Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Reinhold on October 08, 2003, 09:20:05 PM
-
"Houston I've got a problem..."
Somebody is trying to connect (break in)
to the Server&Gateway SME 6.03b via port "1412"
... PROTO=UDP SPT=1417 DPT=1412 LEN=15
(from several dial-in ips according to whois)
"1412" does not show up in all the lists I know.
(1) What significance does port 1412 have???
================================================
... and no solution...
(2) The SME logfile slowly overflows with this kind of garbage in addition to the
ubiquitous DPT:135 worm stuff, so I decided to (finally) install Snort/Acid.
Using the Abe Loveless & Ari Novikoff contrib downloaded at Marari Network Solutions
(!!! THANKS GUYS !!!) everything went smoothly ...
but now, for the 2nd day in a row ... Acid is logging NOTHING at all!
Impressive show of "0"s in https://mysmeserver/acid/acid_main.php
I do believe that Snort looks at nothing, and not at the external IP on eth1.
Checking "/etc/e-smith/template/etc/snort/snort.conf" and "/etc/snort/snort.conf",
I get the impression it cannot look for anything in this setup:
$HOME_NET is defined by localnet,myinternalip,myexternalip
and then comes
EXTERNAL_NET !$HOME_NET ...
What does SNORT look at now?
HOW CAN I MAKE IT LOOK AT MY EXTERNAL IP ?
In the current situation I'd rather not make a security mistake even if chances seem small,
Could somebody point me to how to set up Snort to look at the external IP?
... sorry for the long post...
Reinhold
---------------- /etc/e-smith/template/etc/snort/snort.conf ----
#-- added for SME template --#
var HOME_NET [127.0.0.1/32,{
my %conf;
tie %conf, 'esmith::config';
my $LocalIP = db_get(\%conf, 'LocalIP');
my ($A, $B, $C, $D) = split(/\./, $LocalIP);
my $mask = "$A\.$B\.$C\.0/24";
},{$ExternalIP}/32]
#----#
# Set up the external network addresses as well.
# A good start may be "any"
#var EXTERNAL_NET any
#-- added for SME template --#
var EXTERNAL_NET !$HOME_NET
#----#
--------------------------------------------------------------------
================= /etc/snort/snort.conf ===========================
#-- added for SME template --#
var HOME_NET [127.0.0.1/32,192.168.0.0/24,myexternalip/32]
#----#
# Set up the external network addresses as well.
# A good start may be "any"
#var EXTERNAL_NET any
#-- added for SME template --#
var EXTERNAL_NET !$HOME_NET
===================================================================
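The question above is what Snort actually inspects with HOME_NET holding the LAN plus the external IP and EXTERNAL_NET set to !$HOME_NET. In Snort's rule language EXTERNAL_NET = !$HOME_NET means "every address not in HOME_NET", so a rule header such as $EXTERNAL_NET any -> $HOME_NET any does cover a UDP packet from a dial-in address to the server's external IP. The Python below is an added example, not code from the thread or from SME Server; it parses the two var lines as expanded by the template (with the real external IP replaced by the documentation address 203.0.113.10, an assumption) and checks constructed iptables-style log lines, like the one quoted in the post, against that inbound rule direction. It also contrasts the SME setting with the commented-out "any" alternative to show the one case where they differ: traffic between two hosts that are both inside HOME_NET.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A Snort network variable: list of networks plus whether the set is negated.
NetVar = Tuple[List[ipaddress.IPv4Network], bool]

# Constructed excerpt mirroring the expanded SME template above; the external
# IP is a placeholder from the documentation range (assumption, not the poster's).
SNORT_CONF_SME = """
var HOME_NET [127.0.0.1/32,192.168.0.0/24,203.0.113.10/32]
var EXTERNAL_NET !$HOME_NET
"""

# Same config with the commented-out alternative from the template enabled.
SNORT_CONF_ANY = SNORT_CONF_SME.replace("!$HOME_NET", "any")

# Constructed kernel log lines shaped like the one quoted in the post
# (source addresses are documentation-range placeholders).
LOG_LINES = [
    "kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1417 DPT=1412 LEN=15",
    "kernel: IN=eth1 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=UDP SPT=1417 DPT=1412 LEN=15",
    "kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3456 DPT=135 LEN=48",
    "kernel: IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.1 PROTO=TCP SPT=40000 DPT=22 LEN=60",
]

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$", re.M)
LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)\s+PROTO=(\w+)\s+SPT=(\d+)\s+DPT=(\d+)")


def parse_snort_vars(conf: str) -> Dict[str, NetVar]:
    """Resolve 'var NAME value' lines: a bracketed CIDR list, 'any',
    or a reference to an earlier variable, each optionally negated with '!'."""
    resolved: Dict[str, NetVar] = {}
    for name, value in VAR_RE.findall(conf):
        negated = value.startswith("!")
        value = value.lstrip("!")
        if value == "any":
            resolved[name] = ([ipaddress.ip_network("0.0.0.0/0")], negated)
        elif value.startswith("$"):
            nets, inner_negated = resolved[value[1:]]
            # Negating a negated set flips it back; XOR captures both cases.
            resolved[name] = (nets, negated != inner_negated)
        else:
            items = value.strip("[]").split(",")
            resolved[name] = ([ipaddress.ip_network(i, strict=False) for i in items], negated)
    return resolved


def ip_matches(var: NetVar, ip: str) -> bool:
    """True if the address is in the variable's set (respecting negation)."""
    nets, negated = var
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets) != negated


def parse_log_line(line: str) -> Optional[dict]:
    """Pull SRC/DST/PROTO/SPT/DPT out of an iptables-style kernel log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, spt, dpt = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "spt": int(spt), "dpt": int(dpt)}


def would_match_inbound_rule(snort_vars: Dict[str, NetVar], pkt: dict) -> bool:
    """Does the header '$EXTERNAL_NET any -> $HOME_NET any' cover this packet?"""
    return ip_matches(snort_vars["EXTERNAL_NET"], pkt["src"]) and ip_matches(
        snort_vars["HOME_NET"], pkt["dst"])


def triage(conf: str, lines: List[str]) -> List[dict]:
    """Annotate each parseable log line with whether an inbound Snort rule
    written against the given variables would see it."""
    snort_vars = parse_snort_vars(conf)
    results = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        pkt["covered"] = would_match_inbound_rule(snort_vars, pkt)
        results.append(pkt)
    return results


def top_sources(results: List[dict], dport: int) -> Counter:
    """Count hits per source address for one destination port (e.g. 1412)."""
    return Counter(r["src"] for r in results if r["dpt"] == dport)


if __name__ == "__main__":
    for pkt in triage(SNORT_CONF_SME, LOG_LINES):
        print(pkt)
    print(top_sources(triage(SNORT_CONF_SME, LOG_LINES), 1412))
```

With the SME setting the three packets arriving on eth1 from outside are covered and the LAN-to-LAN packet is not; with EXTERNAL_NET any the LAN-to-LAN packet is covered as well. Either way, the variables are not what stops alerts from appearing: this check says nothing about whether the snort process is running, sniffing the right interface, or able to write to its database, which are the things to verify next when the Acid counters stay at zero.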
-
Port 1412 is used by Kazaa. As Kazaa has a memory in its client software, it is possible that users still try to contact you after you stopped using Kazaa.
If you have never used Kazaa but have a dynamic external IP, it is possible that you get traffic from the previous user of that IP. (sorry, no experience with snort)
-
Hi Rob
Thanks for the reply - never used Kazaa and looking around didn't give me that info. I'll check around us few but I'm positively negative.
...IP hasn't changed for 3 months; would that Kazaa built-in memory last that long?
Reinhold
-
Hi Reinhold.
I too am having the same problem with it not logging, it is probably due to the fact that the RPM installs are for an earlier version of E-Smith.
I am going to try and get round to looking at it to see if I can work it out myself. If I do, I will let you know the answer, but don't hold your breath as I am very busy at the moment. If in the meantime you manage to correct it, please let me know.
Steve.
-
I have the same problem: when you check the status of snort it says snort-mysql stopped, even if it says ok when you start it.....
Jean-François
-
Got it to work. As explained in another post, I just installed the new version of the rpm for snort and the snort rpm, made a copy of snort.conf, installed the sme rpm and then replaced snort.conf with the copy I made before.
I then changed the user and password in snort.conf for the mysql database.
Worked perfectly.
I didn't know that so many people were trying to hack my server ;) funny how many try Windows stuff on my server.....
jean-François