Date: Thu, 14 Dec 2000 12:36:43 -0500
From: Jonathan Pennington <john@coastalgeology.org>
To: freebsd-questions@FreeBSD.ORG
Subject: Possible Intrusion...?
Message-ID: <20001214123643.A499@coastalgeology.org>
In-Reply-To: <20001214083232.L16205@fw.wintelcom.net>; from bright@wintelcom.net on Thu, Dec 14, 2000 at 08:32:32AM -0800
References: <001d01c065c8$8ee65c20$4200a8c0@jesus> <20001214083232.L16205@fw.wintelcom.net>
Got a possible intrusion, and a fairly bare logset. Although I firmly
subscribe to the school of "Never ascribe to malice what can
adequately be explained by stupidity," it seems that even I couldn't
have done this one.
Info:
4.1-RELEASE, CVSuped to -STABLE last night.
Config files follow at end, basic network interfaces:
tun0 pppoe interface
ed0 internal NIC with 1 win and 1+ *NIX boxen
ed1 external NIC connected to external DSL modem with dynamic
IP address
Did a make buildworld around 11:00pm, went to sleep while it was
crunching around midnight thirty. This morning I did make
installworld, and rebuilt a kernel, all without a hitch. Reboot my
system and look at the logs to find strangeness.
(Comments in brackets: <>)
------------- /var/log/security --------------
Dec 13 18:51:55 bullwinkle /kernel: ipfw: 65435 Accept UDP 10.16.3.35:17072 66.20.127.77:6970 in via tun0
Dec 13 18:51:59 bullwinkle last message repeated 15 times
<Explained: happened when real audio was used on lan win computer>
Dec 13 18:55:25 bullwinkle /kernel: ipfw: 1100 Reset TCP 128.8.128.80:48960 66.20.127.77:113 in via tun0
Dec 13 19:12:15 bullwinkle /kernel: ipfw: 65435 Deny TCP 128.8.128.80:49068 66.20.127.77:113 in via tun0
Dec 13 19:12:25 bullwinkle last message repeated 2 times
<Explained: ident stuff, still working on this>
<Rest is unexplained>
Dec 13 21:55:31 bullwinkle tdetect: Traceroute Detector active on ed0
Dec 13 22:08:19 bullwinkle /kernel: ipfw: 65435 Deny TCP 213.26.2.2:23 66.20.126.15:23 in via tun0
Dec 14 01:21:11 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 01:21:14 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 03:16:46 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
Dec 14 03:16:49 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
Dec 14 07:58:35 bullwinkle tdetect: Traceroute Detector active on ed0
Dec 14 11:34:33 bullwinkle tdetect: Traceroute Detector active on ed0
----------- end -----------------
I can't think of a legitimate reason why there would be a traceroute
on my internal NIC (doesn't happen on an external traceroute, which I
was doing earlier), nor can I imagine why any computer would
innocently try to connect to port 23.
I've newly installed this system on a test drive, and am moving
(i.e. re-installing from CD) onto a new drive shortly, so there's not
*too* much of a worry about info loss and I have a full backup of
$HOME and can copy and hand edit my /etc/*conf* files. I just want to
know if there's an innocent explanation for this. I don't have
TCPwrappers or any contrib security stuff installed yet, and the
firewall is very basic. That is all step two of the test after getting
a running configurable system (now complete).
Any info on this is appreciated, conf files follow. Incidentally,
/var/log/messages is empty for that period (FreeBSD doesn't "--Mark--"
logs?).
-J
---------------- /etc/rc.conf ---------------
### Basic network and firewall/security options: ###
#
hostname="bullwinkle.coastalgeology.org"
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="simple" # Firewall type (see /etc/rc.firewall)
ifconfig_ed0="inet 192.168.10.1 netmask 255.255.255.0"
ifconfig_ed1="inet 10.0.0.1 netmask 255.0.0.0 -arp up"
# User ppp configuration.
ppp_enable="YES" # Start user-ppp (or NO).
ppp_mode="ddial" # Choice of "auto", "ddial", "direct" or "dedicated".
# For details see man page for ppp(8). Default is auto.
ppp_nat="NO" # Use PPP's internal network address translation or NO.
ppp_profile="Bellsouth.net" # Which profile to use from /etc/ppp/ppp.conf.
pppoed_enable="YES" # Run the PPP over Ethernet daemon.
pppoed_provider="Bellsouth.net" # Provider and ppp(8) config file entry.
pppoed_flags="-P /var/run/pppoed.pid" # Flags to pppoed (if enabled).
pppoed_interface="ed1" # The interface that pppoed runs on.
sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one.
sshd_enable="YES" # Enable sshd
sshd_flags="" # Additional flags for sshd.
