I thought I had a handle on what I was seeing in the logs... but then this.

My 3-NIC'd firewall box spit this out. eth0 is connected to the internet with a real IP address aa.bb.cc.dd. I then NAT out on eth1 (of the firewall) to a webserver; one of the real IP addresses is aa.bb.cc.ee (dd+3).

My /etc/shorewall/nat table contains:

dd+1 172... No No
dd+2 172... No No
dd+3 172... No No

Feb 4 08:16:34 xxxxx kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:03:47:48:77:8d:00:10:67:00:b1:86:08:00 SRC=146.188.11.222 DST=aa.bb.cc.ee LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=aa.bb.cc.ee DST=64.191.26.117 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=13217 PROTO=TCP SPT=51629 DPT=8010 WINDOW=31040 RES=0x0c ECE URG ACK SYN FIN URGP=27694 ]

What in the heck did I stop? Why is one of my "real" IP addresses doing a TCP port 8010 to whoever? Is 146... trying to attack 64... through me? Is this indicative that my webserver has been compromised?

For what it's worth... being paranoid, I also run shorewall 1.3.13 on the webserver. And there are no entries in the webserver's log.
--On Tuesday, February 04, 2003 2:13 PM -0800 Bill.Light@kp.org wrote:

> I thought I had a handle on what I was seeing in the logs... but then this.
>
> My 3-NIC'd firewall box spit this out,
>
> eth0 is connected to the internet with a real IP address aa.bb.cc.dd
>
> I then NAT out on eth1 (of the firewall) to a webserver, one of the real
> IP addresses is aa.bb.cc.ee (dd+3)
>
> my /etc/shorewall/nat table contains:
>
> dd+1 172... No No
> dd+2 172... No No
> dd+3 172... No No
>
> Feb 4 08:16:34 xxxxx kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:03:47:48:77:8d:00:10:67:00:b1:86:08:00 SRC=146.188.11.222
> DST=aa.bb.cc.ee LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0 PROTO=ICMP TYPE=11
> CODE=0 [SRC=aa.bb.cc.ee DST=64.191.26.117 LEN=40 TOS=0x00 PREC=0x00 TTL=1
> ID=13217 PROTO=TCP SPT=51629 DPT=8010 WINDOW=31040 RES=0x0c ECE URG ACK
> SYN FIN URGP=27694 ]
>
> What in the heck did I stop? Why is one of my "real" IP addresses
> doing a TCP port 8010 to whoever? Is 146... trying to attack 64...
> through me? Is this indicative that my webserver has been compromised?
>
> For what it's worth... being paranoid, I also run shorewall 1.3.13 on the
> webserver. And there are no entries in the webserver's log.
>

The original packet is certainly suspect (note the eclectic combination of TCP flags). You can determine if these are really coming from your web server by setting 'tcpflags' on the firewall interface to that server. The other possibility is that someone is sending these with a spoofed source IP.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
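As an added illustration (not code from the thread or from the Shorewall project), the following Python script does by hand what Tom is asking the poster to reason about: it splits a Shorewall/netfilter log line into the outer packet and, for an ICMP error, the quoted inner packet in square brackets, then reports which flow the error is quoting, whether that flow claims to originate from one of your own public addresses, and whether the TCP flag combination is one a real stack would ever send. The two log lines are constructed sample input (the first is the line from the thread with its placeholder addresses kept; the second is an ordinary dropped SYN using the documentation address 192.0.2.10), and the list of bad flag combinations is my own selection, chosen in the spirit of the 'tcpflags' interface option rather than copied from it.

```python
import re

# Constructed sample: the Shorewall log line from this thread, with the
# poster's placeholder addresses (aa.bb.cc.ee) kept exactly as written.
ICMP_ERROR_LINE = (
    "Feb 4 08:16:34 xxxxx kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:03:47:48:77:8d:00:10:67:00:b1:86:08:00 SRC=146.188.11.222 "
    "DST=aa.bb.cc.ee LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0 PROTO=ICMP "
    "TYPE=11 CODE=0 [SRC=aa.bb.cc.ee DST=64.191.26.117 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=1 ID=13217 PROTO=TCP SPT=51629 DPT=8010 WINDOW=31040 "
    "RES=0x0c ECE URG ACK SYN FIN URGP=27694 ]"
)

# Constructed sample for contrast: a plain inbound SYN to port 22 being
# dropped (192.0.2.10 is a documentation address, not a real host).
PLAIN_SYN_LINE = (
    "Feb 4 08:20:01 xxxxx kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:03:47:48:77:8d:00:10:67:00:b1:86:08:00 SRC=192.0.2.10 "
    "DST=aa.bb.cc.ee LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP "
    "SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
HDR_RE = re.compile(r"Shorewall:(\w+):(\w+):")              # chain and disposition
KV_RE = re.compile(r"(\w+)=(\S*)")                          # KEY=value tokens
FLAG_RE = re.compile(r"\b(" + "|".join(TCP_FLAGS) + r")\b")  # bare flag words


def parse_fields(segment):
    """Turn one KEY=value segment into a dict; TCP segments also get a FLAGS set."""
    fields = dict(KV_RE.findall(segment))
    if fields.get("PROTO") == "TCP":
        fields["FLAGS"] = frozenset(FLAG_RE.findall(segment))
    return fields


def parse_shorewall_log(line):
    """Split a Shorewall log line into chain, action, the outer packet and,
    for ICMP errors, the quoted inner packet between '[' and ']'."""
    m = HDR_RE.search(line)
    if m is None:
        return None
    outer_text, inner_text = line, None
    if "[" in line and "]" in line:
        outer_text, rest = line.split("[", 1)
        inner_text = rest.rsplit("]", 1)[0]
    return {
        "chain": m.group(1),
        "action": m.group(2),
        "outer": parse_fields(outer_text),
        "inner": parse_fields(inner_text) if inner_text is not None else None,
    }


def tcp_flag_anomalies(flags):
    """Flag combinations no legitimate TCP stack emits (my own selection)."""
    found = []
    if not flags:
        found.append("no flags set")
    if {"SYN", "FIN"} <= flags:
        found.append("SYN+FIN")
    if {"SYN", "RST"} <= flags:
        found.append("SYN+RST")
    if {"FIN", "PSH", "URG"} <= flags:
        found.append("FIN+PSH+URG")
    if "FIN" in flags and "ACK" not in flags:
        found.append("FIN without ACK")
    return found


def assess(line, local_public_addrs):
    """Answer the thread's questions for one line: what was dropped, which flow
    an ICMP error is quoting, whether that flow claims to come from one of our
    own public addresses, and whether its TCP flags make sense."""
    rec = parse_shorewall_log(line)
    if rec is None:
        return None
    outer, inner = rec["outer"], rec["inner"]
    # ICMP type 3 (unreachable) and 11 (time exceeded) carry a quoted packet.
    is_icmp_error = outer.get("PROTO") == "ICMP" and outer.get("TYPE") in ("3", "11")
    quoted = inner or {}
    tcp = inner if inner is not None else outer
    return {
        "dropped": f"{rec['chain']} {rec['action']} {outer.get('PROTO')} "
                   f"{outer.get('SRC')} -> {outer.get('DST')}",
        "icmp_error": is_icmp_error,
        "quoted_flow": (f"{quoted['SRC']}:{quoted.get('SPT')} -> "
                        f"{quoted['DST']}:{quoted.get('DPT')}") if quoted else None,
        "claims_local_origin": quoted.get("SRC") in local_public_addrs,
        "anomalies": tcp_flag_anomalies(tcp.get("FLAGS", frozenset())),
    }


if __name__ == "__main__":
    for sample in (ICMP_ERROR_LINE, PLAIN_SYN_LINE):
        print(assess(sample, {"aa.bb.cc.ee"}))
```

Run against the thread's line, the script reports an ICMP time-exceeded error quoting a flow from aa.bb.cc.ee:51629 to 64.191.26.117:8010 whose flags include SYN together with FIN; that is exactly the "eclectic combination" Tom points at, and it is why the question of whether the web server really sent it (versus a spoofed source) matters. The plain SYN line produces no anomalies and no quoted flow.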
Done.

Any reason to suspect that I have been compromised?

Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-bounces@lists.shorewall.net
02/04/03 03:22 PM
To: shorewall-users@lists.shorewall.net
cc:
Subject: Re: [Shorewall-users] What am I seeing ?

--On Tuesday, February 04, 2003 2:13 PM -0800 Bill.Light@kp.org wrote:

> I thought I had a handle on what I was seeing in the logs... but then this.
>
> My 3-NIC'd firewall box spit this out,
>
> eth0 is connected to the internet with a real IP address aa.bb.cc.dd
>
> I then NAT out on eth1 (of the firewall) to a webserver, one of the real
> IP addresses is aa.bb.cc.ee (dd+3)
>
> my /etc/shorewall/nat table contains:
>
> dd+1 172... No No
> dd+2 172... No No
> dd+3 172... No No
>
> Feb 4 08:16:34 xxxxx kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:03:47:48:77:8d:00:10:67:00:b1:86:08:00 SRC=146.188.11.222
> DST=aa.bb.cc.ee LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0 PROTO=ICMP TYPE=11
> CODE=0 [SRC=aa.bb.cc.ee DST=64.191.26.117 LEN=40 TOS=0x00 PREC=0x00 TTL=1
> ID=13217 PROTO=TCP SPT=51629 DPT=8010 WINDOW=31040 RES=0x0c ECE URG ACK
> SYN FIN URGP=27694 ]
>
> What in the heck did I stop? Why is one of my "real" IP addresses
> doing a TCP port 8010 to whoever? Is 146... trying to attack 64...
> through me? Is this indicative that my webserver has been compromised?
>
> For what it's worth... being paranoid, I also run shorewall 1.3.13 on the
> webserver. And there are no entries in the webserver's log.
>

The original packet is certainly suspect (note the eclectic combination of TCP flags). You can determine if these are really coming from your web server by setting 'tcpflags' on the firewall interface to that server. The other possibility is that someone is sending these with a spoofed source IP.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.shorewall.net
http://lists.shorewall.net/mailman/listinfo/shorewall-users
--On Tuesday, February 04, 2003 3:40 PM -0800 Bill.Light@kp.org wrote:

> Done.
>
> Any reason to suspect that I have been compromised?
>

Yes -- unless your ruleset denies connections to port 8010 from your web server->net already (in which case, the original request wouldn't have made it past the firewall to start with).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
--On Tuesday, February 04, 2003 03:49:57 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> --On Tuesday, February 04, 2003 3:40 PM -0800 Bill.Light@kp.org wrote:
>
>> Done.
>>
>> Any reason to suspect that I have been compromised?
>>
>
> Yes -- unless your ruleset denies connections to port 8010 from your web
> server->net already (in which case, the original request wouldn't have
> made it past the firewall to start with).
>

To the list -- note that this is a classic example of why it is a good idea to specify each type of connection that you expect from your servers to the internet and to reject the rest. Remember that your servers are much more likely to be compromised than is your firewall.

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net