From owner-freebsd-questions@FreeBSD.ORG Thu Dec 14 09:16:52 2000
Date: Thu, 14 Dec 2000 12:36:43 -0500
From: Jonathan Pennington
To: freebsd-questions@FreeBSD.ORG
Subject: Possible Intrusion...?
Message-ID: <20001214123643.A499@coastalgeology.org>
Reply-To: Jonathan Pennington
References: <001d01c065c8$8ee65c20$4200a8c0@jesus> <20001214083232.L16205@fw.wintelcom.net>
In-Reply-To: <20001214083232.L16205@fw.wintelcom.net>; from bright@wintelcom.net on Thu, Dec 14, 2000 at 08:32:32AM -0800
User-Agent: Mutt/1.2.5i
X-Warning: Bill Gates Controls The Matrix

Got a possible intrusion, and a fairly bare logset. Although I firmly subscribe to the school of "Never ascribe to malice what can adequately be explained by stupidity," it seems that even I couldn't have done this one.

Info: 4.1-RELEASE, CVSuped to -STABLE last night. Config files follow at end, basic network interfaces:

  tun0  pppoe interface
  ed0   internal NIC with 1 win and 1+ *NIX boxen
  ed1   external NIC connected to external DSL modem with dynamic IP address

Did a make buildworld around 11:00pm, went to sleep while it was crunching around midnight thirty. This morning I did make installworld, and rebuilt a kernel, all without a hitch.
Reboot my system and look at the logs to find strangeness. (Comments in brackets: <>)

------------- /var/log/security --------------
Dec 13 18:51:55 bullwinkle /kernel: ipfw: 65435 Accept UDP 10.16.3.35:17072 66.20.127.77:6970 in via tun0
Dec 13 18:51:59 bullwinkle last message repeated 15 times
Dec 13 18:55:25 bullwinkle /kernel: ipfw: 1100 Reset TCP 128.8.128.80:48960 66.20.127.77:113 in via tun0
Dec 13 19:12:15 bullwinkle /kernel: ipfw: 65435 Deny TCP 128.8.128.80:49068 66.20.127.77:113 in via tun0
Dec 13 19:12:25 bullwinkle last message repeated 2 times
Dec 13 21:55:31 bullwinkle tdetect: Traceroute Detector active on ed0
Dec 13 22:08:19 bullwinkle /kernel: ipfw: 65435 Deny TCP 213.26.2.2:23 66.20.126.15:23 in via tun0
Dec 14 01:21:11 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 01:21:14 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 03:16:46 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
Dec 14 03:16:49 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
Dec 14 07:58:35 bullwinkle tdetect: Traceroute Detector active on ed0
Dec 14 11:34:33 bullwinkle tdetect: Traceroute Detector active on ed0
----------- end -----------------

I can't think of a legitimate reason why there would be a traceroute on my internal NIC (doesn't happen on an external traceroute, which I was doing earlier), nor can I imagine why any computer would innocently try to connect to port 23. I've newly installed this system on a test drive, and am moving (i.e. re-installing from CD) onto a new drive shortly, so there's not *too* much of a worry about info loss and I have a full backup of $HOME and can copy and hand edit my /etc/*conf* files. I just want to know if there's an innocent explanation for this. I don't have TCPwrappers or any contrib security stuff installed yet, and the firewall is very basic.
That is all step two of the test after getting a running configurable system (now complete). Any info on this is appreciated, conf files follow. Incidentally, /var/log/messages is empty for that period (FreeBSD doesn't "--Mark--" logs?).

-J

---------------- /etc/rc.conf ---------------
### Basic network and firewall/security options: ###
#
hostname="bullwinkle.coastalgeology.org"
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
firewall_type="simple"          # Firewall type (see /etc/rc.firewall)
ifconfig_ed0="inet 192.168.10.1 netmask 255.255.255.0"
ifconfig_ed1="inet 10.0.0.1 netmask 255.0.0.0 -arp up"
# User ppp configuration.
ppp_enable="YES"                # Start user-ppp (or NO).
ppp_mode="ddial"                # Choice of "auto", "ddial", "direct" or "dedicated".
                                # For details see man page for ppp(8). Default is auto.
ppp_nat="NO"                    # Use PPP's internal network address translation or NO.
ppp_profile="Bellsouth.net"     # Which profile to use from /etc/ppp/ppp.conf.
pppoed_enable="YES"             # Run the PPP over Ethernet daemon.
pppoed_provider="Bellsouth.net" # Provider and ppp(8) config file entry.
pppoed_flags="-P /var/run/pppoed.pid"  # Flags to pppoed (if enabled).
pppoed_interface="ed1"          # The interface that pppoed runs on.
sshd_program="/usr/sbin/sshd"   # path to sshd, if you want a different one.
sshd_enable="YES"               # Enable sshd
sshd_flags=""                   # Additional flags for sshd.
### Network routing options: ###
defaultrouter="NO"              # Set to default gateway (or NO).
static_routes=""                # Set to static route list (or leave empty).
gateway_enable="YES"            # Set to YES if this host will be a gateway.
ipxgateway_enable="YES"         # Set to YES to enable IPX routing.
ipxrouted_enable="NO"           # Set to YES to run the IPX routing daemon.
ipxrouted_flags=""              # Flags for IPX routing daemon.
forward_sourceroute="YES"       # do source routing (only if gateway_enable is set to "YES")
accept_sourceroute="YES"        # accept source routed packets to us
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
##############################################################
### System console options #################################
##############################################################
keyrate="fast"
keymap="us.dvorak"
blanktime="300"                 # blank time (in seconds) or "NO" to turn it off.
saver="logo"                    # screen saver: Uses /modules/${saver}_saver.ko
moused_enable="YES"             # Run the mouse daemon.
moused_type="auto"              # See man page for rc.conf(5) for available settings.
moused_port="/dev/psm0"         # Set to your mouse port.
moused_flags="-3"               # Any additional flags to moused.
allscreens_flags=""             # Set this vidcontrol mode for all virtual screens
##############################################################
### Miscellaneous administrative options ###################
##############################################################
cron_enable="YES"               # Run the periodic job daemon.
lpd_enable="YES"                # Run the line printer daemon.
lpd_program="/usr/sbin/lpd"     # path to lpd, if you want a different one.
lpd_flags=""                    # Flags to lpd (if enabled).
usbd_enable="YES"               # Run the usbd daemon.
usbd_flags=""                   # Flags to usbd (if enabled).
sendmail_flags="-bd -q30m"      # Flags to sendmail (if enabled)
dumpdev="NO"                    # Device name to crashdump to (or NO).
enable_quotas="NO"              # turn on quotas on startup (or NO).
check_quotas="YES"              # Check quotas on startup (or NO).
accounting_enable="NO"          # Turn on process accounting (or NO).
ibcs2_enable="NO"               # Ibcs2 (SCO) emulation loaded at startup (or NO).
linux_enable="YES"              # Linux binary compatibility loaded at startup (or NO).
svr4_enable="NO"                # SysVR4 emulation loaded at startup (or NO).
osf1_enable="NO"                # Alpha OSF/1 emulation loaded at startup (or NO).
rand_irqs="NO"                  # Stir the entropy pool (like "5 11" or NO).
clear_tmp_enable="NO"           # Clear /tmp at startup.
ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib"  # shared library search paths
ldconfig_paths_aout="/usr/lib/compat/aout /usr/X11R6/lib/aout /usr/local/lib/aout"  # a.out shared library search paths
kern_securelevel_enable="NO"    # kernel security level (see init(8)),
kern_securelevel="-1"           # range: -1..3 ; `-1' is the most insecure
update_motd="YES"               # update version info in /etc/motd (or NO)
start_vinum=""                  # set to YES to start vinum
sendmail_enable="NO"
-------------------- end ---------------------

---------------- /etc/rc.firewall ----------------
############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.4 2000/05/28 19:17:15 asmodai Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

# set the command and any command line switches
fwcmd="/sbin/ipfw"
${fwcmd} -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
	fi
	;;
esac

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

##### Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
#####

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost.
# Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ed0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  This example shows that people may connect
# to ssh, smtp and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow log tcp from any to any 22 setup
$fwcmd add pass tcp from any to any 25 setup
#$fwcmd add allow tcp from any 21 to any

# This sends a RESET to all ident packets.
#$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 205.152.0.20 53 out xmit tun0
$fwcmd add allow udp from any to 205.152.0.5 53 out xmit tun0

# Allow them back in with the answers... :)
$fwcmd add allow udp from 205.152.0.0/16 53 to any in recv tun0
$fwcmd add allow udp from 208.140.99.0/24 53 to 192.168.10.2/32 in recv tun0

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Stop spoofing
$fwcmd add deny all from 192.168.10.0/24 to any in via tun0

# Allow IP fragments to pass through
$fwcmd add pass all from any to any frag

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via tun0 setup

# Allow tun0 out
$fwcmd add 65435 allow ip from any to any out xmit tun0

#Allow connection to RealPlayer
$fwcmd add 65435 allow log udp from any to any 6970 in via tun0

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any in via tun0
----------------- end -----------------------

----- ifconfig output (from today, different IP) ----
ed0: flags=8943 mtu 1500
	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
	inet6 fe80::220:78ff:fe13:5ba6%ed0 prefixlen 64 scopeid 0x1
	ether 00:20:78:13:5b:a6
ed1: flags=88c3 mtu 1500
	inet6 fe80::250:baff:fea2:9320%ed1 prefixlen 64 scopeid 0x2
	inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
	ether 00:50:ba:a2:93:20
lp0: flags=8810 mtu 1500
ds0: flags=8008 mtu 65532
faith0: flags=8000 mtu 1500
gif0: flags=8010 mtu 1280
gif1: flags=8010 mtu 1280
gif2: flags=8010 mtu 1280
gif3: flags=8010 mtu 1280
lo0: flags=8049 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
tun0: flags=8051 mtu 1492
	inet6 fe80::220:78ff:fe13:5ba6%tun0 --> :: prefixlen 64 scopeid 0xd
	inet 66.20.126.139 --> 66.20.126.1 netmask 0xff000000
	Opened by PID 490
------------------end----------------------------

-------------- ipfw.today ------------------------
00200     0      0 deny ip from any to 127.0.0.0/8
65435     0      0 deny ip from 192.168.10.0/24 to any in recv tun0
65435     3    136 deny log logamount 100 tcp from any to any in recv tun0 setup
65435     0      0 deny log logamount 100 ip from any to any in recv tun0
---------------- end -----------------------------

Others available upon request. Thanks.

-- 
Jonathan Pennington       | http://coastalgeology.org
Site Manager              | Protection and stewardship
CoastalGeology.Org (CGO)  | through public education.
john@coastalgeology.org   | Join CGO, make a difference.
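The /var/log/security excerpt quoted in the post is in the standard ipfw(8) syslog form ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <iface>"), interleaved with syslog's "last message repeated N times" lines and unrelated tdetect messages. The script below is an added example and not part of the original post or of FreeBSD; it parses that format, folds the repeat lines into the preceding entry, and reports per source address which rule actions hit which destination ports, which is the first thing to do before deciding whether a handful of denied SYNs to 23 and 27374 on a dial-up address is anything more than background scanning. The sample log text is constructed from the lines quoted above; the regular expression and the function names are this example's own assumptions about the format.

```python
"""Summarise ipfw(8) log lines of the kind found in /var/log/security.

Added example, not code from the original post. Parses the
"ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <iface>"
format, folds syslog's "last message repeated N times" into the preceding
entry, and counts, per remote source address, how many packets each rule
action saw on which destination ports.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries quoted in the post.
SAMPLE_LOG = """\
Dec 13 18:51:55 bullwinkle /kernel: ipfw: 65435 Accept UDP 10.16.3.35:17072 66.20.127.77:6970 in via tun0
Dec 13 18:51:59 bullwinkle last message repeated 15 times
Dec 13 18:55:25 bullwinkle /kernel: ipfw: 1100 Reset TCP 128.8.128.80:48960 66.20.127.77:113 in via tun0
Dec 13 19:12:15 bullwinkle /kernel: ipfw: 65435 Deny TCP 128.8.128.80:49068 66.20.127.77:113 in via tun0
Dec 13 19:12:25 bullwinkle last message repeated 2 times
Dec 13 21:55:31 bullwinkle tdetect: Traceroute Detector active on ed0
Dec 14 01:21:11 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 01:21:14 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 03:16:46 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
"""

# Assumed layout of an ipfw log line as written by the kernel (see the quoted log).
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times$")


def parse_ipfw_log(text):
    """Return one dict per ipfw log line, each with a 'count' field.

    A syslog "last message repeated N times" line adds N to the count of the
    entry before it; lines from other programs (tdetect here) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            e = m.groupdict()
            for k in ("rule", "sport", "dport"):
                e[k] = int(e[k])
            e["count"] = 1
            entries.append(e)
            continue
        r = REPEAT_RE.search(line)
        if r and entries:
            entries[-1]["count"] += int(r.group("n"))
    return entries


def summarise_by_source(entries, iface="tun0"):
    """Map source IP -> {(action, proto, dport): packets} for inbound traffic on iface."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e["iface"] != iface or e["dir"] != "in":
            continue
        summary[e["src"]][(e["action"], e["proto"], e["dport"])] += e["count"]
    return {src: dict(v) for src, v in summary.items()}


def denied_ports(entries):
    """Destination ports denied on the way in, with total packet counts."""
    ports = defaultdict(int)
    for e in entries:
        if e["action"] == "Deny" and e["dir"] == "in":
            ports[e["dport"]] += e["count"]
    return dict(ports)


if __name__ == "__main__":
    parsed = parse_ipfw_log(SAMPLE_LOG)
    for src, stats in sorted(summarise_by_source(parsed).items()):
        for (action, proto, dport), n in sorted(stats.items()):
            print(f"{src:>16}  {action:<6} {proto:<4} dport {dport:<6} {n:>3} pkt(s)")
    print("denied inbound ports:", denied_ports(parsed))
```

Feed it the real file with `parse_ipfw_log(open("/var/log/security").read())`. On the constructed sample the summary shows the RealPlayer UDP stream (rule 65435, 16 packets accepted), three ident (113) attempts from one host, two SYNs to 27374 and one to 23, each from a single source. Note that the "Accept" line is logged because the RealPlayer rule in the posted ruleset carries the `log` keyword, not because anything unusual happened.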