Re: Trying to figger this out
From: Luke Vogel (luke@bell-bird.com.au)
Date: 11/22/02
- Next message: Luke Vogel: "Re: How to bloc a web site ???"
- Previous message: Bryan Packer: "Re: Trying to figger this out"
- In reply to: Baho Utot: "Re: Trying to figger this out"
- Next in thread: David Means: "Re: Trying to figger this out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Luke Vogel <luke@bell-bird.com.au> Date: Fri, 22 Nov 2002 17:16:41 +1000
Baho Utot wrote:
>
> Luke Vogel wrote:
>
> > Baho Utot wrote:
> >>
> >> I have a web server on port 80 and have seen this in my log file. Can
> >> someone explain why the firewall ipchains rejected and denied these?
> >
> > You need to look at your rule numbers 31 for the REJECTs, 24 for the
> > DENYs and 70 for the last DENY. The rules are set up explicitly to do
> > what is asked of them.
> >
> > A whois lookup indicated that some of the packets are coming from an
> > address in the "Road Runner" name space, some of the others are from
> > WIDEOPENWEST OHIO ...
>
> How do you find this info out?
>
> >
> > Are you running a http web server?
> > These connection attempts may simply be worms looking for hosts running
> > vulnerable http servers.
>
> Yes I am running a web server and I have ipchains rules to allow access to
> the web server. I also allow access to http as clients. That is why I
> found this interesting. Investigation reveals these rules.
>
> 24 DENY   tcp -y--l- anywhere anywhere socks -> any
>
> 31 REJECT tcp -y--l- anywhere anywhere 3066  -> any
>
> 70 DENY   udp ----l- anywhere anywhere any   -> any
>
> I intended to block the socks port (1080) by rule 24,
> the mysql port (3306) by rule 31 (yes I got the port number wrong).
That's fine ...
> How can I block those ports without interfering with the web server? I
> think what happened was that the tcp packets from those client machines
> unfortunately picked a "bad port". The rule for socks and mysql ports is
> too broad.
No, it needs to be broad to catch the vast majority of anomalies.
> I think I will need to accept those ports if connecting to the
> web server or place the web server rules before the socks and mysql rules.
> (right?).
As you stated, the order of the rules can be very important.
A good approach is to:
1. Set policies of DENY/REJECT everything.
2. Deny banned traffic (spoofed/unreal addresses etc.).
3. Allow small holes for services that you intend to provide,
4. THEN place all your "special" and "sweeper/catch-all" rules to ensure
that you are catching and reporting as needed.
> The last one I don't get why udp traffic from port 80 to my port 1029 ?
http traffic is pretty well always tcp traffic. A stray udp packet may
be a scan or fingerprinting attempt ... hard to say.
--
Regards
Luke
------
When I die, I want to die like my Grandmother who died peacefully in her sleep. Not screaming like all the passengers in her car.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
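The ordering point Luke makes above (policy first, then banned traffic, then the small service holes, then the sweeper rules) can be replayed offline. The following is an added example, not code from the thread or from ipchains: a first-match chain simulator loaded with the three rules Baho quoted, run once with the sweepers ahead of the web-server hole and once with the hole first. It assumes ipchains -L prints ports as "source -> destination", so "socks -> any" keys on a source port of 1080; the ACCEPT rule for port 80 (number 10) and all packets are constructed for the demonstration.

```python
"""First-match packet-filter simulator (added example, not from the thread).

Replays the three ipchains rules quoted in the thread against constructed
packets, in the original order and in the order recommended above.
Assumption: ipchains lists ports as "source -> destination", so the rule
"socks -> any" matches source port 1080 with any destination port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Verdict = Tuple[str, Optional[int]]   # (target, matching rule number or None)


@dataclass(frozen=True)
class Rule:
    num: int
    target: str                      # ACCEPT, DENY or REJECT
    proto: str                       # "tcp", "udp" or "any"
    src_port: Optional[int] = None   # None matches any source port
    dst_port: Optional[int] = None   # None matches any destination port
    syn_only: bool = False           # ipchains -y: match only SYN packets


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    syn: bool = False


SOCKS, MYSQL_TYPO, HTTP = 1080, 3066, 80   # 3066 is the typo from the thread

# The three rules as listed by ipchains -L in the thread.
SWEEPERS: List[Rule] = [
    Rule(24, "DENY", "tcp", src_port=SOCKS, syn_only=True),
    Rule(31, "REJECT", "tcp", src_port=MYSQL_TYPO, syn_only=True),
    Rule(70, "DENY", "udp"),
]
# Hypothetical hole for the web server: new connections to port 80.
WEB_HOLE = Rule(10, "ACCEPT", "tcp", dst_port=HTTP)

ORIGINAL_CHAIN = SWEEPERS + [WEB_HOLE]    # sweepers first: what the log shows
REORDERED_CHAIN = [WEB_HOLE] + SWEEPERS   # holes first, then sweepers


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies agrees with the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.syn_only and not pkt.syn:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> Verdict:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, rule.num
    return policy, None


def demo() -> List[Tuple[str, Verdict, Verdict]]:
    """Constructed packets, each scored under both orderings."""
    probes = [
        ("web client whose ephemeral source port is 1080",
         Packet("tcp", SOCKS, HTTP, syn=True)),
        ("web client whose ephemeral source port is 3066",
         Packet("tcp", MYSQL_TYPO, HTTP, syn=True)),
        ("inbound SYN to the socks port itself",
         Packet("tcp", 40000, SOCKS, syn=True)),
        ("stray udp from port 80 to port 1029",
         Packet("udp", HTTP, 1029)),
    ]
    return [(label, verdict(ORIGINAL_CHAIN, p), verdict(REORDERED_CHAIN, p))
            for label, p in probes]


if __name__ == "__main__":
    for label, before, after in demo():
        print(f"{label}\n  sweepers first: {before}\n  hole first:     {after}")
```

Two things fall out of the replay. With the sweepers ahead of the hole, a legitimate web client that happens to pick 1080 or 3066 as its ephemeral source port is caught by rule 24 or 31, which is the pattern in Baho's log; moving the port-80 hole ahead of them lets that client through while the sweepers still act on everything else. Second, because the listed rules key on the source port, an inbound SYN aimed at port 1080 never matches rule 24 at all and is stopped only by the chain policy, which is why step 1 of the ordering (a DENY/REJECT policy) does the real work.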