### Network routing options: ###
defaultrouter="NO" # Set to default gateway (or NO).
static_routes="" # Set to static route list (or leave empty).
gateway_enable="YES" # Set to YES if this host will be a gateway.
ipxgateway_enable="YES" # Set to YES to enable IPX routing.
ipxrouted_enable="NO" # Set to YES to run the IPX routing daemon.
ipxrouted_flags="" # Flags for IPX routing daemon.
forward_sourceroute="YES" # do source routing (only if gateway_enable is set to "YES")
accept_sourceroute="YES" # accept source routed packets to us
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
##############################################################
### System console options #################################
##############################################################
keyrate="fast"
keymap="us.dvorak"
blanktime="300" # blank time (in seconds) or "NO" to turn it off.
saver="logo" # screen saver: Uses /modules/${saver}_saver.ko
moused_enable="YES" # Run the mouse daemon.
moused_type="auto" # See man page for rc.conf(5) for available settings.
moused_port="/dev/psm0" # Set to your mouse port.
moused_flags="-3" # Any additional flags to moused.
allscreens_flags="" # Set this vidcontrol mode for all virtual screens
##############################################################
### Miscellaneous administrative options ###################
##############################################################
cron_enable="YES" # Run the periodic job daemon.
lpd_enable="YES" # Run the line printer daemon.
lpd_program="/usr/sbin/lpd" # path to lpd, if you want a different one.
lpd_flags="" # Flags to lpd (if enabled).
usbd_enable="YES" # Run the usbd daemon.
usbd_flags="" # Flags to usbd (if enabled).
sendmail_flags="-bd -q30m" # Flags to sendmail (if enabled)
dumpdev="NO" # Device name to crashdump to (or NO).
enable_quotas="NO" # turn on quotas on startup (or NO).
check_quotas="YES" # Check quotas on startup (or NO).
accounting_enable="NO" # Turn on process accounting (or NO).
ibcs2_enable="NO" # Ibcs2 (SCO) emulation loaded at startup (or NO).
linux_enable="YES" # Linux binary compatibility loaded at startup (or NO).
svr4_enable="NO" # SysVR4 emulation loaded at startup (or NO).
osf1_enable="NO" # Alpha OSF/1 emulation loaded at startup (or NO).
rand_irqs="NO" # Stir the entropy pool (like "5 11" or NO).
clear_tmp_enable="NO" # Clear /tmp at startup.
ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib"
# shared library search paths
ldconfig_paths_aout="/usr/lib/compat/aout /usr/X11R6/lib/aout /usr/local/lib/aout"
# a.out shared library search paths
kern_securelevel_enable="NO" # kernel security level (see init(8)),
kern_securelevel="-1" # range: -1..3 ; `-1' is the most insecure
update_motd="YES" # update version info in /etc/motd (or NO)
start_vinum="" # set to YES to start vinum
sendmail_enable="NO"
-------------------- end ---------------------
---------------- /etc/rc.firewall ----------------
############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.4 2000/05/28 19:17:15 asmodai Exp $
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
    . /etc/defaults/rc.conf
    source_rc_confs
elif [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
fi
# set the command and any command line switches
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
        fi
        ;;
esac
############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
##### Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
#####
# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0
# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ed0
# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup
# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via tun0 established
# Everyone on the internet is allowed to connect to the following
# services on the machine. This example shows that people may connect
# to ssh, smtp and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow log tcp from any to any 22 setup
$fwcmd add pass tcp from any to any 25 setup
#$fwcmd add allow tcp from any 21 to any
# This sends a RESET to all ident packets.
#$fwcmd add reset log tcp from any to any 113 in recv tun0
# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 205.152.0.20 53 out xmit tun0
$fwcmd add allow udp from any to 205.152.0.5 53 out xmit tun0
# Allow them back in with the answers... :)
$fwcmd add allow udp from 205.152.0.0/16 53 to any in recv tun0
$fwcmd add allow udp from 208.140.99.0/24 53 to 192.168.10.2/32 in recv tun0
# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any
# Stop spoofing
$fwcmd add deny all from 192.168.10.0/24 to any in via tun0
# Allow IP fragments to pass through
$fwcmd add pass all from any to any frag
# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via tun0 setup
# Allow tun0 out
$fwcmd add 65435 allow ip from any to any out xmit tun0
#Allow connection to RealPlayer
$fwcmd add 65435 allow log udp from any to any 6970 in via tun0
# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any in via tun0
----------------- end -----------------------
----- ifconfig output (from today, different IP) ----
ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
inet6 fe80::220:78ff:fe13:5ba6%ed0 prefixlen 64 scopeid 0x1
ether 00:20:78:13:5b:a6
ed1: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::250:baff:fea2:9320%ed1 prefixlen 64 scopeid 0x2
inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
ether 00:50:ba:a2:93:20
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ds0: flags=8008<LOOPBACK,MULTICAST> mtu 65532
faith0: flags=8000<MULTICAST> mtu 1500
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet6 fe80::220:78ff:fe13:5ba6%tun0 --> :: prefixlen 64 scopeid 0xd
inet 66.20.126.139 --> 66.20.126.1 netmask 0xff000000
Opened by PID 490
------------------end----------------------------
-------------- ipfw.today ------------------------
00200 0 0 deny ip from any to 127.0.0.0/8
65435 0 0 deny ip from 192.168.10.0/24 to any in recv tun0
65435 3 136 deny log logamount 100 tcp from any to any in recv tun0 setup
65435 0 0 deny log logamount 100 ip from any to any in recv tun0
---------------- end -----------------------------
Others available upon request. Thanks.
--
Jonathan Pennington | http://coastalgeology.org
Site Manager | Protection and stewardship
CoastalGeology.Org (CGO) | through public education.
john@coastalgeology.org | Join CGO, make a difference.
