Re: Ipchains Question / Seeking Information.

From: Devdas Bhagat (dvb@users.sourceforge.net)
Date: 10/16/02 

Date: Wed, 16 Oct 2002 03:47:37 +0530
From: Devdas Bhagat <dvb@users.sourceforge.net>
To: Chris S <chris@jynx.net>

On 08/10/02 14:06 -0400, Chris S wrote:
> I'm getting a good amount of these DENY's in my logs, but I'm not sure
> exactly what they mean.
>
> Oct 7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6
> 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
<snip>
The SYN bit is not set, so it looks like this is a TCP response. There
was an old post about reading ipchains logs.
I can't recall which list it was on though (this
one/bugtraq/loganalysis/firewall-wizards).

> 216.178.84.110 Is the address binded to my webserver. To me it looks like my
> webserver is trying to connect to 65.56.237.226 on port 2002 (the new linux
> worm) I could be wrong about this, but im not sure.
Or maybe a simple browser expecting a response?

> I have these lines for IPChains so i dont know how or if im infected.
> Chain input (policy ACCEPT):
> target prot opt source destination ports
> DENY tcp ----l- anywhere anywhere any ->
> 2002
> DENY udp ----l- anywhere anywhere any ->
> 2002
>
> Chain output (policy ACCEPT):
> target prot opt source destination ports
> DENY udp ----l- anywhere anywhere any ->
> 2002
> DENY tcp ----l- anywhere anywhere any ->
> 2002
You aren't looking for connections being initiated from your box, but
all connections to port 2002/tcp. I suggest that the tcp rules be
modified to look for the initial SYN bit set too, or you upgrade to
iptables.
You are probably looking at a webserver response to a perfectly normal
query.

Devdas Bhagat

Relevant Pages

  • Re: IAS/RADIUS server has passed an invalid value
    ... Is the connection actually matching the policy on which filters are ... log the name of the remote access policy which has been matched. ... Have only the IP filters configured on this policy. ... that in first case the ISA2004 logs the error ...
    (microsoft.public.windows.server.networking)
  • Re: Airbus pic
    ... They have a pretty reasonable policy with regard to that as well. ... traffic and we did monitor the logs. ... please explain why it's felony theft. ...
    (sci.electronics.design)
  • Re: [fw-wiz] Firewall policy generator, capture based - Any idea?
    ... I want to capture my Data Center traffic, with a NAM or Sniffer. ... Basically a packetflow capture based firewall rules generator. ... Put the firewall in place with a policy that allows all traffic to ... Analyze logs. ...
    (Firewall-Wizards)
  • Re: Win2k server, strange linux log files.. confused.? so am I.
    ... Anyway this is the main server ... > My linux pc has the following ports open - ssh, http, ftp and X. ... > snort logs each day and never got any bad messages. ... > the windows 2k server up to allow inbound TCP/IP connections - i.e to allow ...
    (comp.os.linux.security)
  • Hacked?
    ... Event Source: Security ... Domain Policy Changed: Password Policy modified ... according to the logs no one with authority to make such a change was logged ... with privelage to change local security policies was logged in at the time. ...
    (microsoft.public.inetserver.iis.security)