Koozali.org: home of the SME Server

Windows Cyberkit 2.2 pings

RayG

Windows Cyberkit 2.2 pings
« on: September 22, 2003, 03:32:02 AM »
These worm (Nachi/Welchia/whatever) related pings, and my server's response to them, have been bugging me. I don't like the idea of my server responding to the worm pings as the response itself is just more useless bandwidth clutter and actually invites more traffic from the infected pc. I also didn't like the idea of crippling icmp as it does serve a useful purpose. I couldn't find any documentation that dealt with this worm on SME so I decided to plow through it myself. What I ended up doing was:

1) Upgrade to SME 5.6 and the pure joy that is iptables
2) Extract the libipt_length.so library from a slightly older (1.2.5-2) copy of iptables
     (I'm not sure why Mitel chose to exclude this gem but would love to know the reason)
3) Create and modify a custom template fragment to drop 92 byte echo requests and accept others
4) Comment out the snort rule that's logging these packets

Now I can look at the traffic with "iptables -L icmpIn -v" and see that the new rule is indeed dropping the 92 byte icmp echo requests at a rate about the same as snort is seeing the 'cyberkit 2.2' pings. That's a little more than 1 per second on my little part of the net. My box still responds appropriately to pings of other lengths. So I've dammed the flood from the worm du jour without breaking icmp.

While I'm satisfied with my work, I usually come up with solutions that others hate. Please tell me what's wrong with what I've done and maybe what I should have done instead.
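
As an added example (not code from the thread or from the SME project), this is what a custom copy of the 40AllowICMPIn fragment along the lines of step 3 could look like: it drops only echo-requests whose total IP length is 92 bytes (the Welchia probe: 20-byte IP header + 8-byte ICMP header + 64-byte payload) and leaves echo-requests of every other size to the normal ACCEPT rule. It assumes the iptables length match (libipt_length.so) has been installed as in step 2, and that the icmpIn chain, the denylog target and the $OUTERIF shell variable exist as they do in the stock SME 5.6 masq template; $wormPingLength is a name chosen for this example.

```perl
{
    # Added example, not the stock SME fragment: a templates-custom
    # replacement for /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowICMPIn
    # that drops 92-byte echo-requests while still answering other pings.
    # Assumes libipt_length.so is installed and that icmpIn, denylog and
    # $OUTERIF exist as in the stock template.
    use esmith::NetworksDB;

    # ICMP types we accept; anything else reaching icmpIn is denied later
    # in the chain.  Keep commented-out entries outside qw(), otherwise
    # Perl warns and the "#" characters become bogus icmp types.
    my @OKicmpTypes = qw(
        echo-request
        echo-reply
        destination-unreachable
        source-quench
        time-exceeded
        parameter-problem
    );

    # Total IP length of the worm's echo-request in bytes (assumption for
    # this example; adjust if snort/tcpdump shows a different size on
    # your link).
    my $wormPingLength = 92;

    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        # Stealth mode: refuse every echo-request arriving on the outside
        # interface, exactly as the stock fragment does.
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }
    else
    {
        # Not stealth: silently drop only the worm-sized echo-requests.
        # DROP rather than denylog so the roughly one-per-second flood
        # does not fill the logs; use --jump denylog if you want them logged.
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --match length --length $wormPingLength --jump DROP
HERE
    }

    # Accept the listed ICMP types; echo-requests of any other length
    # still get here and are answered as before.
    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
```

Save it as /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn, expand the masq template and restart masq as described later in the thread, then watch the packet counter on the new DROP rule with "iptables -L icmpIn -v -n". A quick check from a host outside the firewall: "ping -s 64 yourserver" (64 bytes of data plus the 8-byte ICMP and 20-byte IP headers is 92 bytes) should get no reply, while a default "ping yourserver" (56 bytes of data, 84 bytes total) is still answered, so latency and packet-loss monitors that use ordinary echo-requests keep working.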

Robert Harlow

Re: Windows Cyberkit 2.2 pings
« Reply #1 on: September 22, 2003, 12:59:18 PM »
Ray

Inventive:-) Interesting reading. Off hand do you know if there is a way of simply switching off my SME 5.6u4 server/gateway's ping? Previously I used an external hardware firewall and it was just a user setting. I am slightly uncomfortable with the level and persistence of pings at the moment and I see no particularly sound reason why my server and bandwidth are being so used.

best wishes, Robert

RayG

Re: Windows Cyberkit 2.2 pings
« Reply #2 on: September 22, 2003, 06:11:29 PM »
Robert,

I suspect you will find the bulk of the ping traffic you're receiving is the same as mine: probes from the Welchia worm.

You can get a peek at the incoming pings with "iptables -L icmpIn -v" and the responses with "iptables -L icmpOut -v". But if you want to whack ping altogether check out:

http://forums.contribs.org/index.php?topic=8562.msg32055#msg32055
 
There are older threads that describe Nathan Fowler's instructions in detail but I can't seem to find them quickly.

In a nutshell:

Create a directory for the custom template fragment
mkdir -r /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Copy the template fragment
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowICMPIn /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn

Edit the new custom template fragment, deleting the ping services you don't want active. They should be fairly obvious once you look at the file.
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
pico 40AllowICMPIn

Rebuild the masq template
/sbin/e-smith/expand-template /etc/rd.c/init.d/masq

Restart masq
/etc/rc.d/init.d/masq restart

Look at your iptables listings again after doing this to confirm that the pings are being dumped and not replied to.

Robert Harlow

Re: Windows Cyberkit 2.2 pings
« Reply #3 on: September 22, 2003, 06:47:42 PM »
Ray

You seem like a light in the darkness:-) But it's still a bit dim here and that's just me I expect;~/

I tried the iptables -L stuff, it worked, but the results didn't mean much to me. BTW I installed ACID/snort/Guardian a day or two ago, that's how I came to know about all the pinging.

I had already seen that thread but Nathan's command line does not work at all well here. Some objection to ipchains, then I tried the same command using iptables but it still baulks. So I came to the forum...

My system baulks at your mkdir -r line, it doesn't like the -r I think. I couldn't find out what -r did in the man mkdir either.

I used MC (OK I'm a coward) and see that I have the object of the mkdir command already. Moving on to the cp stuff and did that using MC. Now for the edit fragment... using pico I see only a blank file. Is that what you meant by being self-explanatory 'cos there's nothing in it to delete!

Told you I was a bit dim on this sort of stuff:~)

best wishes, Robert

Robert Harlow

Re: Windows Cyberkit 2.2 pings
« Reply #4 on: September 22, 2003, 06:58:56 PM »
Doh:-( Must have mistyped pico's target, I have the file now. Will now destroy a few things... standby:-)

best wishes, Robert

Robert Harlow

Re: Windows Cyberkit 2.2 pings
« Reply #5 on: September 22, 2003, 07:10:19 PM »
Remembering to correct your rc.d/rd.c typo, I hashed all the option lines and inserted yes (vice no) for stealth, saved/wrote out of pico and ran the template expansion line getting...

[root@nas600 masq]# /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
WARNING in /etc/e-smith/templates-custom//etc/rc.d/init.d/masq/40AllowICMPIn: Possible attempt to put comments in qw() list at /etc/e-smith/templates-custom//etc/rc.d/init.d/masq/40AllowICMPIn line 15.
WARNING: Template processing succeeded for //etc/rc.d/init.d/masq: 1 fragment generated warnings
 at /sbin/e-smith/expand-template line 64
[root@nas600 masq]#

Running the masq restart and getting...

[root@nas600 masq]# /etc/rc.d/init.d/masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables v1.2.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
done
[root@nas600 masq]#

FWIW this is now the contents of my template fragment file thing, that is what I used with the template expansion...

{
    use esmith::NetworksDB;

    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    my @OKicmpTypes = (
      qw(
#          echo-request
#          echo-reply
#          destination-unreachable
#          source-quench
#          time-exceeded
#          parameter-problem
      ) );

    my $stealth = $masq{Stealth} || 'yes';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }

    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}

Will now sit with ACID and see what transpires!

best wishes, Robert

Robert Harlow

Re: Windows Cyberkit 2.2 pings
« Reply #6 on: September 22, 2003, 07:47:47 PM »
Don't think that template thing liked my # lines:-( Went back and deleted all the # lines and re-expanded. This time no errors reported and masq restarted OK. Now sitting and waiting...

best wishes, Robert

Robert Harlow

Re: Windows Cyberkit 2.2 pings
« Reply #7 on: September 22, 2003, 07:57:38 PM »
Oh dear:-| Of course. This kills the System Monitor graphical readout for the gateway latency/packet loss statistics and I rather do need these to bang the bandwidth providers over the heads when someone somewhat selfishly and unilaterally hogs all the bandwidth of the broadband pipe. Any idea which line or lines need to go back in to get the stats back?

best wishes, Robert

RayG

Re: Windows Cyberkit 2.2 pings
« Reply #8 on: September 22, 2003, 08:36:25 PM »
Sorry for the typos and confusion. The section I would suggest modifying was the
"my @OKicmpTypes" area. That section lists the icmp types that are accepted. Those that are not accepted are denied.

Don't feel bad about using Midnight Commander. I just got turned on to it this weekend and it's pretty slick for some tasks. I'm not aware of ANY other application that can extract single files from .rpm's.

I'm not familiar with the tools you're using to measure packet loss and latency. Those numbers can be easily measured with icmp echo requests so that may be how they're doing it.

It might be worthwhile to put masq back the way it was and post the snort warnings that you don't like. Maybe we can come up with a more refined way of dealing with them.

Robert Harlow

Re: Windows Cyberkit 2.2 pings
« Reply #9 on: September 22, 2003, 09:25:19 PM »
The System Monitor addon...
http://lordsfam.net/downloads/production/e-smith-sysmon/
...is what I use to monitor packet loss and latency. Wonderful product but currently is flooding my httpd/admin_error_log with shedloads of error lines and I don't know why nor can I find out.

I'll have to put masq back as it was but thank you for the idea, I will have a go when I get back with some of the permutations. Baseline is that System Monitor HAS to work so I can't just switch off ping responses in quite this manner.

As for snort and stuff I haven't a clue. It was put on a few days ago. I see many unnecessary pingers and I am lightly concerned.

Since I rebuilt the server over the weekend, due to increasing consternation with the state and size of the error logs, I haven't had much success in reducing the new logs! Looks like some of this stuff is just plain buggy and wants to stay that way;~/ May have to live with flooding logs and not be able to see new issues for the detritus.

Need to go out now, will come back to this later.

best wishes, Robert