.

However I'd highly recommend adding hardenedphp to your php USE flags as 
it stops a number of things. I've never had a problem with the hardened 
patch over the past year or so and frankly would not use any application 
that it broke.

Another simple trick is to have an empty vhost as your primary and your 
real applications' sites only accessible by name. This way, when little 
script kiddies scanning by IP or hostname hit Apache, they are dumped to 
the first loaded vhost, your empty one, instead of your actual site. Then 
they come up with nothing when they hit 
/var/www/localhost/htdocs/wordpress/ instead of the actual site tree. 
Doesn't stop a determined person, but has the added benefit of keeping 
x20x20x20x20 type crap out of your real logs. :-)

kashani
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 18:02   ` Dan Cowsill
  2007-02-22 22:35     ` kashani
@ 2007-02-23  7:17     ` Alan McKinnon
  2007-02-23 10:08       ` Nelson, David (ED, PAR&D)
  1 sibling, 1 reply; 10+ messages in thread
From: Alan McKinnon @ 2007-02-23  7:17 UTC (permalink / raw
  To: gentoo-user

On Thursday 22 February 2007, Dan Cowsill wrote:
> Actually, I'd be pretty interested in what you have to rant about
> PHP. I run apache with php_mod installed and have the http port open.
>  Is there a security risk I should be aware of?

The problem is not so much with php itself - that's just a language. If 
the language were at fault, we'd have to chuck C because of all the 
exploits that are possible when you code in it.

The problem is that php enables every kid and his dog to put an 
interactive site up on the net. So, every kid and his dog does. All the 
while making coding mistakes that open holes. Forum software seems 
especially prone.

Apache and php_mod themselves are as safe as is reasonable, at least I 
haven't seen many weaknesses reported on those two packages. To know if 
you should be taking extra security precautions, watch for security 
advisories about the php apps you have running.

alan

-- 
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
--
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-22 16:45 [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them Michael Sullivan
  2007-02-22 17:19 ` Raymond Lewis Rebbeck
  2007-02-22 17:33 ` Alan McKinnon
@ 2007-02-23  8:38 ` Jakob
  2 siblings, 0 replies; 10+ messages in thread
From: Jakob @ 2007-02-23  8:38 UTC (permalink / raw
  To: gentoo-user

> Whenever I see someone
> trying the break in in the logsentry reports, I add their IP to the
> deny_hosts.conf file and restart ipkungfu so that the changes will take
> effect.

maybe you want to have a look at sshdfilter
http://www.csc.liv.ac.uk/~greg/sshdfilter/

jakob
-- 
gentoo-user@gentoo.org mailing list




* RE: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them
  2007-02-23  7:17     ` Alan McKinnon
@ 2007-02-23 10:08       ` Nelson, David (ED, PAR&D)
  0 siblings, 0 replies; 10+ messages in thread
From: Nelson, David (ED, PAR&D) @ 2007-02-23 10:08 UTC (permalink / raw
  To: gentoo-user


> -----Original Message-----
> From: Alan McKinnon [mailto:alan@linuxholdings.co.za]
> Sent: 23 February 2007 07:17
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] OT - Some miscellanous questions about hack
> attacks and dealing with them
> 
> 
> The problem is that php enables every kid and his dog to put an 
> interactive site up on the net. So, every kid and his dog 
> does. All the 
> while making coding mistakes that open holes. Forum software seems 
> especially prone.
> 
> Apache and php_mod themselves are as safe as is reasonable, 
> at least I 
> haven't seen many weaknesses reported on those two packages. 
> To know if 
> you should be taking extra security precautions, watch for security 
> advisories about the php apps you have running
> 

Forgive my ignorance if I'm incorrect - but I was told at one point by a friend who runs a few servers and sites that if an app won't run in PHP Safe Mode then he won't run it at all.
http://us2.php.net/features.safe-mode

I'm not a PHP expert by any means so I can't definitively say "use safe mode" but if people are looking to lock down a server it may be worth a peek.


OT: Also, my name is "David Nelson" not "Nelson David". Don't blame me - it's a work email account and they have our names Surname, Forename all over the place. :P I've just seen people refer to me as "Nelson" sometimes ... ;-)

--
djn

I do not represent anyone else in emails I send to this list.


2007-02-22 16:45 [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them Michael Sullivan
2007-02-22 17:19 ` Raymond Lewis Rebbeck
2007-02-22 18:46   ` Michael Sullivan
2007-02-22 17:33 ` Alan McKinnon
2007-02-22 17:56   ` Nelson, David (ED, PAR&D)
2007-02-22 18:02   ` Dan Cowsill
2007-02-22 22:35     ` kashani
2007-02-23  7:17     ` Alan McKinnon
2007-02-23 10:08       ` Nelson, David (ED, PAR&D)
2007-02-23  8:38 ` Jakob