Re: strange requests from Vanguard Securities: 53,137,138
On Sun, Aug 12, 2007 at 12:58:59PM -0400, George wrote:
> In browsing vanguard.com I find it slow, also they cause unexpected
> logging in my /var/log/messages file. To kill these I updated itpables
> to open said ports.
> # /opt/sbin/ziptables.vanguard input
> iptables -I INPUT -j ACCEPT -s 126.96.36.199/24 -p udp \
> -m multiport --ports 53,137,138
> iptables -L
> Why are they examining these ports? No one else is.
> Using a Thinkpad behind a router and my own iptables firewall. Debian
> Test and Sid environments.
You've made a few missteps here.
First, you have assumed that "vanguard.com" is the reason for the
activity on your firewall. If you look at the IP address for vanguard, you'll
see that it has nothing to do with the IP addresses that are hitting your firewall.
To see the IP address of a site, use "host":
$ host vanguard.com
vanguard.com has address 188.8.131.52
vanguard.com has address 184.108.40.206
vanguard.com mail is handled by 100 vanguard.com.s7a1.psmtp.com.
vanguard.com mail is handled by 200 vanguard.com.s7a2.psmtp.com.
vanguard.com mail is handled by 300 vanguard.com.s7b1.psmtp.com.
vanguard.com mail is handled by 400 vanguard.com.s7b2.psmtp.com.
Then, to see who is actually hitting your firewall, use "whois":
$ whois 220.127.116.11
Cablevision Systems Corp. CVNET (NET-167-206-0-0-1)
18.104.22.168 - 22.214.171.124
Cablevision CVNET-A7CEFB00 (NET-167-206-251-0-1)
126.96.36.199 - 188.8.131.52
So you have opened up ports for "Cablevision Systems Corp", when you
want to allow access to Vanguard. Not a good idea. "Cablevision Systems
Corp" is a company that provides broadband network access to homes, so
all these addresses are probably people's home computers.
Secondly, you opened up ports without knowing what they are for. To see
what the ports are for, search in the /etc/services file:
$ grep 53/ /etc/services
domain 53/tcp # name-domain server
$ grep 137/ /etc/services
netbios-ns 137/tcp # NETBIOS Name Service
$ grep 138/ /etc/services
netbios-dgm 138/tcp # NETBIOS Datagram Service
So those ports are for DNS and Microsoft networking. Both services that have a
lot of exploits for them.
The reason you are getting a lot of hits on those ports from those
addresses is because some "hackers" are trying to break into your
system, using known exploits against DNS and Microsoft networking. They
probably aren't succeeding, since you probably don't run a DNS server or
SAMBA. But if you do run one of those, you should be warned.
Finally, there is the idea that you simply opened up the ports to make
the messages in your log file go away. This is a very bad idea. The
firewall is there to stop you from getting hacked. The log file is
there to warn you that someone is trying to hack you. Opening up ports
to stop log file messages is kind of like removing your armour because
you don't like the loud "ping" sound of bullets bouncing off it.
I strongly suggest that you:
1) Close those ports in your firewall.
2) If you really don't like the log messages, then reconfigure your firewall to not
log dropped packets.
3) Use "/etc/services" to see what ports are for, and make sure you understand what
service is running on a port before you open it up.
4) Use "whois" to see the names behind an IP address, and make sure you know who is
behind an address before you open a hole in your firewall for that address.