Hi folks,

I'm looking for a way to stop any calls to a single IP address..

I want to block any calls to 194.73.73.90 port 25, because it keeps
triggering ISDN dial-ups.
(I think I have a very unwanted guest in my system.)

I tried adding a rule to the diald.filter, but diald.filter does not seem to
like individual ip addresses, and last night I failed to find any hints on
how to achieve this.

This is probably one of these "yes it's a developers' issue, no it ain't" things, but
it would at least be useful to be able to block nuisance IPs.

Any other hints on how to achieve this would also be helpful.

For the why's, read the attached story.

thanks,

kees

This might be off-topic. My apologies. But imho I think this is a
developers' issue. Sometimes you stumble accidentally over things that you
wished you had not seen. This might be one. Of course, I hope I'm wrong..


Every story has a beginning, so here goes:

Location: England, ISP: British Telecom, Connection: ISDN

Does it affect e-smith systems: NO, but it can affect its users' phone bills.

Long ago, BT offered people a package called BT-anytime with 24*7 access for
a fixed price per month. Needless to say a lot of smart people signed up for
the service and for a while it was working great.
Then of course BT started to realize that they were losing money on the
service. (not really, but they were pretending to). Eventually, they started
to explain that 'anytime' did not mean anytime, but anytime within a 24 hour
period, not longer than 2 hours. This was a major pain, but since most smart
people were using gateways in one form or another, it just meant dialing in
every two hours.

Of course, this still did not discourage the majority of smart people.
Their next move was to take the 35000 heaviest users (like me, in the
evenings from 1800-2400, mostly online, either me or the kids etc..) and
give them a new 'improved access' service. Funny enough, they forgot to
assign enough IP addresses, and most people could not get online at all.
That was still not enough, because even though they officially claimed that 6
hours a day was not a problem, in reality they wanted to get rid of us asap.
One of the requirements of the service was that you would use their dialup
software. That the word Linux did not appear in that software will not
surprise us. This is where things start to go wrong.

I did install the dialing software once, to see what it was calling etc, but
since I do not use a modem, it could not dial. Once I had the settings I
needed, I put them in my Outlook Express (mail.btinternet.com 194.73.73.90).
I needed their smtp mailserver to send mail..... ( me, innocent me..)

Then a month or so after their improved service took effect, they kept
yelling at and threatening me, because I was 'abusing' the system? Now at
the time I was using another Linux ISDN firewall, and no way could they get
in. They tried long and hard, portscanning etc etc, but all they found was a
black hole. (Of course they could simply measure traffic on their side, I
would think?)

End of November they kicked me off the service (me and 35000 others.. Funny
we don't hear about these things in the news??) because of 'abuse'.
Now, I never disputed the fact I was using a router, to connect more than
one user to the net at the same time ( specifically not allowed by the terms
of their contract..) but I felt safe enough behind my firewall, and I knew
that all they could do was disconnect me, but technically I can simply not
see, what difference it makes, whether I have 1 or 100 users. I have one
measly 64k connection that runs at max 7.5kbyte/sec. Try telling the
bright-spots on the other end of the line..

I always had access to a normal ISP, but I pay for local access. Therefore I
have to keep a close eye on what goes out & why.

Recently I've been working on the ISDN integration into the e-smith system.
(small part, just testing..) Thanks to all the folks at Mitel it now works
great, too good actually..

I noticed initially that even though there was no activity on my network,
the e-smith box was calling home all the time, and I also noticed that
every time it called, it tried to connect to a timeserver. This led me to
believe that the ntpd service was to blame, because it also seemed that
when I turned off ntpd, the system did not call out.

Charlie said he blocked ntpd from doing this, so I have to dig further.

Nowhere in my messages files do I find any indication that port /37 (ntpd)
triggers a call. It's just that when watching tail -f /var/log/messages you
see that the first thing that happens is that ntpd uses the connection to
check the time. Ntpd uses the fact that the connection is up to
check the time, and is not the cause of it.

Last night I left the box on all night and this morning I found this: (tail
end of grepped /var/log/messages, this had been going on all night!)
Note: the only live box on my net was my NT server.
(194.73.73.90 is mail.btinternet.com. Port 25 is smtp.)

Dec 16 08:13:09 isdn diald[879]: Trigger: tcp 192.168.0.1/61180 194.73.73.90/25
Dec 16 08:17:41 isdn diald[879]: Trigger: tcp 194.73.73.90/25 192.168.0.1/61180
Dec 16 08:25:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61182 194.73.73.90/25
Dec 16 08:28:09 isdn diald[879]: Trigger: tcp 192.168.0.1/61182 194.73.73.90/25
Dec 16 08:32:39 isdn diald[879]: Trigger: tcp 194.73.73.90/25 192.168.0.1/61182
Dec 16 08:35:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61184 194.73.73.90/25
Dec 16 08:37:59 isdn diald[879]: Trigger: tcp 194.73.73.90/25 192.168.0.1/61184
Dec 16 08:40:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61185 194.73.73.90/25
Dec 16 08:43:09 isdn diald[879]: Trigger: tcp 192.168.0.1/61185 194.73.73.90/25
Dec 16 08:47:38 isdn diald[879]: Trigger: tcp 194.73.73.90/25 192.168.0.1/61185
Dec 16 08:50:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61187 194.73.73.90/25
Dec 16 08:52:58 isdn diald[879]: Trigger: tcp 194.73.73.90/25 192.168.0.1/61187
Dec 16 08:55:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61188 194.73.73.90/25
Dec 16 10:05:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61204 194.73.73.90/25


And from /accounting.log

Sun Dec 16 08:17:47 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:17:52 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:19:11 2001 GMT: Disconnected. Call duration 79 seconds.
IP transmitted 820 bytes and received 684 bytes.
Sun Dec 16 08:25:00 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:25:06 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:27:34 2001 GMT: Disconnected. Call duration 148 seconds.
IP transmitted 1228 bytes and received 760 bytes.
Sun Dec 16 08:28:09 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:28:15 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:32:34 2001 GMT: Disconnected. Call duration 259 seconds.
IP transmitted 1576 bytes and received 912 bytes.
Sun Dec 16 08:32:46 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:32:51 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:34:10 2001 GMT: Disconnected. Call duration 79 seconds.
IP transmitted 820 bytes and received 682 bytes.
Sun Dec 16 08:35:00 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:35:06 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:37:34 2001 GMT: Disconnected. Call duration 148 seconds.
IP transmitted 1228 bytes and received 836 bytes.
Sun Dec 16 08:37:59 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:38:05 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:39:10 2001 GMT: Disconnected. Call duration 65 seconds.
IP transmitted 820 bytes and received 684 bytes.
Sun Dec 16 08:40:00 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:40:05 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:42:34 2001 GMT: Disconnected. Call duration 149 seconds.
IP transmitted 1228 bytes and received 760 bytes.
Sun Dec 16 08:43:09 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:43:15 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:47:34 2001 GMT: Disconnected. Call duration 259 seconds.
IP transmitted 1500 bytes and received 912 bytes.
Sun Dec 16 08:47:46 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:47:52 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:49:10 2001 GMT: Disconnected. Call duration 78 seconds.
IP transmitted 820 bytes and received 684 bytes.
Sun Dec 16 08:50:00 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:50:05 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:52:34 2001 GMT: Disconnected. Call duration 149 seconds.
IP transmitted 1152 bytes and received 760 bytes.
Sun Dec 16 08:52:58 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:53:05 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:54:10 2001 GMT: Disconnected. Call duration 65 seconds.
IP transmitted 744 bytes and received 608 bytes.
Sun Dec 16 08:55:01 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:55:06 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:56:47 2001 GMT: Disconnected. Call duration 101 seconds.
IP transmitted 1016 bytes and received 836 bytes.
Sun Dec 16 09:00:00 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 09:00:06 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 09:05:07 2001 GMT: Disconnected. Call duration 301 seconds.
IP transmitted 912 bytes and received 912 bytes.
Sun Dec 16 09:41:21 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 09:41:26 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 10:02:34 2001 GMT: Disconnected. Call duration 1268 seconds.
IP transmitted 43547 bytes and received 378228 bytes.
Sun Dec 16 10:02:49 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 10:02:55 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 10:04:10 2001 GMT: Disconnected. Call duration 75 seconds.
IP transmitted 1932 bytes and received 3325 bytes.
Sun Dec 16 10:05:00 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 10:05:07 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 10:14:17 2001 GMT: Disconnected. Call duration 550 seconds.
IP transmitted 4698 bytes and received 4586 bytes.

1: So... I must have mail.btinternet.com in my email settings somewhere.
No, No chance at all. I never used the bt.internetaccount in any of my mail
clients.

2: You left some BT software on the (NT server) system:
Now here it gets interesting. There is nothing, other than the dialing
software, that came in a zip file..... You open the zip file, find two
executables that you have to run to see what it wants to dial. And what
else???
This is now the Big Question: What else did the BT-friendly people install??
I guess I won't find out. The only real solution is to reformat my system.

3: Something infected another piece of software, that picked up the
btinternet address and that's calling home. If so, no known virus scanner
finds it.
Other than that, this is a pretty humble box; the only services that run are
seti@home and Norton AntiVirus. I keep services to a minimum, because it's
only a 200 MHz system.

I tried to ping the mail.btinternet.com box, but it does not respond at the
moment (11-17:30 local time). Therefore I think there are 2 possibilities:
1: Normally the BT thingy calls home every so often, and you would not
notice, but because it's down, it gets upset and calls all the time.
2: It tries to call home all the time to report on what's happening, and
that's how they kept tabs on my internet access.. (not very bright)
3: Something else is using a non-existing smtp server to try to call home.
All kinds of trojans could do this. But would they be so daft as to pick a
non-functioning smtp server?

I've got some tcpdump files, but until it makes a connection, I won't know 
what it's trying to send..

All this is not the result of or caused by using e-smith; rather it
uncovered a (for me) serious problem, for which I'm grateful.

The answer to the question in the header therefore is: because it seems
likely with the information I have available, that something somehow managed
to install a bit of calling-home software on my system, and it just gave
itself away, BigTime!! (also the 300 pound phonebill made me realise
something was badly wrong!)

So, why should you be worried? Maybe you should not. Maybe I'm just unlucky,
but maybe, just maybe, your (not e-smith) boxes are sending stuff to your
ISP, without you knowing it??

Whatever you think of this story, it pays to keep a very close eye on your
logfiles if you are paying for the pleasure.
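As an added example (not code from the original post, from e-smith or from diald), the following Python script performs the kind of log check this story argues for: it parses diald "Trigger:" lines from /var/log/messages to find which local host, remote address and port combination is bringing the ISDN link up, and pairs each /accounting.log call with its byte counts so that dial-ups that carried almost no data (a client dialing, failing to reach a dead server and hanging up) stand out. The sample log lines are constructed, modelled on the two logs quoted above; the 192.168.0.0/24 local network and the 2000-byte "short call" threshold are assumptions you would adjust for your own site.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input, modelled on the diald lines quoted in the
# message above (not a real capture). A second, unrelated trigger is
# included so the ranking has something to rank against.
MESSAGES = """\
Dec 16 08:13:09 isdn diald[879]: Trigger: tcp 192.168.0.1/61180 194.73.73.90/25
Dec 16 08:17:41 isdn diald[879]: Trigger: tcp 194.73.73.90/25 192.168.0.1/61180
Dec 16 08:25:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61182 194.73.73.90/25
Dec 16 08:35:00 isdn diald[879]: Trigger: tcp 192.168.0.1/61184 194.73.73.90/25
Dec 16 09:41:21 isdn diald[879]: Trigger: tcp 192.168.0.2/1040 194.134.224.10/80
"""

# Constructed sample accounting log in the same layout as /accounting.log above.
ACCOUNTING = """\
Sun Dec 16 08:17:47 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:17:52 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:19:11 2001 GMT: Disconnected. Call duration 79 seconds.
IP transmitted 820 bytes and received 684 bytes.
Sun Dec 16 08:25:00 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 08:25:06 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 08:27:34 2001 GMT: Disconnected. Call duration 148 seconds.
IP transmitted 1228 bytes and received 760 bytes.
Sun Dec 16 09:41:21 2001 GMT: Calling site 194.134.224.2.
Sun Dec 16 09:41:26 2001 GMT: Connected to site 194.134.224.2.
Sun Dec 16 10:02:34 2001 GMT: Disconnected. Call duration 1268 seconds.
IP transmitted 43547 bytes and received 378228 bytes.
"""

TRIGGER_RE = re.compile(
    r"diald\[\d+\]: Trigger: (?P<proto>\w+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
DURATION_RE = re.compile(r"Disconnected\. Call duration (?P<secs>\d+) seconds")
BYTES_RE = re.compile(r"IP transmitted (?P<tx>\d+) bytes and received (?P<rx>\d+) bytes")


def parse_triggers(text):
    """Return one dict per diald 'Trigger:' line found in a messages log."""
    out = []
    for line in text.splitlines():
        m = TRIGGER_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            out.append(d)
    return out


def summarize_triggers(triggers, local_net="192.168.0.0/24"):
    """Count triggers per (local host, remote ip, remote port).

    diald logs whichever packet brought the link up, in either direction,
    so a reply packet (remote -> local) is folded onto the same key as the
    outbound packet that started the conversation. local_net is an assumption.
    """
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for t in triggers:
        if ipaddress.ip_address(t["src"]) in net:
            key = (t["src"], t["dst"], t["dport"])
        else:
            key = (t["dst"], t["src"], t["sport"])
        counts[key] += 1
    return counts


def top_trigger(counts):
    """The (local, remote, port) triple responsible for the most dial-ups."""
    return max(counts, key=counts.get) if counts else None


def parse_accounting(text):
    """Pair each 'Disconnected' line with the byte-count line that follows it."""
    calls = []
    pending = None
    for line in text.splitlines():
        m = DURATION_RE.search(line)
        if m:
            pending = {"duration": int(m.group("secs"))}
            continue
        m = BYTES_RE.search(line)
        if m and pending is not None:
            pending["tx"] = int(m.group("tx"))
            pending["rx"] = int(m.group("rx"))
            calls.append(pending)
            pending = None
    return calls


def short_calls(calls, max_bytes=2000):
    """Number of calls that moved almost no data in total (threshold is an assumption)."""
    return sum(1 for c in calls if c["tx"] + c["rx"] < max_bytes)


def total_seconds(calls):
    """Total connected time across all calls, i.e. what the phone bill reflects."""
    return sum(c["duration"] for c in calls)


if __name__ == "__main__":
    counts = summarize_triggers(parse_triggers(MESSAGES))
    calls = parse_accounting(ACCOUNTING)
    for key, n in counts.most_common():
        print("%s -> %s:%d triggered %d dial-up(s)" % (key[0], key[1], key[2], n))
    print("calls: %d, short calls: %d, total seconds online: %d"
          % (len(calls), short_calls(calls), total_seconds(calls)))
```

Run it against the real files with `parse_triggers(open("/var/log/messages").read())` and `parse_accounting(open("/accounting.log").read())`; the top-ranked triple is the host and destination worth blocking or investigating, and a high ratio of short calls to total calls is the tell that something is dialing a server it never manages to talk to.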


--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org