/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Ken Rune Helland wrote:
> Hello, I have set up a firewall on top of SUSE Linux with a 2.2.16 kernel.
>
> 1. I get a lot of hits on ports 137 and 138 like this:
>
> Feb 2 16:29:13 firewall kernel: Packet log: input DENY eth1 PROTO=17
> xxx.xxx.xxx.xxx:896 yyy.yyy.yyy.yyy:137 L=78 S=0x00 I=52201 F=0x0000 T=103 (#7)
>
> Is this people searching for open Windows hosts, or are they just
> stray Windows packets from Windows machines (eth1 is the external NIC and
> xxx.xxx.xxx.xxx is an external IP, yyy.yyy.yyy.yyy is the firewall's external
> IP)?
>
> The packets seem to be coming from all around, not only from the subnet of the
> external interface.
It's probably Windows users connected to the same ISP as you.
But it might be attackers looking for public shares.
> 2. I got this curious entry:
>
> Feb 2 15:39:28 firewall kernel: Packet log: input DENY eth1 PROTO=6
> 172.16.9.78:80 yyy.yyy.yyy.yyy:62130 L=40 S=0x00 I=34904 F=0x4000 T=42 (#2)
>
> Is someone prying for a hole in the firewall? 172.16.9.78 is in the subnet
> of the inner nic (eth0) but it is unused.
You shouldn't have got that packet. It's probably a
misconfiguration somewhere or an attacker. Ask your
ISP why their routers are sending you packets addressed
to private IP addresses.
> 3. It seems the firewall logs both to /var/log/messages and /var/log/firewall.
> Is this normal? Can I prevent it (I want the firewall entries just in
> /var/log/firewall)? How?
Look at /etc/syslog.conf, which controls this.
> 4. I did the security check on www.vulnerabilities.org and it gave me a warning
> like
>
> Warning found on port general/icmp
>
> The remote host answers to an ICMP timestamp
> request. This allows an attacker to know the
> date which is set on your machine.
>
> This may help him to defeat all your
> time-based authentication protocols.
>
> Solution : filter out the icmp timestamp
> requests (13), and the outgoing icmp
> timestamp replies (14).
>
> Risk factor : Low
> CVE : CAN-1999-0524
>
> Should I block this? What would the rule look like?
Yes. Nobody uses timestamp packets ever.
If they do, it's an attack.
> It might be relevant that the only service available from the external
> interface is SSH.
raf
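The three log questions above (NetBIOS hits on 137/138, an RFC 1918 source address arriving on the external NIC, and ICMP timestamp traffic) all reduce to parsing the ipchains "Packet log:" line and checking a few fields. The following is an added example, not code from the original thread or from any of the posters: a small classifier for ipchains (Linux 2.2) kernel log lines. It assumes the log format shown in the post, that eth1 is the external interface, that for PROTO=1 (ICMP) ipchains places the ICMP type in the source "port" slot and the code in the destination "port" slot, and that `ipchains --icmp-type <n>` accepts a numeric type; the sample log lines are constructed with documentation addresses, not taken from the post.

```python
"""Classify ipchains (Linux 2.2) 'Packet log:' lines from syslog.

Added example for the thread above; not the poster's or raf's code.
"""
import ipaddress
import re
from collections import Counter

EXTERNAL_IFACE = "eth1"          # the poster's external NIC (assumption from the post)
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name / datagram / session services
ICMP_TIMESTAMP_TYPES = {13, 14}  # ICMP timestamp request / reply (CAN-1999-0524)
# Explicit RFC 1918 list: ipaddress.is_private also matches documentation
# ranges (192.0.2.0/24 etc.), which would misclassify the constructed samples.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ipchains log layout, as seen in the post:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# Constructed sample lines (documentation addresses; 203.0.113.9 stands in for
# the firewall's external IP). Line 4 is a non-firewall syslog entry.
SAMPLE_LINES = [
    "Feb  2 16:29:13 firewall kernel: Packet log: input DENY eth1 PROTO=17 "
    "198.51.100.7:896 203.0.113.9:137 L=78 S=0x00 I=52201 F=0x0000 T=103 (#7)",
    "Feb  2 15:39:28 firewall kernel: Packet log: input DENY eth1 PROTO=6 "
    "172.16.9.78:80 203.0.113.9:62130 L=40 S=0x00 I=34904 F=0x4000 T=42 (#2)",
    "Feb  2 15:41:02 firewall kernel: Packet log: input DENY eth1 PROTO=1 "
    "198.51.100.7:13 203.0.113.9:0 L=40 S=0x00 I=1 F=0x0000 T=51 (#9)",
    "Feb  2 15:42:10 firewall kernel: Packet log: input DENY eth1 PROTO=6 "
    "198.51.100.22:4321 203.0.113.9:22 L=60 S=0x00 I=2 F=0x4000 T=50 (#3)",
    "Feb  2 15:43:00 firewall sshd[123]: Accepted publickey for admin from 198.51.100.22",
]


def parse(line):
    """Return a dict of the ipchains log fields, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec


def classify(rec):
    """Label one parsed record; order matters (a spoofed source wins over port)."""
    src = ipaddress.ip_address(rec["src"])
    if rec["iface"] == EXTERNAL_IFACE and any(src in net for net in RFC1918):
        # RFC 1918 source on the Internet-facing NIC: spoofed or misrouted,
        # never legitimate. Question 2 in the post.
        return "spoofed-or-misrouted-private-source"
    if rec["proto"] == 17 and rec["dport"] in NETBIOS_PORTS:
        # UDP to 137/138: Windows name/browse chatter or share scanning. Question 1.
        return "netbios-probe"
    if rec["proto"] == 1 and rec["sport"] in ICMP_TIMESTAMP_TYPES:
        # For ICMP the "source port" slot carries the ICMP type (assumption).
        return "icmp-timestamp"
    return "other"


def summarize(lines):
    """Count classifications over a batch of syslog lines."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        counts["unparsed" if rec is None else classify(rec)] += 1
    return dict(counts)


def ipchains_timestamp_rules(iface=EXTERNAL_IFACE):
    """ipchains rules answering question 4: drop inbound type 13 (and log it),
    drop outbound type 14 on the external interface. Numeric --icmp-type assumed."""
    return [
        f"ipchains -A input -i {iface} -p icmp --icmp-type 13 -j DENY -l",
        f"ipchains -A output -i {iface} -p icmp --icmp-type 14 -j DENY",
    ]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse(line)
        print("unparsed" if rec is None else f'{classify(rec)}: {rec["src"]} -> {rec["dst"]}:{rec["dport"]}')
    print(summarize(SAMPLE_LINES))
    print("\n".join(ipchains_timestamp_rules()))
```

Run it against `/var/log/firewall` with `grep 'Packet log:' /var/log/firewall | python3 classify.py`-style plumbing by replacing SAMPLE_LINES with `sys.stdin`. The private-source check is evaluated first on purpose: a packet with a 172.16.x.x source on eth1 is interesting regardless of its ports, which is why the 172.16.9.78:80 entry is flagged as spoofed/misrouted rather than as ordinary web traffic.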
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.