Subject: [suse-security] Portscan
From: Stephen Thompson (s.p.thompsonmindspring.com)
Date: Tue Feb 15 2000 - 09:05:04 CST


Hi.
I am relatively new to the list, and to Linux in general.
I have tried to find out more about security in man pages and a couple of
books, trying to make my machines more secure.

While I was online yesterday and today I noticed in my console that I had
been portscanned. Sorry for the spam on this; this is just what they sent.
Feb 14 10:57:59 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1764, 1765, 1766, 1767, 1768, 1769, 1770, 1771, 1772, ..., flags ??rp?u, TOS 10, TTL 114, started at 10:57:45
Feb 14 11:21:26 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1800, 1801, 1802, 1803, 1804, 1805, 1806, 1807, 1808, ..., flags ??rp?u, TOS 10, TTL 114, started at 11:21:12
Feb 14 11:30:56 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1819, 1820, 1821, 1822, 1823, 1824, 1825, 1826, 1827, ..., flags ??rp?u, TOS 10, TTL 114, started at 11:30:42
Feb 14 16:28:07 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1902, 1903, 1904, 1905, 1906, 1907, 1908, 1909, 1910, ..., flags ??rp?u, TOS 10, TTL 114, started at 16:27:55
Feb 14 16:50:44 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1925, 1926, 1927, 1928, 1929, 1930, 1931, 1932, 1933, ..., flags ??rp?u, TOS 10, TTL 114, started at 16:50:29
Feb 14 17:02:38 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1976, 1977, 1978, 1979, 1980, 1981, 1982, 1983, 1984, ..., flags ??rp?u, TOS 10, TTL 114, started at 17:02:23
Feb 14 17:33:54 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, ..., flags ??rp?u, TOS 10, TTL 114, started at 17:33:40
Feb 14 21:03:23 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 2052, 2053, 2054, 2055, 2056, 2057, 2058, 2059, 2060, ..., flags ??rp?u, TOS 10, TTL 114, started at 21:03:11
Feb 15 13:42:21 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 2120, 2121, 2122, 2123, 2124, 2125, 2126, 2127, 2128, ...

Now I have a small Linux machine used to masquerade for the machines in our
local setup so we can use the internet together.
This is my ipchains setup at the moment (I know there is a SuSE packet filter
script, I just haven't got to grips with it yet :(, but at least I'm trying to
find out the answers)

<start of shell script>
#!/bin/sh
INTERNAL=192.168.0.0/24
echo -n "Turning on packet filtering:"
# Disable forwarding while the rules are rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

# Delete user-defined chains, flush all rules, and set the default policy to REJECT
/sbin/ipchains -X
/sbin/ipchains -F
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT

# Attempt to stop spoofing: internal or loopback source addresses arriving
# on the external interface (ppp0) are rejected and logged
ipchains -A input -s 192.168.0.0/24 -i ppp0 -j REJECT -l
ipchains -A input -s 127.0.0.1 -i ppp0 -j REJECT -l

# Set up the input chain

# Allow loopback connections
ipchains -A input -s 127.0.0.1 -j ACCEPT

# Allow the internal net to the internal net
ipchains -A input -s $INTERNAL -d $INTERNAL -j ACCEPT

# Allow the internal net to the external net
ipchains -A input -s 127.0.0.1 -d ! $INTERNAL -j ACCEPT
ipchains -A input -s $INTERNAL -d ! $INTERNAL -j ACCEPT

# Allow the external net to the internal net:
# the active FTP stuff here. These two rules match every TCP packet from
# outside whose source port is 20 or 21, whatever its destination address,
# destination port or flags (SYN included).
ipchains -A input -p tcp -s ! $INTERNAL 20 -j ACCEPT
ipchains -A input -p tcp -s ! $INTERNAL 21 -j ACCEPT

# Accept only non-SYN TCP from outside (! -y), so new incoming TCP connection
# requests fall through to the REJECT rule below
ipchains -A input -p tcp -s ! $INTERNAL ! -y -j ACCEPT
ipchains -A input -p udp -s ! $INTERNAL -d ! $INTERNAL -j ACCEPT
ipchains -A input -s ! $INTERNAL -d ! $INTERNAL -j REJECT

# Set up the forwarding chain
# Allow forwarding in the internal net
ipchains -A forward -s $INTERNAL -d $INTERNAL -j ACCEPT

# Masquerade the internal net to the external net
ipchains -A forward -s $INTERNAL -d ! $INTERNAL -j MASQ

# Masquerading should take care of external to internal;
# this should stop non-masqueraded forwarding
ipchains -A forward -s ! $INTERNAL -d $INTERNAL -j REJECT

# Set up the output rules
ipchains -A output -j ACCEPT

ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT

echo 1 > /proc/sys/net/ipv4/ip_forward
<end of script>

All I want the external network to do is send ICQ packets inside. Otherwise stop
anything not a reply to a masqed packet.

My questions are as follows (and I know they may be foolish):

How did the person doing the portscan manage to send their packets to my
internal machine 192.168.0.51 directly?
(I have noticed a lack of the same activity on the router, which is 192.168.0.50,
and I thought all my packets would look like they came from there.)

How can I get more information about the scanner on that host? I have tried to
do the usual host 216.77.42.93 and got no host; I've done a traceroute so I
know what machines it goes through. I've tried to telnet to a few ports to see
if they have any open, to get the name of the place. I just want more
information so I can keep tabs on it and mail the admin about the activities.

Can anyone give me a few links to places to find out more about security in
general?

Thank you for your patience with this newbie.

Stephen Thompson
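As an added example (not part of the original post, and not scanlogd's own code), a small Python parser for scanlogd lines in the format quoted above. It marks each event whose source port matches one of the source-port-based accept rules in the posted script, which is the condition under which a packet from outside skips the "! -y" non-SYN check. The sample lines are constructed (the first two modelled on the post, the third invented), and parse_scanlogd, explain_scans, port_span and FTP_SOURCE_PORTS are hypothetical names.

```python
import re

# Constructed sample input in scanlogd's line format (first two modelled on the
# post above, the third invented so an event from a non-FTP source port appears).
SAMPLE_LOG = """\
Feb 14 10:57:59 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1764, 1765, 1766, 1767, ..., flags ??rp?u, TOS 10, TTL 114, started at 10:57:45
Feb 14 11:21:26 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1800, 1801, 1802, ..., flags ??rp?u, TOS 10, TTL 114, started at 11:21:12
Feb 14 12:00:00 reaper scanlogd: From 10.9.8.7:4321 to 192.168.0.50 ports 21, 22, 23, 25, ..., flags ?????s, TOS 00, TTL 64, started at 11:59:50
"""

# The flags/TOS/TTL tail is optional: a truncated line (like the last one in
# the post) still yields the source, source port, target and port list.
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) scanlogd: "
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"ports (?P<ports>[\d, ]+)(?:\.\.\.)?"
    r"(?:, flags (?P<flags>\S+), TOS (?P<tos>\w+), TTL (?P<ttl>\d+))?"
)

# Source ports the posted ipchains script accepts from outside before the
# "! -y" (non-SYN) rule is reached: the two active-FTP rules (-s ! $INTERNAL 20 / 21).
FTP_SOURCE_PORTS = {20, 21}

def parse_scanlogd(line):
    """Return a dict for one scanlogd line, or None if the line is not one."""
    m = SCAN_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ports = [int(p) for p in d["ports"].replace(" ", "").split(",") if p]
    return {
        "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
        "ports": ports, "flags": d["flags"],
        "ttl": int(d["ttl"]) if d["ttl"] else None,
    }

def explain_scans(log_text, allowed_sports=FTP_SOURCE_PORTS):
    """Parse every scanlogd line and mark the events whose source port is
    accepted unconditionally by the firewall, regardless of the SYN flag."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_scanlogd(line)
        if ev is not None:
            ev["matched_sport_rule"] = ev["sport"] in allowed_sports
            findings.append(ev)
    return findings

def port_span(findings, src):
    """Lowest and highest target port one source touched across its events."""
    ports = [p for f in findings if f["src"] == src for p in f["ports"]]
    return (min(ports), max(ports)) if ports else None
```

Running explain_scans over the real log (for example /var/log/messages filtered on "scanlogd:") shows directly which scans share a source port with an accept rule, which is the first thing to check before mailing the remote admin.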
