This is a discussion on IPCOP - Block Port Scanning from Inside within the Linux Security forums, part of the System Security and Security Related category; I have been warned today that a machine inside my network is port scanning another machine outside my network. How ...
I have been warned today that a machine inside my network is port scanning another machine outside my network. How can I use IPCOP and IPTables to block this particular type of outbound traffic? I have had no luck locating the machine to shut it down. I would like the firewall to block it so I can be sure that unpatched or infected machines do not cause this again. I am using IPCOP v1.3 with all fixes applied. Thanks!

Please see the sample log emailed to me below (IP addresses removed and replaced with "My IP" and "Their IP"):

EDT(GMT-4) May 21 20:04:05 My IP:2759 -> Their IP:2745 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2759 -> Their IP:2745 SYN ******S*
EDT(GMT-4) May 21 20:04:05 My IP:2768 -> Their IP:1025 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2768 -> Their IP:1025 SYN ******S*
EDT(GMT-4) May 21 20:04:05 My IP:2769 -> Their IP:445 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2769 -> Their IP:445 SYN ******S*
EDT(GMT-4) May 21 20:04:05 My IP:2776 -> Their IP:3127 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2776 -> Their IP:3127 SYN ******S*
EDT(GMT-4) May 21 20:04:05 My IP:2777 -> Their IP:6129 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2777 -> Their IP:6129 SYN ******S*
EDT(GMT-4) May 21 20:04:05 My IP:2782 -> Their IP:1433 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2782 -> Their IP:1433 SYN ******S*
EDT(GMT-4) May 21 20:04:05 My IP:2783 -> Their IP:5000 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2783 -> Their IP:5000 SYN ******S*
EDT(GMT-4) May 21 20:04:05 My IP:2785 -> Their IP:80 SYN ******S*
EDT(GMT-4) May 21 20:04:11 My IP:2785 -> Their IP:80 SYN ******S*
EDT(GMT-4) May 21 13:40:00 My IP:3039 -> Their IP:2745 SYN ******S*
EDT(GMT-4) May 21 13:40:06 My IP:3039 -> Their IP:2745 SYN ******S*
EDT(GMT-4) May 21 13:40:00 My IP:3041 -> Their IP:1025 SYN ******S*
EDT(GMT-4) May 21 13:40:06 My IP:3041 -> Their IP:1025 SYN ******S*
"Todd" <tussery@wesleyancollege.edu> wrote in message news:56b37542.0405261423.14687e2b@posting.google.com...

> I have been warned today that a machine inside my network is port
> scanning another machine outside my network. How can I use IPCOP and
> IPTables to block this particular type of outbound traffic? I have had
> no luck locating the machine to shut it down. I would like the
> firewall to block it so I can be sure that unpatched or infected
> machines do not cause this again. I am using IPCOP v1.3 with all fixes
> applied.

Maybe I'm missing something here, but surely if you know the IP of the scanning box you can locate it through various means (MAC addresses maybe) and you should be addressing the behaviour of the person running that box?

If the person running that box is innocent then the box may be compromised and should be removed from your network anyway?

Egress filtering should be adopted as a matter of policy anyway.

--
Regards
Luke
--
If ignorance is bliss, why does management always look so unhappy?
Todd wrote:
> I have been warned today that a machine inside my network is port
> scanning another machine outside my network. How can I use IPCOP and
> IPTables to block this particular type of outbound traffic? I have had
> no luck locating the machine to shut it down. I would like the
> firewall to block it so I can be sure that unpatched or infected
> machines do not cause this again. I am using IPCOP v1.3 with all fixes
> applied.
>
> Thanks!
>
> Please see the sample log emailed to me below: (IP addresses removed
> and replaced with "My IP" and "Their IP")
>
> EDT(GMT-4) May 21 20:04:05 My IP:2759 -> Their IP:2745 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2759 -> Their IP:2745 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2768 -> Their IP:1025 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2768 -> Their IP:1025 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2769 -> Their IP:445 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2769 -> Their IP:445 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2776 -> Their IP:3127 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2776 -> Their IP:3127 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2777 -> Their IP:6129 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2777 -> Their IP:6129 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2782 -> Their IP:1433 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2782 -> Their IP:1433 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2783 -> Their IP:5000 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2783 -> Their IP:5000 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2785 -> Their IP:80 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2785 -> Their IP:80 SYN ******S*
> EDT(GMT-4) May 21 13:40:00 My IP:3039 -> Their IP:2745 SYN ******S*
> EDT(GMT-4) May 21 13:40:06 My IP:3039 -> Their IP:2745 SYN ******S*
> EDT(GMT-4) May 21 13:40:00 My IP:3041 -> Their IP:1025 SYN ******S*
> EDT(GMT-4) May 21 13:40:06 My IP:3041 -> Their IP:1025 SYN ******S*

It is possible your system is participating in an idle system attack, and is not actually scanning the host. See http://www.insecure.org/nmap/idlescan.html for details.
Todd wrote:
> I have been warned today that a machine inside my network is port
> scanning another machine outside my network. How can I use IPCOP and
> IPTables to block this particular type of outbound traffic? I have had
> no luck locating the machine to shut it down. I would like the
> firewall to block it so I can be sure that unpatched or infected
> machines do not cause this again. I am using IPCOP v1.3 with all fixes
> applied.
>
> Thanks!
>
> Please see the sample log emailed to me below: (IP addresses removed
> and replaced with "My IP" and "Their IP")
>
> EDT(GMT-4) May 21 20:04:05 My IP:2759 -> Their IP:2745 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2768 -> Their IP:1025 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2769 -> Their IP:445 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2776 -> Their IP:3127 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2777 -> Their IP:6129 SYN ******S*
> EDT(GMT-4) May 21 20:04:05 My IP:2782 -> Their IP:1433 SYN ******S*
> EDT(GMT-4) May 21 20:04:11 My IP:2783 -> Their IP:5000 SYN ******S*

From the ports listed it looks like the system may be a Windows system that is infected with one or more of the viruses that are going around.

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.26 SMP i686 (GCC) 3.3.3
Uptime: 12 days, 4:00, 2 users, load average: 1.11, 1.04, 1.0
> Maybe I'm missing something here, but surely if you know the ip of the
> scanning box you can locate it through various means (MAC addresses
> maybe) and you should be addressing the behaviour of the person running
> that box?
>
> If the person running that box is innocent then the box may be
> compromised and should be removed from you network anyway?
>
> Egress filtering should be adopted as a matter of policy anyway.
>
> --
> Regards
> Luke

I do not know the IP of the scanning box. All the log shows is my external IP address. There are 450 machines behind the firewall. That is where I have the problem - finding the culprit. What would you use to locate such a machine? I have tried tcpdump, but the amount of traffic is overwhelming. My next thought is to use Ethereal on the outside of my firewall and look at traffic, but once again - I will get my external IP, not the machine with the problem. I would just rather be able to drop the traffic before it leaves.

Thanks,
Todd
tussery@wesleyancollege.edu (Todd) writes:

[snip]

>> Egress filtering should be adopted as a matter of policy anyway.

Absolutely.

> I do not know the IP of the scanning box. All the log shows is my
> external IP address. There are 450 machines behind the firewall. That is
> where I have the problem - finding the culprit. What would you use to
> locate such a machine? I have tried tcpdump, but the amount of traffic is
> overwhelming. My next thought is to use Ethereal on the outside of my
> firewall and look at traffic, but once again - I will get my external IP,
> not the machine with the problem. I would just rather be able to drop the
> traffic before it leaves.

Why not install snort on the NATting box, looking for port-scans in either direction?

How about tcpdump-ing a lot of crap and running the results through etherape?

Or you could run ntop and drill-down the bandwidth consumption a few ways, as well...

~Tim
--
Our moments are rush and gone |piglet@stirfried.vegetable.org.uk
All our pictures incomplete |http://pig.sty.nu/
On Thu, 27 May 2004 08:15:11 -0500, Todd created an award-winning crop circle <56b37542.0405270515.76f35eb1@posting.google.com>, which when translated into English means this:

> I do not know the IP of the scanning box. All the log shows is my
> external IP address. There are 450 machines behind the firewall. That is
> where I have the problem - finding the culprit. What would you use to
> locate such a machine?

I imagine that you could configure iptables to make a log of any attempts of your computers to connect to ports 2745, 1025, 445, or 5000. This would be done on the firewall machine.
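An added worked example (not from any poster in this thread) of the two things asked for above: egress rules on the firewall that log and drop outbound SYNs to the probed ports, and a one-liner to read the resulting kernel log and name the internal host. The rules sit on FORWARD, where the packet still carries the LAN source address (IPCop's masquerading rewrites it later in nat/POSTROUTING). Interface names, the LAN range and the sample log lines are assumptions and constructed data, not taken from the thread.

```shell
#!/bin/sh
# Assumed IPCop layout: GREEN (LAN) on eth0, RED (Internet) on eth1,
# LAN range 192.168.1.0/24. Adjust to match the actual box.
GREEN_IF=eth0
RED_IF=eth1
LAN_NET=192.168.1.0/24
# Ports seen in the reported log (plus 80, which we deliberately leave
# out so normal web browsing keeps working).
SCAN_PORTS="2745,1025,445,3127,6129,1433,5000"

# Run as root on the firewall. Logged lines keep SRC= as the LAN address,
# which is exactly what the upstream report could not show.
install_egress_rules() {
    iptables -N EGRESS_SCAN 2>/dev/null || iptables -F EGRESS_SCAN
    iptables -A EGRESS_SCAN -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "EGRESS_SCAN: " --log-level 4
    iptables -A EGRESS_SCAN -j DROP
    iptables -I FORWARD -i "$GREEN_IF" -o "$RED_IF" -s "$LAN_NET" \
        -p tcp --syn -m multiport --dports "$SCAN_PORTS" -j EGRESS_SCAN
}

# Read kernel log lines on stdin (e.g. from /var/log/messages) and print
# "<internal IP> <number of logged SYNs>", busiest host first.
find_scanner() {
    grep 'EGRESS_SCAN:' |
    sed -n 's/.* SRC=\([0-9.]*\) .* DPT=\([0-9]*\) .*/\1 \2/p' |
    awk '{ n[$1]++ } END { for (h in n) print h, n[h] }' |
    sort -k2,2nr
}

# Constructed sample of what the LOG target writes (not real log data).
SAMPLE_LOG='May 21 20:04:05 ipcop kernel: EGRESS_SCAN: IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=2759 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0
May 21 20:04:05 ipcop kernel: EGRESS_SCAN: IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=2768 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
May 21 20:04:05 ipcop kernel: EGRESS_SCAN: IN=eth0 OUT=eth1 SRC=192.168.1.37 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=2769 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May 21 20:04:06 ipcop kernel: EGRESS_SCAN: IN=eth0 OUT=eth1 SRC=192.168.1.88 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=3301 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May 21 20:04:06 ipcop kernel: unrelated line SRC=192.168.1.5 DPT=80 SYN'

# Stand-alone demo: the unrelated line is ignored and 192.168.1.37 tops the list.
printf '%s\n' "$SAMPLE_LOG" | find_scanner
```

On the real box, pipe `/var/log/messages` into `find_scanner` instead of the sample; once the host is found, the DROP rule keeps the traffic off the wire while it is cleaned.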