evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Wed Jun 15, 2005 10:32 pm Post subject: Where to direct attempts to access port 1026
Hi all,
Well, ever since my cable company switched to Comcast I get a ton of hits on port 1026 (unfortunately, my router lets them through). From what I understand, it's an attempt to spim the MSN Messenger services by infected computers. I guess since being moved to a well-known ISP, I'm a bigger target.
I was wondering, if I wanted to use SUA/NAT routing to forward these attempts to a black hole or dead end, where should I direct them? 127.0.0.1?
Best,
Alex
tukachinchila Apprentice
Joined: 11 Mar 2005 Posts: 274 Location: Oregon
Posted: Thu Jun 16, 2005 6:04 am
I would just drop any tcp and udp inbound packets on port 1026 using iptables, or ebtables. I'm not an expert on firewall rules, so you might want to check the man pages. Something like this might work though:
Code:
iptables -A INPUT -p IPv4 --ip-dst 10.0.0.2 --ip-proto tcp --ip-dport 1026 -j DROP
iptables -A INPUT -p IPv4 --ip-dst 10.0.0.2 --ip-proto udp --ip-dport 1026 -j DROP
(Changing 10.0.0.2 to whatever your IP address is)
The more secure way would be to drop all packets on all ports, and then poke holes for only the applications you need.
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Thu Jun 16, 2005 10:02 am
tukachinchila wrote:
| I would just drop any tcp and udp inbound packets on port 1026 using iptables, or ebtables. I'm not an expert on firewall rules, so you might want to check the man pages. Something like this might work though:
| Code:
| iptables -A INPUT -p IPv4 --ip-dst 10.0.0.2 --ip-proto tcp --ip-dport 1026 -j DROP
| iptables -A INPUT -p IPv4 --ip-dst 10.0.0.2 --ip-proto udp --ip-dport 1026 -j DROP
| (Changing 10.0.0.2 to whatever your IP address is)
| The more secure way would be to drop all packets on all ports, and then poke holes for only the applications you need.
Ok, thanks for the info. My router pretty much deals with everything else, so I just need to set up iptables in the manner you've described.
Best,
Alex
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Sat Jun 18, 2005 2:05 pm
Hi again,
I tried to run iptables using the rules you specified, but I got the following error.
Code:
# iptables -A INPUT -p IPv4 --ip-dst 192.168.1.35 --ip-proto tcp --ip-dport 1026 -j DROP
iptables v1.2.11: unknown protocol `ipv4' specified
Try `iptables -h' or 'iptables --help' for more information.
If I recall correctly, the way to properly set up iptables is by sealing everything off and then 'poking holes' in the ports you want to keep open. Even though I have a router with SPI, I'd still like to do it the correct way. In my case, the ports to keep open would be ssh, bittorrent, and something for irc file transfers.
Can anybody help me with this? I tried to search for a how-to, but must be missing something.
Best,
Alex
Arno Tux's lil' helper
Joined: 19 Oct 2002 Posts: 126 Location: France
Posted: Sat Jun 18, 2005 11:19 pm
Here's a web based iptables generator that might help you get started:
Code:
http://easyfwgen.morizot.net/gen/
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Mon Jun 27, 2005 2:59 am
Hi,
Arno wrote:
| Here's a web based iptables generator that might help you get started:
| Code:
| http://easyfwgen.morizot.net/gen/
Thanks, but I found a different solution that involved the zywall firewall router I have. Basically, the problem was that either a) I used a newer version of the firmware and blocked said port, but couldn't receive email alerts for anything or b) used the original firmware and said port was forwarded and I got email alerts.
What I did was revert to the older version of the firmware (no security problems with it ever) and then looked around and found out how to get the router to do what I wanted by telnetting into its CLI. So, in short, I changed the rule that was set for port 1026 to block AND specified that hits to that port don't trigger an alert email to me. Mind you, I'll still see hits to that port in my daily log, but I won't be barraged with false positive email alerts all day long (I once had around 300 hits to that port in an hour, the joys of Comcast!)
I have no idea why the company set port 1026 open by default, perhaps there was some purpose early on, but it seemed weird.
Best,
Alex
NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Tue Jun 28, 2005 7:29 am
The way to do it, IMHO, is to set a DROP policy for the INPUT chain, like this:
Code:
iptables -P INPUT DROP
Then you poke holes in it for the services you want to allow, something like this:
Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
If you want to get back at them a bit, you can look at the TARPIT target, which makes it very hard for scanners to close the connection to your box.
Code:
iptables -A INPUT -p tcp --dport 1026 -j LOG --log-prefix "Lamer scanning msn... TARPIT! "
iptables -A INPUT -p tcp --dport 1026 -j TARPIT
Lastly, you can add a LOG rule to the end of the chain:
Code:
iptables -A INPUT -j LOG --log-prefix "Dropped packet: "
I don't know if tarpit is in the default installation of iptables, though.
(Edit: maybe I should have read all the posts before I posted... Oh well...)
_________________
Banana Republic
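An added example, not code from the thread or from any of its posters: a small sh script that assembles the "DROP policy, then poke holes" ruleset described above for the services evoweiss listed (ssh, bittorrent, IRC DCC), including the port 1026 LOG+TARPIT pair and the trailing LOG rule. The external interface name and the bittorrent and DCC port ranges are assumptions; the script prints the rules by default and only applies them when run with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values below; adjust to taste.
WAN_IF="${WAN_IF:-eth0}"              # assumed external interface
BT_PORTS="${BT_PORTS:-6881:6889}"     # assumed bittorrent listen range
DCC_PORTS="${DCC_PORTS:-5000:5010}"   # assumed DCC range set in the IRC client
TARPIT_1026="${TARPIT_1026:-yes}"     # "no" if the TARPIT target is not built

# Emit the ruleset as one iptables command per line, without applying it.
# Run from the console: the DROP policy is in force before the ssh hole exists.
rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # loopback, and replies to connections this box opened itself
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # holes for the services that should stay reachable from the WAN
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $BT_PORTS -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $DCC_PORTS -j ACCEPT"
    # the MSN-spim probes on 1026: log them, then tarpit (or plainly drop)
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 1026 -j LOG --log-prefix \"MSN probe: \""
    if [ "$TARPIT_1026" = yes ]; then
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 1026 -j TARPIT"
    else
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 1026 -j DROP"
    fi
    # everything else falls through to the DROP policy; log it on the way out
    echo "iptables -A INPUT -j LOG --log-prefix \"Dropped packet: \""
}

# Number of commands the ruleset contains (a cheap sanity check).
rule_count() { rules | wc -l | tr -d ' '; }

# Usage:  sh fw.sh            -> print the rules
#         sh fw.sh apply      -> apply them (needs root), then save with
#                                /etc/init.d/iptables save as described above
case "${1:-}" in
    apply) rules | sh ;;
    *) rules ;;
esac
```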
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Wed Jul 06, 2005 2:04 pm
Hi NiklasH,
Thanks for the info about setting up iptables. Is there a specific file I put these settings in or will executing those commands and then setting iptables to run as default via rc-update do the trick?
[rant]Also, I'm getting REALLY pissed off at Comcast. Everything worked dandy with my previous ISP, a small cable TV company. However, since Comcast took over I have had one problem after another with dropped connections. I don't know whether there's some problem that Comcast has with my router (a Zywall 1 with SPI) or whether they are just fscked up. Has anybody else had these sorts of problems with them or am I the only one?[/rant]
Alex
NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Wed Jul 06, 2005 2:22 pm
evoweiss wrote:
| Hi NiklasH,
| Thanks for the info about setting up iptables. Is there a specific file I put these settings in or will executing those commands and then setting iptables to run as default via rc-update do the trick?
NP
You just add the rules, check that everything is OK, then do
Code:
/etc/init.d/iptables save
Then you need to add iptables to default with rc-update.
Quote:
| [rant]Also, I'm getting REALLY pissed off at Comcast. Everything worked dandy with my previous ISP, a small cable TV company. However, since Comcast took over I have had one problem after another with dropped connections. I don't know whether there's some problem that Comcast has with my router (a Zywall 1 with SPI) or whether they are just fscked up. Has anybody else had these sorts of problems with them or am I the only one?[/rant]
| Alex
A long shot might be to set up a cron job that pings some external server every five minutes or so. We have had a few brain-dead switches at work that seem to be too used to Windows boxes, with their constant network blabber... The ping cronjob seemed to work for that.
Apparently the Linux/Unix boxes were so silent that the switches thought that they were gone from the network, and dropped them from their ARP cache (or whatever they do...).
If you do use the ping cron job, remember the -c switch. I hosed a server at work when I forgot that...
_________________
Banana Republic
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Wed Jul 06, 2005 2:50 pm
NiklasH,
Thanks for the quick reply. Now, I hate to sound stupid, but what would I need to do to set up said cron job? Believe it or not, I've come this far without the need to use it until now. I will set something like that up as soon as I get home and will keep my fingers crossed. I guess a ping with a count of 1 or 5 should do, right?
Alex
NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Wed Jul 06, 2005 3:11 pm
evoweiss wrote:
| NiklasH,
| Thanks for the quick reply. Now, I hate to sound stupid, but what would I need to do to set up said cron job? Believe it or not, I've come this far without the need to use it until now. I will set something like that up as soon as I get home and will keep my fingers crossed. I guess a ping with a count of 1 or 5 should do, right?
| Alex
I guess you've already got a cron daemon running, so all you need to do is make sure you're in the cron group, then edit your crontab (with crontab -e), something like this:
Code:
MAILTO=<your mail>
*/5 * * * * ping -c 5 www.sco.com > /dev/null 2>&1
The MAILTO makes cron mail the output to you.
Not very interesting for this job, though...
_________________
Banana Republic
nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Wed Jul 06, 2005 3:41 pm
NiklasH wrote:
| Code:
| MAILTO=<your mail>
| */5 * * * * ping -c 5 www.sco.com > /dev/null 2>&1
sco.com might not be a very wise choice for real use; their future is not looking rosy and they might disappear soon.
Use icann.org or verisign.com; we're in trouble when those are down...
_________________
Please put [SOLVED] in your topic if you are a moron.
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Wed Jul 06, 2005 5:39 pm
Funny... Incidentally, I think it might not be a case of no traffic resulting in the death of the connection. After all, both times so far the connection died in the midst of something that would have resulted in network activity.
I'm going to try setting up iptables instead of using my router to see whether that does the trick.
Best,
Alex
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Fri Jul 08, 2005 2:48 am
Hi all,
Well, there appears to be some weird bug in my router firmware, so I need to take the iptables approach to drop those idiots who try to access 1026 (the tarpit option sounds fun). However, there's a problem. I emerged iptables and when I tried to issue the iptables -P INPUT DROP command I got the following:
Code:
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
So, what do I need to set as a module in my kernel?
Alex
NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Fri Jul 08, 2005 6:15 am
evoweiss wrote:
| Hi all,
| Well, there appears to be some weird bug in my router firmware, so I need to take the iptables approach to drop those idiots who try to access 1026 (the tarpit option sounds fun). However, there's a problem. I emerged iptables and when I tried to issue the iptables -P INPUT DROP command I got the following:
| Code:
| FATAL: Module ip_tables not found.
| iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
| Perhaps iptables or your kernel needs to be upgraded.
| So, what do I need to set as a module in my kernel?
| Alex
The iptables modules are under Device Drivers -> Networking support -> Networking options -> Network packet filtering
I think you need to emerge iptables with the extensions USE flag for tarpit.
_________________
Banana Republic
nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Fri Jul 08, 2005 6:34 am
NiklasH wrote:
| The iptables modules are under Device Drivers -> Networking support -> Networking options -> Network packet filtering
| I think you need to emerge iptables with the extensions USE flag for tarpit.
That, and depending on the kernel sources you use, you might have to patch them with patch-o-matic-ng from netfilter.org.
IIRC gentoo-sources are already patched with TARPIT support.
_________________
Please put [SOLVED] in your topic if you are a moron.
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Fri Jul 08, 2005 12:17 pm
nephros wrote:
| NiklasH wrote:
| | The iptables modules are under Device Drivers -> Networking support -> Networking options -> Network packet filtering
| | I think you need to emerge iptables with the extensions USE flag for tarpit.
| That, and depending on the kernel sources you use, you might have to patch them with patch-o-matic-ng from netfilter.org.
| IIRC gentoo-sources are already patched with TARPIT support.
Thanks... I'm running the ck-sources. I'll be upgrading my kernel in a few days, so I'll take care of it then.
Alex