>Hi all,
>
>More security issues:
>
>Has anyone else out there been seeing repeated scans of their machines by
>multiple hosts on the wanadoo.fr network? (Typical ip addresses starting
>with 193.252, 193.253, 217.128 and others). Typical log entries look like:
>
>Dec 6 10:49:32 4C:avance300 ftpd[99600]: refused connect from 193.252.184.203
>Dec 7 22:53:34 4C:avance300 ftpd[114312]: refused connect from 193.252.203.57
>Dec 8 07:49:08 4C:avance300 ftpd[119693]: refused connect from 193.252.203.57
>Dec 10 08:33:43 4C:avance300 ftpd[116537]: refused connect from 217.128.216.143
>Dec 11 00:16:18 4C:avance300 ftpd[120440]: refused connect from 217.128.242.38
>Dec 12 11:27:51 4C:avance300 ftpd[122484]: refused connect from 193.253.62.11
>Dec 12 17:24:01 4C:avance300 ftpd[124923]: refused connect from 193.253.62.11
>
>It is usually the ftp daemon, but occasionally the telnet daemon, in what looks
>like an attempt to exploit a buffer overflow. This activity has been ongoing for
>about a year, and the (now closed) incoming directory of our anonymous ftp server
>was used to distribute material that was, shall we say, not appropriate.
I filed complaints with IU's IT security office about such probes
from wanadoo.fr, club-internet.fr, dip.t-dialin.net (Deutsche
Telekom Online Service, GmbH), and various European branches
of chello for well over a year. It has been so bad that I
have form e-mails and just inserted the latest log entries.
I got tired of it and put together some firewalls.
>Complaints to the network admin have met with nothing but the usual automated
>replies.
Very true. They seem simply not to care at all that their
networks have been subverted. Some of these probes have
even come from ISP's name servers which means that an ISP's
DNS structure may be totally subverted. It is a nasty problem,
but they seem not to see beyond today's payment to tomorrow's
collapse. As far as I am concerned, I regard the administration
of the domains I've listed as actively hostile to proper
network operations.
>I have had far more problems with this network than all of the
>others put together.
Yes, wanadoo.fr seems to be the worst offender with
dip.t-dialin.net (Deutsche Telekom Online Service, GmbH) a
close second. I installed a firewall and a network intrusion
detection system (NIDS), and totally blocked the whole lot
of them at my firewall.
>Are most users out there using an actual firewall (machine) to protect
>their networks? I have been relying on a tcp wrapper program, but I am
>beginning to think that this is not sufficient.
TCP wrapper certainly is not. I hope that you also
installed the version of portmap that comes along
with that, but even that doesn't do the whole job.
It is a good second line of defense for after the
barbarians penetrate the firewall.
>Any recommendations on firewalls?
I'm running OpenBSD 2.8 with IP Filter and IP NAT {Please
don't give me any lectures on how evil NAT is. For one
thing, I find it easier to get FTP services working when
I can use the transparent proxy properly which pretty
much forces NAT.} For my spectrometer LAN, I wrote a set
of rules that I call, "Don't call us; we'll call you."
because it rejects all incoming connections while allowing
outgoing connections only on those services I specifically
want to allow out {i.e., no outgoing mail, no outgoing
portmapped services at all, lp only to a short list of
approved printers, no outgoing X, no spoofing of addresses,
etc.}. For the molecular graphics system I had to be more
liberal. I wrote a set of rules that rejects all incoming
traffic from everywhere except for a short list of acceptable
IP addresses and then only for a short list of approved
services while allowing outgoing connections on selected
services as above.
I highly recommend IP Filter because it does provide true
stateful filtering. Apparently Packet Filter (pf) that
replaced IP Filter (ipf) with OpenBSD 3.0 does as well
and allows one to define rule sets with variables so that
one only need define the variables to configure the rule
set to a new set of IP's. However, my only experience is
with ipf on OpenBSD 2.8. I do find that the rule sets are
easy to write. I also find that it is convenient to have
an OS that runs on multiple different types of machines
because I can take almost any machine being disposed of
and make a firewall out of it, e.g., I'm actually running
each snort based NIDS on a Macintosh IIvx and each firewall
on a Macintosh IIci, because those were what departments
were throwing out when I started. Total costs for these
firewalls were $40 Canadian for the CD's. You do need
about 200M of disk for the OS install, swap, and log files
space.
--
Bruce D. Ray, Ph.D.
bray_at_iupui.edu
Operations Director
NMR Center
IUPUI
Physics Dept.
402 N. Blackford St.
Indianapolis, IN 46202-3273
Received on Fri Dec 14 2001 - 10:51:41 MST
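An added example, not code from anyone in this thread: a short Python script that parses the tcp-wrapper "refused connect" lines quoted above, counts refusals per source /16 and per daemon, and generates IP Filter `block in` rules for the networks that keep coming back. The sample log is constructed from the entries in the post (plus one telnetd line), and the interface name `ne0` and the threshold of 2 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the tcp-wrapper style refusals quoted in the thread,
# in the same "<host> <daemon>[<pid>]: refused connect from <ip>" format.
SAMPLE_LOG = """\
Dec 6 10:49:32 4C:avance300 ftpd[99600]: refused connect from 193.252.184.203
Dec 7 22:53:34 4C:avance300 ftpd[114312]: refused connect from 193.252.203.57
Dec 8 07:49:08 4C:avance300 ftpd[119693]: refused connect from 193.252.203.57
Dec 10 08:33:43 4C:avance300 ftpd[116537]: refused connect from 217.128.216.143
Dec 11 00:16:18 4C:avance300 ftpd[120440]: refused connect from 217.128.242.38
Dec 12 11:27:51 4C:avance300 ftpd[122484]: refused connect from 193.253.62.11
Dec 12 17:24:01 4C:avance300 ftpd[124923]: refused connect from 193.253.62.11
Dec 12 18:00:00 4C:avance300 telnetd[124950]: refused connect from 10.9.8.7
"""

# Matches the daemon name, pid and source address of a wrapper refusal line.
REFUSED_RE = re.compile(r"(\w+)\[\d+\]: refused connect from (\d+\.\d+\.\d+\.\d+)\s*$")

def parse_refusals(log_text):
    """Yield (daemon, source_ip) for every refused-connect line; other lines are skipped."""
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def summarise_by_net(log_text, prefix_octets=2):
    """Count refusals per source network (default /16, e.g. '193.252') and
    record which daemons each network probed."""
    counts = Counter()
    daemons = defaultdict(set)
    for daemon, ip in parse_refusals(log_text):
        net = ".".join(ip.split(".")[:prefix_octets])
        counts[net] += 1
        daemons[net].add(daemon)
    return counts, daemons

def ipf_block_rules(log_text, threshold=2, iface="ne0"):
    """Emit IP Filter 'block in' rules (interface name ne0 is a hypothetical
    example) for every /16 that produced at least `threshold` refusals.
    'quick' makes the rule final; 'log' keeps the hits visible to ipmon."""
    counts, _ = summarise_by_net(log_text)
    rules = []
    for net, n in sorted(counts.items()):
        if n >= threshold:
            rules.append(f"block in log quick on {iface} from {net}.0.0/16 to any")
    return rules
```

The generated rules belong near the top of ipf.conf, before the "reject all incoming, allow selected outgoing with keep state" policy described above, so that the repeat offenders are dropped and logged without ever reaching the wrapper.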