Re: IPChains rule.

From: Bruno Gimenes Pereti (pereti@ump.edu.br)
Date: 12/14/01


From: "Bruno Gimenes Pereti" <pereti@ump.edu.br>
To: <security-discuss@linuxsecurity.com>
Date: Fri, 14 Dec 2001 17:48:05 -0200

Hi David,

Thanks for the answer.

> Did you check /var/log/messages, if not do a "less /var/log/messages"
> and look for syslog messages close to that time where the reboot
> happened. Also check /var/log/secure and /var/log/xferlog for clues
> of intrusion attempts.

Yes, I've checked all the files in /var/log and found not a clue. My xferlog is
/usr/local/etc/proftpd.xferlog and it is also absolutely normal. Proftpd has
only one user, and this user can access only from my home IP.

> This line =>
> > -A input -p tcp -i eth0 -s myHome -d 0/0 22 -l -j ACCEPT
> generates this one =>
> > ACCEPT tcp ----l- myHome 0.0.0.0/0 * -> 22
>
> it says allow any to ssh to myHome

I think it's from myHome, isn't it?

> this one says
> > ACCEPT udp ------ my2NS 0.0.0.0/0 53 -> *
> allow DNS to talk to my computer using UDP from their port 53

my2NS is outside my network and it accesses my network to get zone
information.

[...snip...]

> > Do I have to worry? Does anybody know what is this?
>
> If that is all you have for a ipchains script, then yes, worry.

No, I wrote only the first rule for reference. I was worried about the DNS.
My ipchains file is bigger than that.

> Go to freshmeat.net or google and search for an ipchains or
> better yet, use iptables.
>
> Installing AIDE or Tripwire (and using it) is a good way
> to find out if your computer has been compromised.
>

I have downloaded a wonderful book, "Securing and Optimizing Red Hat Linux".
I don't remember the author's name. He wrote a new version talking about
iptables and I'll buy it when I finish the one I'm reading now.

Thanks again,

Bruno.
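Added worked example (not from the thread, and not part of ipchains): a small
reader for the two rule shapes quoted above, the command form kept in a script
and the `ipchains -L -n` listing form, that spells each one out as "who may
talk to whom, on which port". On the -s/-d question: -s is the source and -d
the destination, so `-s myHome -d 0/0 22` on the input chain matches packets
from myHome to port 22 on any address of this machine, which is the reading
Bruno gives. myHome and my2NS are the thread's placeholders and are never
resolved; the warnings() heuristic is this example's own, not an ipchains
feature.

```python
"""Read ipchains rules the way the kernel does (added example for this thread).

Handles the command form (`-A input -p tcp -i eth0 -s myHome -d 0/0 22 -l -j ACCEPT`)
and the `ipchains -L -n` row form (`ACCEPT tcp ----l- myHome 0.0.0.0/0 * -> 22`).
Hostnames are the placeholders from the thread; nothing is resolved or sent.
"""
import re
import shlex
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    iface: str = "any"   # `ipchains -L` without -v does not show it
    log: bool = False

    def explain(self) -> str:
        """Plain-language reading: -s/-d are source/destination, in that order."""
        verb = {"ACCEPT": "allow", "DENY": "silently drop",
                "REJECT": "reject"}.get(self.target, self.target.lower())
        host = lambda a: "any host" if a == ANY else a
        port = lambda p: "any port" if p == "*" else f"port {p}"
        text = (f"{verb} {self.proto} from {host(self.src)} ({port(self.sport)}) "
                f"to {host(self.dst)} ({port(self.dport)})")
        if self.chain == "input" and self.dst == ANY:
            text += " [on the input chain 0.0.0.0/0 means any address of this box]"
        if self.iface != "any":
            text += f", arriving on {self.iface}"
        if self.log:
            text += ", logging matches"
        return text

    def warnings(self) -> list:
        """Heuristic review of ACCEPT rules (this example's own checks)."""
        w = []
        if self.target == "ACCEPT" and self.sport != "*" and self.dport == "*":
            w.append(f"matches on source port only; the remote side chooses its own "
                     f"source port, so this opens every local {self.proto} port to {self.src}")
        if self.target == "ACCEPT" and self.src == ANY and self.dport == "*":
            w.append("accepts from anywhere to any port")
        return w


def _norm(addr: str) -> str:
    """ipchains prints `0/0` as `0.0.0.0/0`; do the same so both forms compare equal."""
    return ANY if addr in ("0/0", "0.0.0.0/0", "any") else addr


def parse_command(line: str) -> Rule:
    """Parse the script form. Negation ('!') and -y are deliberately not modelled."""
    toks = shlex.split(line)
    if toks and toks[0] == "ipchains":
        toks = toks[1:]
    r = Rule(chain="", target="", proto="all", src=ANY, sport="*", dst=ANY, dport="*")
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I"):
            r.chain, i = toks[i + 1], i + 2
        elif t == "-p":
            r.proto, i = toks[i + 1].lower(), i + 2
        elif t == "-i":
            r.iface, i = toks[i + 1], i + 2
        elif t == "-j":
            r.target, i = toks[i + 1].upper(), i + 2
        elif t in ("-s", "-d"):
            addr, port, i = _norm(toks[i + 1]), "*", i + 2
            if i < len(toks) and not toks[i].startswith("-"):   # optional port after the address
                port, i = toks[i], i + 1
            if t == "-s":
                r.src, r.sport = addr, port
            else:
                r.dst, r.dport = addr, port
        elif t == "-l":
            r.log, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t!r}")
    if not r.chain or not r.target:
        raise ValueError("rule needs both a chain (-A) and a target (-j)")
    return r


# target prot opt source destination sport -> dport
LISTING = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)$")


def parse_listing(line: str, chain: str = "input") -> Rule:
    """Parse one `ipchains -L -n` row; the 'l' in the opt column is the -l logging flag."""
    m = LISTING.match(line.strip())
    if not m:
        raise ValueError(f"not an ipchains -L row: {line!r}")
    target, proto, opt, src, dst, sport, dport = m.groups()
    return Rule(chain=chain, target=target.upper(), proto=proto.lower(), src=_norm(src),
                sport=sport, dst=_norm(dst), dport=dport, log="l" in opt)


if __name__ == "__main__":
    # The SSH rule in both quoted forms, then the DNS rule, all as quoted in the thread.
    print(parse_command("-A input -p tcp -i eth0 -s myHome -d 0/0 22 -l -j ACCEPT").explain())
    for row in ("ACCEPT tcp ----l- myHome 0.0.0.0/0 * -> 22",
                "ACCEPT udp ------ my2NS 0.0.0.0/0 53 -> *"):
        rule = parse_listing(row)
        print(rule.explain())
        for warning in rule.warnings():
            print("  WARNING:", warning)
```

Running it prints the SSH rule as "allow tcp from myHome (any port) to any
host (port 22) ..." for both forms, and flags the DNS row because it matches
only on the peer's source port 53, which the peer chooses itself.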

------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.