Hello,
when I execute the "shorewall hits" command I get these stats:
HITS IP DATE
---- --------------- ------
92099 192.168.0.2 Nov 24
7764 59.104.107.85 Nov 23
3997 192.168.1.77 Nov 24
etc...
What do you think about the first line "92099 192.168.0.2 Nov 24" and
"3997 192.168.1.77 Nov 24"? Is that an attack from the local network (IP:
192.168.) or...?
More stats:
HITS IP PORT
---- --------------- -----
92076 192.168.0.2 80
7764 59.104.107.85 80
3997 192.168.1.77 80
etc.
HITS DATE
---- ------
108631 Nov 24
16662 Nov 23
1625 Nov 22
1500 Nov 21
HITS PORT SERVICE(S)
---- ----- ----------
123112 80 http,80/tcp,www,www-http,#,WorldWideWeb,HTTP
864 1025
626 1433
293 5554
261 9898
242 1027
238 4899
194 22 ssh,22/tcp,#,SSH,Remote,Login,Protocol
190 1026
185 2745
174 53 domain,53/tcp,#,name-domain,server,domain,53/udp
170 3410
154 1434
144 6129
119 33436
100 57
89 33438
82 3127
54 33437
51 33435
49 32768
36 33442
34 8000
33 8080
32 5000
32 1023
27 1080
20 3128
Can somebody explain this to me?
Sorry if my English is bad.
Thanks
--
Best regards,
Ratko mailto:ratko@teol.net
On Wed, 2004-11-24 at 15:55 +0100, Ratko Dakic wrote:
> etc...
>
> What do you think about the first line "92099 192.168.0.2 Nov 24" and
> "3997 192.168.1.77 Nov 24"? Is that an attack from the local network (IP:
> 192.168.) or...?

Why don't you look at your log and see what these messages are?
'shorewall hits' just scans your log, sorting and counting 'Shorewall'
messages in various ways.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
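The counting that Tom describes, as an added example (not Shorewall's own script): it parses kernel log entries in the format quoted in this thread and builds the same four tables that 'shorewall hits' prints, plus a check for RFC 1918 sources arriving on the external interface. The sample log lines are constructed; DST is a TEST-NET address standing in for the server's address.

```python
"""Aggregate Shorewall kernel log entries the way 'shorewall hits' does.
Added example, not Shorewall's code; SAMPLE_LOG is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample: two rfc1918 DROPs like the ones in the thread, two
# drops from a public address on a different chain, and one unrelated line.
SAMPLE_LOG = """\
Nov 24 13:44:52 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2812 PROTO=TCP SPT=4493 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2814 PROTO=TCP SPT=4743 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 23 02:10:01 plain kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=59.104.107.85 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=3312 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 02:11:07 plain kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=59.104.107.85 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=TCP SPT=3320 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 24 09:00:00 plain kernel: eth0: link is up
"""

# "<Mon> <day> <hh:mm:ss> <host> kernel: Shorewall:<chain>:<disposition>:<KEY=VALUE ...>"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Fields of one Shorewall log entry as a dict, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"date": f"{m['mon']} {m['day']}", "chain": m["chain"], "disposition": m["disp"]}
    for token in m["fields"].split():  # SRC=1.2.3.4, OUT= (empty value), SYN (bare flag)
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def hits(lines):
    """The four 'shorewall hits' tables: (src, date), (src, dport), date, dport."""
    by_src_date, by_src_port, by_date, by_port = Counter(), Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        src, dpt, date = rec.get("SRC"), rec.get("DPT"), rec["date"]
        by_src_date[(src, date)] += 1
        by_src_port[(src, dpt)] += 1
        by_date[date] += 1
        by_port[dpt] += 1
    return by_src_date, by_src_port, by_date, by_port


def private_sources_on(lines, iface):
    """RFC 1918 sources seen entering on iface: what 'norfc1918' on a net interface drops."""
    found = Counter()
    for rec in filter(None, map(parse_line, lines)):
        src = rec.get("SRC")
        if src and rec.get("IN") == iface and any(ipaddress.ip_address(src) in n for n in RFC1918):
            found[src] += 1
    return found
```

A non-empty result from private_sources_on() for the external interface means either a NAT device in front of the box or a LAN host reaching it through that interface, which is the situation discussed later in the thread.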
Hello Tom,

in the log:

Nov 24 13:44:52 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2812 PROTO=TCP SPT=4493 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2814 PROTO=TCP SPT=4743 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2816 PROTO=TCP SPT=4779 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2818 PROTO=TCP SPT=4770 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2820 PROTO=TCP SPT=4874 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2822 PROTO=TCP SPT=4557 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2824 PROTO=TCP SPT=4884 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2826 PROTO=TCP SPT=4838 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2828 PROTO=TCP SPT=4280 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2830 PROTO=TCP SPT=4210 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2832 PROTO=TCP SPT=4284 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2834 PROTO=TCP SPT=4239 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2836 PROTO=TCP SPT=4693 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2838 PROTO=TCP SPT=4393 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2652 PROTO=TCP SPT=4544 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2660 PROTO=TCP SPT=4563 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2666 PROTO=TCP SPT=4435 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2674 PROTO=TCP SPT=4053 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2685 PROTO=TCP SPT=4897 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2691 PROTO=TCP SPT=4337 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 13:44:53 plain kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0d:61:2a:cf:3f:00:e0:52:d8:41:c4:08:00 SRC=192.168.0.2 DST=Server Main IP LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2699 PROTO=TCP SPT=4519 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

this and much more like this! What is this?

Thanks
--
Best regards,
Ratko mailto:ratko@teol.net

Wednesday, November 24, 2004, 4:58:39 PM, you wrote:

TE> On Wed, 2004-11-24 at 15:55 +0100, Ratko Dakic wrote:
>> etc...
>>
>> What do you think about the first line "92099 192.168.0.2 Nov 24" and
>> "3997 192.168.1.77 Nov 24"? Is that an attack from the local network (IP:
>> 192.168.) or...?

TE> Why don't you look at your log and see what these messages are?
TE> 'shorewall hits' just scans your log, sorting and counting 'Shorewall'
TE> messages in various ways.

TE> -Tom
On Wed, 2004-11-24 at 17:09 +0100, Ratko Dakic wrote:

Ratko --

a) I JUST POSTED asking that people KEEP REPLIES ON THE LIST!!!!!!!!!!!!!!!!!!!

b) Log messages are absolutely useless without seeing your /etc/shorewall/interfaces and /etc/shorewall/hosts (if you use that file).

c) Please at least TRY to understand these messages yourself by looking at Shorewall FAQ 17.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2004-11-24 at 08:13 -0800, Tom Eastep wrote:
> On Wed, 2004-11-24 at 17:09 +0100, Ratko Dakic wrote:
>
> Ratko --
>
> a) I JUST POSTED asking that people KEEP REPLIES ON THE
> LIST!!!!!!!!!!!!!!!!!!!

Oops -- I humbly beg your pardon. I should have looked more carefully at the message headers before having my tantrum.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hey folks;

Easy big fella << that one is for you Tom ;-)

Here's my 2c...

Ratko, your packets are failing because of a 'norfc1918' option on the eth0 interface in your '/etc/shorewall/interface' file. (I suspect)

Now the question is why? norfc1918 is used to drop packets that should never contain rfc1918 network src addrs. (Like from the internet?). If you are NATed by some other device (DSL modem, firewall, etc) and your eth interface is using one of these addresses (10.x.x.x, 172-16-32.x.x, 192.168.x.x) then you need to remove it from that interface.

BTW those 'attacks' look like some drones (spyware, adware, etc) running on your workstations that are trying to connect to your default gateway's web port.

But again, Tom always suggests that you show us your files (see shorewall.net/support.htm) and I'll have to agree..

HTH.

Jeff

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, November 24, 2004 11:15 AM
Subject: Re: Re[2]: [Shorewall-users] Attack from local network or...?

> On Wed, 2004-11-24 at 08:13 -0800, Tom Eastep wrote:
> > On Wed, 2004-11-24 at 17:09 +0100, Ratko Dakic wrote:
> >
> > Ratko --
> >
> > a) I JUST POSTED asking that people KEEP REPLIES ON THE
> > LIST!!!!!!!!!!!!!!!!!!!
>
> Oops -- I humbly beg your pardon. I should have looked more carefully at
> the message headers before having my tantrum.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Sorry, but I can't understand this. The only thing I have in "interfaces" is this:

net eth0 detect norfc1918,nobogons,blacklist,nosmurfs

The HOSTS file is empty...

What can I do now? Now I have stopped the firewall, LOAD 150 on the server!!!
Can I SET something, can shorewall kill this bad traffic...HOW? I don't know what to do now...the server is offline because I now have the firewall stopped...

--
Best regards,
Ratko mailto:ratko@teol.net

Wednesday, November 24, 2004, 5:13:55 PM, you wrote:

TE> On Wed, 2004-11-24 at 17:09 +0100, Ratko Dakic wrote:

TE> Ratko --

TE> a) I JUST POSTED asking that people KEEP REPLIES ON THE
TE> LIST!!!!!!!!!!!!!!!!!!!

TE> b) Log messages are absolutely useless without seeing
TE> your /etc/shorewall/interfaces and /etc/shorewall/hosts (if you use that
TE> file).

TE> c) Please at least TRY to understand these messages yourself by looking
TE> at Shorewall FAQ 17.

TE> -Tom
On Wed, 2004-11-24 at 19:40 +0100, Ratko Dakic wrote:> Sorry but I can`t understand this, only what I have in "interfaces" is this: > > net eth0 detect norfc1918,nobogons,blacklist,nosmurfs > > File HOSTS empty... > > What I can do now, now I stop firewall, LOAD 150 on server!!! > Can I SET something, can shorewall kill this bad traffic...HOW? I > don`t know what now...server is offline because now I have firewall > stoped... >a) Copy /usr/share/shorewall/rfc1918 to /etc/shorewall b) Add this record as the FIRST record in /etc/shorewall/rfc1918: 192.168.0.2 DROP -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2004-11-24 at 19:40 +0100, Ratko Dakic wrote:> Sorry but I can`t understand this, only what I have in "interfaces" is this: > > net eth0 detect norfc1918,nobogons,blacklist,nosmurfs > > File HOSTS empty... > > What I can do now, now I stop firewall, LOAD 150 on server!!!The change that I suggested will simply stop the messages you were complaining about -- if your server is under some sort of DOS attack, that change won''t have any effect on the attack. For that, you might wish to rate-limit connections to your server to see of that helps. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
That doesn't help me much :)
How can I block those IPs, like when I stop the firewall? When I stop the firewall, the server load goes down from 150 to 0!

Thanks
--
Best regards,
Ratko mailto:ratko@teol.net

Wednesday, November 24, 2004, 10:08:08 PM, you wrote:

TE> On Wed, 2004-11-24 at 19:40 +0100, Ratko Dakic wrote:
>> Sorry, but I can't understand this. The only thing I have in "interfaces" is this:
>>
>> net eth0 detect
>> norfc1918,nobogons,blacklist,nosmurfs
>>
>> The HOSTS file is empty...
>>
>> What can I do now? Now I have stopped the firewall, LOAD 150 on the server!!!

TE> The change that I suggested will simply stop the messages you were
TE> complaining about -- if your server is under some sort of DOS attack,
TE> that change won't have any effect on the attack.

TE> For that, you might wish to rate-limit connections to your server to see
TE> if that helps.

TE> -Tom
On Wed, 2004-11-24 at 22:37 +0100, Ratko Dakic wrote:
> That doesn't help me much :)
> How can I block those IPs, like when I stop the firewall? When I stop
> the firewall, the server load goes down from 150 to 0!

You need to determine what IP addresses are involved in the attack (look at your server's access log and at "shorewall show connections") then blacklist those addresses.

The messages you posted represented traffic that was dropped by your firewall and hence was not contributing to the load on your server (although the logging probably put a significant load on your firewall).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
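The first step Tom gives, finding which addresses hold the most connections to the web port, as an added example (not Shorewall's code): it reads the conntrack table that "shorewall show connections" prints and ranks sources per destination port, separately counting connections stuck half-open in SYN_SENT. The table below is constructed, and the ip_conntrack line layout (first src=/dport= pair is the originating direction) is assumed.

```python
"""Rank sources by connection count from a conntrack table dump.
Added example, not Shorewall's code; SAMPLE_CONNTRACK is constructed."""
from collections import Counter

# Constructed ip_conntrack-style lines: one address with three half-open
# (SYN_SENT) web connections, two normal sessions, one UDP DNS entry.
SAMPLE_CONNTRACK = """\
tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=4493 dport=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=80 dport=4493 use=1
tcp      6 118 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=4494 dport=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=80 dport=4494 use=1
tcp      6 119 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=4495 dport=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=80 dport=4495 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.23 dst=203.0.113.10 sport=51000 dport=80 src=203.0.113.10 dst=198.51.100.23 sport=80 dport=51000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=203.0.113.10 sport=40001 dport=22 src=203.0.113.10 dst=198.51.100.9 sport=22 dport=40001 [ASSURED] use=1
udp      17 29 src=198.51.100.7 dst=203.0.113.10 sport=5353 dport=53 src=203.0.113.10 dst=198.51.100.7 sport=53 dport=5353 use=1
"""


def originator(line):
    """(proto, state, src, dport) for the side that opened a conntrack entry, else None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    fields, state = {}, None
    for tok in parts[1:]:
        key, sep, value = tok.partition("=")
        if sep and key not in fields:        # first occurrence = original direction
            fields[key] = value
        elif not sep and tok.isupper() and not tok.startswith("["):
            state = tok                      # TCP state word, e.g. SYN_SENT / ESTABLISHED
    if "src" not in fields or "dport" not in fields:
        return None
    return parts[0], state, fields["src"], fields["dport"]


def top_sources(lines, dport="80", proto="tcp", min_conns=1):
    """Sources with at least min_conns connections to proto/dport, busiest first."""
    counts = Counter()
    for p, _, src, dp in filter(None, map(originator, lines)):
        if p == proto and dp == dport:
            counts[src] += 1
    return [(src, n) for src, n in counts.most_common() if n >= min_conns]


def half_open(lines, dport="80"):
    """Per-source count of TCP entries still in SYN_SENT towards dport; a burst of
    these from one address is what to verify against the access log before blacklisting."""
    counts = Counter()
    for p, state, src, dp in filter(None, map(originator, lines)):
        if p == "tcp" and dp == dport and state == "SYN_SENT":
            counts[src] += 1
    return counts
```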