Koozali.org: home of the SME Server

Pls help - seven days of port scans/DOS

tbcomputing

Pls help - seven days of port scans/DOS
« on: November 28, 2004, 09:47:42 PM »
Help

For seven days I've had lines like this:

Nov 26 18:29:36 tbc01 kernel: denylog:IN=eth1 OUT= MAC=00:a0:24:cf:4e:4a:00:90:d0:0b:0e:e2:08:00 SRC=200.193.77.37 DST=81.154.14.0 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=48650 DF PROTO=TCP SPT=50654 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

in my log files.

I hadn't noticed until today, when everything slowed to a crawl.

So far 6.01.01 seems to have resisted everything, but I'd love to stop it.

Is it purely machine-generated, or could I have upset someone who started it?

Any security gurus here?

PLEASE

TIA

Tony

guest22

Pls help - seven days of port scans/DOS
« Reply #1 on: November 28, 2004, 10:15:01 PM »
Hi Tony,

You're right, SME Server blocks it as it is supposed to do. But there is nothing you can do about the stupid actions of stupid people...

Don't worry, simply ignore it.

RequestedDeletion

tbcomputing

Pls help - seven days of port scans/DOS
« Reply #2 on: November 28, 2004, 10:22:47 PM »
Thanks for that. The reassurance helps....but I'd really like to stick the whole lot up the ar** of the person who did it....and I'm not a violent man!

Tony

NickR
Pls help - seven days of port scans/DOS
« Reply #3 on: November 28, 2004, 10:35:47 PM »
You should expect to see plenty of scans of ports 135-139 & 445, as these are the ports Windross uses to discover nearby computers running Windross.
It's lazy admins who are responsible for allowing this noise out onto the 'net, but it's not harmful as such.
--
Nick......

tbcomputing

Pls help - seven days of port scans/DOS
« Reply #4 on: November 28, 2004, 10:43:28 PM »
Thanks for that too.

Perhaps the log line I posted was not a good example. I've had every port in the known universe scanned multiple times for seven days, usually 4-5 scans per minute - surely I shouldn't expect that...should I?

Tony

NickR
Pls help - seven days of port scans/DOS
« Reply #5 on: November 28, 2004, 11:06:56 PM »
IME, yes, you should expect plenty of scans from all over the planet. Scans are OK; it's vulnerable services you need to be concerned about. Don't run anything on the external interface that you don't actually need (FTP & SSH being 2 obvious ones).
--
Nick......

tbcomputing

Pls help - seven days of port scans/DOS
« Reply #6 on: November 28, 2004, 11:50:06 PM »
OK, thanks for that. Just checked, and those services are, as I thought, turned off. Would still be interested to know how many scans others are getting on a daily basis. I'm going to analyse my log and post the number for a 24-hour period.

Anyone else willing to do the same, say from midnight Saturday to midnight Sunday?

Tony
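One way to do the 24-hour count Tony describes, as an added example that is not part of the original thread or of SME Server: it parses lines in the denylog format he posted, keeps only those inside a chosen window, and reports the figures people compare later in the thread (total, average and peak per minute, busiest destination ports, noisiest sources). The first sample line is the one from the post; the remaining lines, the 2004 year (syslog timestamps carry none), the midnight-to-midnight window of Saturday 27 November and the RFC 5737 addresses are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Syslog prefix followed by the netfilter "key=value" fields, as in the posted line.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ kernel: denylog:(?P<rest>.*)$"
)


def parse_line(line, year=2004):
    """Return a dict for one denylog line, or None for anything else (e.g. sshd lines).
    Syslog timestamps carry no year, so the caller supplies one (2004 is assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    fields, flags = {}, set()
    for tok in m["rest"].split():
        if "=" in tok:
            key, _, val = tok.partition("=")   # "OUT=" yields an empty value, which is fine
            fields[key] = val
        else:
            flags.add(tok)                     # bare tokens such as DF, SYN, ACK
    return {"ts": ts, "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT"), "flags": flags}


def events_in_window(lines, start, end, year=2004):
    """Parsed denylog events with start <= timestamp < end (non-denylog lines are skipped)."""
    return [e for e in (parse_line(l, year) for l in lines) if e and start <= e["ts"] < end]


def summarise(lines, start, end, year=2004):
    """The figures the thread compares: count, average and peak per minute,
    busiest destination ports and noisiest source addresses."""
    events = events_in_window(lines, start, end, year)
    by_port = Counter(f"{e['proto']}/{e['dpt']}" for e in events)
    by_src = Counter(e["src"] for e in events)
    by_minute = Counter(e["ts"].replace(second=0) for e in events)
    minutes = (end - start).total_seconds() / 60
    return {
        "total": len(events),
        "avg_per_minute": len(events) / minutes,
        "peak_per_minute": max(by_minute.values(), default=0),
        "distinct_sources": len(by_src),
        "top_ports": by_port.most_common(3),
        "top_sources": by_src.most_common(3),
    }


MAC = "MAC=00:a0:24:cf:4e:4a:00:90:d0:0b:0e:e2:08:00"
# Constructed sample log: the first line is the one from the post, the rest are made up
# for this example (RFC 5737 documentation addresses) and are not real log data.
SAMPLE_LOG = f"""\
Nov 26 18:29:36 tbc01 kernel: denylog:IN=eth1 OUT= {MAC} SRC=200.193.77.37 DST=81.154.14.0 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=48650 DF PROTO=TCP SPT=50654 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 00:00:05 tbc01 kernel: denylog:IN=eth1 OUT= {MAC} SRC=192.0.2.10 DST=81.154.14.0 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3001 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 00:00:20 tbc01 kernel: denylog:IN=eth1 OUT= {MAC} SRC=192.0.2.10 DST=81.154.14.0 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3002 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 09:15:42 tbc01 kernel: denylog:IN=eth1 OUT= {MAC} SRC=198.51.100.7 DST=81.154.14.0 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=7 DF PROTO=TCP SPT=4433 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:00:00 tbc01 sshd[1234]: Did not receive identification string from 198.51.100.7
Nov 27 17:48:01 tbc01 kernel: denylog:IN=eth1 OUT= {MAC} SRC=203.0.113.99 DST=81.154.14.0 LEN=418 TOS=0x00 PREC=0x00 TTL=120 ID=9 PROTO=UDP SPT=1026 DPT=1026 LEN=398
Nov 27 23:59:59 tbc01 kernel: denylog:IN=eth1 OUT= {MAC} SRC=192.0.2.10 DST=81.154.14.0 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=3003 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 28 00:00:00 tbc01 kernel: denylog:IN=eth1 OUT= {MAC} SRC=198.51.100.7 DST=81.154.14.0 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=8 DF PROTO=TCP SPT=4434 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Assumed window: midnight Saturday 27 Nov 2004 to midnight Sunday 28 Nov 2004.
WINDOW_START = datetime(2004, 11, 27)
WINDOW_END = WINDOW_START + timedelta(days=1)


def sample_summary():
    return summarise(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key}: {value}")
```

On a real box you would feed it `/var/log/messages` (or wherever SME writes kernel logs) instead of SAMPLE_LOG; the Nov 26 line and the Nov 28 00:00:00 line fall outside the half-open window and are not counted, and the sshd line is ignored because it is not a denylog entry.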

NickR
Pls help - seven days of port scans/DOS
« Reply #7 on: November 29, 2004, 04:21:14 AM »
1,990 on my server here and 590 on a random other server located at a client on a different ISP. It's really very dependent on what the script kiddies are up to this week, how noisy machines on your bit of the 'net are, etc.

My advice is: don't drive yourself mad trying to read anything into these scans - install Snort if you want a better overview of what's trying to get in, and have a read of http://isc.sans.org/index.php on a regular basis to see what's happening. As you'll note from the map on the right at that URL, 445 traffic is big in Europe, but not nearly so much elsewhere.
--
Nick......

Reinhold
Pls help - seven days of port scans/DOS
« Reply #8 on: November 29, 2004, 03:38:15 PM »
Tony,

3576 in the timeframe you asked for...
about half DPT=135, the other half DPT=445.
Happens if you are in a newbie branch of your 2MBit provider <sigh>.

What you can do is change iptables to DROP (so no message is written)
and/or handle things via Snort/ACID...

What YOU should NOT DO is WORRY about stuff SME does find and reject ... it just fills your hard disk space .-)
As far as I am concerned, there's serious doubt "Bill" will ever fix these newbie traps :-/

Regards
Reinhold
............

tbcomputing

Pls help - seven days of port scans/DOS
« Reply #9 on: November 29, 2004, 11:09:33 PM »
Hi

Are you all sure nobody's got it in for me?

7114 entries in the log for the same period.

Tony

Reinhold
Pls help - seven days of port scans/DOS
« Reply #10 on: December 01, 2004, 10:30:26 AM »
Quote
Are you all sure nobody's got it in for me?


Be assured that the log entries, all 7k of them, prove that "this guy" did not gain entry <grin>
...that's what they say.

If you still worry:
disable external access (ftp, ssh),
install rkhunter,
back up your stuff (regularly) on write-only media.

Relax a bit - 135/445 is dummy stuff :-D

Regards
Reinhold
............

tbcomputing

Pls help - seven days of port scans/DOS
« Reply #11 on: December 01, 2004, 09:11:00 PM »
OK, I give in, and thanks to you all for your patience.

The services are disabled, I back up to tape, and I'll look at rkhunter.

Thanks again, and thread closed as far as I'm concerned

Tony

Mac_servicer

Logging enable / disable
« Reply #12 on: February 05, 2005, 12:57:36 PM »
check this thread

http://forums.contribs.org/index.php?topic=18911.msg74742#msg74742

They have noted the db config to switch off logging.

p.s. we had over 200 entries per hour!

SSBN

Pls help - seven days of port scans/DOS
« Reply #13 on: February 05, 2005, 04:06:56 PM »
There are a few things you can do if you are really concerned. But they require a bit of work.

Free Solution
1: Set up a Smoothwall box. http://www.smoothwall.org/
2: Install this add-on. http://community.smoothwall.org/forum/viewtopic.php?t=3965

This will blacklist people who port scan or violate Snort rules and ban/drop their IP for 5 or so days. But beware of false positives, and lots of them, if you don't modify your Snort rules.
All Smoothwall mods are here: http://community.smoothwall.org/forum/viewtopic.php?t=2873

Not so Free.
1: Go to www.astaro.com and download their free firewall. It has intrusion detection included and a nice web console to configure it. But it is limited to 10 internal IPs. The pay-for version is not expensive and is less limited depending on what you buy.

Knuddi
Pls help - seven days of port scans/DOS
« Reply #14 on: February 05, 2005, 10:25:44 PM »
There is also a snort contrib that runs directly on your SME server.

http://vanhees.homeip.net/index.php?module=ContentExpress&func=display&ceid=19

BoZz
Pls help - seven days of port scans/DOS
« Reply #15 on: February 08, 2005, 11:56:47 AM »
There are some bad dudes around, so don't try to get them back. I own and run an ISP in Australia and had a hack attack a few years ago. We tracked him down and trashed his PC :-D  A day later started 3 months of DOS attack that all but used our 45Mb link :-(  Nearly sent me to the wall. Best to let them play and go away so you can live to surf another day ;-)

Brett

Brave Dave
Pls help - seven days of port scans/DOS
« Reply #16 on: February 09, 2005, 11:15:05 AM »
Why don't you get on to your upstream provider?

A few years back I had someone going crazy with DNS on my Telstra OnRamp - and it was pay by the megabyte - 19c.

I got onto Telstra and they blocked it upstream.
.:DB:.

drywalldude

Ipcop works good
« Reply #17 on: February 09, 2005, 12:31:46 PM »
I found IPCop to be easy to install and effective on my network. It is more functional as a gateway firewall than the contribs server, and it takes the load off my web/mail server. Here are some shots:

http://www.ericswww.com/rpm_bay/ipcop_contribs.PNG
http://www.ericswww.com/rpm_bay/ipcop_graph.PNG
http://www.ericswww.com/rpm_bay/ipcopnetwork.png 8-)

drywalldude

Pls help - seven days of port scans/DOS
« Reply #18 on: February 09, 2005, 12:47:46 PM »
The IPCop setup is on an old Asus 400MHz AMD with 4 NICs (wifi support on blue!! :-D). Also, if you look in the add-ons there is something about integration with DansGuardian that may assist with your problem.

Ah, finally found something to do with that old piece of junk in the closet.

CharlieBrady
Pls help - seven days of port scans/DOS
« Reply #19 on: February 09, 2005, 09:06:31 PM »
Quote from: "SSBN"

This will black list people who port scan or violet snort rules and ban/drop their ip for 5 or so days.


Note that because source IP addresses are forgeable, this allows a pretty easy DoS. Any of your server's real customers can be blacklisted, just by an attacker faking a scan apparently coming from their IP address.
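The failure mode CharlieBrady describes, as an added example that is not part of the thread and not the Smoothwall add-on's code: a toy model of a scan-triggered auto-ban keyed on the source address, fed a handful of SYN probes whose SRC field has been forged to a customer's address. The threshold of 3 hits, the 5-day ban taken from SSBN's post, the timestamps and the RFC 5737 customer address are all assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

BAN_FOR = timedelta(days=5)   # "5 or so days", as in the Smoothwall add-on post


def apply_autoban(packets, threshold=3, ban_for=BAN_FOR):
    """Model of a scan-triggered auto-ban: once `threshold` blocked packets have been
    seen from one source address, every later packet from that address is dropped
    for `ban_for`. packets: iterable of (timestamp, src_ip, dst_port), in time order.
    Returns (bans, dropped): bans maps src_ip -> expiry, dropped lists the packets
    the ban threw away. The decision rests only on the claimed source address."""
    hits = Counter()
    bans = {}
    dropped = []
    for ts, src, dpt in packets:
        if src in bans and ts < bans[src]:
            dropped.append((ts, src, dpt))
            continue
        hits[src] += 1
        if hits[src] >= threshold:
            bans[src] = ts + ban_for
    return bans, dropped


def forged_scan(victim_ip, ports, start):
    """SYN probes whose SRC field is set to the victim's address. The target never
    completes a handshake with the sender, so nothing in these packets proves who
    actually sent them; the ban logic cannot tell them from a real scan by the victim."""
    return [(start + timedelta(seconds=i), victim_ip, port) for i, port in enumerate(ports)]


def demo():
    """Attacker forges three probes as the customer; a minute later the real customer's
    HTTP connection is dropped because the customer's address is now banned."""
    t0 = datetime(2005, 2, 9, 21, 0)          # assumed
    customer = "203.0.113.5"                  # assumed legitimate customer address
    packets = forged_scan(customer, [135, 139, 445], t0)
    real_request = (t0 + timedelta(minutes=1), customer, 80)
    packets.append(real_request)
    bans, dropped = apply_autoban(packets)
    return {
        "customer_banned": customer in bans,
        "customer_http_dropped": real_request in dropped,
        "ban_expires": bans.get(customer),
    }


if __name__ == "__main__":
    print(demo())
```

The customer sent nothing hostile; three forged 48-byte SYNs were enough to cut them off for five days. Any ban rule that triggers on the source address of unanswered packets has this property, which is why the false-positive warning in SSBN's post is the mild end of the problem.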

SMEmike

myNetWatchman.com helps in fighting back
« Reply #20 on: February 20, 2005, 06:26:24 AM »
Have a look at myNetWatchman.com; they collect log information from firewalls around the Internet and automatically notify ISPs whose members are sourcing excessive port scans.

I did find this older howto to integrate the myNetWatchman client into SME 5.2. Don't know if it is still valid.

- http://www.wellsi.com/sme/mnwclient/mnwclient.html

The idea is a great one, but I have not used it myself yet.

SMEmike.