Koozali.org: home of the SME Server

Where do I top up my box with more PINGs...

Robert Harlow

Where do I top up my box with more PINGs...
« on: October 02, 2003, 08:58:31 PM »
...as the darned thing has sent out so many recently that it surely must be running out;~/

SME5.6u4 server/gateway - staticIP - rural wireless broadband

Have Guardian/Snort/ACID on board now, the number of foreign countries using/abusing my pinger is, frankly, ludicrous. I am unable to get the combo to block the icmp pinger fraternity. Yes, it does block the occasional scan and IDA idiocy etc etc. But it never takes any action to quell the persistent pingers:-(

I have been attempting to turn OFF the ping responder but still maintain whatever ping functionality System Monitor needs to produce its gateway charts. The production of that particular chart is an absolute necessity.

Searching the database has revealed nothing edifying. The nearest I get is an inappropriate spiel on the use of ipchains and DENY. For some unknown reason my box does not like the ipchains command or the DENY attribute but laps up the iptables command and DROP attribute. Please tailor any advice accordingly!

Have tried the following to quash my box's unfortunate propensity to be ingratiatingly helpful to all my Dutch, Israeli, Russian, French or Romanian incoming/probing ping requests...

/sbin/iptables -A INPUT --destination mystaticIP/32 --protocol icmp --icmp-type echo-request -j DROP -i eth1

...but seemingly this is ineffective. So I have also tried (permanently) blocking the IPs of the most persistent offenders, the never-let-up zombie that ACID keeps identifying, using...

/sbin/iptables -A INPUT -t filter -j DROP -s zombieIP

...but an hour later I see the same damn IPs appearing on the ACID report lines:-|

Why can't I get my SME box to quit responding to probing pings?

best wishes, Robert

Dan Brown

Re: Where do I top up my box with more PINGs...
« Reply #1 on: October 02, 2003, 09:11:41 PM »
Your box doesn't like ipchains because it's running a 2.4 series kernel.  ipchains belonged to 2.2.

A quick google search of "iptables block icmp" came up with a page that looks helpful:

http://www.linuxquestions.org/questions/archive/4/2002/06/2/22708

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #2 on: October 02, 2003, 09:30:49 PM »
VERY helpful Dan, had not thought that Google would have a SME-compatible workaround:-) Have undone my existing icmp-type command line using -D and now having a go with those four ACCEPT clauses and the associated jump clause. Will advise results dreckly... :-)

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #3 on: October 02, 2003, 10:09:05 PM »
ACID report lines seem a *bit* more sparse than I have seen of late, probably need a bit more time to evaluate. There's one ICMP PING CyberKit 2.2 Windows line listed, perhaps the report was in a buffer somewhere or something.

Absolute disaster for the System Monitor's gateway (packet loss and latency), it looks completely knackered and wholly unusable. The production of the gateway packet loss and latency graphs is pretty much a necessity here:-|

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #4 on: October 02, 2003, 10:33:12 PM »
SME 5.6 uses iptables instead of ipchains. The INPUT table routes incoming icmp traffic to the icmpIn table.

You can get a better idea of what pings are coming in with:

iptables -L icmpIn -v                   (that's a capital "L" and lower case "v")

That will show the number of packets and bytes for each of the incoming icmp types the machine is set up to handle.

You can see what your outbound icmp traffic looks like with:

iptables -L icmpOut -v


I have made a small mod to my masq configuration to DROP the Cyberkit 2.2 pings but leave the rest of icmp intact. The Cyberkit pings are somewhat unique in that they are 92 bytes long and that makes them easy to filter based on length. If the pings used by your reporting package are unique enough, you will be able to pass them while blocking all other pings.

A more detailed description of the traffic you're trying to stop would be helpful in tailoring a solution.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #5 on: October 02, 2003, 11:23:54 PM »
Ray

With your command lines I see...
icmpIn 10MB echo-reply
icmpOut 12MB echo-request

Simplistically I would like to silence my box from responding to any ping requests whether they be benign or intrusive/probing. Would like all the error lines in ACID to be sporadic ie normal? instead of all these (apparent) alarm line entries. My box is not mainstream. It does not have to support all this ping activity that is going on!

Coincidentally the broadband guys have just *done something*. Earlier they were intending to install a new/spare router. Now all hell seems to have broken loose.

I will have to return to the earlier test in due course as even though I've normalised those iptables lines my System Monitor's gateway packet loss and latency graphs are still a disaster and my connectivity is distinctly strange and iffy. Shades of bedlam at the moment. I picked a very bad time to mess with server iptables:-|

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #6 on: October 03, 2003, 09:15:52 AM »
The joy of doing things the "e-smith way" is that you can simply delete your custom templates, rebuild the config file, and you're back to factory defaults. Annoying system that I curse on a regular basis but it's saved my bacon on many occasions.

I'm not sure you can kill icmp completely and still get proper reporting from your bandwidth/latency monitor.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #7 on: October 03, 2003, 11:48:31 PM »
The broadband engineers have finished faffing about (for the moment) and I'm finally back in service.

That disastrous looking System Monitor gateway graph (packet loss/latency) was actually the portent of the broadband *episode* and not anything to do with the command lines that I had just input:-) Those five lines are now running once again and the graph is (seemingly) as it ought to be... Progress!

Too soon to say whether it (alone) stops my ever-persistent pests' pings. It certainly hasn't stopped all the incoming ping requests, still have *ICMP PING CyberKit 2.2 Windows* logging lines appearing in ACID.

Now trying the echo 1/0 idea promulgated in Dan's Google-sourced reference... and, nope, still getting report lines in ACID:~/

So, even both ideas running concurrently, my ACID logs still report these pointless ping requests and my box still wastes its resources responding. The only winners appear to be the pests getting their rocks off receiving ping responses from my box...(!?) What have I to do to stop this foolishness...

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #8 on: October 03, 2003, 11:57:25 PM »
Ray, you mentioned a minor mod to masq to specifically drop Cyberkit pings... Is this something I can attempt...? The absolute majority of the logging lines are listed as *ICMP PING CyberKit 2.2 Windows*.

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #9 on: October 04, 2003, 06:02:32 AM »
This is what I did to block the "Cyberkit 2.2" pings that are being generated by worm-infected computers. I had posted a less detailed version looking for comments from those more experienced but didn't get any response. None of this is original thinking. I've just compiled a LOT of reading into a masq modification done the e-smith way. Comments, suggestions, and flames are all welcome.

This mod requires an iptables module that was not included with version 1.2.5-3 used in SME 5.6. The module is included in the previous version so I located and downloaded a copy of
iptables-1.2.5-2.i386.rpm. Once this rpm is on your SME box, use Midnight Commander to extract just /lib/iptables/libipt_length.so and copy it to the hard drive at /lib/iptables/libipt_length.so. Midnight Commander will let you browse and copy files in an rpm the same as you do in the rest of the file system.

If you haven't already, create a custom template directory for masq
    mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Copy the icmpin template fragment to the appropriate custom template directory
    cp /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowICMPIn /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

Edit the custom template fragment
    pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

Down about line 25 it says "foreach my $icmpType (@OKicmpTypes)".
Just above that line add the following as a single line:
    $OUT .= "\n    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF -m length --length 92 --jump DROP\n\n";

I also added a comment explaining the new rule because my memory isn't quite what it used to be
    $OUT .= "\n    # Rule added to block incoming pings from the Nachi/Welchia worm\n";

Save the file

Rebuild the masq configuration file
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq

Restart masq
    service masq restart

Snort will still detect the incoming "Cyberkit 2.2 pings" but you can stop that by commenting out the Cyberkit detection rule in /etc/snort/icmp.rules down about line 29. Restart snort with "service snortd restart". You can verify the 92 byte pings are being dropped with "iptables -L icmpIn -v" and you can verify your server is not responding to them with "iptables -L icmpOut -v". You will likely still see a few echo requests and replies as the point of this hack is to dull the worm's roar without breaking icmp completely. At the time of this writing I have 42,705 dropped 92 byte echo requests and just 84 accepted echo requests. And the expected 84 echo replies of course.
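As an added illustration (not part of Ray's post or of the SME templates), here is a small Python model of what that 92-byte rule matches: it builds constructed ICMP echo datagrams and applies the same predicate the template fragment installs, so you can see that `-m length --length 92` is tested against the whole IP datagram (header included, so a 64-byte ping payload lands exactly on 92) while echo replies and normal-sized pings pass. The packet builder, the placeholder addresses and the 0xAA fill byte are assumptions made for the demo.

```python
import struct

ICMP_PROTO = 1
ECHO_REPLY, ECHO_REQUEST = 0, 8
IP_HEADER_LEN = 20

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_packet(payload: bytes, icmp_type: int = ECHO_REQUEST) -> bytes:
    """Constructed sample IPv4 datagram carrying an ICMP echo (not a real capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    # Minimal 20-byte IPv4 header: v4/IHL5, TOS, total length, id, flags/frag,
    # TTL, protocol=ICMP, header checksum (left zero), placeholder src/dst.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + len(icmp),
                         0, 0, 64, ICMP_PROTO, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip_hdr + icmp

def matches_drop_rule(packet: bytes, length: int = 92) -> bool:
    """Mirror of '--proto icmp --icmp-type echo-request -m length --length 92'.
    The interface test (--in-interface $OUTERIF) is not visible in the bytes."""
    if len(packet) < IP_HEADER_LEN or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    # Protocol is checked before the ICMP type; -m length sees the whole datagram.
    if packet[9] != ICMP_PROTO or total_len != length:
        return False
    return packet[ihl] == ECHO_REQUEST

def classify(packets):
    """Return (dropped, passed) counts, like the pkts column of 'iptables -L icmpIn -v'."""
    dropped = sum(1 for p in packets if matches_drop_rule(p))
    return dropped, len(packets) - dropped

# Constructed traffic mix: worm-style 64-byte payload (20 + 8 + 64 = 92 bytes), a default
# Linux ping (56-byte payload, 84 bytes), a Windows ping (32 bytes, 60 bytes), and a
# 92-byte echo reply, which the rule must leave alone.
SAMPLE_PACKETS = [
    build_icmp_packet(b"\xaa" * 64),
    build_icmp_packet(b"\x00" * 56),
    build_icmp_packet(b"\x00" * 32),
    build_icmp_packet(b"\xaa" * 64, icmp_type=ECHO_REPLY),
]
```

Running `classify(SAMPLE_PACKETS)` gives `(1, 3)`: only the 92-byte echo request is dropped, matching the single DROP counter Ray describes seeing climb while ordinary pings stay in the ACCEPT count.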

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #10 on: October 04, 2003, 05:53:03 PM »
Ray

All this looks really good but I can't replicate your initial step;~/

I already have the CD of the previous version of SME (5.5) but it does not seem to have the module you quoted.

Indeed SME-5.5 hasn't even got iptables but ipchains... something I picked up from Dan (due to kernel change). Please would you check your paragraph relating to the starting conditions ie that special module and its whereabouts?

Have tried rpmfinder but have drawn a blank there and their UK-based mirror seems unavailable at the moment.

So, a bit stumped. Currently downloading all the RH7.2 iso files in the hope that it is embedded in those editions...

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #11 on: October 04, 2003, 06:52:40 PM »
Downloaded both RH7.7 iso files - F3/view in MC and then F7/search for the string libipt_length.so but found nothing.

Then tried the RH9 iso files and the F7/search string threw up a hit in the first iso file, so it may be worth my while bringing forward the burning of those iso files into CDs:-) Assuming this is successful do you foresee a problem using that library file ie from a more modern distribution?

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #12 on: October 04, 2003, 07:42:44 PM »
Sorry for the confusion. I meant the previous version of iptables. Google for iptables-1.2.5-2.i386.rpm and you should find several places to download from.

As far as I can tell, the dash versions are mostly just bug fixes so I figured there wouldn't be much harm in trying a module from a distribution that was just one dash rev lower. Iptables does complain if you try to load a module from a different decimal rev like iptables-1.2.8 for example.

A better solution would be to compile libipt_length.so from the iptables-1.2.5-3.src.rpm but that's a bit beyond my abilities right now.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #13 on: October 04, 2003, 11:21:11 PM »
Ray

It's taken me all day to give up searching for a way for MC to extract that file from the rpm. I have also now d/l all three redhat-9 iso files and both redhat-7.2 files. Found an appropriate iptables area on the 1st disc of the RH9 set but think that it is too modern - as per your comment. Finally I found another way to extract the file using a command line thing called rpm2cpio.

I have followed the rest of your instructions. After the point where masq restarts I get the following reported...

-----------------------------------------
[root@nas600 masq]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables v1.2.5: Unknown arg --icmp-type'
Try iptables -h' or 'iptables --help' for more information.
/etc/init.d/masq: echo-request: command not found
/etc/init.d/masq: DROP: command not found
/etc/init.d/masq: worm: command not found
done
[root@nas600 masq]#
-----------------------------------------

Any comments?

best wishes, Robert

Charlie Brady

Re: Where do I top up my box with more PINGs...
« Reply #14 on: October 05, 2003, 12:47:21 AM »
Robert Harlow wrote:

> Enabling IP masquerading: iptables v1.2.5: Unknown arg
> --icmp-type'

This usually means that you have "--icmp-type xxx" without a preceding "--protocol icmp".

From "man iptables":

   icmp
       This extension is loaded if --protocol icmp' is specified.  It provides
       the following option:

       --icmp-type [!] typename
              This allows specification of the ICMP type, which can be a
              numeric ICMP type, or one of the ICMP type names shown by
              the command
                  iptables -p icmp -h

Charlie