[PLUTO-security] Worrying logs
Piviul
pluto at flanet.org
Wed 15 Dec 2004 18:10:26 CET
Hi everyone, I must surely have made some mistake, since I'm finding
"new ! syn" entries in the logs that shouldn't be there...
Schematically, the network can be summed up like this:
INTERNET
|
BRIDGE
|
DMZ (172.16.0.0/28)
|
FIREWALL
|
LAN (192.168.0.0/24)
Now I have found, on the FIREWALL, logs of packets that should not have
entered the DMZ, since the BRIDGE should have blocked them.
Here are the FIREWALL logs, where of course 172.16.0.3 is the one that, in
the configuration script you will find further down, is called $INET_IFACE.
> Dec 1 09:01:03 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=11101 PROTO=TCP SPT=80 DPT=1535 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:03 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=43375 PROTO=TCP SPT=80 DPT=1536 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:03 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=44911 PROTO=TCP SPT=80 DPT=1534 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:03 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=45679 PROTO=TCP SPT=80 DPT=1533 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:03 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=37240 PROTO=TCP SPT=80 DPT=1532 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:03 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=39544 PROTO=TCP SPT=80 DPT=1530 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:04 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=54048 PROTO=TCP SPT=80 DPT=1535 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:04 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=37923 PROTO=TCP SPT=80 DPT=1530 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:04 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=38435 PROTO=TCP SPT=80 DPT=1532 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:04 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=52771 PROTO=TCP SPT=80 DPT=1533 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:04 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=53027 PROTO=TCP SPT=80 DPT=1534 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:04 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=53283 PROTO=TCP SPT=80 DPT=1536 WINDOW=8190 RES=0x00 ACK FIN URGP=0
> Dec 1 09:01:05 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=80 DPT=1530 WINDOW=0 RES=0x00 RST URGP=0
> Dec 1 09:01:05 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=80 DPT=1536 WINDOW=0 RES=0x00 RST URGP=0
> Dec 1 09:01:06 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=80 DPT=1532 WINDOW=0 RES=0x00 RST URGP=0
> Dec 1 09:01:06 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=80 DPT=1534 WINDOW=0 RES=0x00 RST URGP=0
> Dec 1 09:01:06 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=80 DPT=1535 WINDOW=0 RES=0x00 RST URGP=0
> Dec 1 09:01:06 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=80 DPT=1533 WINDOW=0 RES=0x00 RST URGP=0
Here is the BRIDGE configuration script:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp ! --syn -m physdev --physdev-in $INET_IFACE -m state --state NEW -j LOG --log-level info --log-prefix "New Not Syn: "
>
> iptables -A FORWARD -m physdev --physdev-in $INET_IFACE -m state --state NEW -j DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m physdev --physdev-in $LAN_IFACE -m state --state NEW -j ACCEPT
And here is the FIREWALL configuration script:
> iptables -N bad_tcp_packets
> iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> iptables -A bad_tcp_packets -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j LOG --log-level alert --log-prefix "New not syn: "
> iptables -A bad_tcp_packets -i $LAN_IFACE -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "New not syn: "
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>
> # default policies
> iptables -F INPUT
> iptables -P INPUT DROP
> iptables -F OUTPUT
> iptables -P OUTPUT DROP
>
> iptables -t nat -F PREROUTING
> iptables -t nat -P PREROUTING ACCEPT
>
> iptables -F FORWARD
> iptables -P FORWARD DROP
> iptables -A FORWARD -p TCP -j bad_tcp_packets
> iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
> iptables -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m limit --limit 3/minute --limit-burst 7 -j LOG --log-level info --log-prefix "IPT FORWARD packet died: "
> iptables -A FORWARD -j DROP
>
>
> iptables -t nat -F POSTROUTING
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
>
> iptables -t nat -A OUTPUT -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
>
> iptables -A INPUT -p tcp -j bad_tcp_packets
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i $LAN_IFACE -p udp --dport 67 -j ACCEPT
> iptables -A INPUT -i $INET_IFACE -m limit --limit 3/minute --limit-burst 7 -j LOG --log-level info --log-prefix "IPT INPUT packet died: "
> iptables -A INPUT -j DROP
Do you have any idea what happened last December 1st at 9:01?
Should I be worried? Bear in mind that in 8 months these are the only logs
of this type found on the FIREWALL.
Thanks a lot
Piviul
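As an added example (not part of the original post), a small parser and triage pass for kernel LOG lines in the format quoted above: it groups the records by source and destination, records which TTLs go with which flag combinations, and separates the pattern seen here (a remote port 80 sending only ACK/FIN/RST to high client ports, consistent with the tail of a connection that the firewall's connection tracking no longer knows about) from anything else. The sample lines are constructed from the post's format (the third one is a made-up counterexample), and SERVICE_PORTS and the verdict strings are assumptions of this example.

```python
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW"}
SERVICE_PORTS = {80, 443}  # assumption: remote ports we treat as the "server side"

# Constructed sample modelled on the quoted log lines; line 3 is a made-up counterexample.
SAMPLE_LOG = """\
Dec 1 09:01:03 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=11101 PROTO=TCP SPT=80 DPT=1535 WINDOW=8190 RES=0x00 ACK FIN URGP=0
Dec 1 09:01:05 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=207.68.178.238 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=0 PROTO=TCP SPT=80 DPT=1536 WINDOW=0 RES=0x00 RST URGP=0
Dec 1 09:01:06 rh-proxy kernel: New not syn: IN=eth1 OUT= MAC=00:a0:c9:a2:95:3c:00:0c:ce:93:5b:f1:08:00 SRC=10.9.8.7 DST=172.16.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
"""


def parse_line(line):
    """Parse one iptables LOG line into a dict; return None for any other line."""
    head, sep, body = line.partition(" kernel: ")
    prefix, sep2, fields = (" " + body).partition(" IN=")
    if not (sep and sep2):
        return None
    rec = {"ts": " ".join(head.split()[:3]), "host": head.split()[-1],
           "prefix": prefix.strip(": "), "flags": set()}
    for tok in ("IN=" + fields).split():
        if "=" in tok:                      # KEY=VALUE field (OUT= may be empty)
            key, _, val = tok.partition("=")
            rec[key] = int(val) if key in INT_FIELDS and val else val
        elif tok in TCP_FLAGS:              # bare flag tokens such as "ACK FIN"
            rec["flags"].add(tok)
    return rec


def triage(log_text):
    """Group TCP records by (SRC, DST) and attach a heuristic verdict to each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP":
            groups[(rec["SRC"], rec["DST"])].append(rec)
    report = {}
    for key, recs in groups.items():
        spts, dpts = {r["SPT"] for r in recs}, {r["DPT"] for r in recs}
        flags = set().union(*(r["flags"] for r in recs))
        ttl_by_flags = defaultdict(set)     # different TTLs per flag set may mean a different hop/stack
        for r in recs:
            ttl_by_flags[frozenset(r["flags"])].add(r["TTL"])
        # Heuristic: a service port sending only ACK/FIN/RST to high client ports is the tail
        # of a connection conntrack no longer tracks, not a fresh connection attempt.
        stale = spts <= SERVICE_PORTS and min(dpts) > 1023 and flags <= {"ACK", "FIN", "RST"}
        verdict = "stale-connection tail" if stale else "review: not the stale-connection pattern"
        report[key] = {"count": len(recs), "spts": spts, "dpts": dpts, "flags": flags,
                       "ttl_by_flags": dict(ttl_by_flags), "verdict": verdict}
    return report
```

Feed it the real log file with `triage(open("/var/log/messages").read())`; a group marked as a stale-connection tail is worth correlating with a reboot, a module reload or a conntrack table flush on the firewall at that time, while anything else deserves a look at the source.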
More information about the pluto-security mailing list