
Re: Attempt on smtpd / faking remote ip



you should also filter out 127.0.0.0/8 on any network interface but "lo".

so that spoofing with localhost addresses is not possible anymore.

( for example:
# -i is only valid in the INPUT chain and -o only in OUTPUT; loopback traffic is fine
iptables -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p all -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p all -j ACCEPT
# anything else that claims a 127/8 address on either side is spoofed
iptables -A INPUT  -s 127.0.0.0/8 -d 0/0 -p all -j REJECT
iptables -A OUTPUT -s 0/0 -d 127.0.0.0/8 -p all -j REJECT
maybe the same for the private address ranges that aren't allowed to come in on your
internet interface)

and for the mail script you use... check your web log for the time you saw the
mysterious connections in postfix. If there was something, you should see the
hits in the access.log

--Ralph

On Sunday 04 April 2004 13:52 Andreas Vent-Schmidt wrote:
> Hi Andreas,
>
> thanks a lot for your hints.
>
> At 12:54 +0200 04.04.2004, Andreas John wrote:
> >It looks like your friend is trying to inject packets into your SMTP with
> >faked (spoofed) IPs. In this particular case he sends as "localhost". I
> > guess ...
> >more likely that he tries to overflow postfix (improbable) or procmail
> > (suid root? postfix in chroot?) or your virus killer or or or .....
>
> It's very likely that you are right with this. Of course, postfix is in
> chroot.
>
> >Another possibility is that you have an http-server with a "formmail" on
> > this box. Mail via this form comes from localhost. It's a usual manner
> > of spammers to exploit self-written mail forms by putting new header
> > lines (To and CC) into the subject line of the form. (I had a case where
> > they even put
>
> I know this kind of attack - but it's not that easy on the server in
> question: there is no standard "formmail.pl" or something like this.
> I believe that my PHP-based contact form (done myself) is quite
> secure (there's no subject field or variable, all input is escaped
> and so on).
>
> >I don't want to spread fear, so
> >1.) Boot superrescue, knoppix or so
> >2.) Run chkrootkit (deb package is mostly a little old)
> >3.) If you run chkrootkit on Debian, chkrootkit reports one false
> > positive!
>
> It'll be done!
>
> Thanks again and have a good day!
> Andreas
>
> --
> procommerz - Internet for companies
> http://www.procommerz.de | 033925-90710
>
> Stop TCPA, Microsoft's censorship system! | http://www.againsttcpa.com
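The check Ralph suggests (look in the web server's access.log at the moments the "connect from localhost" lines appear in the Postfix log) can be automated. The following is an added example written for this archive page, not code from either poster: it parses syslog-style Postfix smtpd lines and Apache combined-format access.log lines, both constructed here for the demo, and lists every web request that landed within a few seconds of each loopback SMTP connection. The form path /kontakt.php, the year 2004 (syslog lines carry no year) and the +0200 offset are assumptions.

```python
"""Correlate Postfix 'connect from localhost' events with web-server hits.

Added example for the thread above, not the original poster's code.
A loopback SMTP connection that coincides with a POST to a contact form
is the web-form theory from the thread; one with no nearby hit is not.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real data). The web form path is assumed.
POSTFIX_LOG = """\
Apr  4 13:51:10 mx postfix/smtpd[2211]: connect from localhost[127.0.0.1]
Apr  4 13:51:12 mx postfix/smtpd[2211]: disconnect from localhost[127.0.0.1]
Apr  4 13:58:40 mx postfix/smtpd[2231]: connect from mail.example.net[192.0.2.10]
Apr  4 14:02:03 mx postfix/smtpd[2250]: connect from localhost[127.0.0.1]
"""

ACCESS_LOG = """\
198.51.100.7 - - [04/Apr/2004:13:51:09 +0200] "POST /kontakt.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Apr/2004:13:51:11 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Apr/2004:13:58:38 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Apr/2004:14:30:00 +0200] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/4.0"
"""

YEAR = 2004  # assumption: syslog timestamps do not carry the year

POSTFIX_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def postfix_local_connects(text):
    """Timestamps of smtpd connections whose peer address is in 127.0.0.0/8."""
    out = []
    for line in text.splitlines():
        m = POSTFIX_RE.match(line)
        if m and m.group("ip").startswith("127."):
            ts = datetime.strptime(
                f"{YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}",
                "%Y %b %d %H:%M:%S",
            )
            out.append(ts)
    return out


def access_requests(text):
    """(timestamp, client, method, path) for every parseable access.log line."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Drop the numeric offset: syslog lines are in local time as well.
        ts = datetime.strptime(m.group("ts").split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        out.append((ts, m.group("client"), m.group("method"), m.group("path")))
    return out


def correlate(postfix_text, access_text, window=timedelta(seconds=5)):
    """For each loopback SMTP connect, the web requests within +/- window.

    Returns a list of (connect_time, [nearby requests]); an empty list means
    nothing in the web log explains that connection.
    """
    hits = access_requests(access_text)
    report = []
    for ts in postfix_local_connects(postfix_text):
        nearby = [h for h in hits if abs(h[0] - ts) <= window]
        report.append((ts, nearby))
    return report


if __name__ == "__main__":
    for ts, nearby in correlate(POSTFIX_LOG, ACCESS_LOG):
        shown = [(c, m, p) for _, c, m, p in nearby] or "no web hit in window"
        print(ts.isoformat(), "<-", shown)
```

On the constructed data the first loopback connection lines up with a POST to the form from 198.51.100.7 one second earlier, while the second one has no web hit at all, which is the case where the form theory does not hold and the rootkit check becomes more interesting. Widen the window if the form hands mail to a queue rather than calling sendmail directly.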

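The header-injection trick Andreas John describes in the quoted part (extra To/CC lines smuggled in through a form field) is easy to reproduce and easy to stop. The following is an added example, not code from the thread or from the contact form discussed in it; the field names and addresses are hypothetical. It builds a message the naive way, shows that a parser now sees a Bcc: header the form author never wrote, and then shows the check that rejects such input before it reaches the mailer.

```python
"""Mail-header injection through a web form field, and the check that stops it.

Added example, not code from the original thread. The naive builder pastes
form values straight into the header block; a parser (or sendmail -t) then
honours the injected Bcc: line. The hardened builder refuses any CR or LF
in a header field.
"""
from email import message_from_string

# Constructed attacker input: the "subject" carries a whole extra header line.
INJECTED_SUBJECT = "Question\r\nBcc: victim1@example.net, victim2@example.net"


def build_mail_naive(sender, subject, body):
    """Vulnerable pattern: untrusted values concatenated into the header block."""
    return (
        f"From: {sender}\n"
        "To: webmaster@example.org\n"
        f"Subject: {subject}\n"
        "\n"
        f"{body}\n"
    )


def recipients_of(raw_mail):
    """Every address a 'sendmail -t' run would deliver the parsed message to."""
    msg = message_from_string(raw_mail)
    rcpts = []
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            rcpts.extend(a.strip() for a in value.split(","))
    return rcpts


class HeaderInjection(ValueError):
    """Raised when a form value would add or fold header lines."""


def clean_header_value(value):
    """Reject CR and LF outright; stripping them silently hides the attack."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection("newline in header field")
    return value.strip()


def build_mail_hardened(sender, subject, body):
    """Same layout, but every header field passes through clean_header_value()."""
    return build_mail_naive(
        clean_header_value(sender), clean_header_value(subject), body
    )


if __name__ == "__main__":
    raw = build_mail_naive("alice@example.com", INJECTED_SUBJECT, "hello")
    print("naive builder delivers to:", recipients_of(raw))
    try:
        build_mail_hardened("alice@example.com", INJECTED_SUBJECT, "hello")
    except HeaderInjection as e:
        print("hardened builder rejected the input:", e)
```

Raising rather than stripping is deliberate: a stripped value would still produce a deliverable mail and the abuse attempt would leave no trace, whereas a rejection can be logged with the client address and correlated with the Postfix log. Escaping for HTML, as mentioned in the reply, does nothing against this: the characters that matter here are CR and LF, not angle brackets.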

