CentOS - Aug 2019 - [OT] odd network question

On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> Fred Smith wrote:
> > On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
> >
> >>
> >>> This is just the first screen of it, there are many more. The
data
> >>> compiled here is for the last month (rsyslog is keeping the
current log
> >>> plus four older logs). I find it disturbing that there were
12251
> >>> attempts at telnet during that time, 2154 on 8080, and so
forth.
> >>> either I'm some kind of special/hot target, or else
everybody gets
> >>> this kind of crap and may not even know it.
> <snip>
> >>> But the one thing I mean to ask about here is the very first
item,
> >>> 140,750 attempts at port 48825. What the heck is port 48825? I
can't
> >>> find any reference to anything that uses it online, but for
some
> >>> reason it is extremely popular, at least amongst the turkeys
trying to
> >>> break into my network!
> >>>
> >>> reveals that of all the source addresses trying to poke at
48825,
> >>> there are 193 unique addresses. Either this indicates a heck
of a lot
> >>>  of sites having at my firewall, or that some few sites are
all
> >>> spoofing their addresses. I can sort of understand people
whaling away
> >>> at ports that may conceal gold, from their warped point of
view, but I
> >>> haven't a clue why so many people would be beating on some
apparently
> >>> unassigned and unused port.
> >>>
> >> As you say 48825 is not a known port and too low to be a dynamic
port.
> >> I suspect it's a command/control port for a botnet - they
aren't
> >> particular renowned for their elegance and subtlety and so it
might be
> >> that your IP address (if it's a DSL line) in the past had been
> >> compromised and was running a bot controller and all the bot
workers on
> >>  hacked machines are trying to contact their controller to find
out
> >> what to do.  Certainly all the monitoring sites I've looked at
see
> >> almost zero traffic on that port (zero = less than 10 packets a
day).
> >
> > Nope, I've never had a DSL line. was dialup to a local ISP for
some
> > years until a cable company that would provide what I wanted (instead
of
> > insisting on selling me what I didn't want) ran fiber down the
street, and
> > was willing to sell me a static IP address. right now my memory fails
me
> > as to exactly when that was, but it may have been as much as 20 years
ago,
> > certainly at least 15. so I've had that address for long enough
that there
> > shouldn't be any botnets thinking that I am one of its
command/control
> > servers.
> >
> > but the amount of attempted traffic on that port certainly does seem
like
> > it could be a botnet banging on me.
> >
> >> Just be thankful that you have a working firewall in place!
> >>
> You want a perfectly silly... and perfectly believable thought? I've
seen
> attempts against our outward-facing servers these last 10 years... and
> I've seen enough where the idiot script kiddies were so stupid that
they
> couldn't manage to read the directions enough to at least salt the
> autogenerated name. The result was "user@" or a blank where there
should
> be a name.
> 
> So, I'm wondering if someone botnet got screwed up... and it's
going to
> the *wrong* address for its command and control. If so, sorry it's
hitting
and I didn't even mention the huge number of failed attempts on port
25. /var/log/maillog is full of systems trying to send spam, or trying
to DOS me with incompleted connection attempts, or just plain spamming
with mail for addresses not at this system. The little light on the
network switch serving this machine hardly ever stops blinking with all
the traffic hitting it.

One thing I don't understand is how/why the firewall is DROPping so 
many attempts on port 25 when it in fact has a port forward rule
sending port 25 on to my mailserver. How does it know, or why does
it think that some of them can be dropped at the outer barrier?
> you, but thank you for taking a hundred thousand or so for all of us.
Hey, its the least I can do for all the good guys out there! :)
But that doesn't mean the same dratsabs aren't hitting all the rest
of you too.

Fred

-- 
---- Fred Smith -- fredex at fcshome.stoneham.ma.us
-----------------------------
                       I can do all things through Christ 
                              who strengthens me.
------------------------------ Philippians 4:13 -------------------------------

On 02/08/2019 15:07, Fred Smith wrote:
>
> and I didn't even mention the huge number of failed attempts on port
> 25. /var/log/maillog is full of systems trying to send spam, or trying
> to DOS me with incompleted connection attempts, or just plain spamming
> with mail for addresses not at this system. The little light on the
> network switch serving this machine hardly ever stops blinking with all
> the traffic hitting it.
>
> One thing I don't understand is how/why the firewall is DROPping so
> many attempts on port 25 when it in fact has a port forward rule
> sending port 25 on to my mailserver. How does it know, or why does
> it think that some of them can be dropped at the outer barrier?
Some spamming tools are just telnet with an expect script, lightweight 
and can be loaded onto embedded systems, e.g. other firewalls / modems 
etc...

A downside of using these tools is that telnet sets the PUSH TCP flag, 
so many firewalls (e.g. Cisco ASA) have protocol inspection for SMTP and 
signals the connection as invalid. if it uses the PUSH TCP flag, which a 
proper SMTP daemon wouldn't use for that protocol (PUSH flags ask the 
server to service the sent data, even if it hasn't finished with a CR/LF)

Fred Smith wrote:
> On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
<MVNCH>
> One thing I don't understand is how/why the firewall is DROPping so
> many attempts on port 25 when it in fact has a port forward rule sending
> port 25 on to my mailserver. How does it know, or why does it think that
> some of them can be dropped at the outer barrier?
>
>> you, but thank you for taking a hundred thousand or so for all of us.
>
> Hey, its the least I can do for all the good guys out there! :)
> But that doesn't mean the same dratsabs aren't hitting all the rest
> of you too.
>
I'm sure they are. Are you running fail2ban?

And you do know that the last time someone, as a test, might have been
last year, put an open PC on the 'Net, it was 20 min before it was
compromised?

       mark

On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> Fred Smith wrote:
> > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> <MVNCH>
> > One thing I don't understand is how/why the firewall is DROPping
so
> > many attempts on port 25 when it in fact has a port forward rule
sending
> > port 25 on to my mailserver. How does it know, or why does it think
that
> > some of them can be dropped at the outer barrier?
> >
> >> you, but thank you for taking a hundred thousand or so for all of
us.
> >
> > Hey, its the least I can do for all the good guys out there! :)
> > But that doesn't mean the same dratsabs aren't hitting all the
rest
> > of you too.
> >
> I'm sure they are. Are you running fail2ban?
> 
Several years back I switched from sendmail to postfix.
Not knowing what I was doing, I think I have it set to
say it will forward email following SASL authentication.
But as I had no intention of forwarding anything, I did
not set up any authentication methods.  So anyone who
tries fails to authenticate.

With fail2ban in place I get 200-500 daily SASL "fail to
authenticate" instances.  In contrast, several months ago
fail2ban either died or did not restart correctly.  This
went unnoticed for about a week.  During that time I got
10000-32000 daily "failed to authenticate".

Jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
 11226 South Shore Rd.          (703) 787-0688 (H)
 Reston, VA  20190              (703) 935-6720 (C)