IPCHAINS Help

Ben Beeson beesond001 at hawaii.rr.com
Thu Oct 18 23:06:13 PDT 2001



Brian,

	The answer to your question is the scans are coming from arbitrary ports 
and showing up on my port 53.  My firewall logs have messages like these:

portsentry[726]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: 211.157.248.34/211.157.248.34 to TCP port: 53
portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via wrappers with string: "ALL: 211.157.248.34 : DENY"
portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 211.157.248.34 -j DENY -l"

portsentry[726]: attackalert: SYN/Normal scan from host: 210.97.3.254/210.97.3.254 to TCP port: 53
portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via wrappers with string: "ALL: 210.97.3.254 : DENY"
portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 210.97.3.254 -j DENY -l"

So, I just wanted to take an extra step to keep them out in case my 
PortSentry misses something.  

Thanks,

Ben





>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 10/18/01, 6:19:18 AM, Brian Russo <brusso at phys.hawaii.edu> wrote 
regarding [luau] Re: IPCHAINS Help:


> On Wed, Oct 17, 2001 at 06:55:56AM +0000, Ben Beeson wrote:
> > Dusty, Brian and Warren,
> >     Thanks for your help.  The answer to Warren's question is that I am
> > seeing a few more port scans on port 53 from the far flung regions of the

> I'm uncertain what you mean by "on port 53".

> src_port = 53?
> or
> dst_port = 53?

> If they're coming from src_port 53, to some arbitrary port on your
> side, you can permit src_port 53 only from the DNS servers you
> expect to use, and block all others.

> If they're coming from an arbitrary port, to dst_port 53, you can
> just block all incoming to 53 (assuming you dont have an externally
> visible NS)

> Blocking packets incoming to port 53, should not impact DNS.

> query:
>  resnet4-32.housing.hawaii.edu.32825 > postoffice.netpath.net.domain:  10454+ A? carolina.com.

> response:
>  postoffice.netpath.net.domain > resnet4-32.housing.hawaii.edu.32825:  10454* 1/2/0 A node60-197.netpath.net

> We can see that the outgoing query is made to the DNS server on its
> port 53, and is src_port'd from 53 in the reply.
> Port 53 never comes into play on the client's side; an arbitrary
> port (32825 in this case) is used.

> Keep in mind if you do block src_port 53, even permitting your ISP's
> nameservers through, it's possible that some applications could
> break, e.g. "dig @some.unpermitted.dns.server IN A foo.com" would
> break - note that "dig some.unpermitted.dns.server IN A foo.com" would
> not break..

> Anyway, it's 6:17, I'm not allowed to be up this early; if something
> is unclear or just plain wrong, it's probably my fault ;)

>  - bri
> --
> Unix Staff, High Energy Physics Group   <brusso at phys.hawaii.edu>
> Debian/GNU Linux! http://www.debian.org <wolfie at debian.org>

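The following is an added example, not code from either poster: a small first-match filter modelled on the ipchains "input" chain, loaded with the rules Brian describes (deny everything inbound to port 53, and permit source port 53 only from the expected resolver), with the two PortSentry blocks from Ben's log inserted at the top the way "ipchains -I" would. It is then run against the DNS reply from Brian's tcpdump lines, a probe like the ones in the log, and the "dig @some.unpermitted.dns.server" reply he warns about. Hostnames stand in for addresses because the mail gives none for the DNS hosts, and the packets, the 198.51.100.7 and 203.0.113.9 addresses and the port numbers other than 53 and 32825 are constructed for the example.

```python
"""Added example (not from the original thread): a first-match packet filter
in the style of the ipchains 'input' chain, with the rules from the mail.
Hostnames stand in for addresses; sample packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

ACCEPT, DENY = "ACCEPT", "DENY"
EXPECTED_NS = "postoffice.netpath.net"      # resolver seen in the tcpdump lines
CLIENT = "resnet4-32.housing.hawaii.edu"    # our host in the tcpdump lines


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        # An unset field is a wildcard, like an omitted ipchains option.
        checks = ((self.proto, p.proto), (self.src, p.src),
                  (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == got for want, got in checks)

    def to_ipchains(self) -> str:
        # Render the rule as the command that appends it to the input chain.
        parts = ["/sbin/ipchains", "-A", "input"]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src or self.sport is not None:
            parts += ["-s", self.src or "0.0.0.0/0"]
            if self.sport is not None:
                parts.append(str(self.sport))
        if self.dport is not None:
            parts += ["-d", "0.0.0.0/0", str(self.dport)]
        parts += ["-j", self.target]
        if self.log:
            parts.append("-l")
        return " ".join(parts)


def build_chain(blocked_hosts: List[str]) -> List[Rule]:
    chain = []
    # PortSentry ran "ipchains -I input -s HOST -j DENY -l" for each scanner;
    # -I inserts at the top, so those rules are consulted first.
    for host in blocked_hosts:
        chain.append(Rule(DENY, src=host, log=True))
    # Replies with source port 53 are accepted only from the expected resolver;
    # the ACCEPT rules must precede the catch-all DENY on source port 53.
    chain.append(Rule(ACCEPT, proto="udp", src=EXPECTED_NS, sport=53))
    chain.append(Rule(ACCEPT, proto="tcp", src=EXPECTED_NS, sport=53))
    chain.append(Rule(DENY, sport=53, log=True))
    # Nothing inbound to our port 53: we run no externally visible nameserver.
    # Client-side lookups use an ephemeral port, so this does not affect DNS.
    chain.append(Rule(DENY, dport=53, log=True))
    return chain


def verdict(chain: List[Rule], packet: Packet, policy: str = ACCEPT) -> str:
    # First matching rule decides; otherwise the chain policy (ACCEPT here).
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy


SCANNERS = ["211.157.248.34", "210.97.3.254"]     # hosts from the PortSentry log
CHAIN = build_chain(SCANNERS)

# The DNS reply from the tcpdump line: server port 53 -> client port 32825.
REPLY = Packet("udp", EXPECTED_NS, 53, CLIENT, 32825)
# A probe like those in the log: arbitrary source port to our TCP port 53.
SCAN = Packet("tcp", "210.97.3.254", 40123, CLIENT, 53)
# The same probe from a host PortSentry has not blocked yet (address constructed).
NEW_SCAN = Packet("tcp", "198.51.100.7", 40123, CLIENT, 53)
# The reply to "dig @some.unpermitted.dns.server" that the catch-all drops.
OTHER_REPLY = Packet("udp", "some.unpermitted.dns.server", 53, CLIENT, 32826)
# Unrelated return traffic (constructed) falls through to the chain policy.
WEB_REPLY = Packet("tcp", "203.0.113.9", 80, CLIENT, 32827)


def decide(packet: Packet) -> str:
    return verdict(CHAIN, packet)


if __name__ == "__main__":
    for rule in CHAIN:
        print(rule.to_ipchains())
    for p in (REPLY, SCAN, NEW_SCAN, OTHER_REPLY, WEB_REPLY):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {decide(p)}")
```

One caveat when turning this into real rules: ipchains' "-y" flag matches only TCP packets with SYN set and ACK and FIN clear, so a "-y" rule on port 53 would not match the SYN/FIN probe in the first log entry above; the port 53 DENY is deliberately written without it.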