Please forgive what is almost certainly an ignorant question
from one who has little understanding of the subject.

I'm running CentOS-6.3 with shorewall (and fail2ban),
accessing the internet through a Billion router/modem.

I've noticed recently a large number of logwatch entries like
------------------------------------
Dropped 4177 packets on interface eth0
From 1.0.159.111 - 2 packets to udp(51001)
------------------------------------
all targeting port 51001 (from many different IP addresses).

I haven't explicitly opened this port on the router,
nor is it mentioned in my shorewall rules.

I would have thought this packet would be unable
to get through the router?
Or are UDP packets usually treated differently to TCP packets?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 08/15/2012 04:07 AM, Timothy Murphy wrote:
>
> Please forgive what is almost certainly an ignorant question
> from one who has little understanding of the subject.
>
> I'm running CentOS-6.3 with shorewall (and fail2ban),
> accessing the internet through a Billion router/modem.
>
> I've noticed recently a large number of logwatch entries like
> ------------------------------------
> Dropped 4177 packets on interface eth0
> From 1.0.159.111 - 2 packets to udp(51001)
> ------------------------------------
> all targeting port 51001 (from many different IP addresses).
>
> I haven't explicitly opened this port on the router,
> nor is it mentioned in my shorewall rules.
>
> I would have thought this packet would be unable
> to get through the router?
> Or are UDP packets usually treated differently to TCP packets?

Assuming that logwatch is running on your Shorewall router, this simply
indicates that the packets are being dropped and logged.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
I see that my machine is trying to send out mysterious packets frequently, and this is disturbing (Debian Testing, SW 4.5.5.3-1):

[33989.889255] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53577 DPT=443 LEN=36
[34289.470433] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34294.463539] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34299.455311] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=36

What do I do about this? How do I determine whether I have a rootkit or trojan?

Why in the world would someone keep sending me these, over and over:

[34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
[34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0
...

and how in the world are these getting through three wifi routers in a chain to the destination machine, each with a firewall?

And finally, what is the recommended monitoring method? I see there's fwlogwatch, fail2ban, logwatch, and probably others.
On 08/15/2012 07:19 AM, CACook@quantum-sci.com wrote:
>
> I see that my machine is trying to send out mysterious packets frequently, and this is disturbing (Debian Testing, SW 4.5.5.3-1):
>
> [33989.889255] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53577 DPT=443 LEN=36
> [34289.470433] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
> [34294.463539] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
> [34299.455311] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=36
>
> What do I do about this? How do I determine whether I have a rootkit or trojan?

Are you an OpenDNS subscriber by chance?

>
> Why in the world would someone keep sending me these, over and over:
>
> [34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
> [34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0
> ... and how in the world are these getting through three wifi routers in a chain to the destination machine, each with a firewall?

Do yourself a favor and remove the logging specification from your
DROP(Invalid) rule. Those are probably late-arriving RSTs from
connections which have already been closed. They are nothing to worry about.

>
> And finally, what is the recommended monitoring method? I see there's fwlogwatch, fail2ban, logwatch, and probably others.
>

I personally use fwlogwatch.

-Tom
On Wednesday, 15 August, 2012 07:56:06 Tom Eastep wrote:
> Are you an OpenDNS subscriber by chance?

Thanks. I do not subscribe to OpenDNS, but I do use their dnscrypt-proxy. I've just installed it and haven't gotten it working yet. I find in the man page:
"By default, dnscrypt-proxy sends outgoing queries to UDP port 443."
Eureka! So I'll open that port.

> Do yourself a favor and remove the logging specification from your
> DROP(Invalid) rule. Those are probably late-arriving RSTs from
> connections which have already been closed. They are nothing to worry about.

Can't find a DROP(Invalid) in policy, shorewall.conf, or rules.

> I personally use fwlogwatch.

Then that's my ticket.
On 08/15/2012 07:56 AM, Tom Eastep wrote:
>>
>> Why in the world would someone keep sending me these, over and over:
>>
>> [34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
>> [34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0
>> ... and how in the world are these getting through three wifi routers in a chain to the destination machine, each with a firewall?
>
> Do yourself a favor and remove the logging specification from your
> DROP(Invalid) rule. Those are probably late-arriving RSTs from
> connections which have already been closed. They are nothing to worry about.

As an alternative to removing the logging, you can disable netfilter
window tracking by placing this in /etc/shorewall/init:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

-Tom
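As an added example (not part of the thread and not Shorewall's or fwlogwatch's own code), the script below applies the two diagnoses from this exchange to Shorewall log lines of the form quoted above, so the same triage can be run over a whole log instead of eyeballing it: a drop with an empty IN= and a populated OUT= was generated by a process on the host itself (the dnscrypt-proxy case), and an Invalid-chain drop of an ACK or ACK/RST segment coming from a server port to a local ephemeral port is the late segment from an already-closed connection that Tom describes. The sample lines are constructed from the ones quoted in the thread; the ephemeral-port threshold of 32768 is an assumption (the lower bound of the Linux default ip_local_port_range).

```python
"""Triage Shorewall/netfilter log lines: local-process egress vs. stray TCP segments.

Added example, not Shorewall code. Sample input is constructed from the
lines quoted in the mailing-list thread.
"""
import re
from collections import Counter

# Constructed sample: two fw2net egress drops and two Invalid-chain drops.
SAMPLE_LOG = """\
[33989.889255] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53577 DPT=443 LEN=36
[34289.470433] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
[34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by netfilter's KEY=VALUE dump.
_HEADER = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")
_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_LOW = 32768  # assumption: Linux default lower bound of ip_local_port_range


def parse_shorewall_line(line):
    """Return {'chain', 'disp', 'fields', 'flags'} for one log line, or None if it is not a Shorewall line."""
    m = _HEADER.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if eq:
            # UDP lines carry LEN twice (IP length, then UDP length); keep the first, IP-level value.
            fields.setdefault(key, val)
        elif tok in _TCP_FLAGS or tok == "DF":
            flags.add(tok)  # bare tokens are TCP flags (ACK, RST, ...) or the IP DF bit
    return {"chain": m.group("chain"), "disp": m.group("disp"), "fields": fields, "flags": flags}


def classify(rec):
    """Apply the thread's two diagnoses; anything else is left for manual review."""
    f, flags = rec["fields"], rec["flags"]
    # Empty IN= and populated OUT= means the packet originated on this host (OUTPUT chain),
    # so a local process, not an attacker, is sending it.
    if f.get("OUT") and not f.get("IN"):
        return "egress-from-local-process"
    # Inbound ACK (optionally RST) without SYN from a server port to a local ephemeral port,
    # dropped by the Invalid chain: conntrack no longer knows the connection, i.e. a late segment.
    if (rec["chain"] == "Invalid" and f.get("IN") and not f.get("OUT")
            and f.get("PROTO") == "TCP" and "ACK" in flags and "SYN" not in flags
            and int(f.get("DPT", "0")) >= EPHEMERAL_LOW):
        return "late-segment-closed-connection"
    return "review"


def summarize(log_text):
    """Count lines per (chain, disposition, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec:
            counts[(rec["chain"], rec["disp"], classify(rec))] += 1
    return counts


def egress_destinations(log_text):
    """(DST, PROTO, DPT) of every blocked packet a local process tried to send: the list to identify."""
    dests = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec and classify(rec) == "egress-from-local-process":
            f = rec["fields"]
            dests[(f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
    return dests


if __name__ == "__main__":
    for (chain, disp, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  chain={chain} disp={disp} verdict={verdict}")
    for (dst, proto, dport), n in egress_destinations(SAMPLE_LOG).most_common():
        print(f"{n:4d}  local process -> {dst} {proto}/{dport}")
```

For the egress entries the next step is to find the owning process rather than to open the port blindly (for example `ss -uanp` on the host while the drops are occurring); in this thread it turned out to be dnscrypt-proxy. Anything the script leaves as "review" is what a daily fwlogwatch or logwatch report should still surface.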
Tom Eastep wrote:
>> I'm running CentOS-6.3 with shorewall (and fail2ban),
>> accessing the internet through a Billion router/modem.
>>
>> I've noticed recently a large number of logwatch entries like
>> ------------------------------------
>> Dropped 4177 packets on interface eth0
>> From 1.0.159.111 - 2 packets to udp(51001)
>> ------------------------------------
>> all targeting port 51001 (from many different IP addresses).
>>
>> I haven't explicitly opened this port on the router,
>> nor is it mentioned in my shorewall rules.
>>
>> I would have thought this packet would be unable
>> to get through the router?
>> Or are UDP packets usually treated differently to TCP packets?
>
> Assuming that logwatch is running on your Shorewall router, this simply
> indicates that the packets are being dropped and logged.

Sorry, I should have said that shorewall is _not_ running on the Billion router/modem,
but on a CentOS server attached to the modem.
So what puzzles - or I should say, surprises - me is that the UDP packets
get through the router/modem, and are logged by the computer.
But I guess this is a problem between me and Billion,
and has nothing to do with shorewall.

--
Timothy Murphy