Solved

SYNFLOOD and ICMPFLOOD problem. Need a script please.

Posted on 2006-06-25
Last Modified: 2008-02-01
Hi, I am having problems with SYN flood and ICMP flood attacks on my web server on port 80. The ICMP attacks are coming from a program named SPRUT; it sends multiple HTTP connections and I cannot stop them. Can someone help me with that, please, with some automated script or so? I am running SUSE 9.3. Thanks in advance.
Question by:wooops
11 Comments
 
LVL 11

Expert Comment

by:kblack05
ID: 17018363
Analogous to SYN flood protection, insert this in your firewall script before you
allow connections to port 80:
 
# Set your number of max. connections here!
CONNECTION_LIMIT="100"

# Continue the command on the next line; --log-prefix is limited to 29
# characters and must be double-quoted for $CONNECTION_LIMIT to expand.
iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit $CONNECTION_LIMIT/h \
  -j LOG --log-prefix "SYN limit $CONNECTION_LIMIT/h: "

You can also edit the firewall to DROP these types of packets with

iptables -A INPUT -s <ip from which dos attack is coming> -j DROP

To find out which ipaddress the attack is coming from, you can use

netstat -apn | grep :80 | awk '{print $5}'| sort

and look for the highest ranked connection.

Let me know if this helps you...

~K Black

 
LVL 11

Expert Comment

by:kblack05
ID: 17018384
You can get several automated firewall packages. The firewall scripting does not depend so much on the Linux/Un*x distro as on the version of the iptables firewall binary itself.

One of the many good packages is gShield:

http://muse.linuxmafia.org/gshield/

They all have pretty comprehensive config files, and you should back up the default config before customizing it.

http://www.linuxguruz.com/iptables/

Regards,

~K Black
 

Author Comment

by:wooops
ID: 17022196
OK, is this max connections per user or global? My server is kinda busy, and if I allow only 100 connections globally that will be a huge problem. Is this protection against SYN floods or just against that program that sends mass HTTP requests?
Can you put SYN flood protection from botnets and UDP protection into the script, please?
Thanks in advance.
Best regards.
 
LVL 18

Expert Comment

by:decoleur
ID: 17030440
Try portsentry; it will blackhole specific IPs that are exhibiting questionable behavior. It is quite easy to configure and install.

some links for configuration:
http://www.falkotimme.com/howtos/chkrootkit_portsentry/
http://www.securityfocus.com/infocus/1580

source:
http://sourceforge.net/projects/sentrytools/
 

Expert Comment

by:vigannn
ID: 17067448
Try to limit the number of concurrent incoming TCP connections per client.
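Vigannn's suggestion (a ceiling on concurrent connections per client) and kblack05's SYN rule above can both be expressed with iptables match extensions; the `-m limit` match in kblack05's rule counts all clients together and only logs, which is the global-versus-per-user question wooops raised. The following is an added example, not code from any poster in the thread: it builds a rule set with connlimit for the per-client ceiling, hashlimit for a per-source SYN rate, and a rate limit on echo requests for the ICMP side. It assumes iptables with the connlimit, hashlimit and multiport matches, and its numbers are illustrative tunables, not measured values.

```shell
#!/bin/sh
# Added example, not code from the thread: per-client connection and SYN-rate
# limits for a public web server, plus an echo-request limit, rendered as
# iptables commands. Assumes iptables with the connlimit, hashlimit and
# multiport matches (connlimit needed patch-o-matic on 2006 kernels and is
# mainline since 2.6.23; older iptables spells --hashlimit-upto as
# --hashlimit). The numbers are starting points, not measured values.
set -eu

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
WEB_PORTS="${WEB_PORTS:-80,443}"
PER_CLIENT_CONNS="${PER_CLIENT_CONNS:-25}"   # concurrent connections per /32
SYN_RATE="${SYN_RATE:-20/sec}"              # new connections per source address
SYN_BURST="${SYN_BURST:-40}"
PING_RATE="${PING_RATE:-2/sec}"             # echo requests answered, all sources

# Accept only "<digits>/<unit>" with a unit iptables understands; anything
# else (a typo, or a value pulled from an untrusted config) is refused.
is_rate() {
    num=${1%%/*}
    unit=${1#*/}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    case "$unit" in sec|second|min|minute|hour|day) return 0 ;; *) return 1 ;; esac
}

# Print the rules rather than run them. Place them in the firewall script
# ahead of the rules that ACCEPT the web ports, so the limits see new
# connections first; the existing -j ACCEPT rules stay as they are.
emit_rules() {
    is_rate "$SYN_RATE" && is_rate "$PING_RATE" || {
        echo "bad rate: SYN_RATE=$SYN_RATE PING_RATE=$PING_RATE" >&2
        return 1
    }
    cat <<EOF
# Dedicated chain so the limits can be listed or flushed on their own
$IPTABLES -N WEB_LIMIT
# 1. A client already holding more than $PER_CLIENT_CONNS connections gets its
#    next SYN logged (rate-limited) and answered with a reset
$IPTABLES -A WEB_LIMIT -p tcp --syn -m connlimit --connlimit-above $PER_CLIENT_CONNS --connlimit-mask 32 -m limit --limit 6/min -j LOG --log-prefix "web connlimit: "
$IPTABLES -A WEB_LIMIT -p tcp --syn -m connlimit --connlimit-above $PER_CLIENT_CONNS --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# 2. SYN rate per source address: a plain -m limit counts every client
#    together, hashlimit keeps one bucket per srcip
$IPTABLES -A WEB_LIMIT -p tcp --syn -m hashlimit --hashlimit-name web_syn --hashlimit-mode srcip --hashlimit-upto $SYN_RATE --hashlimit-burst $SYN_BURST -j RETURN
$IPTABLES -A WEB_LIMIT -p tcp --syn -m limit --limit 6/min -j LOG --log-prefix "web synlimit: "
$IPTABLES -A WEB_LIMIT -p tcp --syn -j DROP
# Only new connections (SYN) to the web ports go through the chain
$IPTABLES -A INPUT -p tcp -m multiport --dports $WEB_PORTS --syn -j WEB_LIMIT
# 3. Answer echo requests at a trickle and drop the remainder of a ping flood
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit $PING_RATE --limit-burst 10 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
}

case "${1:-show}" in
    show)  emit_rules ;;                    # review the rules first
    apply) rules=$(emit_rules) || exit 1    # then run them as root
           printf '%s\n' "$rules" | sh -e ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated rules, then with `apply` as root once the tunables match the server's real traffic.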

Author Comment

by:wooops
ID: 17117374
Hi, and sorry all, I've been in Spain for the summer holidays. Thanks for the answers.
My server still has problems. I installed portsentry, but nothing seems to stop that program named "SPRUT".
vigannn, if you know how to set my server to limit the number of concurrent incoming TCP connections per client, I'll be more than thankful. I really don't know how to stop a simple Windows program. If it were zombies, a lot of them, OK, no one can stop them, but I am angry because this is just one Windows program, and if someone has a good upload almost every server will go down. So please, I am desperate to get rid of this one.
Thank you all in advance.
 
LVL 11

Expert Comment

by:kblack05
ID: 17359296
Can you post the output of

lsof -i -P

Did you try the suggestions I gave in the previous posts?
 

Author Comment

by:wooops
ID: 17460370
Hi,
Sorry kblack05, I wasn't here either.

Results from lsof -i -P:

sc_serv   11962     root   43u  IPv4  3114823       TCP media.venet-networks.com:8000->84-74-40-76.dclient.hispeed.ch:1057 (CLOSE_WAIT)
sc_serv   12133     root    4u  IPv4   222533       TCP *:7061 (LISTEN)
sc_serv   12133     root    5u  IPv4   222534       TCP *:7060 (LISTEN)
qmail-rem 12371   qmailr    3u  IPv4 13730520       TCP media.venet-networks.com:51125->mta-v4.level3.mail.vip.re4.yahoo.com:25 (ESTABLISHED)
httpd2-pr 12380   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 12380   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 12380   wwwrun  291u  IPv6 13945465       TCP media.srv2.venet-networks.com:80->144.138.102.149:1566 (ESTABLISHED)
httpd2-pr 12748   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 12748   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 12748   wwwrun  291u  IPv6 13754446       TCP media.srv2.venet-networks.com:80->0-3pool240-216.nas6.duluth1.mn.us.da.qwest.net:62195 (ESTABLISHED)
httpd2-pr 12832   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 12832   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 12832   wwwrun  291u  IPv6 13776067       TCP media.srv2.venet-networks.com:80->cpe-069-132-034-006.carolina.res.rr.com:2689 (ESTABLISHED)
httpd2-pr 12844   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 12844   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 12844   wwwrun  291u  IPv6 13925616       TCP media.srv2.venet-networks.com:80->dialup-4.225.2.211.Dial1.Cincinnati1.Level3.net:4041 (ESTABLISHED)
httpd2-pr 12859   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 12859   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 12859   wwwrun  291u  IPv6 13968622       TCP media.srv2.venet-networks.com:80->c-a23ae055.138-1-64736c10.cust.bredbandsbolaget.se:2269 (ESTABLISHED)
httpd2-pr 12868   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 12868   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 12868   wwwrun  291u  IPv6 13962780       TCP media.venet-networks.com:80->dsl-201-98-60-64.prod-infinitum.com.mx:61482 (ESTABLISHED)
httpd2-pr 13252   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13252   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13361   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13361   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13361   wwwrun  291u  IPv6 13841199       TCP media.srv2.venet-networks.com:80->adsl-152-22-87.dab.bellsouth.net:4343 (ESTABLISHED)
httpd2-pr 13468   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13468   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13468   wwwrun  291u  IPv6 13866175       TCP media.srv2.venet-networks.com:80->CPE0015e9d492c9-CM001404e0b858.cpe.net.cable.rogers.com:60684 (ESTABLISHED)
httpd2-pr 13605   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13605   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13634   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13634   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13634   wwwrun  291u  IPv6 13919137       TCP media.venet-networks.com:80->62.162.208.234:3210 (ESTABLISHED)
httpd2-pr 13643   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13643   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13643   wwwrun  291u  IPv6 13864864       TCP media.venet-networks.com:80->62.162.208.234:3184 (ESTABLISHED)
httpd2-pr 13916   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13916   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13916   wwwrun  291u  IPv6 13875466       TCP media.srv2.venet-networks.com:80->ncfre42.asia.info.net:40872 (ESTABLISHED)
httpd2-pr 13923   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 13923   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 13923   wwwrun  291u  IPv6 13818390       TCP media.srv2.venet-networks.com:80->62.162.224.189:1383 (ESTABLISHED)
httpd2-pr 14114   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14114   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14114   wwwrun  291u  IPv6 13928903       TCP media.srv2.venet-networks.com:80->server109.labinaservers.com:1697 (ESTABLISHED)
httpd2-pr 14139   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14139   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14139   wwwrun  291u  IPv6 13888901       TCP media.venet-networks.com:80->62.162.208.234:3190 (ESTABLISHED)
httpd2-pr 14358   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14358   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14358   wwwrun  291u  IPv6 13854403       TCP media.srv2.venet-networks.com:80->200.162.72.8:63666 (ESTABLISHED)
httpd2-pr 14370   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14370   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14370   wwwrun  291u  IPv6 13953733       TCP media.srv2.venet-networks.com:80->adsl-152-22-87.dab.bellsouth.net:4381 (ESTABLISHED)
httpd2-pr 14374   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14374   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14911   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14911   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14911   wwwrun  291u  IPv6 13902261       TCP media.venet-networks.com:80->62.162.208.234:3202 (ESTABLISHED)
httpd2-pr 14933   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14933   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14933   wwwrun  291u  IPv6 13935990       TCP media.venet-networks.com:80->62.162.208.234:3220 (ESTABLISHED)
httpd2-pr 14934   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14934   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14934   wwwrun  291u  IPv6 13917829       TCP media.venet-networks.com:80->62.162.208.234:3208 (ESTABLISHED)
httpd2-pr 14936   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14936   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14936   wwwrun  291u  IPv6 13967762       TCP media.venet-networks.com:80->c-21eae055.754-1-64736c20.cust.bredbandsbolaget.se:3848 (ESTABLISHED)
httpd2-pr 14938   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14938   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14938   wwwrun  291u  IPv6 13891183       TCP media.srv2.venet-networks.com:80->dialup-4.225.2.211.Dial1.Cincinnati1.Level3.net:4031 (ESTABLISHED)
httpd2-pr 14939   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14939   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14939   wwwrun  291u  IPv6 13930398       TCP media.venet-networks.com:80->62.162.208.234:3214 (ESTABLISHED)
httpd2-pr 14945   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14945   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14945   wwwrun  291u  IPv6 13935041       TCP media.venet-networks.com:80->62.162.208.234:3218 (ESTABLISHED)
httpd2-pr 14952   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14952   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14952   wwwrun  291u  IPv6 13887366       TCP media.srv2.venet-networks.com:80->ncfre42.asia.info.net:41049 (ESTABLISHED)
httpd2-pr 14960   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 14960   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 14960   wwwrun  291u  IPv6 13937376       TCP media.srv2.venet-networks.com:80->pool-68-162-9-20.nwrk.east.verizon.net:50535 (ESTABLISHED)
httpd2-pr 15043     root    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15043     root    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15200   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15200   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15200   wwwrun  291u  IPv6 13887391       TCP media.srv2.venet-networks.com:80->cpe-74-72-46-187.nyc.res.rr.com:2487 (ESTABLISHED)
httpd2-pr 15201   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15201   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15201   wwwrun  291u  IPv6 13898062       TCP media.venet-networks.com:80->62.162.208.234:3194 (ESTABLISHED)
httpd2-pr 15363   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15363   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15370   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15370   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15445   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15445   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15538   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15538   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15538   wwwrun  291u  IPv6 13917964       TCP media.srv2.venet-networks.com:80->adsl-19-42-251.asm.bellsouth.net:50835 (ESTABLISHED)
httpd2-pr 15560   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15560   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15560   wwwrun  291u  IPv6 13963925       TCP media.venet-networks.com:80->dsl-201-98-60-64.prod-infinitum.com.mx:61492 (ESTABLISHED)
httpd2-pr 15722   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15722   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15788   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15788   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15788   wwwrun  291u  IPv6 13924555       TCP media.srv2.venet-networks.com:80->adsl196-23-57-217-196.adsl196-10.iam.net.ma:61296 (ESTABLISHED)
httpd2-pr 15789   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15789   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15789   wwwrun  291u  IPv6 13920267       TCP media.srv2.venet-networks.com:80->server109.labinaservers.com:1685 (ESTABLISHED)
httpd2-pr 15794   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15794   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15794   wwwrun  291u  IPv6 13966946       TCP media.srv2.venet-networks.com:80->static.host94030.sulanet.net:21416 (ESTABLISHED)
httpd2-pr 15795   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15795   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15795   wwwrun  291u  IPv6 13963569       TCP media.srv2.venet-networks.com:80->202.137.118.26:2327 (ESTABLISHED)
httpd2-pr 15798   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15798   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15798   wwwrun  291u  IPv6 13922122       TCP media.srv2.venet-networks.com:80->nc66-138-3-66.netcommander.com:3365 (ESTABLISHED)
httpd2-pr 15799   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15799   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 15799   wwwrun  291u  IPv6 13965983       TCP media.srv2.venet-networks.com:80->pool-71-105-33-42.lsanca.dsl-w.verizon.net:2332 (ESTABLISHED)
httpd2-pr 15800   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 15800   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16014   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16014   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16014   wwwrun  291u  IPv6 13951812       TCP media.srv2.venet-networks.com:80->86.41.213.115:62771 (ESTABLISHED)
httpd2-pr 16016   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16016   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16016   wwwrun  291u  IPv6 13943842       TCP media.venet-networks.com:80->195.222.35.246:1764 (ESTABLISHED)
httpd2-pr 16017   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16017   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16017   wwwrun  291u  IPv6 13968117       TCP media.srv2.venet-networks.com:80->252-26.125-70.tampabay.res.rr.com:4818 (ESTABLISHED)
httpd2-pr 16023   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16023   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16023   wwwrun  291u  IPv6 13934594       TCP media.venet-networks.com:80->62.162.208.234:3216 (ESTABLISHED)
httpd2-pr 16028   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16028   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16042   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16042   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16054   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16054   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16059   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16059   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16061   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16061   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16061   wwwrun  291u  IPv6 13946860       TCP media.srv2.venet-networks.com:80->server109.labinaservers.com:1741 (ESTABLISHED)
httpd2-pr 16112   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16112   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16112   wwwrun  291u  IPv6 13968130       TCP media.srv2.venet-networks.com:80->202.56.131.130:2949 (ESTABLISHED)
httpd2-pr 16122   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16122   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16122   wwwrun  291u  IPv6 13936355       TCP media.venet-networks.com:80->62.162.208.234:3222 (ESTABLISHED)
httpd2-pr 16308   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16308   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16308   wwwrun  291u  IPv6 13959835       TCP media.srv2.venet-networks.com:80->pat3.rider.edu:12385 (ESTABLISHED)
httpd2-pr 16312   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16312   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16312   wwwrun  291u  IPv6 13952699       TCP media.srv2.venet-networks.com:80->crawl-66-249-65-133.googlebot.com:52174 (ESTABLISHED)
httpd2-pr 16358   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16358   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16358   wwwrun  291u  IPv6 13967729       TCP media.srv2.venet-networks.com:80->adsl-68-79-203-49.dsl.emhril.ameritech.net:1338 (ESTABLISHED)
httpd2-pr 16365   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16365   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16365   wwwrun  291u  IPv6 13967813       TCP media.srv2.venet-networks.com:80->relay1.froeling.com:4779 (ESTABLISHED)
httpd2-pr 16377   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16377   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16377   wwwrun  291u  IPv6 13965223       TCP media.srv2.venet-networks.com:80->10001269119.0000030759.acesso.oni.pt:2862 (ESTABLISHED)
httpd2-pr 16385   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16385   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16385   wwwrun  291u  IPv6 13951150       TCP media.srv2.venet-networks.com:80->64-13-124-178.anc.clearwire-dns.net:4776 (ESTABLISHED)
httpd2-pr 16517   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16517   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16517   wwwrun  291u  IPv6 13964332       TCP media.srv2.venet-networks.com:80->static.host94030.sulanet.net:21228 (ESTABLISHED)
httpd2-pr 16521   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 16521   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 16521   wwwrun  291u  IPv6 13962503       TCP media.venet-networks.com:80->dsl-201-98-60-64.prod-infinitum.com.mx:61481 (ESTABLISHED)
sshd      16559     root    3u  IPv6 13961531       TCP media.venet-networks.com:22->server109.labinaservers.com:1781 (ESTABLISHED)
httpd2-pr 20281     root    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 20281     root    4u  IPv6  6703606       TCP *:443 (LISTEN)
drwebd    30071    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30072    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30073    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30074    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30075    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30076    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30077    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30078    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30079    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30080    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30081    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30082    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30084    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30085    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30086    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
drwebd    30087    drweb    4u  IPv4    13562       TCP localhost:3000 (LISTEN)
httpd2-pr 32201   wwwrun    3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 32201   wwwrun    4u  IPv6  6703606       TCP *:443 (LISTEN)
httpd2-pr 32201   wwwrun  291u  IPv6 13968189       TCP media.srv2.venet-networks.com:80->adsl-33-114-84.shv.bellsouth.net:50663 (ESTABLISHED)

And NO, I did not install gShield. To tell you the truth, I'm not sure how to do it, because the README file says DO NOT TRY TO INSTALL REMOTELY.
And I have no physical access.
The problems are getting bigger and bigger; I don't know what to do anymore.
Now I run SUSE 10.0, and if 500 users are online on my server, you can barely open a site.
I don't know where the problem lies, but if someone can help me I'll be more than thankful.
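kblack05's advice to sort the remote addresses and "look for the highest ranked connection" can be automated against a listing like the `lsof -i -P` output wooops posted. This is an added example, not code from anyone in the thread; it assumes the lsof column layout shown above (NAME column `local:port->peer:port`, state in parentheses as the last field) and runs on constructed sample data using documentation addresses, not the hosts in the listing.

```shell
#!/bin/sh
# Added example (not from the thread): rank remote peers by the number of
# established connections to a local port, reading `lsof -i -P` output.
# Assumes the lsof layout shown in the thread: the NAME column reads
# "local:port->peer:port" and the last field is the state in parentheses.

# Usage: peer_counts PORT < lsof-output
# Prints "<count> <peer>" lines, highest count first. Listening sockets,
# other local ports and non-ESTABLISHED states are ignored.
peer_counts() {
    awk -v port="$1" '
        $NF == "(ESTABLISHED)" && index($(NF-1), ":" port "->") {
            peer = $(NF-1)
            sub(/^.*->/, "", peer)        # keep the remote side only
            sub(/:[0-9]+$/, "", peer)     # strip the remote port
            n[peer]++
        }
        END { for (p in n) printf "%d %s\n", n[p], p }
    ' | sort -rn
}

# Usage: flag_peers PORT THRESHOLD < lsof-output
# Prints only the peers holding at least THRESHOLD connections, so the
# output is empty on a healthy server and can be fed to a cron job.
flag_peers() {
    peer_counts "$1" | awk -v t="$2" '$1 >= t { print }'
}

# Constructed sample listing in lsof -i -P format (documentation addresses,
# not hosts from the thread). One peer holds five connections to :80, one
# holds two, one holds one; the :8000 and :22 lines must not be counted.
SAMPLE_LSOF='COMMAND     PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
httpd2-pr 12380 wwwrun   3u  IPv6  6703605       TCP *:80 (LISTEN)
httpd2-pr 12380 wwwrun 291u  IPv6 13945465       TCP www.example.net:80->198.51.100.7:1566 (ESTABLISHED)
httpd2-pr 12748 wwwrun 291u  IPv6 13754446       TCP www.example.net:80->198.51.100.7:1570 (ESTABLISHED)
httpd2-pr 12832 wwwrun 291u  IPv6 13776067       TCP www.example.net:80->198.51.100.7:1571 (ESTABLISHED)
httpd2-pr 12844 wwwrun 291u  IPv6 13925616       TCP www.example.net:80->198.51.100.7:1575 (ESTABLISHED)
httpd2-pr 12859 wwwrun 291u  IPv6 13968622       TCP www.example.net:80->198.51.100.7:1580 (ESTABLISHED)
httpd2-pr 12868 wwwrun 291u  IPv6 13962780       TCP www.example.net:80->203.0.113.44:61482 (ESTABLISHED)
httpd2-pr 13361 wwwrun 291u  IPv6 13841199       TCP www.example.net:80->203.0.113.44:61490 (ESTABLISHED)
httpd2-pr 13468 wwwrun 291u  IPv6 13866175       TCP www.example.net:80->192.0.2.9:4343 (ESTABLISHED)
sc_serv   11962   root  43u  IPv4  3114823       TCP www.example.net:8000->192.0.2.9:1057 (CLOSE_WAIT)
sshd      16559   root   3u  IPv6 13961531       TCP www.example.net:22->192.0.2.10:1781 (ESTABLISHED)'

# Stand-alone run: full ranking, then only the peers at or above 4 connections.
printf '%s\n' "$SAMPLE_LSOF" | peer_counts 80
printf '%s\n' "$SAMPLE_LSOF" | flag_peers 80 4
```

On the live server, `lsof -i -P | flag_peers 80 20` gives the same view over real connections; the threshold should sit well above what a busy legitimate client opens.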
 
LVL 11

Accepted Solution

by: kblack05 (earned 500 total points)
ID: 17463511
It certainly looks like you've got your hands full...

While you _could_ use something like the "wondershaper" ( http://lartc.org/wondershaper/wondershaper-1.1a.tar.gz , http://lartc.org/wondershaper/ ), it's probably better that you install a complete iptables script, modified to do what you want, such as jlevie's basic firewall:

[Note: If you are doing this remotely, it is probably a good idea to create a simple script that flushes iptables in case of an accidental lockout. After you save this script and 'chmod 755 scriptname', you should crontab it to run every 10 or 15 minutes. That way, if you lock yourself out of the server while fooling with the firewall, in a few minutes it will be active again. Once you are sure you can deal with the firewall remotely and that it's working, you can stop the cronjob]:
(I save this as /etc/iptables.off)

#!/bin/sh
#
# rc.flush-iptables - Resets iptables to default values.
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/usr/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

#
# flush all the rules in the filter and nat tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase all chains that's not default in filter and nat table.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

Now here's the firewall taken from jlevie here at EE:
(copy to /etc/iptables.sh and 'chmod 755 /etc/iptables.sh ; sh /etc/iptables.sh')
---------------REMEMBER TO SET THE IP IN THE SCRIPT BELOW TO YOUR IP--------
#!/bin/sh
#
# This is a simple, reasonably complete, local host based firewall suitable for
# protecting a host that might be exposed to malicious activity.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-host') to change the rulesets, rather than modifying
# the running rules. That way I have a readable record of the firewall
# configuration.
#
# Author: Jim Levie (jim@entrophy-free.net)
#
# Set an absolute path to IPTABLES and define my IP.
#
IPTABLES="/sbin/iptables"
IP1=10.0.0.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things will break.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024-65534/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# If there are trusted nodes you can allow them access to everything with
# something like:
#
#$IPTABLES -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT
#$IPTABLES -A INPUT -s 10.0.0.2 -d $IP1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPTABLES -A INPUT -j firewalled

After you 'sh /etc/iptables.sh' you should use 'iptables -L' (patience) and see that the firewall is up...

Note you should probably also use "nmap" ( http://insecure.org/nmap/ ) to check what ports are being exported, such as: (example)

 nmap localhost

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-09-06 14:31 UTC
Interesting ports on localhost (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
37/tcp    open  time
80/tcp    open  http
113/tcp   open  auth
587/tcp   open  submission
953/tcp   open  rndc
10000/tcp open  snet-sensor-mgmt

Nmap finished: 1 IP address (1 host up) scanned in 0.384 seconds

From there I can see what ports are running, and turn services down if they look like trouble. You can always check what these numeric ports equate to at: http://www.grc.com/port_0.htm (just input the port number and click Jump)

You should also probably consider running chkrootkit on this box, it's looking pretty busy:

http://www.chkrootkit.org/

Regards,

~K Black
 

Author Comment

by:wooops
ID: 17616119
Hello kblack05
This didn't help either, but thanks for your time. I'll probably buy a router, and that is expensive.
Kind regards,
Alen
 
LVL 11

Expert Comment

by:kblack05
ID: 17619410
You could use the Linux box AS the router and firewall both at once, quite easy to do actually. Have a look at gShield. It has a straightforward config file, and once you understand the values it can be set up to do routing, NAT/PAT, and firewall security in a matter of minutes...

http://www.tucows.com/preview/48519
