Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: jskline on June 18, 2005, 07:12:05 PM

Title: Very strange SME 6.01 server attack???
Post by: jskline on June 18, 2005, 07:12:05 PM
Hi all!

Well, today I was using a box with 6.01 on it, and copying a rather large number of files between my laptop and the server's home folder, and the thing just died. First I thought network cable loose or router, but it turned out, when I looked at the screen on the server, that a whole lot of messages were scrolling by and I could not stop them. After several failed attempts to gain console over the thing, I wound up doing the cold boot option via RESET.

After it came back up, things appeared to be intact with the possible exception of the file system needing to be scanned.

Strange to note is that this affected nothing else on my network, other than that about the time this happened, my internet connectivity came to a grinding halt as well. My Windows and other Linux boxen appeared to suffer no ill effects when this happened.

Looking at my cheezy home router log showed these connect attempts:

Quote
Jun/18/2005 10:57:43
 Drop TCP packet from WAN src:207.46.107.67:1863 dst:10.0.0.2:61133 Rule: Default deny
Jun/18/2005 10:57:30
 Drop TCP packet from WAN src:207.46.107.67:1863 dst:10.0.0.2:61133 Rule: Default deny
Jun/18/2005 09:20:34
 DHCP lease IP 192.168.123.104 to          rabbit   00-B0-D0-6C-26-8A
Jun/18/2005 09:07:27
 DHCP lease IP 192.168.123.104 to          rabbit   00-B0-D0-6C-26-8A
Jun/18/2005 09:05:44
 DHCP lease IP 192.168.123.104 to          rabbit   00-B0-D0-6C-26-8A
Jun/18/2005 07:50:46
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 07:50:32
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 07:50:25
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 07:50:21
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 07:50:20
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 07:50:19
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 07:28:16
 DHCP lease IP 192.168.123.104 to          rabbit   00-B0-D0-6C-26-8A
Jun/18/2005 07:26:54
 Drop TCP packet from WAN src:64.124.173.123:21 dst:10.0.0.2:60646 Rule: Default deny
Jun/18/2005 07:26:40
 Drop TCP packet from WAN src:64.124.173.123:21 dst:10.0.0.2:60646 Rule: Default deny
Jun/18/2005 07:26:33
 Drop TCP packet from WAN src:64.124.173.123:21 dst:10.0.0.2:60646 Rule: Default deny
Jun/18/2005 07:26:29
 Drop TCP packet from WAN src:64.124.173.123:21 dst:10.0.0.2:60646 Rule: Default deny
Jun/18/2005 07:26:27
 Drop TCP packet from WAN src:64.124.173.123:21 dst:10.0.0.2:60646 Rule: Default deny
Jun/18/2005 07:26:27
 Drop TCP packet from WAN src:64.124.173.123:21 dst:10.0.0.2:60646 Rule: Default deny
Jun/18/2005 06:15:27
 Drop TCP packet from WAN src:66.193.247.36:80 dst:10.0.0.2:60586 Rule: Default deny
Jun/18/2005 06:12:05
 DHCP lease IP 192.168.123.104 to          rabbit   00-B0-D0-6C-26-8A
Jun/18/2005 05:37:50
 Drop TCP packet from WAN src:216.73.121.188:80 dst:10.0.0.2:60364 Rule: Default deny
Jun/18/2005 05:37:03
 Drop TCP packet from WAN src:216.73.121.188:80 dst:10.0.0.2:60364 Rule: Default deny
Jun/18/2005 05:36:38
 Drop TCP packet from WAN src:216.73.121.188:80 dst:10.0.0.2:60364 Rule: Default deny
Jun/18/2005 05:36:26
 Drop TCP packet from WAN src:216.73.121.188:80 dst:10.0.0.2:60364 Rule: Default deny
Jun/18/2005 05:36:21
 Drop TCP packet from WAN src:216.73.121.188:80 dst:10.0.0.2:60364 Rule: Default deny
Jun/18/2005 05:19:30
 Drop TCP packet from WAN src:17.250.236.65:80 dst:10.0.0.2:60280 Rule: Default deny


Somehow, in that mix of attempts, one or more of those brought down the server. The only ports that are forwarded through to the server are 80, 443 and 53, since I need DNS handshaking. All other ports are supposed to be dropped. This has been a stable box up to this. I am now wondering if there is a port somewhere that I might need to hard block on the SME (mentioned in the list), albeit all the port attempts above are probably like the IPs... spoofed.

Of course I'm also wondering if the cheezy Dlink router/WIFI/switch that I use is to blame. I have a good SMC and a Linksys that I wonder if wouldn't be better choices in this capacity.

Anyone had this happen? Any suggestions as to how to thwart it :-?

Thanks.
Jeff
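The router log above is the only evidence in the thread, so a small parser for that exact layout is a useful starting point. The following is an added example and not code from the thread or from SME Server; the sample lines are constructed in the same format as the D-Link entries above, and the set of forwarded ports (53, 80, 443) is taken from the poster's description of the router configuration. It pairs each timestamp line with the event line that follows it, groups the dropped packets per source address and source port, and reports whether a drop was aimed at one of the published service ports or has the shape of a late reply to an outbound connection (well-known source port, ephemeral destination port).

```python
import re

# Constructed sample in the same layout as the D-Link log in the post above
SAMPLE_LOG = """Jun/18/2005 10:57:43
 Drop TCP packet from WAN src:207.46.107.67:1863 dst:10.0.0.2:61133 Rule: Default deny
Jun/18/2005 09:20:34
 DHCP lease IP 192.168.123.104 to          rabbit   00-B0-D0-6C-26-8A
Jun/18/2005 07:50:46
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 07:50:32
 Drop TCP packet from WAN src:64.124.173.106:21 dst:10.0.0.2:60655 Rule: Default deny
Jun/18/2005 05:19:30
 Drop TCP packet from WAN src:17.250.236.65:80 dst:10.0.0.2:60280 Rule: Default deny
"""

# Assumption taken from the post: only these ports are forwarded to the SME box
FORWARDED_PORTS = {53, 80, 443}

TS_RE = re.compile(r"^[A-Z][a-z]{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
DROP_RE = re.compile(
    r"Drop (?P<proto>TCP|UDP) packet from (?P<iface>\w+) "
    r"src:(?P<src>[\d.]+):(?P<sport>\d+) dst:(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"Rule: (?P<rule>.+)$"
)
DHCP_RE = re.compile(r"DHCP lease IP (?P<ip>[\d.]+) to\s+(?P<host>\S+)\s+(?P<mac>[0-9A-Fa-f-]+)")


def parse_log(text):
    """Return a list of event dicts. The log alternates a timestamp line with
    an indented event line, so the last timestamp seen is attached to each event."""
    events = []
    ts = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            ts = line
            continue
        m = DROP_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"ts": ts, "kind": "drop", "proto": d["proto"], "iface": d["iface"],
                           "src": d["src"], "sport": int(d["sport"]),
                           "dst": d["dst"], "dport": int(d["dport"]), "rule": d["rule"]})
            continue
        m = DHCP_RE.match(line)
        if m:
            events.append({"ts": ts, "kind": "dhcp", **m.groupdict()})
            continue
        # Keep unrecognised lines rather than silently dropping them
        events.append({"ts": ts, "kind": "unknown", "raw": line})
    return events


def summarize_drops(events):
    """Group dropped packets by (source address, source port) and collect the
    destination ports each source was trying to reach."""
    summary = {}
    for e in events:
        if e["kind"] != "drop":
            continue
        entry = summary.setdefault((e["src"], e["sport"]), {"count": 0, "dports": set()})
        entry["count"] += 1
        entry["dports"].add(e["dport"])
    return summary


def classify(src_port, entry):
    """Label one grouped source. A destination port in FORWARDED_PORTS means the
    packet was aimed at a service the router publishes; a well-known source port
    paired only with ephemeral destination ports is the shape of a late reply to a
    connection an inside host opened itself; anything else is left for a human."""
    if entry["dports"] & FORWARDED_PORTS:
        return "aimed at a forwarded service port"
    if src_port < 1024 and all(p >= 1024 for p in entry["dports"]):
        return "reply-shaped"
    return "other"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, sport), entry in sorted(summarize_drops(evs).items()):
        print(f"{src}:{sport} x{entry['count']} -> dst ports {sorted(entry['dports'])}: "
              f"{classify(sport, entry)}")
```

Run against the real log, the grouping makes it easy to see which drops, if any, touched the published ports and which were merely the router discarding stray packets; the DHCP entries are parsed as well so a lease renewal can be lined up with the drops around it.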
Title: Very strange SME 6.01 server attack???
Post by: DarkMirage on June 18, 2005, 07:31:17 PM
Assuming you use a server-only setup on a single network (192.168.123.x) my guess is the above entries are caused by the non-existent destination address  10.0.0.2

Even so, since the packets originate from WAN, and your server is behind the firewall, it should not have any interference. Perhaps your firewall was unable to handle the load, and had problems routing?
Edit: No, wait. There's too much time in between for that.

Either something like that, or you have had two different problems. Perhaps you could look up some samba logs?
Title: Re; Net params
Post by: jskline on June 18, 2005, 09:02:01 PM
My router's firewall is supposed to have contained this sort of thing, and it looks like it did, but...

The 10.0.0.2 is the gateway address out to my LAN from a Cisco DSL modem. This goes to a router, then the router remaps to 192.168.123.x. I wanted a simple class C network, as in some programming I do it's just easier for me to think.

As for logs, the server literally went berserk and I was not even able to console into it to get control over it. I had to force a boot, and that usually truncates any log files with info. (already went looking for that).

Jeff
Title: Re: Re; Net params
Post by: DarkMirage on June 19, 2005, 12:06:55 AM
Quote from: "jskline"
and that usually truncates any log files with info.

What a shame.. I have seen some nasty packets coming to our server, I guess the big difference is we use sme as our all in one (including firewall):
Code:

DSL->SME->hub->hosts
             ->WLAN->hosts

instead of (see if I get it right):
Code:

DSL->Routing FW->hosts
               ->SME

I have never seen our server do anything like that...

I wonder, is there any way of determining the intended destination for those packets?

Maybe you could try an externally originating port scan and listen on your sme to see if anything is put through which should be blocked..?
For example: Shields Up (https://www.grc.com/x/ne.dll?bh0bkyd2)

(Good thing I checked, bloody ident was listening again...)
Title: Re: Very strange SME 6.01 server attack???
Post by: CharlieBrady on June 19, 2005, 03:16:11 AM
Quote from: "jskline"

Well; Today I was using a box with 6.01 on it, and copying a rather large number of files between my laptop and the server's home folder, and the thing just died.
...
First I thought network cable loose or router, but turned out to be when I looked at the screen on the server, a whole lot of messages were scrolling by and I could not stop them.


What did they say?

Quote

After several failed attempts to gain console over the thing, I wound up doing the cold boot option via RESET.


Next time you might try pulling the network cable.

Quote

Of course I'm also wondering if the cheezy Dlink router/WIFI/switch that I use is to blame.


Wifi? Is it adequately secured?
Title: Messages
Post by: jskline on June 19, 2005, 09:02:21 AM
The messages were scrolling past so fast as to be completely unreadable. I did pull the nic cable, and waited, but these just kept going on and on.

And yea, the WIFI has a monthly rotated key and such. It's quite well locked down for a residential access point.

I had not recently run the SME as a gateway because I couldn't find anywhere that you can plug in rules to forward ports that I need for Ham radio use (Echolink). I can do this easily in any other router, but when I tried it in the SME's configuration, I never was able to get it to pass 5198/5199 or 5200 (TCP). The rule I needed was to pass these to all IPs on the LAN, not just one.
Title: Very strange SME 6.01 server attack???
Post by: gyrcom on June 19, 2005, 11:35:20 PM
Last night (Saturday) I came home to find my server doing the same thing. Hard drives rattling, no internet connectivity and no DNS to my inside network. I could not even log onto the console. As it happens it also needed a new battery, so I took the backup and built a new server on a different machine, and restored the settings using the desktop restore. The new machine ran fine for all of two minutes before seizing up with the same errors.
I then did a clean install of 6.0.1, opened up the SSL to the outside for remote admin, added one user. All hell broke loose again.
Clean install again, no changes to system settings, and the server is now up for three hours. I have yet to spend more than curious time on the logs. Looks like an attack on the SSL remote access to me so far.
Bill.
Title: Updates so far...
Post by: jskline on June 20, 2005, 01:39:59 AM
Ok. I took the server offline and installed another NIC card, and reconfigured it as a Server/Gateway again. DSL plugged straight into it, and output right to a 100/10 switch for my LAN. No WIFI attached right now, as my WAP is a Linksys that is boxed right now.

Within minutes of going back online, a port scan ensued, and shortly after this was an attack on several unpriv ports, and especially port 443 and everything secure-FTP and remote access. I have these turned off for the moment, but they're hitting it hard enough to knock my cheezy 256k connection down to ground zero. Going to call Qwest on Monday to have my connection booted up to the 1.5mb again, and suffer through the price increase.

Will be watching the logs to see what is up with this. I will leave it as a server/gateway for a while until I think something has been compromised or challenged.

Let's watch this thing.