Adam J Richardson wrote:
I'm new to the admin game and this is somewhat of a subjective
question, so bear with me...
I run a small network on a home/office broadband connection and I'm
getting more than my fair share of un-solicited traffic (maybe) on
what I believed to be in the "private address range," as per RFC 1918.
I have ipfw(8) setup to block such traffic, but with the volume of
traffic being blocked it makes me wonder if I mis-configured something
or if the RFC is deprecated or what not. All of my services work and
all of my clients can access everything they need to both locally and
remotely, but when I read through the ipfw(8) log files there is a
plethora of traffic attempting to connect from "the Internet" on
various ports from various addresses. Most in the 10.0.0.0/8 block.
This is normal, but how much is normal?
For example, here was an interesting one that's been hitting the log
files pretty hard today. Note: "em1" is my Internet-facing interface,
so the following is coming in from the Internet, (ipfw rule followed
by log entry):
03401 1233 30036 deny log logamount 25 ip from 10.0.0.0/8 to any in via em1
Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
Aug 27 13:06:08 kernel: ipfw: limit 25 reached on entry 3401
It appears to be a dhcp or bootp broadcast...to the entire world? This
is just one of many seemingly ridiculous entries. Did I miss something
here? I'm new to the admin game, so I'm not sure what the 'norm' is as
far as frequency of un-solicited and often humorous traffic.
10.0.0.0/8 is where probably 98% of the un-solicited traffic comes
from. Is this just "normal"? If it's just me, I would almost feel
better than to think there are that many mis-configured servers out
there spewing out crap. What is "normal" for a small business
connection and what does one do when there are a lot of repeated
un-solicited connection attempts from a single source to your server?
I had one day where I got something like 25 attempts to connect to
port 22 (sshd) from a particular IP address somewhere in Romania (and
we're nowhere near there). Sorry for the somewhat vague question.
Just looking for general reassurances and advice, I suppose.

Try capturing and analysing the spoofed datagrams, to see if there are
any routable IPs hidden inside. If your service isn't being interrupted
by the spoofed datagrams, maybe you're being used in a reflection attack.

Is this the kind of thing you see?
Aug 26 23:09:31 ren kernel: ipfw: 4800 Deny UDP 10.124.0.1:67 255.255.255.255:68 in via sk1
If so it's probably generated by your cable modem or equivalent. I
block them with no ill effect, but then I never ever want to run DHCP
from my cable modem, which is what I believe they are related to.
Nothing outside the hosts on your network is seeing it. Something with
that source would never have got to the outside interface of your modem,
unless your ISP is totally rubbish, afaik.
The only thing "being hit hard" is your logs; the actual network traffic
should be negligible. You can pick a quiet time and monitor your
interface with e.g. "systat -iostat 1" to verify that. If you're
worried about your logs, then just put in a special rule for the source
address(es) you see and just block without logging. Keep the rest of
the bad network stuff and I bet you never log another packet!
(Actually, I also see igmp from a 192.168 address, but that's it).
Connection attempts to port 22 are incredibly common. 25 attempts in a
row is nothing. Lock down SSH by only allowing key-based connections if
you can and enforce a password policy for those keys (the best by far),
limit the users with AllowUsers directives if you can, limit the IP
addresses which are allowed to connect if you can, then you have nothing
to worry about. Some recommend moving SSH to a random port (e.g. 922)
but I find that a pain and it wouldn't stop anything but an ignorant
script kiddie who'd probably be floored anyway because their favourite
linux exploit won't work :-) There's been plenty of discussion of this
topic on this list in the past so try the archives for more info.
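The triage the two replies describe (check what the blocked sources actually are, separate the modem's DHCP broadcast from everything else, block that one source without logging so the rest of the log stays readable, and treat repeated port-22 hits from one address as a count rather than a crisis) can be scripted against the ipfw syslog format quoted in the first post. The block below is an added example written for this page, not code from anyone in the thread. The log lines in it are constructed (the public-looking addresses are RFC 5737 documentation nets standing in for real routable ones), the threshold of 3 repeated SSH hits and the rule number 3400 are assumptions, and only RFC 1918, loopback, link-local and 0/8 are treated as "private".

```python
"""Triage ipfw deny-log lines: classify sources, spot the modem's DHCP
broadcast, count repeated port-22 hits, and propose no-log ipfw rules.
Added example for this thread; the sample log and thresholds are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the ipfw syslog format from the first post (not real data).
SAMPLE_LOG = """\
Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
Aug 27 13:03:18 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
Aug 27 13:04:01 kernel: ipfw: 3401 Deny TCP 10.45.2.9:4521 203.0.113.5:445 in via em1
Aug 27 13:05:10 kernel: ipfw: 3500 Deny TCP 198.51.100.77:53211 203.0.113.5:22 in via em1
Aug 27 13:05:11 kernel: ipfw: 3500 Deny TCP 198.51.100.77:53214 203.0.113.5:22 in via em1
Aug 27 13:05:12 kernel: ipfw: 3500 Deny TCP 198.51.100.77:53220 203.0.113.5:22 in via em1
Aug 27 13:06:08 kernel: ipfw: limit 25 reached on entry 3401
Aug 27 13:07:30 kernel: ipfw: 3500 Deny TCP 192.0.2.10:40000 203.0.113.5:22 in via em1
"""

# "ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] in|out via <iface>".
# Ports are optional so ICMP lines ("ICMP:8.0 a.b.c.d e.f.g.h") parse as well.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# RFC 1918 plus ranges that should never arrive from outside; documentation
# nets (192.0.2/24 etc.) are deliberately NOT here so they act as "public".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
)]


def source_class(addr):
    """'private' for RFC 1918 / non-routable sources, else 'public'."""
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def parse(log_text):
    """Return (events, skipped); skipped counts lines such as 'limit N reached'."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            skipped += 1
            continue
        d = m.groupdict()
        d["rule"] = int(d["rule"])
        d["sport"] = int(d["sport"]) if d["sport"] else None
        d["dport"] = int(d["dport"]) if d["dport"] else None
        events.append(d)
    return events, skipped


def is_dhcp_broadcast(ev):
    """DHCP server (udp/67) talking to the limited broadcast address on udp/68."""
    return (ev["proto"] == "UDP" and ev["sport"] == 67
            and ev["dst"] == "255.255.255.255" and ev["dport"] == 68)


def triage(log_text, ssh_threshold=3):
    events, skipped = parse(log_text)
    by_class = Counter(source_class(ev["src"]) for ev in events)
    dhcp_sources = sorted({ev["src"] for ev in events if is_dhcp_broadcast(ev)})
    ssh_hits = Counter(ev["src"] for ev in events
                       if ev["proto"] == "TCP" and ev["dport"] == 22)
    return {
        "parsed": len(events),
        "skipped": skipped,
        "by_class": dict(by_class),
        "dhcp_sources": dhcp_sources,
        "ssh_hits": dict(ssh_hits),
        "ssh_repeat_offenders": sorted(s for s, n in ssh_hits.items() if n >= ssh_threshold),
    }


def quiet_rules(dhcp_sources, iface, logging_rule):
    """ipfw rules that drop the DHCP chatter WITHOUT logging. They are numbered
    just below the logging catch-all so they match first (ipfw lets several
    rules share a number); the number is an assumption to fit your ruleset."""
    num = logging_rule - 1
    return [f"ipfw add {num} deny udp from {src} 67 to 255.255.255.255 68 in via {iface}"
            for src in dhcp_sources]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    for rule in quiet_rules(result["dhcp_sources"], "em1", 3401):
        print(rule)
```

Feed it `grep ipfw /var/log/security` (or wherever ipfw logs on your system) instead of the constructed sample. The generated `deny udp ... 67 to 255.255.255.255 68` rule is the "special rule for the source address(es) you see" from the reply above, and the `ssh_repeat_offenders` list is a count to watch rather than something to act on per address; the reply's actual SSH advice (keys only, `AllowUsers`, restricting source addresses) lives in `sshd_config` and the firewall, not in this script.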
email@example.com mailing list