From: Peter Pentchev (roamorbitel.bg)
Date: Fri Jun 29 2001 - 11:29:25 CDT
On Fri, Jun 29, 2001 at 11:16:52AM -0500, George.Gilesmcmail.vanderbilt.edu wrote:
> I do not agree. Here's why:
> the ipfw is on 10.0.0.2 and does not have a web server.
> 10.0.0.1 does.
> I see a lot of these style attacks, various ports, various services used on
> 10.0.0.1, always proxying to another machine. That is, ipfw is on 10.0.0.2
> and the signature of the log is:
> attacker:port 10.0.0.1:port
> It makes me think that somehow a proxy attack is going on.
> The 10.x.x.x are not the actual addresses obviously.
Look. The ipfw logs (as you could easily test yourself) list the source
and destination addresses of a TCP or UDP packet as saddr:sport daddr:dport.
The log line you pasted clearly means that there was a TCP packet from
216.blah port 21602 (clearly ephemeral) to 10.0.0.1 port 80. Somebody
is trying to reach port 80 on 10.0.0.1.
If 10.0.0.1 is not directly reachable, then this might very well be
a packet translated by a NAT (a.k.a. masquerading in the Linux world)
gateway. It might be a proxy attack, but this depends on the structure
of your network. All the log says is that 216.blah is trying to connect
to the webserver on 10.0.0.1, and that's a fact.
--
This sentence claims to be an Epimenides paradox, but it is lying.
> Peter Pentchev <roamorbitel.bg>
> To: George.Gilesmcmail.vanderbilt.edu
> cc: freebsd-securityfreebsd.org
> Subject: Re: What is ipfw telling me ?
> 06/29/2001 10:04 AM
>
> On Fri, Jun 29, 2001 at 09:49:54AM -0500, George.Gilesmcmail.vanderbilt.edu wrote:
> > What is ipfw telling me ?
> >
> > The 216 host is attempting to break in, but how is it using port 80 on the
> > other machine ?
> >
> > ipfw: 2400 Deny TCP 18.104.22.168:21602 10.0.0.1:80 in via xl0
>
> The host 22.214.171.124 is trying to connect to 10.0.0.1; the connection
> attempt is from port 21602 (ephemeral, unique to this connection in
> a certain timeframe) to port 80 on 10.0.0.1. That is, someone from
> 126.96.36.199 is trying to browse the web on 10.0.0.1.
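As an added example (not part of this thread), a small Python parser for the ipfw log format Peter describes above, saddr:sport daddr:dport, that reads the posted log line and states which side initiated the connection attempt. The ICMP sample line is constructed; the field layout for portless protocols is an assumption about ipfw(8) of that era.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ipfw log line: "ipfw: <rule> <action> <proto> <saddr>:<sport> <daddr>:<dport> <in|out> via <iface>"
# Protocols without ports (e.g. ICMP) log bare addresses; the type.code rides on the proto field.
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<saddr>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<daddr>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    saddr: str
    sport: Optional[int]
    daddr: str
    dport: Optional[int]
    direction: str
    iface: str


def parse_ipfw_line(line: str) -> Optional[IpfwEvent]:
    """Return the parsed event, or None if the line is not an ipfw packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return IpfwEvent(int(g["rule"]), g["action"], g["proto"], g["saddr"],
                     int(g["sport"]) if g["sport"] else None, g["daddr"],
                     int(g["dport"]) if g["dport"] else None, g["dir"], g["iface"])


def describe(ev: IpfwEvent) -> str:
    """Plain reading of the line: the source host is the one reaching out to the destination."""
    if ev.sport is None or ev.dport is None:
        return f"{ev.saddr} -> {ev.daddr} ({ev.proto}), {ev.action.lower()} {ev.direction} via {ev.iface}"
    # An ephemeral (>= 1024) source port toward a well-known destination port is the
    # client-to-server direction: saddr initiated the connection attempt to daddr.
    role = "client -> service" if ev.sport >= 1024 and ev.dport < 1024 else "unclear"
    return (f"{ev.saddr}:{ev.sport} -> {ev.daddr}:{ev.dport} ({ev.proto}, {role}, "
            f"{ev.action.lower()} {ev.direction} via {ev.iface})")


if __name__ == "__main__":
    for raw in ("ipfw: 2400 Deny TCP 18.104.22.168:21602 10.0.0.1:80 in via xl0",   # from the thread
                "ipfw: 100 Deny ICMP:8.0 192.0.2.7 10.0.0.2 in via xl0"):            # constructed
        ev = parse_ipfw_line(raw)
        print(describe(ev) if ev else f"unparsed: {raw}")
```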