Re: Hits just keep on coming! What does it mean?

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 07/14/03


Date: Mon, 14 Jul 2003 17:17:00 GMT


"WayneC" <WC@nospam.net> said:
>I'm new to firewalls (just hooked up to cable and figured I should set one
>up), I have a Mandrake Linux (9.1) box serving as a router/firewall.

Ok, good.

>I'm using Firestarter as the firewall/nat manager. Eth0 is my external
>connection (in this case with an IP addy of 24.45.126.47) and eth1 is
>my internal connection running in the 192.168.0 range. All seems to be
>working well but I get these constant hits as follows:

... but you're not telling how you have configured your firewall - what
you're blocking, what you're allowing.

>in: eth0, port: 631, source: 24.45.126.47, destination: 255.255.255.255,
>protocol: udp, service: ipp

Hmm.. so, your computer sent a UDP broadcast (destination
255.255.255.255) message on its external interface, using port 631 as
the source. I guess this is the print server on your machine trying to
locate other IPP-capable print servers.

Questions:
- do you need to have a print server system running on that machine;
  if not, shut it down and disable it
- if print server is needed, try to limit it to non-Internet interfaces
- if you can't limit the interfaces, then block this outgoing message by
  your firewall -- I hope you're already blocking any incoming traffic to
  this service

>in: eth0, port: 513, source: 24.45.126.47, destination: 255.255.255.255,
>protocol: udp, service: who

Your machine is sending a broadcast for the "who" service (lists remote
users on all machines that happen to respond). This sounds rather strange,
but then, perhaps there's some program active on your system that tries to
gather this information.

>out: eth0, source: 24.45.126.47, destination: 224.0.0.251, protocol:
>igmp, service: unknown

Your machine is sending some IGMP packet to a multicast address; perhaps
trying to register as a multicast recipient. Strange.

>in: eth0, port: 138, source: 24.45.126.47, destination: 24.45.127.255,
>protocol: udp, service: netbios-dgm

Your machine is sending some NetBIOS (Windows networking) packet as a network
broadcast; it could be a NetBIOS registration packet.

Questions:
- do you need to provide Windows print/file services on this machine
- again, if not needed, stop and disable this service (samba)
- if needed, reconfigure samba not to use eth0 interface (can be done)
- check that you're filtering inbound traffic on this port

So, overall, it seems that _your_ machine is rather nosily trying to
find information about its Internet side. The worst chance is that
your machine was hacked during the time it was on the network without
a firewall. The better chance is that there just are multiple services
running on the machine that all try to gather information. I would
be rather wary of these packets, and try to locate which program(s)
originate them -- and follow my above instructions for all those
programs (disable if not needed, reconfigure to avoid using the Internet
interface whenever possible, and filter the rest - and filter very
strictly the incoming; filtering outgoing isn't a bad idea either, if
you just know what you can filter).

As for logging, I don't see much value in logging any of the packets
I allow at my firewall (logging happens at the service level, for the
services where I accept outside connections), and there's not much sense
logging all dropped packets either (there'd be just too much data) - so
I've disabled logging for some of the most commonly probed ports, like
80 (blocked, as I'm not running a webserver here).

(and the rationale for blocking ports where I don't even have a service
running: to make it more difficult for an attacker to set up services at
these ports -- and to protect me from my own application configuration
goof-ups - so, if I want to provide a service to the public, I must do it
by knowingly changing the firewall configuration)

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
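As an added example (not part of the original post), a small Python triage of Firestarter-style log entries like those quoted above: it parses each line and, as the reply does, judges by source address whether a packet is the box's own service advertising on the Internet-side interface or a remote host addressing the box. The /23 netmask and the extra inbound probe line (198.51.100.7) are assumptions constructed for the example.

```python
import ipaddress
import re

# One "key: value" field of a Firestarter log entry; igmp entries have no "port:" field.
_FIELD = re.compile(r"(\w+): ([^,]+)")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Defender-side reading of each verdict, following the advice in the reply.
ADVICE = {
    "own-service-advertising": "own service broadcasting on the Internet side: disable it "
                               "if unneeded, else bind it to eth1 and filter the port inbound",
    "own-outbound": "own unicast traffic: find the program that originates it",
    "inbound-from-remote": "remote host addressing this box: confirm the port is filtered",
}

def parse_entry(line):
    """'in: eth0, port: 631, source: ..., service: ipp' -> dict of typed fields."""
    f = dict(_FIELD.findall(line))
    return {"port": int(f["port"]) if "port" in f else None, "proto": f["protocol"],
            "src": ipaddress.ip_address(f["source"]),
            "dst": ipaddress.ip_address(f["destination"]), "service": f["service"]}

def triage(entry, local_iface):
    """Classify by source address, not by the in/out label: every 'in:' entry in
    the post carries the box's own external address as its source."""
    dst = entry["dst"]
    if dst in (LIMITED_BROADCAST, local_iface.network.broadcast_address):
        scope = "broadcast"
    elif dst.is_multicast:
        scope = "multicast"
    else:
        scope = "unicast"
    verdict = ("inbound-from-remote" if entry["src"] != local_iface.ip
               else "own-outbound" if scope == "unicast" else "own-service-advertising")
    return {"service": entry["service"], "port": entry["port"], "scope": scope,
            "verdict": verdict, "advice": ADVICE[verdict]}

def triage_log(lines, local_iface):
    return [triage(parse_entry(line), local_iface) for line in lines]

# External address from the post; the /23 mask is an assumption that fits the 24.45.127.255 broadcast.
LOCAL = ipaddress.ip_interface("24.45.126.47/23")

# Four entries quoted in the post plus one constructed inbound probe (198.51.100.7, documentation range).
SAMPLE_LOG = [
    "in: eth0, port: 631, source: 24.45.126.47, destination: 255.255.255.255, protocol: udp, service: ipp",
    "in: eth0, port: 513, source: 24.45.126.47, destination: 255.255.255.255, protocol: udp, service: who",
    "out: eth0, source: 24.45.126.47, destination: 224.0.0.251, protocol: igmp, service: unknown",
    "in: eth0, port: 138, source: 24.45.126.47, destination: 24.45.127.255, protocol: udp, service: netbios-dgm",
    "in: eth0, port: 80, source: 198.51.100.7, destination: 24.45.126.47, protocol: tcp, service: http",
]
```

Calling `triage_log(SAMPLE_LOG, LOCAL)` marks the four quoted entries as the box's own services advertising (three broadcasts, one multicast) and only the constructed probe as inbound from a remote host.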

