[gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Michael Sullivan @ 2007-02-22 16:45 UTC
To: gentoo-user
I have logsentry installed on my system which sends me hourly reports
about possible hack attempts on my three boxes. I use ipkungfu for my
firewall. I've stuck with the default configuration for ipkungfu,
except for listing each of my machines in my LAN in the
accepted_hosts.conf file. I also set ipkungfu to drop all offensive
packets (not sure if that's the default or not.) Whenever I see someone
trying to break in in the logsentry reports, I add their IP to the
deny_hosts.conf file and restart ipkungfu so that the changes will take
effect. I'm wondering why if these offending IPs in deny_hosts.conf are
being stopped at the firewall I'm still seeing them fail to authenticate
to my FTP and ssh servers? Also, I've always heard that you shouldn't
have any ports open on your machine unless you have some server bound to
that port because hackers can get in through unbound open ports. Is
this true? If so, how does it work? What do they connect to if
nothing's running on the port they're trying? I know the concept of a
backdoor in a running program, but if no program is running on said port
for them to connect to, how do they get in???
-Michael Sullivan-
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Raymond Lewis Rebbeck @ 2007-02-22 17:19 UTC
To: gentoo-user
On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> I have logsentry installed on my system which sends me hourly reports
> about possible hack attempts on my three boxes. I use ipkungfu for my
> firewall. I've stuck with the default configuration for ipkungfu,
> except for listing each of my machines in my LAN in the
> accepted_hosts.conf file. I also set ipkungfu to drop all offensive
> packets (not sure if that's the default or not.) Whenever I see someone
> trying to break in in the logsentry reports, I add their IP to the
> deny_hosts.conf file and restart ipkungfu so that the changes will take
> effect. I'm wondering why if these offending IPs in deny_hosts.conf are
> being stopped at the firewall I'm still seeing them fail to authenticate
> to my FTP and ssh servers?
If you think you've set up your firewall to block these IPs and yet they are
still able to access your machines, then it sounds like your firewall is
misconfigured and isn't blocking the IPs.
> Also, I've always heard that you shouldn't
> have any ports open on your machine unless you have some server bound to
> that port because hackers can get in through unbound open ports. Is
> this true?
I've never heard of this. All ports that you don't want accessible from the
internet should be completely blocked by your firewall if you have it
correctly configured.
> If so, how does it work? What do they connect to if
> nothing's running on the port they're trying? I know the concept of a
> backdoor in a running program, but if no program is running on said port
> for them to connect to, how do they get in???
They connect to nothing, they shouldn't be able to establish a connection.
> -Michael Sullivan-
--
Raymond Lewis Rebbeck
Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Alan McKinnon @ 2007-02-22 17:33 UTC
To: gentoo-user
On Thursday 22 February 2007, Michael Sullivan wrote:
> Also, I've always heard that you shouldn't
> have any ports open on your machine unless you have some server bound
> to that port because hackers can get in through unbound open ports.
> Is this true? If so, how does it work?
That sounds like something out of Hollywood, perhaps that atrocious movie
called Hackers with Angelina Jolie in it.....
I fail to see how, in this universe, you can open a port and not have
something listen on it. Let's face it: a process, or the kernel itself,
asks to be informed about packets arriving for port X. What is port X?
It's a number in the TCP/UDP packet so the receiving kernel knows which
process to send the data to. If that process is not listening, the
packets go ... nowhere. They don't have magic Gandalfs inside them that
suddenly sprout up and do l33t h4x0r sh1t to your machine.
Maybe there's some default behaviour the kernel applies to packets that
are sent to hung/sleeping/absent processes. Maybe that default
behaviour is such that there's a buffer overflow waiting to be
exploited. Maybe... I think I wanna see the code and not some bullshit
posted on an arb blog somewhere.
You should be much more worried about vulnerabilities in known software
that you don't really use that are running by default.
By far the most common attack vector is weak user names and passwords
accessed via ssh. Solution is a sensible password policy, or allow ssh
access only via keys.
Then there's php, but I don't think you want to get me started on
that...
alan
--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
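What a client actually gets from a port that nothing is bound to, as an added example that is not from the original thread: the kernel answers the SYN with a RST and connect() fails with ECONNREFUSED, so there is no process on the far end for an attacker to talk to. The script binds a listener on a loopback port the kernel picks, probes it, closes it and probes the same port again. The third outcome, 'filtered', is what a firewall DROP produces (the connect simply times out) and is what separates a port that is filtered from one that is merely closed; nothing here is assumed beyond a working loopback interface.

```python
"""What a client gets from a port with nothing bound to it. Added example,
not from the thread. With no listener, the kernel answers the SYN with a RST
and connect() fails with ECONNREFUSED: there is no process on the far end to
talk to, let alone exploit. A firewall DROP gives a third result, a timeout."""
from __future__ import annotations

import socket


def probe(port: int, host: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """TCP connect scan of one port: 'open' (a listener completed the handshake),
    'refused' (RST came back: nothing bound), or 'filtered' (no answer: DROPped)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def demo() -> tuple[str, str]:
    """Bind a listener on a kernel-chosen loopback port, probe it, close it,
    then probe the same port again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe(port)       # handshake completes even though we never accept()
    srv.close()                         # now no socket is bound to `port`
    after_close = probe(port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())   # ('open', 'refused')
```

Run it against a host behind a DROP rule and the second probe reports 'filtered' instead of 'refused'; that is the only difference between a closed port and a firewalled one from the outside, and neither gives an attacker anything to exploit.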
RE: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Nelson, David (ED, PAR&D) @ 2007-02-22 17:56 UTC
To: gentoo-user
> -----Original Message-----
> From: Alan McKinnon [mailto:alan@linuxholdings.co.za]
> Sent: 22 February 2007 17:33
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] OT - Some miscellanous questions about hack
> attacks and dealing with them
>
> By far the most common attack vector is weak user names and passwords
> accessed via ssh. Solution is a sensible password policy, or
> allow ssh
> access only via keys.
>
I agree. Until I have the time and effort to set up key based authentication I have disabled root logon via SSH and set all users' passwords to 10- to 15-character random passwords.
Check /var/log/secure.log on any webserver. On both of mine I see lots (and I mean thousands) of attacks where people try common user names and weak passwords (apache, awstats, mysql, admin, etc. and common forenames...)
Running SSH on a port other than 22 is possible and potentially more secure.
--
djn
I do not represent anyone else in emails I send to this list.
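An added check, not from the thread, for the sshd settings David mentions (root login, password authentication, the listening port). It parses an sshd_config text the way sshd does in two respects that trip up a quick grep: the first value seen for a keyword wins, later duplicates are ignored, and anything under a Match block applies only to sessions matching that block, not globally. WEAK_CONFIG and HARDENED_CONFIG are constructed samples, not anyone's real configuration. Moving the port mainly cuts scanner noise and is reported as such rather than as a security control.

```python
"""Audit the global section of an sshd_config for the settings discussed above.
Added example, not from the thread. Two sshd parsing rules matter here: the
first value seen for a keyword wins, and keywords under a `Match` block apply
only to sessions that match, so neither should be read as the global setting."""
from __future__ import annotations

import re

# Constructed samples. Comments are kept on their own lines.
WEAK_CONFIG = """\
# default-ish: root and passwords allowed everywhere
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# first value wins, so sshd ignores this later line
PermitRootLogin yes
"""


def global_settings(config: str) -> dict[str, str]:
    """Return keyword -> first value for the global section (everything before a Match)."""
    settings: dict[str, str] = {}
    in_match = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # every directive from here on is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first value wins
    return settings


# keyword -> (value we want globally, why anything else is a finding)
WANT = {
    "permitrootlogin": ("no", "root can log in over ssh"),
    "passwordauthentication": ("no", "password logins are allowed, so guessing works"),
}


def audit(config: str) -> list[str]:
    g = global_settings(config)
    findings: list[str] = []
    for key, (want, why) in WANT.items():
        got = g.get(key)
        if got is None:
            findings.append(f"{key} not set: sshd's compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key} {got}: {why}")
    if g.get("port", "22") == "22":
        findings.append("port 22: default port; moving it cuts scanner noise but is not a control")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

The `Match User backup` line in the weak sample turns password authentication off for one account only; a grep for `PasswordAuthentication no` would find it and conclude the host is safe, which is exactly the mistake the Match-aware parse avoids.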
Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Dan Cowsill @ 2007-02-22 18:02 UTC
To: gentoo-user
Actually, I'd be pretty interested in what you have to rant about PHP.
I run apache with php_mod installed and have the http port open. Is
there a security risk I should be aware of?
Thanks
On 2/22/07, Alan McKinnon <alan@linuxholdings.co.za> wrote:
> On Thursday 22 February 2007, Michael Sullivan wrote:
>
> > Also, I've always heard that you shouldn't
> > have any ports open on your machine unless you have some server bound
> > to that port because hackers can get in through unbound open ports.
> > Is this true? If so, how does it work?
>
> That sounds like something out of Hollywood, perhaps that atrocious movie
> called Hackers with Angelina Jolie in it.....
>
> I fail to see how, in this universe, you can open a port and not have
> something listen on it. Let's face it: a process, or the kernel itself,
> asks to be informed about packets arriving for port X. What is port X?
> It's a number in the TCP/UDP packet so the receiving kernel knows which
> process to send the data to. If that process is not listening, the
> packets go ... nowhere. They don't have magic Gandalfs inside them that
> suddenly sprout up and do l33t h4x0r sh1t to your machine.
>
> Maybe there's some default behaviour the kernel applies to packets that
> are sent to hung/sleeping/absent processes. Maybe that default
> behaviour is such that there's a buffer overflow waiting to be
> exploited. Maybe... I think I wanna see the code and not some bullshit
> posted on an arb blog somewhere.
>
> You should be much more worried about vulnerabilities in known software
> that you don't really use that are running by default.
>
> By far the most common attack vector is weak user names and passwords
> accessed via ssh. Solution is a sensible password policy, or allow ssh
> access only via keys.
>
> Then there's php, but I don't think you want to get me started on
> that...
>
> alan
--
-·=»Ðŧħ«=·-
Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Michael Sullivan @ 2007-02-22 18:46 UTC
To: gentoo-user
On Fri, 2007-02-23 at 03:49 +1030, Raymond Lewis Rebbeck wrote:
> On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> > I have logsentry installed on my system which sends me hourly reports
> > about possible hack attempts on my three boxes. I use ipkungfu for my
> > firewall. I've stuck with the default configuration for ipkungfu,
> > except for listing each of my machines in my LAN in the
> > accepted_hosts.conf file. I also set ipkungfu to drop all offensive
> > packets (not sure if that's the default or not.) Whenever I see someone
> > trying to break in in the logsentry reports, I add their IP to the
> > deny_hosts.conf file and restart ipkungfu so that the changes will take
> > effect. I'm wondering why if these offending IPs in deny_hosts.conf are
> > being stopped at the firewall I'm still seeing them fail to authenticate
> > to my FTP and ssh servers?
>
> If you think you've set up your firewall to block these IPs and yet they are
> still able to access your machines, then it sounds like your firewall is
> misconfigured and isn't blocking the IPs.
>
> > Also, I've always heard that you shouldn't
> > have any ports open on your machine unless you have some server bound to
> > that port because hackers can get in through unbound open ports. Is
> > this true?
>
> I've never heard of this. All ports that you don't want accessible from the
> internet should be completely blocked by your firewall if you have it
> correctly configured.
>
> > If so, how does it work? What do they connect to if
> > nothing's running on the port they're trying? I know the concept of a
> > backdoor in a running program, but if no program is running on said port
> > for them to connect to, how do they get in???
>
> They connect to nothing, they shouldn't be able to establish a connection.
This is my /etc/ipkungfu/ipkungfu.conf file on
catherine.espersunited.com . The comments have been removed for
conciseness:
EXT_NET="eth0"
LOCAL_NET="127.0.0.1"
ALLOWED_TCP_IN="21 22 25 80"
ALLOWED_UDP_IN=""
SUSPECT="DROP"
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
GET_IP="AUTO"
DONT_DROP_IDENTD=1
WAIT_SECONDS=5
Is this not a correct configuration? Here is the output of ipkungfu -l:
catherine ipkungfu # ipkungfu -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7098 2517K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- lo any 0.0.0.1 anywhere LOG level warning prefix `IPKF IPKungFu (--init)'
0 0 DROP all -- eth0 any 124.1.149.222 anywhere
0 0 DROP all -- eth0 any 205.158.114.117.ptr.us.xo.net anywhere
0 0 DROP all -- eth0 any 222.90.206.62 anywhere
0 0 DROP all -- eth0 any 61.178.185.124 anywhere
0 0 DROP all -- eth0 any 65.98.76.197 anywhere
0 0 DROP all -- eth0 any 211.234.99.230 anywhere
0 0 DROP all -- eth0 any sd-2613.dedibox.fr anywhere
0 0 DROP all -- eth0 any 222.135.146.45 anywhere
0 0 DROP all -- eth0 any 210.75.200.104 anywhere
0 0 DROP all -- eth0 any 210.83.48.238 anywhere
0 0 DROP all -- eth0 any 69.149.231.150 anywhere
0 0 DROP all -- eth0 any 61.243.90.149 anywhere
0 0 DROP all -- eth0 any 222.62.149.99 anywhere
0 0 DROP all -- eth0 any 72.237.88.202.asianet.co.in anywhere
0 0 DROP all -- eth0 any 211.61.207.31 anywhere
0 0 DROP all -- eth0 any 212.14.53.4 anywhere
0 0 DROP all -- eth0 any 61-222-84-195.HINET-IP.hinet.net anywhere
0 0 DROP all -- eth0 any smtp.tvitatiba.com.br anywhere
0 0 DROP all -- eth0 any 91.25.73.211-savecom anywhere
0 0 DROP all -- eth0 any host150197.metrored.net.mx anywhere
0 0 DROP all -- eth0 any d5152C2AF.access.telenet.be anywhere
0 0 DROP all -- eth0 any 218.50.2.99 anywhere
0 0 DROP all -- eth0 any 210.97.242.17 anywhere
0 0 DROP all -- eth0 any sd-156.dedibox.fr anywhere
0 0 DROP all -- eth0 any lax-static-208.57.150.227.mpowercom.net anywhere
0 0 DROP all -- eth0 any 61.145.175.51 anywhere
0 0 DROP all -- eth0 any adsl-131.98.51.info.com.ph anywhere
0 0 DROP all -- eth0 any 203.190.147.138 anywhere
0 0 DROP all -- eth0 any slo-guest.not.iac.es anywhere
0 0 DROP all -- eth0 any 219.94.134.39 anywhere
0 0 DROP all -- eth0 any customer-201-147-235-248.uninet-ide.com.mx anywhere
0 0 DROP all -- eth0 any 216.218.240.157 anywhere
0 0 DROP all -- eth0 any 202.113.3.104 anywhere
0 0 DROP all -- eth0 any 60.12.225.7 anywhere
0 0 DROP all -- eth0 any 61.142.175.65 anywhere
0 0 DROP all -- eth0 any 219.235.231.105 anywhere
0 0 DROP all -- eth0 any 219.148.237.109 anywhere
0 0 DROP all -- eth0 any s15192846.onlinehome-server.info anywhere
0 0 DROP all -- eth0 any 219.234.80.58 anywhere
0 0 DROP all -- eth0 any 61.167.117.140 anywhere
0 0 DROP all -- eth0 any 61.139.78.2 anywhere
0 0 DROP all -- eth0 any 219.232.59.181 anywhere
0 0 DROP all -- eth0 any 222.36.2.100 anywhere
0 0 DROP all -- eth0 any 218.5.4.236 anywhere
0 0 DROP all -- eth0 any static-81-219-251-66.devs.futuro.pl anywhere
0 0 DROP all -- eth0 any 222.216.204.101 anywhere
0 0 DROP all -- eth0 any 203.71.2.73 anywhere
0 0 DROP all -- eth0 any 125.251.149.66 anywhere
0 0 DROP all -- eth0 any 61-218-62-150.HINET-IP.hinet.net anywhere
0 0 DROP all -- eth0 any 196.46.235.118 anywhere
0 0 DROP all -- eth0 any static-71-166-159-154.washdc.east.verizon.net anywhere
0 0 DROP all -- eth0 any 222.122.20.110 anywhere
0 0 DROP all -- eth0 any 200-91-244-86-host.ifx.net.co anywhere
0 0 DROP all -- eth0 any 219.235.231.103 anywhere
0 0 DROP all -- eth0 any host54.77.cable1.evro.net anywhere
0 0 DROP all -- eth0 any 203.149.62.140 anywhere
0 0 DROP all -- eth0 any jerkface.org anywhere
0 0 DROP all -- eth0 any mailscanner.net-rosas.com.br anywhere
0 0 DROP all -- eth0 any tm.net.my anywhere
0 0 DROP all -- eth0 any mail.iab.com.ar anywhere
0 0 DROP all -- eth0 any 202.122.16.35 anywhere
0 0 DROP all -- eth0 any 218.78.209.253 anywhere
0 0 DROP all -- eth0 any 59-106-20-54.r-bl100.sakura.ne.jp anywhere
0 0 DROP all -- eth0 any gcg62.internetdsl.tpnet.pl anywhere
0 0 DROP all -- eth0 any se.ramm.net anywhere
0 0 DROP all -- eth0 any 210.94.6.89 anywhere
0 0 DROP all -- eth0 any 203.127.35.166 anywhere
0 0 DROP all -- eth0 any 59-106-20-94.r-bl100.sakura.ne.jp anywhere
0 0 DROP all -- eth0 any 124.1.35.2 anywhere
0 0 DROP all -- eth0 any 196.12.53.52 anywhere
0 0 DROP all -- eth0 any 64.27.28.229 anywhere
0 0 DROP all -- eth0 any 125.243.145.2 anywhere
0 0 DROP all -- eth0 any 53.subnet216.astinet.telkom.net.id anywhere
0 0 DROP all -- eth0 any 65.205.238.12 anywhere
0 0 DROP all -- eth0 any 221.136.78.17 anywhere
0 0 DROP all -- eth0 any 85.132.13.186 anywhere
0 0 DROP all -- eth0 any p87-237.cmet.net anywhere
0 0 DROP all -- eth0 any p87-237.cmet.net anywhere
0 0 DROP all -- eth0 any 61.129.41.20 anywhere
0 0 DROP all -- eth0 any host-87-74-30-140.bulldogdsl.com anywhere
0 0 DROP all -- eth0 any 212.144.240.140 anywhere
0 0 DROP all -- eth0 any 159.226.234.16 anywhere
0 0 DROP all -- eth0 any 222.138.97.20 anywhere
0 0 DROP all -- eth0 any 61.152.169.150 anywhere
0 0 DROP all -- eth0 any dsl51B7DB9D.fixip.t-online.hu anywhere
0 0 DROP all -- eth0 any 80-239-2-89.tjgroup.no anywhere
0 0 DROP all -- eth0 any host64-231-149-62.serverdedicati.aruba.it anywhere
0 0 DROP all -- eth0 any 62-148-177-206-hosted-by.denit.net anywhere
0 0 DROP all -- eth0 any 211.176.61.119 anywhere
0 0 DROP all -- eth0 any 61.136.143.176 anywhere
0 0 DROP all -- eth0 any 216.17.96.152 anywhere
0 0 DROP all -- eth0 any 61.125.24.84 anywhere
0 0 DROP all -- eth0 any 125.248.148.10 anywhere
0 0 DROP all -- eth0 any oa anywhere
0 0 DROP all -- eth0 any 125.246.65.136 anywhere
0 0 DROP all -- eth0 any 202.79.208.131 anywhere
0 0 DROP all -- eth0 any 124.128.157.98 anywhere
0 0 DROP all -- eth0 any main.popligroup.com anywhere
0 0 DROP all -- eth0 any 125.152.17.236 anywhere
0 0 DROP all -- eth0 any mail.triple-eagle.com anywhere
0 0 DROP all -- eth0 any 211.99.140.229 anywhere
0 0 DROP all -- eth0 any 216.31.131.61.broad.dynamic.pt.fj.cndata.com anywhere
0 0 DROP all -- eth0 any 125.244.116.130 anywhere
5 302 ACCEPT all -- any any bullet.espersunited.com anywhere
2 248 ACCEPT all -- any any camille.espersunited.com anywhere
0 0 DROP all -- any any anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
1 92 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
10 400 LOG all -- any any anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
10 400 DROP all -- any any anywhere anywhere state INVALID
0 0 LOG all -f eth0 any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
0 0 DROP all -f eth0 any anywhere anywhere
0 0 LOG icmp -- eth0 any anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
0 0 DROP icmp -- eth0 any anywhere anywhere icmp timestamp-request
4 192 syn-flood tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
0 0 DROP tcp -- eth0 any anywhere anywhere multiport dports netbios-ns,6666
1 404 DROP udp -- eth0 any anywhere anywhere multiport dports ms-sql-m
2 96 ACCEPT tcp -- eth0 any anywhere anywhere state NEW multiport dports ftp,ssh,smtp,http
37 3156 ACCEPT all -- lo any anywhere anywhere state NEW
0 0 ACCEPT all -- lo any localhost.localdomain anywhere state NEW
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset
36 11218 LOG !icmp -- any any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
36 11218 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 any bullet.espersunited.com anywhere
0 0 ACCEPT all -- eth0 any camille.espersunited.com anywhere
0 0 DROP all -- eth0 any anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
0 0 LOG all -- eth0 any anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
0 0 DROP all -- eth0 any anywhere anywhere state INVALID
0 0 LOG all -f eth0 any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
0 0 DROP all -f eth0 any anywhere anywhere
0 0 LOG icmp -- eth0 any anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
0 0 DROP icmp -- eth0 any anywhere anywhere icmp timestamp-request
0 0 syn-flood tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 LOG tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
0 0 DROP tcp -- eth0 any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
0 0 DROP tcp -- eth0 any anywhere anywhere multiport dports netbios-ns,6666
0 0 DROP udp -- eth0 any anywhere anywhere multiport dports ms-sql-m
0 0 REJECT tcp -- eth0 any anywhere anywhere tcp dpt:auth reject-with tcp-reset
Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination
6646 1321K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
513 31858 ACCEPT all -- any any anywhere anywhere state NEW
Chain syn-flood (2 references)
pkts bytes target prot opt in out source destination
4 192 RETURN all -- any any anywhere anywhere limit: avg 10/sec burst 24
0 0 LOG all -- any any anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
0 0 DROP all -- any any anywhere anywhere
I don't understand a lot of this, but those IP addresses are from
my /etc/ipkungfu/deny_hosts.conf file. Is this not actually blocking
them? I almost always read about connections from (a) recently-blocked
IP address(es) for a few hours after I block them in the hourly
logsentry reports...
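An added audit script, not part of the original thread, for a listing like the one above. Two things visible in it explain why a host in deny_hosts.conf can still turn up in logsentry: every per-host DROP sits below the first rule, `ACCEPT all ... state RELATED,ESTABLISHED`, so a session the attacker opened before the block (one SSH or FTP connection can carry many login attempts) keeps flowing, and each DROP's counters read 0, meaning nothing from that host has matched since the rules were last loaded (restarting ipkungfu reloads the rules and zeroes the counters). The script parses `iptables -L INPUT -v -n` output and flags deny entries that are missing, unhit, bound to one interface, or ordered below the ESTABLISHED accept. The `-n` (numeric, `*` for any interface) is an assumption of mine; the `ipkungfu -l` output above resolved names. SAMPLE_LISTING is a constructed, shortened listing in the same shape.

```python
"""Audit an `iptables -L INPUT -v -n` listing for deny-list rules that cannot
bite. Added example, not from the thread. A per-host DROP below the
`state RELATED,ESTABLISHED` ACCEPT lets an already-open session continue,
and a zero packet counter means the rule has matched nothing since the
rules were last loaded."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    index: int      # 1-based position in the chain (what --line-numbers would show)
    pkts: int
    target: str
    iface_in: str
    source: str
    extra: str      # match text after the destination column


# Columns of `iptables -L -v`: pkts bytes target prot opt in out source destination [matches]
_RULE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)
_SCALE = {"K": 1000, "M": 1_000_000, "G": 1_000_000_000}


def _counter(tok: str) -> int:
    """iptables abbreviates large counters as 2517K, 1321K, ..."""
    return int(tok[:-1]) * _SCALE[tok[-1]] if tok[-1] in _SCALE else int(tok)


def parse_chain(listing: str, chain: str = "INPUT") -> list[Rule]:
    rules: list[Rule] = []
    current = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            continue
        if current != chain or line.strip().startswith("pkts"):
            continue
        m = _RULE.match(line)
        if m:
            rules.append(Rule(len(rules) + 1, _counter(m["pkts"]), m["target"],
                              m["in"], m["src"], m["extra"].strip()))
    return rules


def audit_deny_list(listing: str, denied: list[str], chain: str = "INPUT") -> dict[str, dict]:
    """For each denied address: is there a DROP, has it matched, is it tied to one
    interface, and does it sit below the first RELATED,ESTABLISHED ACCEPT?"""
    rules = parse_chain(listing, chain)
    established = next((r.index for r in rules
                        if r.target == "ACCEPT" and "RELATED,ESTABLISHED" in r.extra), None)
    report: dict[str, dict] = {}
    for ip in denied:
        drop = next((r for r in rules if r.target == "DROP" and r.source == ip), None)
        if drop is None:
            report[ip] = {"present": False}
            continue
        report[ip] = {
            "present": True,
            "rule": drop.index,
            "pkts": drop.pkts,
            "interface_only": None if drop.iface_in == "*" else drop.iface_in,
            "below_established_accept": established is not None and drop.index > established,
        }
    return report


# Constructed, shortened listing in the shape of the one above (-n: numeric, * = any interface).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7098 2517K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  eth0   *       124.1.149.222        0.0.0.0/0
    0     0 DROP       all  --  eth0   *       222.90.206.62        0.0.0.0/0
    2    96 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW multiport dports 21,22,25,80
   36 11218 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for ip, info in audit_deny_list(SAMPLE_LISTING, ["124.1.149.222", "10.9.8.7"]).items():
        print(ip, info)
```

When a deny entry reports `below_established_accept`, a rule inserted at the top (`iptables -I INPUT 1 -s ADDR -j DROP`) is what actually ends the attacker's current session; the sessions themselves can also be cleared with the `conntrack` tool. The `interface_only` field is a reminder that these DROPs match only on eth0, so the same host arriving on any other interface would not be caught by them.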
Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: kashani @ 2007-02-22 22:35 UTC
To: gentoo-user
Dan Cowsill wrote:
> Actually, I'd be pretty interested in what you have to rant about PHP.
> I run apache with php_mod installed and have the http port open. Is
> there a security risk I should be aware of?
>
It really depends on how badly the PHP application you're running has
been written. Assuming you're keeping up to date on PHP and your webapps
and have funky applications .htaccess'ed off, you're reasonably safe.
However I'd highly recommend adding hardenedphp to your php USE flags as
it stops a number of things. I've never had a problem with the hardened
patch over the past year or so and frankly would not use any application
that it broke.
Another simple trick is to have an empty vhost as your primary and your
real applications' sites only accessible by name. This way, when little script
kiddies scanning by IP or hostname hit Apache, they are dumped to the
first loaded vhost, your empty one, instead of your actual site. Then
they come up with nothing when they hit
/var/www/localhost/htdocs/wordpress/ instead of the actual site tree.
Doesn't stop a determined person, but has the added benefit of keeping
x20x20x20x20 type crap out of your real logs. :-)
kashani
Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Alan McKinnon @ 2007-02-23 7:17 UTC
To: gentoo-user
On Thursday 22 February 2007, Dan Cowsill wrote:
> Actually, I'd be pretty interested in what you have to rant about
> PHP. I run apache with php_mod installed and have the http port open.
> Is there a security risk I should be aware of?
The problem is not so much with php itself - that's just a language. If
the language were at fault, we'd have to chuck C because of all the
exploits that are possible when you code in it.
The problem is that php enables every kid and his dog to put an
interactive site up on the net. So, every kid and his dog does. All the
while making coding mistakes that open holes. Forum software seems
especially prone.
Apache and php_mod themselves are as safe as is reasonable, at least I
haven't seen many weaknesses reported on those two packages. To know if
you should be taking extra security precautions, watch for security
advisories about the php apps you have running.
alan
--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Jakob @ 2007-02-23 8:38 UTC
To: gentoo-user
> Whenever I see someone
> trying the break in in the logsentry reports, I add their IP to the
> deny_hosts.conf file and restart ipkungfu so that the changes will take
> effect.
maybe you want to have a look at sshdfilter
http://www.csc.liv.ac.uk/~greg/sshdfilter/
jakob
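An added example that serves both David's note above about thousands of username/password guesses in the auth log and Jakob's pointer to sshdfilter; it is not code from the thread or from sshdfilter. It pulls failed-password lines in OpenSSH's syslog format, counts them per source, skips an allow-listed network, and returns the sources that cross a threshold together with the iptables commands a blocker would run. The log lines are constructed, not taken from anyone's server; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, and the 192.168.1.0/24 allow list is an assumption standing in for a real LAN.

```python
"""Pick brute-force sources out of sshd auth-log lines and turn them into
firewall rules (the core of what sshdfilter / fail2ban-style tools do).
Added example; log lines are constructed, not from the thread."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict

# OpenSSH logs a failed password as:
#   sshd[PID]: Failed password for [invalid user ]USER from IP port N ssh2
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Assumed LAN that must never be blocked (a typo in your own password would lock you out).
ALLOW = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation nets.
SAMPLE_LOG = """\
Feb 22 03:14:07 catherine sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51202 ssh2
Feb 22 03:14:09 catherine sshd[4123]: Failed password for invalid user apache from 203.0.113.45 port 51210 ssh2
Feb 22 03:14:11 catherine sshd[4125]: Failed password for invalid user mysql from 203.0.113.45 port 51219 ssh2
Feb 22 03:14:13 catherine sshd[4127]: Failed password for root from 203.0.113.45 port 51230 ssh2
Feb 22 03:20:40 catherine sshd[4190]: Failed password for invalid user awstats from 198.51.100.7 port 40022 ssh2
Feb 22 03:21:02 catherine sshd[4202]: Accepted publickey for michael from 192.168.1.20 port 50111 ssh2
"""


def failed_logins(log: str) -> tuple[Counter, dict[str, set[str]]]:
    """Count failed password attempts per source IP and collect the usernames tried."""
    per_ip: Counter = Counter()
    users: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return per_ip, dict(users)


def _allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW)


def offenders(log: str, threshold: int = 3) -> list[str]:
    """Sources with at least `threshold` failures, excluding the allow list."""
    per_ip, _ = failed_logins(log)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold and not _allowed(ip))


def block_commands(ips: list[str]) -> list[str]:
    """iptables commands; `-I INPUT 1` lands above any state RELATED,ESTABLISHED accept,
    so an in-progress session from the source is cut too."""
    return [f"iptables -I INPUT 1 -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    per_ip, users = failed_logins(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:15} {n:3} failures, users tried: {sorted(users[ip])}")
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Feed it `/var/log/auth.log` (or whatever file sshd logs to on the box) on a timer and the output is the same deny list that was being maintained by hand above, minus the hourly lag; the allow list and the threshold are the two knobs to set before letting it run anything.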
RE: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them
From: Nelson, David (ED, PAR&D) @ 2007-02-23 10:08 UTC
To: gentoo-user
> -----Original Message-----
> From: Alan McKinnon [mailto:alan@linuxholdings.co.za]
> Sent: 23 February 2007 07:17
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] OT - Some miscellanous questions about hack
> attacks and dealing with them
>
>
> The problem is that php enables every kid and his dog to put an
> interactive site up on the net. So, every kid and his dog
> does. All the
> while making coding mistakes that open holes. Forum software seems
> especially prone.
>
> Apache and php_mod themselves are as safe as is reasonable,
> at least I
> haven't seen many weaknesses reported on those two packages.
> To know if
> you should be taking extra security precautions, watch for security
> advisories about the php apps you have running
>
Forgive my ignorance if I'm incorrect, but I was told at one point by a friend who runs a few servers and sites that if an app won't run in PHP Safe Mode then he won't run it at all.
http://us2.php.net/features.safe-mode
I'm not a PHP expert by any means so I can't definitively say "use safe mode" but if people are looking to lock down a server it may be worth a peek.
OT: Also, my name is "David Nelson" not "Nelson David". Don't blame me - it's a work email account and they have our names Surname, Forename all over the place. :P I've just seen people refer to me as "Nelson" sometimes ... ;-)
--
djn
I do not represent anyone else in emails I send to this list.