Your mistake was in assuming the cable company would provide security for
ports < 1024.  I would imagine that they only block those ports at the
head-end router.  Other cable customers do not traverse this router, so they
aren't filtered.  The cable internet provider uses the filters to prevent its
customers from using the cable connection in place of a T1 or a co-location
agreement to host their commercial web site.  They could care less if their
own cable subscribers attack your box.  They just don't want to cut into their
hosting revenues.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dimitri Avgoustakis
> Sent: Wednesday, February 11, 1998 11:05 PM
> To: [EMAIL PROTECTED]
> Subject: breach in my firewall ..
>
>
> 'lo ..
>
> Let me first explain my network situation.
> I have a Digital Alpha "Multia" which I use as a router/firewall;
> it has a cable-modem attached to eth0 and a pcmcia card to eth1 (for
> internal net). On the Multia I have ipfwadm running, with masquerading.
>
> My cable company normally blocks all ports < 1024 to prevent customers
> from running any servers. But I often open my port above 1024 just to give some
> friends access to some local files. But I always close them, and keep the
> normal ports (<1024) running because no one has access to them anyway.
>
> When I woke up this morning and did my usual checks, I saw an anonymous
> FTP logon coming from somewhere inside the cable-provider network. Because
> this isn't supposed to happen (I close all ports >1024, remember) I
> immediately did an "ifdown eth0" -just because I'm a security freak- and took a close
> look into the situation.
>
> I first checked to see if I didn't forget to close FTP on port 21000 but I
> didn't (Unable to connect to remote host: Connection refused).
>
> Then I checked my firewall logs, and did a sweep on the IP. Now here's the
> strange thing:
>
> I saw a whole bunch of these:
>
> Feb 11 00:49:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1139 195.130.153.246:1121 L=48 S=0x00 I=6157 F=0x0040 T=125
> Feb 11 00:49:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1139 195.130.153.246:1121 L=48 S=0x00 I=7181 F=0x0040 T=125
>
> Every 4 packets the source port moved one up, but the destination port
> changed from 1121 to 2121 and then back to 1121, and then after 15 minutes
> of sending me these TCP packets:
>
> Feb 11 01:06:50 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1231 195.130.153.246:21 L=48 S=0x00 I=45604 F=0x0040 T=125
> Feb 11 00:06:57 multia ftpd[9433]: ANONYMOUS FTP LOGIN FROM duisburg-144-188.kabel.pandora.be [195.130.144.188], [EMAIL PROTECTED]
> Feb 11 01:40:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1331 195.130.153.246:21 L=48 S=0x00 I=50293 F=0x0040 T=125
> Feb 11 00:40:16 multia ftpd[9446]: ANONYMOUS FTP LOGIN FROM duisburg-144-188.kabel.pandora.be [195.130.144.188], [EMAIL PROTECTED]
>
> He was able to log on to port 21 (blocked by cable provider)!
>
> Could anyone please give me an explanation for this, and could someone
> tell me what (legal) action I can take against him/her (I know I had anonymous
> ftp on .. but port 21 should have been blocked)
>
> Oh yeah, don't look at the timestamps in these logs, somehow I don't seem
> to manage to get them synchronised :)
>
> Kind Regards,
> and sorry for the big mail,
>
> Dimitri Avgoustakis,
> now trying to ifup eth0 again :)
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
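The reply's point is that an upstream filter at the head-end says nothing about traffic from other subscribers on the same provider network, so the host's own logs are the only place the gap shows up. As an added illustration (not code from either poster), this script parses the ipfwadm "fw-in acc" lines and the ftpd login lines quoted above, flags accepted inbound packets on the external interface to privileged ports, and marks whether the source lies inside an assumed provider range; the 195.130.0.0/16 prefix and the re-joined log lines are constructed from the thread, not known facts about that provider.

```python
import re
import ipaddress

# Log lines as quoted in the thread, re-joined where the mail client wrapped them
# (constructed sample input; [EMAIL PROTECTED] is kept as it appears in the thread).
SAMPLE_LOG = """\
Feb 11 00:49:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1139 195.130.153.246:1121 L=48 S=0x00 I=6157 F=0x0040 T=125
Feb 11 01:06:50 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1231 195.130.153.246:21 L=48 S=0x00 I=45604 F=0x0040 T=125
Feb 11 00:06:57 multia ftpd[9433]: ANONYMOUS FTP LOGIN FROM duisburg-144-188.kabel.pandora.be [195.130.144.188], [EMAIL PROTECTED]
Feb 11 01:40:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1331 195.130.153.246:21 L=48 S=0x00 I=50293 F=0x0040 T=125
"""

# ipfwadm kernel log: "IP fw-in <action> <iface> <proto> <src>:<sport> <dst>:<dport> ..."
FW_RE = re.compile(
    r"IP fw-in (?P<action>\w+) (?P<iface>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
# ftpd anonymous login line: "... ANONYMOUS FTP LOGIN FROM <host> [<ip>], ..."
FTP_RE = re.compile(r"ANONYMOUS FTP LOGIN FROM \S+ \[(?P<src>[\d.]+)\]")

# ASSUMPTION: the provider's own subscriber range. The thread never states the
# real prefix; both addresses in the logs fall in 195.130.0.0/16, so use that.
PROVIDER_NET = ipaddress.ip_network("195.130.0.0/16")
EXTERNAL_IFACE = "eth0"


def audit(log_text, provider_net=PROVIDER_NET, ext_iface=EXTERNAL_IFACE):
    """Return one finding per accepted inbound packet to a privileged port on the
    external interface and per anonymous FTP login, each tagged with whether the
    source sits inside the provider network (where the head-end filter does not
    apply, per the reply above)."""
    findings = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m["action"] == "acc" and m["iface"] == ext_iface \
                and int(m["dport"]) < 1024:
            src = ipaddress.ip_address(m["src"])
            findings.append({"kind": "privileged-port-accepted", "src": str(src),
                             "dport": int(m["dport"]),
                             "from_provider_net": src in provider_net})
            continue
        m = FTP_RE.search(line)
        if m:
            src = ipaddress.ip_address(m["src"])
            findings.append({"kind": "anon-ftp-login", "src": str(src),
                             "from_provider_net": src in provider_net})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Every finding here comes from inside the assumed provider range, which is exactly the traffic a head-end filter never sees; the fix is a local deny rule for those ports on eth0 rather than trust in the upstream block.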
