<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Re: [luau] Re: IPCHAINS Help</TITLE>
<META NAME="GENERATOR" CONTENT="StarOffice/5.2 (Linux)">
<META NAME="CREATED" CONTENT="20011018;19521000">
<META NAME="CHANGEDBY" CONTENT="Ben Beeson">
<META NAME="CHANGED" CONTENT="20011018;20061300">
</HEAD>
<BODY>
<PRE>
<FONT SIZE=3>Brian,</FONT>
<FONT SIZE=3> The answer to your question is the scans are coming from arbitrary
ports and showing up on my port 53. My firewall logs have messages
like these:</FONT>
<FONT SIZE=3>portsentry[726]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: 211.157.248.34/211.157.248.34 to TCP port: 53</FONT>
<FONT SIZE=3>portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via wrappers with string: "ALL: 211.157.248.34 : DENY"</FONT>
<FONT SIZE=3>portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 211.157.248.34 -j DENY -l"</FONT>
<FONT SIZE=3>portsentry[726]: attackalert: SYN/Normal scan from host: 210.97.3.254/210.97.3.254 to TCP port: 53</FONT>
<FONT SIZE=3>portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via wrappers with string: "ALL: 210.97.3.254 : DENY"</FONT>
<FONT SIZE=3>portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 210.97.3.254 -j DENY -l"</FONT>
<FONT SIZE=3>So, I just wanted to take an extra step to keep them out in case my
PortSentry misses something. </FONT>
<FONT SIZE=3>Thanks,</FONT>
<FONT SIZE=3>Ben</FONT>
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 10/18/01, 6:19:18 AM, Brian Russo <brusso@phys.hawaii.edu> wrote
regarding [luau] Re: IPCHAINS Help:
> On Wed, Oct 17, 2001 at 06:55:56AM +0000, Ben Beeson wrote:
> > Dusty, Brian and Warren,
> > Thanks for your help. The answer to Warren's question is that I am
> > seeing a few more port scans on port 53 from the far flung regions of the
> I'm uncertain what you mean by "on port 53".
> src_port = 53?
> or
> dst_port = 53?
> If they're coming from src_port 53, to some arbitrary port on your
> side, you can permit src_port 53 only from the DNS servers you
> expect to use, and block all others.
> If they're coming from an arbitrary port, to dst_port 53, you can
> just block all incoming to 53 (assuming you don't have an externally
> visible NS).
> Blocking packets incoming to port 53 should not impact DNS.
> query:
> resnet4-32.housing.hawaii.edu.32825 > postoffice.netpath.net.domain: 10454+ A? carolina.com.
> response:
> postoffice.netpath.net.domain > resnet4-32.housing.hawaii.edu.32825: 10454* 1/2/0 A node60-197.netpath.net
> We can see that the outgoing query is made to the DNS server on its
> port 53, and is src_port'd from 53 in the reply.
> Port 53 never comes into play on the client's side; an arbitrary
> port (32825 in this case) is used.
> Keep in mind if you do block src_port 53, even permitting your ISP's
> nameservers through, it's possible that some applications could
> break, e.g. "dig @some.unpermitted.dns.server IN A foo.com" would
> break - note that dig some.unpermitted.dns.server IN A foo.com would
> not break.
> Anyway, it's 6.17, I'm not allowed to be up this early, if something
> is unclear or just plain wrong, it's probably my fault ;)
> - bri
> --
> Unix Staff, High Energy Physics Group <brusso@phys.hawaii.edu>
> Debian/GNU Linux! <A HREF="http://www.debian.org/">http://www.debian.org</A> <wolfie@debian.org>
</PRE>
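Added example, not part of the thread and not Ben's or Brian's code: a small Python script that does two things. First, it parses the portsentry attackalert lines above into scan hits and block actions, so a scanner that was logged but never got both the wrappers entry and the ipchains DENY stands out; that is the "PortSentry misses something" gap Ben's static rule is meant to cover. Second, it applies the two candidate rules Brian describes, "drop inbound to dst_port 53" versus "drop inbound from src_port 53 unless from a trusted resolver", to the tcpdump query/response pair he quoted. The log and capture lines from the thread are rejoined onto single lines; the scanner 192.0.2.7, the resolver ns.example.net, the SYN packet, the trusted-resolver set and the local host name are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the portsentry alerts quoted in the thread, rejoined
# onto single lines as syslog writes them, plus one constructed scanner
# (192.0.2.7, a TEST-NET address) that portsentry logged but never blocked.
PORTSENTRY_LOG = [
    'portsentry[726]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: 211.157.248.34/211.157.248.34 to TCP port: 53',
    'portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via wrappers with string: "ALL: 211.157.248.34 : DENY"',
    'portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 211.157.248.34 -j DENY -l"',
    'portsentry[726]: attackalert: SYN/Normal scan from host: 210.97.3.254/210.97.3.254 to TCP port: 53',
    'portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via wrappers with string: "ALL: 210.97.3.254 : DENY"',
    'portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 210.97.3.254 -j DENY -l"',
    'portsentry[726]: attackalert: SYN/Normal scan from host: 192.0.2.7/192.0.2.7 to TCP port: 53',
]

# Constructed sample capture: the query/response pair Brian quoted, plus two
# constructed packets: a reply from a resolver the client never configured
# (the "dig @server" case) and a SYN aimed at the client's own port 53.
TCPDUMP_LINES = [
    "resnet4-32.housing.hawaii.edu.32825 > postoffice.netpath.net.domain: 10454+ A? carolina.com.",
    "postoffice.netpath.net.domain > resnet4-32.housing.hawaii.edu.32825: 10454* 1/2/0 A node60-197.netpath.net",
    "ns.example.net.domain > resnet4-32.housing.hawaii.edu.32825: 10455* 1/0/0 A 192.0.2.10",
    "192.0.2.7.4444 > resnet4-32.housing.hawaii.edu.domain: S 1:1(0) win 512",
]
LOCAL_HOST = "resnet4-32.housing.hawaii.edu"   # assumed: the client side of the capture
TRUSTED_DNS = {"postoffice.netpath.net"}       # assumed: resolvers we expect replies from

SCAN_RE = re.compile(r"attackalert: (?P<kind>.+?) from host: (?P<host>[\d.]+)/[\d.]+ to TCP port: (?P<port>\d+)")
BLOCK_RE = re.compile(r"attackalert: Host (?P<host>[\d.]+) has been blocked via (?P<how>wrappers|dropped route)")
SERVICE_PORTS = {"domain": 53}                 # tcpdump prints well-known ports by name


def parse_scans(lines):
    """Return (host, port, scan_type) for every scan portsentry reported."""
    hits = []
    for line in lines:
        m = SCAN_RE.search(line)
        if m:
            hits.append((m["host"], int(m["port"]), m["kind"]))
    return hits


def parse_blocks(lines):
    """Map host -> set of block mechanisms portsentry reported applying to it."""
    blocks = {}
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            blocks.setdefault(m["host"], set()).add(m["how"])
    return blocks


def unblocked_scanners(lines):
    """Scanning hosts that did not get both the wrappers entry and the ipchains DENY."""
    blocks = parse_blocks(lines)
    return sorted({host for host, _, _ in parse_scans(lines)
                   if blocks.get(host) != {"wrappers", "dropped route"}})


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _endpoint(text):
    # tcpdump writes "host.port"; the port may be a service name such as "domain"
    host, port = text.rsplit(".", 1)
    return host, SERVICE_PORTS.get(port) or int(port)


def parse_tcpdump(line):
    """Parse the 'src.port > dst.port:' prefix of a tcpdump line into a Packet."""
    left, right = line.split(": ", 1)[0].split(" > ")
    src, sport = _endpoint(left)
    dst, dport = _endpoint(right)
    return Packet(src, sport, dst, dport)


def dropped_by_dst53(pkt, local=LOCAL_HOST):
    """Brian's rule: drop inbound packets addressed to our own port 53."""
    return pkt.dst == local and pkt.dport == 53


def dropped_by_src53(pkt, local=LOCAL_HOST, trusted=TRUSTED_DNS):
    """Alternative rule: drop inbound packets from source port 53 unless from a trusted resolver."""
    return pkt.dst == local and pkt.sport == 53 and pkt.src not in trusted


def filter_capture(lines):
    """For each capture line, report (dropped by dst-53 rule, dropped by src-53 rule)."""
    return [(dropped_by_dst53(p), dropped_by_src53(p)) for p in map(parse_tcpdump, lines)]


if __name__ == "__main__":
    for host, port, kind in parse_scans(PORTSENTRY_LOG):
        print(f"scan of port {port} from {host}: {kind}")
    print("scanners portsentry did not block:", unblocked_scanners(PORTSENTRY_LOG))
    for line, verdict in zip(TCPDUMP_LINES, filter_capture(TCPDUMP_LINES)):
        print(verdict, line.split(": ")[0])
```

Run it directly to see the verdicts: the outgoing query and the reply from the configured resolver pass both rules, the reply from the unconfigured resolver is dropped only by the src_port 53 rule (Brian's dig-breaks case), and the SYN to our port 53 is dropped only by the dst_port 53 rule, which is why blocking inbound dst_port 53 on a host with no public name server is the rule that stops the scans without touching normal DNS. The capture is UDP while portsentry is watching TCP port 53; the address-and-port logic is the same for both.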
</BODY>
</HTML>