Yeah, I'm trying to track down the offending box, but in the interim I figured I'd block the port so that I can get my net access back. We run our NAT farm not to skimp on OIT costs (although that's a fringe benefit), but rather because our linux cluster works much more efficiently while running on an isolated gigabit network. The number of machines on our network also fluctuates wildly, so we need to have the flexibility to add and remove computers at will without having to get new IP addresses all the time.

I've been sort of thrust into the position of de facto lab sysadmin when I'm slightly over my head, so I tend to stumble along from time to time, but it usually works out in the end.

- Justin

[EMAIL PROTECTED] wrote:
OIT security does not turn off machine access for P2P violations, except for non-responsive DMCA notifications, and then only in dorm situations. (And many of us are on this list and happy to help with problems.)

We have recently begun blocking several Gnutella-based P2P programs (quite publicly) to protect users as DMCA complaints regarding those services had spiked. But this is a border block, not something that would send individual address bits to /dev/null. So you're likely dealing with a machine that's compromised, not doing P2P. That should be remediated ASAP, not just blocked. We see machines of all sorts compromised these days, not just Windows, so the Macs and Linux boxen don't just get a pass when you're tracking it down. Malware tends to come equipped with adaptive methods these days, so you may end up playing whack-a-mole.

You should call OIT Security at x6-HACK to find out exactly why it was blocked, and to find out more info which may allow you to identify the machine which is misbehaving.

This situation is the result of the use of unauthorized routers and switches being used to allow labs to be placed on the network without the assistance (or billing) of NTS. Billing issues aside, running your own little NAT farm will get the whole thing whacked when something in there misbehaves. We'll try to help resolve the issue (we always both log a block where we, the NOC and helpdesk can see it, and send a notification to the administrator of record for the address) if you contact us. Good luck.

Rob Maxwell


------Original Message------
From: Justin Walker
Sender: UM Linux User's Group
To: [email protected]
ReplyTo: Justin Walker
Sent: Apr 28, 2008 10:18 AM
Subject: [UM-LINUX] IPtables question

Evidently someone in the lab network is running (intentionally or otherwise) some kind of p2p program, and OIT cut us off. They told me the traffic is on port 6667, so I'm just going to block it with our gateway server.

I'm trying to add a rule with IP tables, but I keep getting an error. The command I'm trying to run is:

iptables -A FORWARD -p tcp --dport 6667 DROP

I get the error:

Bad argument `DROP'
Try `iptables -h' or 'iptables --help' for more information.

Does anyone know what I'm doing wrong?

- Justin


*******************************************************************************
Robert Maxwell, CISSP, GCFA
Lead Incident Handler                      OIT Security, University of Maryland
rmaxwell at umd dot edu
GnuPG Public Key:   http://security.umd.edu/contact/Robert_Maxwell.asc
*******************************************************************************
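The command in the original message fails because iptables expects the target to be introduced with `-j` (`--jump`); without it, `DROP` is parsed as a stray argument, which is exactly the "Bad argument" error shown. The script below is an added example for this thread, not code from Justin or Rob: it applies the corrected FORWARD rule for TCP/6667 on the NAT gateway, puts a rate-limited LOG rule in front of the DROP so the gateway records which internal address is generating the traffic (the part Justin still needs in order to find the offending box), and includes a small reporter that tallies source addresses from the kernel log. The port, the `P2P6667:` log prefix, and the sample log lines are constructed for the example; the sample lines follow the field layout the kernel uses for `-j LOG` output.

```shell
#!/bin/sh
# Added example for the UM-LINUX thread (not the list members' own code).
# Blocks forwarded TCP traffic to one port and logs the internal source
# first, so the misbehaving host behind the NAT can be identified.

PORT=6667                 # port named in the thread
LOG_PREFIX="P2P6667: "    # constructed prefix used to find our lines in the kernel log

# True only when iptables exists and we can actually change the ruleset.
have_iptables() {
    command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]
}

# Append a FORWARD rule unless an identical one is already present (-C checks).
# Without iptables/root the intended command is printed instead.
ensure_forward_rule() {
    if have_iptables; then
        iptables -C FORWARD "$@" 2>/dev/null || iptables -A FORWARD "$@"
    else
        echo "would run: iptables -A FORWARD $*"
    fi
}

# The corrected rule from the thread, preceded by a LOG rule. The original
# command omitted "-j", so iptables rejected DROP as a bad argument.
block_port() {
    ensure_forward_rule -p tcp --dport "$1" -m limit --limit 10/min \
        -j LOG --log-prefix "$LOG_PREFIX"
    ensure_forward_rule -p tcp --dport "$1" -j DROP
}

# Read kernel log lines on stdin (e.g. from dmesg or /var/log/kern.log),
# keep only our prefixed LOG entries, and count hits per SRC= address,
# busiest first.
top_sources() {
    grep "$LOG_PREFIX" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log lines in the kernel's -j LOG field layout.
SAMPLE_LOG='Apr 28 10:20:01 gw kernel: P2P6667: IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=6667 SYN
Apr 28 10:20:03 gw kernel: P2P6667: IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51235 DPT=6667 SYN
Apr 28 10:20:05 gw kernel: P2P6667: IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40000 DPT=6667 SYN
Apr 28 10:20:07 gw kernel: unrelated entry SRC=10.0.0.99 DST=203.0.113.9 PROTO=TCP DPT=80 SYN'

case "${1:-}" in
    apply)  block_port "$PORT" ;;           # sh block6667.sh apply
    report) top_sources ;;                  # dmesg | sh block6667.sh report
    demo)   printf '%s\n' "$SAMPLE_LOG" | top_sources ;;
esac
```

Run with `apply` on the gateway to install both rules (it is safe to re-run, since `-C` skips rules that already exist), then `dmesg | sh block6667.sh report` after a few minutes lists internal addresses by hit count; the LOG rule is rate limited so a chatty host cannot flood syslog. Blocking the port only restores the lab's access, so the host at the top of that list still needs to be cleaned up.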
