
RE: Unusual logging



Our firewall rules have the following entries in them

$IPCHAINS -A input -s xxx.xx.xxx.x/24 -d $REMOTENET -j DENY -l
$IPCHAINS -A input -b -i $OUTERIF -p icmp -s xxx.xx.xxx.x/24 -d $OUTERNET -j DENY -l
etc
etc
etc

Where xxx is the IP of a known hacker here on the Gold Coast, Queensland.
(There are actually 6 entries in relation to the IP ranges that they own;
they are an ISP as well.) But none of these are a match for the IP that is
giving us this log entry. This is the first time an entry like this has been
made.

Is there a particular change you would make to these lines? Being relatively
new to ipchains, any help would be appreciated.

Regards
Pete

-----Original Message-----
From: Noah L. Meyerhans [mailto:frodo@morgul.net]
Sent: Friday, 22 March 2002 11:27 AM
To: Jay Kline
Cc: Debian Security List
Subject: Re: Unusual logging


On Thu, Mar 21, 2002 at 06:12:02PM -0600, Jay Kline wrote:
> What seems odd to me is the yyy IP is originating from such a low port
> (3) which means the system is most likely not unix or windows (or at least
> not standard apps), unless using some specific application. Anyone know of
> one that does this?

Errm, no, you are missing the fact that PROTO=1.  That means it's ICMP
traffic.  His iptables blocked a Destination Unreachable ICMP message.
Those get sent by Unix and non-Unix systems all the time, but typically
not by userland stuff.

Personally, I would label this a misconfigured firewall.  There are
others out there who do like to block such messages.  I don't see the
point.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
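As an added illustration of Noah's point (this is not code from the thread or from the Debian project), the following Python decodes ipchains "Packet log:" lines in the format documented by the ipchains HOWTO, where for PROTO=1 the two "port" fields are really the ICMP type and code, so a ":3" on an ICMP entry is Destination Unreachable, not a connection from TCP/UDP port 3. The sample log lines are constructed, and the regex assumes the standard 2.2-kernel ipchains log layout.

```python
import re

# ipchains kernel log format (ipchains HOWTO):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<a> <dst>:<b> L=<len> ...
# For TCP/UDP, <a>/<b> are source/destination ports.
# For PROTO=1 (ICMP), <a> is the ICMP type and <b> the ICMP code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<a>\d+) (?P<dst>[\d.]+):(?P<b>\d+)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded"}
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 4: "fragmentation-needed"}


def parse_ipchains_log(line):
    """Return a dict describing the logged packet, or None if not an ipchains log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("chain", "target", "iface", "src", "dst")}
    proto, a, b = int(m.group("proto")), int(m.group("a")), int(m.group("b"))
    rec["proto"] = PROTO_NAMES.get(proto, str(proto))
    if proto == 1:
        # The "ports" are ICMP type/code; name them instead of treating them as ports.
        rec["icmp_type"], rec["icmp_code"] = a, b
        name = ICMP_TYPES.get(a, "type-%d" % a)
        if a == 3:
            name += "/" + UNREACH_CODES.get(b, "code-%d" % b)
        rec["icmp"] = name
    else:
        rec["sport"], rec["dport"] = a, b
    return rec


def is_dropped_unreachable(line):
    """True when the line records a denied ICMP Destination Unreachable message."""
    rec = parse_ipchains_log(line)
    return bool(rec and rec["proto"] == "ICMP" and rec.get("icmp_type") == 3)


# Constructed sample lines (RFC 5737 documentation addresses), not from the thread.
SAMPLE_LOGS = [
    "Mar 21 18:01:02 gw kernel: Packet log: input DENY eth0 PROTO=1 "
    "203.0.113.9:3 198.51.100.5:1 L=56 S=0x00 I=4711 F=0x0000 T=250",
    "Mar 21 18:01:05 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "203.0.113.9:1234 198.51.100.5:22 L=60 S=0x00 I=4712 F=0x4000 T=50",
]
```

Running `parse_ipchains_log` over the first sample yields an ICMP destination-unreachable/host record rather than "source port 3", which is the misreading the quoted question made.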

