Re: [CentOS] [OT] odd network question

2019-08-06 Thread Giles Coochey



On 06/08/2019 00:12, Jon LaBadie wrote:
> On Mon, Aug 05, 2019 at 09:31:56AM +0100, Giles Coochey wrote:
> > On 05/08/2019 09:18, Pete Biggs wrote:
> > > > I've found the default 10min bans hardly bother some attackers.
> > > > So I've added the "recidive" feature of fail2ban.  After the
> > > > second 10min ban, the attacker is blocked for 1 week.
> > > 
> > > Oh definitely. My systems are set to "3 bans and you're out" - a
> > > recidive ban is permanent after three other bans.  I have large parts
> > > of some subnets in my ban list as attackers just move from one host to
> > > another as they get banned.
> > > 
> > > P.
> > 
> > I worked for a company some time back that had an association with a South
> > African company who wanted to host some infrastructure in our data centre,
> > the network admin there wanted a specific configuration for outbound source
> > NAT from a certain host that would scroll through a list of source NAT IP
> > addresses (think a whole /24) for every connection attempt, pretty sure it
> > was for sending unsolicited emails, in any case the association with that
> > company didn't last and I took redundancy after less than a year there.
> 
> Now that would be a single firewall rule and a kernel ipset.

Well, yes - I had a conversation with the guy, and he always had an
answer, "oh if that happens I can do this", he said that with real pride
- a real slippery lizard in my opinion and at the back of my head was,
"maybe the people you're sending emails to just don't want to receive
them! And that's why you're jumping through these countless hoops, if
you actually had proper opt-in, with a working opt-out per default you
might not need this awful hack". There are companies out there
specifically selling IP addresses with good reputations to companies who
ruin that IP range's reputation; once their reputation has been ruined I
guess they get discarded, sold on to another company who only then finds
out that they can't run a mail server on that range because it's been
added to every blocklist on the planet.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] [OT] odd network question

2019-08-05 Thread Jon LaBadie
On Mon, Aug 05, 2019 at 09:31:56AM +0100, Giles Coochey wrote:
> 
> On 05/08/2019 09:18, Pete Biggs wrote:
> > > I've found the default 10min bans hardly bother some attackers.
> > > So I've added the "recidive" feature of fail2ban.  After the
> > > second 10min ban, the attacker is blocked for 1 week.
> > > 
> > Oh definitely. My systems are set to "3 bans and you're out" - a
> > recidive ban is permanent after three other bans.  I have large parts
> > of some subnets in my ban list as attackers just move from one host to
> > another as they get banned.
> > 
> > P.
> > 
> I worked for a company some time back that had an association with a South
> African company who wanted to host some infrastructure in our data centre,
> the network admin there wanted a specific configuration for outbound source
> NAT from a certain host that would scroll through a list of source NAT IP
> addresses (think a whole /24) for every connection attempt, pretty sure it
> was for sending unsolicited emails, in any case the association with that
> company didn't last and I took redundancy after less than a year there.

Now that would be a single firewall rule and a kernel ipset.

jl
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] [OT] odd network question

2019-08-05 Thread Jon LaBadie
On Mon, Aug 05, 2019 at 09:00:23AM +0100, Giles Coochey wrote:
> 
> On 05/08/2019 08:50, Jon LaBadie wrote:
> > 
> > I've found the default 10min bans hardly bother some attackers.
> > So I've added the "recidive" feature of fail2ban.  After the
> > second 10min ban, the attacker is blocked for 1 week.
> > 
> Interesting, didn't know about that feature, but, oh, I just generally ban
> for a whole week regardless, 

Ahh, but with recidive, the ban and unban are automatic.

jl
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] [OT] odd network question

2019-08-05 Thread Giles Coochey



On 05/08/2019 09:18, Pete Biggs wrote:
> > I've found the default 10min bans hardly bother some attackers.
> > So I've added the "recidive" feature of fail2ban.  After the
> > second 10min ban, the attacker is blocked for 1 week.
> 
> Oh definitely. My systems are set to "3 bans and you're out" - a
> recidive ban is permanent after three other bans.  I have large parts
> of some subnets in my ban list as attackers just move from one host to
> another as they get banned.
> 
> P.

I worked for a company some time back that had an association with a 
South African company who wanted to host some infrastructure in our data 
centre, the network admin there wanted a specific configuration for 
outbound source NAT from a certain host that would scroll through a list 
of source NAT IP addresses (think a whole /24) for every connection 
attempt, pretty sure it was for sending unsolicited emails, in any case 
the association with that company didn't last and I took redundancy 
after less than a year there.



Re: [CentOS] [OT] odd network question

2019-08-05 Thread Pete Biggs


> 
> I've found the default 10min bans hardly bother some attackers.
> So I've added the "recidive" feature of fail2ban.  After the
> second 10min ban, the attacker is blocked for 1 week.
> 

Oh definitely. My systems are set to "3 bans and you're out" - a
recidive ban is permanent after three other bans.  I have large parts
of some subnets in my ban list as attackers just move from one host to
another as they get banned.

P.




Re: [CentOS] [OT] odd network question

2019-08-05 Thread Giles Coochey


On 05/08/2019 08:50, Jon LaBadie wrote:
> I've found the default 10min bans hardly bother some attackers.
> So I've added the "recidive" feature of fail2ban.  After the
> second 10min ban, the attacker is blocked for 1 week.

Interesting, didn't know about that feature, but, oh, I just generally
ban for a whole week regardless, yes, I realise that a typo might set
it off for an actual user, but I have other methods of entry to unban if
that happens, and we have a number of whitelisted IPs that cover most
things like that for most use cases, and a VPN within the whitelist that
can be used if the public services get locked out.




Re: [CentOS] [OT] odd network question

2019-08-05 Thread Jon LaBadie
On Sat, Aug 03, 2019 at 04:50:05PM +0100, Giles Coochey wrote:
> 
> On 02/08/2019 19:38, Jon LaBadie wrote:
> > On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > > Fred Smith wrote:
> > > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > > 
> 
> I've been using fail2ban for some time, I have a number of ports open to the
> Internet - SSH, SMTP, IMAPS, HTTP and HTTPS on my external subnet.
> 
> This thread made me look at how fail2ban was doing, and I noticed that it
> wasn't particularly working too well for SSH, as I have turned off password
> authentication, so I edited the filters a little, and found it started
> filtering some more IPs. I found on my firewall that there were something
> like 500 active connection states to SSH - it looked like a scanning tool
> was just hanging and sending many connections, the same thing for about
> three remote IPs - I put a manual block on these at the firewall.
> 
> The firewall has a block feature, which allows me to enter URLs which point
> to lists of IPs (Blocklists) and block traffic from those IPs at the
> firewall.
> 
> It's designed to use these types of IP feeds: http://iplists.firehol.org/
> 
> Well, there's nothing stopping me running a cron-job on my CentOS boxes to
> do the following:
> 
> iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}' > /tmp/banned
> 
> I can then transfer the banned file to a web-server and block the bad IP
> addresses completely from my network. I like this as if a system is
> brute-forcing my SSH server, I can now block it from all resources on the
> network, and stop the attempts even reaching the internal hosts.

I've found the default 10min bans hardly bother some attackers.
So I've added the "recidive" feature of fail2ban.  After the
second 10min ban, the attacker is blocked for 1 week.

jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] [OT] odd network question

2019-08-03 Thread Giles Coochey



On 02/08/2019 19:38, Jon LaBadie wrote:
> On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > Fred Smith wrote:
> > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > 
> > > One thing I don't understand is how/why the firewall is DROPping so
> > > many attempts on port 25 when it in fact has a port forward rule sending
> > > port 25 on to my mailserver. How does it know, or why does it think that
> > > some of them can be dropped at the outer barrier?
> > >
> > >> you, but thank you for taking a hundred thousand or so for all of us.
> > >
> > > Hey, it's the least I can do for all the good guys out there! :)
> > > But that doesn't mean the same dratsabs aren't hitting all the rest
> > > of you too.
> > >
> > I'm sure they are. Are you running fail2ban?
> > 
> Several years back I switched from sendmail to postfix.
> Not knowing what I was doing, I think I have it set to
> say it will forward email following SASL authentication.
> But as I had no intention of forwarding anything, I did
> not set up any authentication methods.  So anyone who
> tries fails to authenticate.
> 
> With fail2ban in place I get 200-500 daily SASL "fail to
> authenticate" instances.  In contrast, several months ago
> fail2ban either died or did not restart correctly.  This
> went unnoticed for about a week.  During that time I got
> 1-32000 daily "failed to authenticate".
> 
> Jon


I've been using fail2ban for some time, I have a number of ports open to 
the Internet - SSH, SMTP, IMAPS, HTTP and HTTPS on my external subnet.


This thread made me look at how fail2ban was doing, and I noticed that 
it wasn't particularly working too well for SSH, as I have turned off 
password authentication, so I edited the filters a little, and found it 
started filtering some more IPs. I found on my firewall that there were 
something like 500 active connection states to SSH - it looked like a 
scanning tool was just hanging and sending many connections, the same 
thing for about three remote IPs - I put a manual block on these at the 
firewall.


The firewall has a block feature, which allows me to enter URLs which 
point to lists of IPs (Blocklists) and block traffic from those IPs at 
the firewall.


It's designed to use these types of IP feeds: http://iplists.firehol.org/

Well, there's nothing stopping me running a cron-job on my CentOS boxes
to do the following:

iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}' > /tmp/banned


I can then transfer the banned file to a web-server and block the bad IP 
addresses completely from my network. I like this as if a system is 
brute-forcing my SSH server, I can now block it from all resources on 
the network, and stop the attempts even reaching the internal hosts.


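A tighter version of that cron job, added here as an example and not Giles's own script: it reads the same `iptables -L -n` output but only walks fail2ban's own chains (assumed to be named f2b-jailname, the fail2ban 0.10 default), skips anything that is not a plain IPv4 address or prefix, and replaces the published file atomically so the web server never hands out a half-written list. The iptables output below is a constructed sample.

```shell
#!/bin/sh
# Added example: export fail2ban's currently banned sources as a blocklist
# feed. Restricting the search to fail2ban's own chains (assumption: they
# are named f2b-<jail>, the fail2ban 0.10 default) keeps unrelated REJECT
# rules in INPUT out of the feed.

# Constructed sample of `iptables -L -n` output; on a real host replace the
# printf below with:  iptables -L -n | banned_sources
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  192.0.2.77           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# banned_sources: read `iptables -L -n` text on stdin and print, deduplicated
# and one per line, the source of every REJECT rule in chains whose name
# starts with $1 (default "f2b-"; pass "" to scan every chain, which is what
# the original one-liner does). The catch-all 0.0.0.0/0 and anything that is
# not a plain IPv4 address or IPv4/prefix are skipped so a stray rule cannot
# poison the published feed.
banned_sources() {
    awk -v prefix="${1-f2b-}" '
        /^Chain / { inchain = (prefix == "" || index($2, prefix) == 1); next }
        inchain && $1 == "REJECT" && $4 != "0.0.0.0/0" &&
            $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $4 }
    ' | sort -u
}

# write_blocklist: read iptables text on stdin and atomically replace file $1
# with the current list, so a fetch never sees a partially written file.
write_blocklist() {
    tmp="$1.tmp.$$"
    banned_sources > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_IPTABLES" | banned_sources
```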


Re: [CentOS] [OT] odd network question

2019-08-03 Thread Simon Matter via CentOS
> On Fri, Aug 02, 2019 at 02:43:30PM -0400, Fred Smith wrote:
>> On Fri, Aug 02, 2019 at 02:38:05PM -0400, Jon LaBadie wrote:
>> > On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
>> > > Fred Smith wrote:
>> > > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
>> > > 
>> > > > One thing I don't understand is how/why the firewall is DROPping so
>> > > > many attempts on port 25 when it in fact has a port forward rule sending
>> > > > port 25 on to my mailserver. How does it know, or why does it think that
>> > > > some of them can be dropped at the outer barrier?
>> > > >
>> > > >> you, but thank you for taking a hundred thousand or so for all of us.
>> > > >
>> > > > Hey, it's the least I can do for all the good guys out there! :)
>> > > > But that doesn't mean the same dratsabs aren't hitting all the rest
>> > > > of you too.
>> > > >
>> > > I'm sure they are. Are you running fail2ban?
>> > >
>> > Several years back I switched from sendmail to postfix.
>> > Not knowing what I was doing, I think I have it set to
>> > say it will forward email following SASL authentication.
>> > But as I had no intention of forwarding anything, I did
>> > not set up any authentication methods.  So anyone who
>> > tries fails to authenticate.
>> >
>> > With fail2ban in place I get 200-500 daily SASL "fail to
>> > authenticate" instances.  In contrast, several months ago
>> > fail2ban either died or did not restart correctly.  This
>> > went unnoticed for about a week.  During that time I got
>> > 1-32000 daily "failed to authenticate".
>>
>> I'm not using fail2ban, and am using sendmail (why? because
>> I've spent years slowly accumulating options in my .mc file that
>> kill off unwanted connections and other hate-the-spammer options.).
>> I'm not getting such emails but most of the entries in /var/log/mail
>> are due to such events. Every now and then a legitimate email can
>> be seen passing through.
>>
>> Oh, I also am now using (as of 2-3 years ago) milter-greylist, which
>> made an enormous contribution to preventing spam emails.
>>
>> Fred
>
> I tried greylisting a while back and was surprised how many were
> being rejected.  But they were also getting through despite the
> rejection at my end.
>
> I use a 3rd party as my backup MX email address.  If I'm down,
> they save up the email and forward it to me when I'm back up.
> But the greylist rejected emails just tried the backup MX
> address and got through that way.
>
> Should I ever have a backup MX that I administer, I will
> definitely reinstate greylisting.

If you have a stable environment and connections, you could also get rid
of the backup MX completely. That's what we did and we're not alone. Of
course if you have frequent service interruptions for whatever reason,
that's not an option.

Regards,
Simon



Re: [CentOS] [OT] odd network question

2019-08-03 Thread Kay Schenk
Can't help with the mystery port 48825. But I find your approach truly 
creative!


-- Kay


On 8/1/19 8:53 PM, Fred Smith wrote:
> I know this is OT, but I'm not sure where else to ask. I can hope for
> forgiveness! :)
> 
> My home router sends its logs to the rsyslog on my desktop system, and
> from there I can learn all kinds of interesting (or disturbing) things.
> I've written a really horrid shellscript (about 20 things piped together
> with a temp file in the middle) to give me the count of DROP events for
> specific incoming ports. (The "Description" field is lifted verbatim from
> /etc/services.)
> 
> Count   Port   Description
> ------  -----  -----------
> 140750  48825
> 12251   23     telnet          23/tcp
> 10043   445    microsoft-ds    445/tcp
> 2869    1      tcpmux          1/tcp           # TCP port service multiplexer
> 2478    9      discard         9/tcp           sink null
> 2154    8080   webcache        8080/tcp        http-alt        # WWW caching service
> 1990    5060   sip             5060/tcp        # SIP
> 1592    8089
> 1452    8545
> 1358    3389   ms-wbt-server   3389/tcp        # MS WBT Server
> 1275    443    https           443/tcp         # http protocol over TLS/SSL
> 1275    81
> 1258    5000   commplex-main   5000/tcp        #
> 1244    80     http            80/tcp          www www-http    # WorldWideWeb HTTP
> 1022    8291
> 840     60001
> 834     7547   cwmp            7547/tcp        # DSL Forum CWMP
> 821     1433   ms-sql-s        1433/tcp        # Microsoft-SQL-Server
> 809     2323   3d-nfsd         2323/tcp        # 3d-nfsd
> 764            personal-agent  /tcp            # Personal Agent
> 
> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. Either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.
> 
> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
> 
> A little more grepping:
> 
> grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[09123456789.]*" | sort -u -t '.' -k "1.5g,1g" | less
> 
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.
> 
> Anyone got any clues?
> 
> Thanks in advance!
> 
> Fred

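The per-port DROP count and the unique-source grep from Fred's post, done in one pass over the router's rsyslog lines, added here as an example and not Fred's own script: it pulls the DPT= and SRC= fields from netfilter-style LOG lines and reports, per port, both how many drops landed and how many distinct sources produced them, so a port hammered by two or three hosts reads differently from one swept by hundreds. The log lines are constructed and assume a "DROP" log prefix.

```shell
#!/bin/sh
# Added example: summarise firewall DROP events from rsyslog in one pass.
# Assumes netfilter LOG lines with a "DROP" log-prefix (an assumption: adjust
# the / DROP / pattern to whatever prefix your router actually uses).

# Constructed sample lines; on a real system feed the rotated logs instead:
#   cat Firewall-Log* | drop_summary
SAMPLE_LOG='Aug  1 20:50:01 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=48825 SYN
Aug  1 20:50:07 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40212 DPT=48825 SYN
Aug  1 20:51:19 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51007 DPT=48825 SYN
Aug  1 20:52:33 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=33841 DPT=23 SYN
Aug  1 20:53:02 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=33842 DPT=23 SYN
Aug  1 20:53:40 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51100 DPT=445 SYN
Aug  1 20:54:11 router kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=25 SYN'

# drop_events: emit one "port source" pair per DROP line. Walking the fields
# instead of grepping a regex means the order of IN=/SRC=/DPT= does not matter.
drop_events() {
    awk '/ DROP / {
        dpt = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (dpt != "" && src != "") print dpt, src
    }'
}

# drop_summary: "<drops> <distinct sources> <port>" per port, busiest first.
# A high drop count with few sources is a handful of persistent hosts; a high
# drop count with many sources is a wide scan (or spoofing, as Fred wonders).
drop_summary() {
    drop_events | awk '{
        drops[$1]++
        if (!(($1, $2) in seen)) { seen[$1, $2] = 1; sources[$1]++ }
    }
    END { for (p in drops) printf "%d\t%d\t%s\n", drops[p], sources[p], p }' | sort -rn
}

# sources_for_port: the distinct source addresses dropped on port $1, which is
# the same question Fred's grep | sort -u answers.
sources_for_port() {
    drop_events | awk -v port="$1" '$1 == port { print $2 }' | sort -u
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```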


Re: [CentOS] [OT] odd network question

2019-08-03 Thread Jon LaBadie
On Fri, Aug 02, 2019 at 02:43:30PM -0400, Fred Smith wrote:
> On Fri, Aug 02, 2019 at 02:38:05PM -0400, Jon LaBadie wrote:
> > On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > > Fred Smith wrote:
> > > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > > 
> > > > One thing I don't understand is how/why the firewall is DROPping so
> > > > many attempts on port 25 when it in fact has a port forward rule sending
> > > > port 25 on to my mailserver. How does it know, or why does it think that
> > > > some of them can be dropped at the outer barrier?
> > > >
> > > >> you, but thank you for taking a hundred thousand or so for all of us.
> > > >
> > > > Hey, it's the least I can do for all the good guys out there! :)
> > > > But that doesn't mean the same dratsabs aren't hitting all the rest
> > > > of you too.
> > > >
> > > I'm sure they are. Are you running fail2ban?
> > > 
> > Several years back I switched from sendmail to postfix.
> > Not knowing what I was doing, I think I have it set to
> > say it will forward email following SASL authentication.
> > But as I had no intention of forwarding anything, I did
> > not set up any authentication methods.  So anyone who
> > tries fails to authenticate.
> > 
> > With fail2ban in place I get 200-500 daily SASL "fail to
> > authenticate" instances.  In contrast, several months ago
> > fail2ban either died or did not restart correctly.  This
> > went unnoticed for about a week.  During that time I got
> > 1-32000 daily "failed to authenticate".
> 
> I'm not using fail2ban, and am using sendmail (why? because
> I've spent years slowly accumulating options in my .mc file that
> kill off unwanted connections and other hate-the-spammer options.).
> I'm not getting such emails but most of the entries in /var/log/mail
> are due to such events. Every now and then a legitimate email can
> be seen passing through.
> 
> Oh, I also am now using (as of 2-3 years ago) milter-greylist, which
> made an enormous contribution to preventing spam emails.
> 
> Fred

I tried greylisting a while back and was surprised how many were
being rejected.  But they were also getting through despite the
rejection at my end.

I use a 3rd party as my backup MX email address.  If I'm down,
they save up the email and forward it to me when I'm back up.
But the greylist rejected emails just tried the backup MX
address and got through that way.

Should I ever have a backup MX that I administer, I will
definitely reinstate greylisting.

Jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] [OT] odd network question

2019-08-02 Thread Fred Smith
On Fri, Aug 02, 2019 at 02:38:05PM -0400, Jon LaBadie wrote:
> On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > Fred Smith wrote:
> > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > 
> > > One thing I don't understand is how/why the firewall is DROPping so
> > > many attempts on port 25 when it in fact has a port forward rule sending
> > > port 25 on to my mailserver. How does it know, or why does it think that
> > > some of them can be dropped at the outer barrier?
> > >
> > >> you, but thank you for taking a hundred thousand or so for all of us.
> > >
> > > Hey, it's the least I can do for all the good guys out there! :)
> > > But that doesn't mean the same dratsabs aren't hitting all the rest
> > > of you too.
> > >
> > I'm sure they are. Are you running fail2ban?
> > 
> Several years back I switched from sendmail to postfix.
> Not knowing what I was doing, I think I have it set to
> say it will forward email following SASL authentication.
> But as I had no intention of forwarding anything, I did
> not set up any authentication methods.  So anyone who
> tries fails to authenticate.
> 
> With fail2ban in place I get 200-500 daily SASL "fail to
> authenticate" instances.  In contrast, several months ago
> fail2ban either died or did not restart correctly.  This
> went unnoticed for about a week.  During that time I got
> 1-32000 daily "failed to authenticate".

I'm not using fail2ban, and am using sendmail (why? because
I've spent years slowly accumulating options in my .mc file that
kill off unwanted connections and other hate-the-spammer options.).
I'm not getting such emails but most of the entries in /var/log/mail
are due to such events. Every now and then a legitimate email can
be seen passing through.

Oh, I also am now using (as of 2-3 years ago) milter-greylist, which
made an enormous contribution to preventing spam emails.

Fred

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
   "For the word of God is living and active. Sharper than any double-edged 
   sword, it penetrates even to dividing soul and spirit, joints and marrow; 
  it judges the thoughts and attitudes of the heart."  
 Hebrews 4:12 (niv) --


Re: [CentOS] [OT] odd network question

2019-08-02 Thread Jon LaBadie
On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> Fred Smith wrote:
> > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> 
> > One thing I don't understand is how/why the firewall is DROPping so
> > many attempts on port 25 when it in fact has a port forward rule sending
> > port 25 on to my mailserver. How does it know, or why does it think that
> > some of them can be dropped at the outer barrier?
> >
> >> you, but thank you for taking a hundred thousand or so for all of us.
> >
> > Hey, it's the least I can do for all the good guys out there! :)
> > But that doesn't mean the same dratsabs aren't hitting all the rest
> > of you too.
> >
> I'm sure they are. Are you running fail2ban?
> 
Several years back I switched from sendmail to postfix.
Not knowing what I was doing, I think I have it set to
say it will forward email following SASL authentication.
But as I had no intention of forwarding anything, I did
not set up any authentication methods.  So anyone who
tries fails to authenticate.

With fail2ban in place I get 200-500 daily SASL "fail to
authenticate" instances.  In contrast, several months ago
fail2ban either died or did not restart correctly.  This
went unnoticed for about a week.  During that time I got
1-32000 daily "failed to authenticate".

Jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] [OT] odd network question

2019-08-02 Thread mark
Fred Smith wrote:
> On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:

> One thing I don't understand is how/why the firewall is DROPping so
> many attempts on port 25 when it in fact has a port forward rule sending
> port 25 on to my mailserver. How does it know, or why does it think that
> some of them can be dropped at the outer barrier?
>
>> you, but thank you for taking a hundred thousand or so for all of us.
>
> Hey, it's the least I can do for all the good guys out there! :)
> But that doesn't mean the same dratsabs aren't hitting all the rest
> of you too.
>
I'm sure they are. Are you running fail2ban?

And you do know that the last time someone, as a test, might have been
last year, put an open PC on the 'Net, it was 20 min before it was
compromised?

   mark



Re: [CentOS] [OT] odd network question

2019-08-02 Thread Giles Coochey



On 02/08/2019 15:07, Fred Smith wrote:
> and I didn't even mention the huge number of failed attempts on port
> 25. /var/log/maillog is full of systems trying to send spam, or trying
> to DOS me with incomplete connection attempts, or just plain spamming
> with mail for addresses not at this system. The little light on the
> network switch serving this machine hardly ever stops blinking with all
> the traffic hitting it.
> 
> One thing I don't understand is how/why the firewall is DROPping so
> many attempts on port 25 when it in fact has a port forward rule
> sending port 25 on to my mailserver. How does it know, or why does
> it think that some of them can be dropped at the outer barrier?


Some spamming tools are just telnet with an expect script, lightweight
and can be loaded onto embedded systems, e.g. other firewalls / modems
etc...

A downside of using these tools is that telnet sets the PUSH TCP flag,
so many firewalls (e.g. Cisco ASA) have protocol inspection for SMTP and
signal the connection as invalid if it uses the PUSH TCP flag, which a
proper SMTP daemon wouldn't use for that protocol (PUSH flags ask the
server to service the sent data, even if it hasn't finished with a CR/LF).




Re: [CentOS] [OT] odd network question

2019-08-02 Thread Fred Smith
On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> Fred Smith wrote:
> > On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
> >
> >>
> >>> This is just the first screen of it, there are many more. The data
> >>> compiled here is for the last month (rsyslog is keeping the current log
> >>> plus four older logs). I find it disturbing that there were 12251
> >>> attempts at telnet during that time, 2154 on 8080, and so forth.
> >>> Either I'm some kind of special/hot target, or else everybody gets
> >>> this kind of crap and may not even know it.
> 
> >>> But the one thing I mean to ask about here is the very first item,
> >>> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> >>> find any reference to anything that uses it online, but for some
> >>> reason it is extremely popular, at least amongst the turkeys trying to
> >>> break into my network!
> >>>
> >>> reveals that of all the source addresses trying to poke at 48825,
> >>> there are 193 unique addresses. Either this indicates a heck of a lot
> >>>  of sites having at my firewall, or that some few sites are all
> >>> spoofing their addresses. I can sort of understand people whaling away
> >>> at ports that may conceal gold, from their warped point of view, but I
> >>> haven't a clue why so many people would be beating on some apparently
> >>> unassigned and unused port.
> >>>
> >> As you say 48825 is not a known port and too low to be a dynamic port.
> >> I suspect it's a command/control port for a botnet - they aren't
> >> particularly renowned for their elegance and subtlety and so it might be
> >> that your IP address (if it's a DSL line) in the past had been
> >> compromised and was running a bot controller and all the bot workers on
> >>  hacked machines are trying to contact their controller to find out
> >> what to do.  Certainly all the monitoring sites I've looked at see
> >> almost zero traffic on that port (zero = less than 10 packets a day).
> >
> > Nope, I've never had a DSL line. Was dialup to a local ISP for some
> > years until a cable company that would provide what I wanted (instead of
> > insisting on selling me what I didn't want) ran fiber down the street, and
> > was willing to sell me a static IP address. Right now my memory fails me
> > as to exactly when that was, but it may have been as much as 20 years ago,
> > certainly at least 15. So I've had that address for long enough that there
> > shouldn't be any botnets thinking that I am one of its command/control
> > servers.
> >
> > but the amount of attempted traffic on that port certainly does seem like
> > it could be a botnet banging on me.
> >
> >> Just be thankful that you have a working firewall in place!
> >>
> You want a perfectly silly... and perfectly believable thought? I've seen
> attempts against our outward-facing servers these last 10 years... and
> I've seen enough where the idiot script kiddies were so stupid that they
> couldn't manage to read the directions enough to at least salt the
> autogenerated name. The result was "user@" or a blank where there should
> be a name.
> 
> So, I'm wondering if some botnet got screwed up... and it's going to
> the *wrong* address for its command and control. If so, sorry it's hitting

and I didn't even mention the huge number of failed attempts on port
25. /var/log/maillog is full of systems trying to send spam, or trying
to DOS me with incomplete connection attempts, or just plain spamming
with mail for addresses not at this system. The little light on the
network switch serving this machine hardly ever stops blinking with all
the traffic hitting it.

One thing I don't understand is how/why the firewall is DROPping so
many attempts on port 25 when it in fact has a port forward rule
sending port 25 on to my mailserver. How does it know, or why does
it think that some of them can be dropped at the outer barrier?

> you, but thank you for taking a hundred thousand or so for all of us.

Hey, it's the least I can do for all the good guys out there! :)
But that doesn't mean the same dratsabs aren't hitting all the rest
of you too.

Fred

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
   I can do all things through Christ 
  who strengthens me.
-- Philippians 4:13 ---


Re: [CentOS] [OT] odd network question

2019-08-02 Thread Giles Coochey



On 02/08/2019 14:12, Fred Smith wrote:
> but the amount of attempted traffic on that port certainly does seem
> like it could be a botnet banging on me.


One thing that you could try is to port forward that port to an actual 
listening port (think like running nc/netcat in listening mode). That 
way it will complete the TCP handshake and you can see what commands (if 
any) it sends, might be useful to record it with tcpdump / wireshark.





Re: [CentOS] [OT] odd network question

2019-08-02 Thread mark
Fred Smith wrote:
> On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
>
>>
>>> This is just the first screen of it, there are many more. The data
>>> compiled here is for the last month (rsyslog is keeping the current log
>>> plus four older logs). I find it disturbing that there were 12251
>>> attempts at telnet during that time, 2154 on 8080, and so forth.
>>> either I'm some kind of special/hot target, or else everybody gets
>>> this kind of crap and may not even know it.

>>> But the one thing I mean to ask about here is the very first item,
>>> 140,750 attempts at port 48825. What the heck is port 48825? I can't
>>> find any reference to anything that uses it online, but for some
>>> reason it is extremely popular, at least amongst the turkeys trying to
>>> break into my network!
>>>
>>> reveals that of all the source addresses trying to poke at 48825,
>>> there are 193 unique addresses. Either this indicates a heck of a lot
>>> of sites having at my firewall, or that some few sites are all
>>> spoofing their addresses. I can sort of understand people whaling away
>>> at ports that may conceal gold, from their warped point of view, but I
>>> haven't a clue why so many people would be beating on some apparently
>>> unassigned and unused port.
>>>
>> As you say 48825 is not a known port and too low to be a dynamic port.
>> I suspect it's a command/control port for a botnet - they aren't
>> particularly renowned for their elegance and subtlety and so it might be
>> that your IP address (if it's a DSL line) in the past had been
>> compromised and was running a bot controller and all the bot workers on
>> hacked machines are trying to contact their controller to find out
>> what to do.  Certainly all the monitoring sites I've looked at see
>> almost zero traffic on that port (zero = less than 10 packets a day).
>
> Nope, I've never had a DSL line. was dialup to a local ISP for some
> years until a cable company that would provide what I wanted (instead of
> insisting on selling me what I didn't want) ran fiber down the street, and
> was willing to sell me a static IP address. right now my memory fails me
> as to exactly when that was, but it may have been as much as 20 years ago,
> certainly at least 15. so I've had that address for long enough that there
> shouldn't be any botnets thinking that I am one of its command/control
> servers.
>
> but the amount of attempted traffic on that port certainly does seem like
> it could be a botnet banging on me.
>
>> Just be thankful that you have a working firewall in place!
>>
You want a perfectly silly... and perfectly believable thought? I've seen
attempts against our outward-facing servers these last 10 years... and
I've seen enough where the idiot script kiddies were so stupid that they
couldn't manage to read the directions enough to at least salt the
autogenerated name. The result was "user@" or a blank where there should
be a name.

So, I'm wondering if someone's botnet got screwed up... and it's going to
the *wrong* address for its command and control. If so, sorry it's hitting
you, but thank you for taking a hundred thousand or so for all of us.

  mark



Re: [CentOS] [OT] odd network question

2019-08-02 Thread Fred Smith
On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
> 
> > This is just the first screen of it, there are many more. The data
> > compiled here is for the last month (rsyslog is keeping the current
> > log plus four older logs). I find it disturbing that there were 12251
> > attempts at telnet during that time, 2154 on 8080, and so forth. either
> > I'm some kind of special/hot target, or else everybody gets this kind
> > of crap and may not even know it.
> 
> The raw internet is a very noisy, nasty place. That's why we have
> firewalls!  FYI, telnet (as you realise) is old, but the old machines
> that are still running it are eminently and easily hackable - it may be
> your IP has got on a list of old SGI boxes. 8080 probes are looking for
> open web proxies, 5060 is looking for open voip systems and so on.
> 
> > 
> > But the one thing I mean to ask about here is the very first item,
> > 140,750 attempts at port 48825. What the heck is port 48825? I can't
> > find any reference to anything that uses it online, but for some reason
> > it is extremely popular, at least amongst the turkeys trying to break
> > into my network!
> > 
> > reveals that of all the source addresses trying to poke at 48825,
> > there are 193 unique addresses. Either this indicates a heck of a lot
> > of sites having at my firewall, or that some few sites are all spoofing
> > their addresses. I can sort of understand people whaling away at ports
> > that may conceal gold, from their warped point of view, but I haven't a
> > clue why so many people would be beating on some apparently unassigned
> > and unused port.
> > 
> As you say 48825 is not a known port and too low to be a dynamic port. 
> I suspect it's a command/control port for a botnet - they aren't
> particularly renowned for their elegance and subtlety and so it might be
> that your IP address (if it's a DSL line) in the past had been
> compromised and was running a bot controller and all the bot workers on
> hacked machines are trying to contact their controller to find out what
> to do.  Certainly all the monitoring sites I've looked at see almost
> zero traffic on that port (zero = less than 10 packets a day).

Nope, I've never had a DSL line. was dialup to a local ISP for some
years until a cable company that would provide what I wanted (instead
of insisting on selling me what I didn't want) ran fiber down the
street, and was willing to sell me a static IP address. right now
my memory fails me as to exactly when that was, but it may have been
as much as 20 years ago, certainly at least 15. so I've had that
address for long enough that there shouldn't be any botnets thinking
that I am one of its command/control servers.

but the amount of attempted traffic on that port certainly does seem
like it could be a botnet banging on me. 

> Just be thankful that you have a working firewall in place!

Amen!

-- 
Fred Smith -- fre...@fcshome.stoneham.ma.us
  God made him who had no sin
  to be sin for us, so that in him
  we might become the righteousness of God."
    --- Corinthians 5:21


Re: [CentOS] [OT] odd network question

2019-08-02 Thread Pete Biggs


> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.

The raw internet is a very noisy, nasty place. That's why we have
firewalls!  FYI, telnet (as you realise) is old, but the old machines
that are still running it are eminently and easily hackable - it may be
your IP has got on a list of old SGI boxes. 8080 probes are looking for
open web proxies, 5060 is looking for open voip systems and so on.

> 
> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
> 
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.
> 
As you say 48825 is not a known port and too low to be a dynamic port. 
I suspect it's a command/control port for a botnet - they aren't
particularly renowned for their elegance and subtlety and so it might be
that your IP address (if it's a DSL line) in the past had been
compromised and was running a bot controller and all the bot workers on
hacked machines are trying to contact their controller to find out what
to do.  Certainly all the monitoring sites I've looked at see almost
zero traffic on that port (zero = less than 10 packets a day).

Just be thankful that you have a working firewall in place!

P.


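As an added example (not code from anyone in this thread), here is a short Python script that produces the kind of tally discussed above from a firewall's kernel LOG lines: dropped attempts per destination port, plus the number of distinct source addresses behind each port, which is the figure that separates a handful of hosts (or spoofed sources) from a genuinely distributed set. It assumes the key=value layout written by the iptables LOG target into syslog; the sample lines are constructed and use documentation address ranges.

```python
import re
from collections import Counter, defaultdict

# Fields of interest in the key=value layout the iptables LOG target writes to syslog.
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample of what rsyslog would keep for logged DROPs (documentation addresses).
SAMPLE_LOG = """\
Aug  1 20:41:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=243 ID=54321 PROTO=TCP SPT=44120 DPT=48825 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 20:41:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=243 ID=54322 PROTO=TCP SPT=44121 DPT=48825 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 20:41:09 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=51 ID=11 PROTO=TCP SPT=51000 DPT=48825 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 20:42:30 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=51 ID=12 PROTO=TCP SPT=51001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  1 20:43:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=44 TTL=48 ID=77 PROTO=TCP SPT=60000 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  1 20:43:12 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=84 TTL=48 ID=78 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug  1 20:44:00 fw sshd[1234]: Accepted publickey for fred from 192.0.2.10 port 50000 ssh2
"""


def parse_line(line):
    """Pull the packet fields out of one kernel LOG line; None for any other syslog line."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize(lines):
    """Return (proto, dport, hits, distinct_sources) tuples, busiest port first."""
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None or "DPT" not in f:
            continue  # skips non-filter lines and ICMP, which carries no ports
        key = (f["PROTO"], int(f["DPT"]))
        hits[key] += 1
        sources[key].add(f["SRC"])
    return [(p, d, n, len(sources[(p, d)])) for (p, d), n in hits.most_common()]


if __name__ == "__main__":
    for proto, port, n, uniq in summarize(SAMPLE_LOG.splitlines()):
        print(f"{proto}/{port:<5} {n:>6} attempts from {uniq} distinct sources")
```

Point it at the real logs with `summarize(open("/var/log/messages").read().splitlines())`; a port with many hits but few distinct sources is a different problem from one hit by hundreds of addresses.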


Re: [CentOS] [OT] odd network question

2019-08-02 Thread Giles Coochey



On 02/08/2019 04:58, John Pierce wrote:

> On Thu, Aug 1, 2019 at 8:53 PM Fred Smith wrote:
>
>> reveals that of all the source addresses trying to poke at 48825,
>> there are 193 unique addresses. Either this indicates a heck of a lot
>> of sites having at my firewall, or that some few sites are all spoofing
>> their addresses. I can sort of understand people whaling away at ports
>> that may conceal gold, from their warped point of view, but I haven't a
>> clue why so many people would be beating on some apparently unassigned
>> and unused port.
>
> distributed botnets; it's all noise.

One of the nice things about IPv6 is that the address space is so vast
and sparse that it isn't feasible to scan it in the way IPv4 gets
scanned, so if we ever get round to moving to IPv6 this sort of stuff
will go away.



Re: [CentOS] [OT] odd network question

2019-08-01 Thread John Pierce
On Thu, Aug 1, 2019 at 8:53 PM Fred Smith wrote:

> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.

distributed botnets; it's all noise.

-- 
-john r pierce
  recycling used bits in santa cruz