Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

I'm sending through my Linux Proxy / Gateway port scans to public ips

Posted on 2014-02-28
11
Medium Priority
?
345 Views
Last Modified: 2014-03-18
I got an email with this content:

>MYSERVERIP was observed probing AGUYWEBSITE for security holes. It
>has been blocked at our border routers. It may be compromised.
>
>For more info contact THEGUY
>Please include the entire subject line of the original message
>
>     THEGUY
>
>(time zone of log is PST, which is UTC-08:00, date is MMDD)
>log entries are from Cisco netflow, time is flow start time
>date.time         srcIP          srcPort dstIP          dstPort proto
>#pkts
>0225.13:47:49.302 MYSERVERIP   3876 HISSERVERIP        445    6
>2
>0225.14:03:35.086 MYSERVERIP   2875 HISSERVERIP      445    6
>2

-SNIP-

My LAN connects to the internet using a Debian Firewall / Gateway / Proxy.

How can I track down where's the problem?
0
Comment
Question by:ltpitt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39896578
Well first of all is there any reason why you would want to allow traffic destine for TCP port 445 out of your network?  That is used for MS networking which typically you don't do over the Internet.

If there is no reason to, then I would just block it.

However, to find out what might be doing that, just run tcpdump on your linux box capturing anything that has a destination of TCP port 445.

Best bet is to allow it to run for awhile so

nohup tcpdump -i "insideinterface" -s 0 tcp port 445 -w filename.cap &

Where "insideinterface" is the NIC that is on the "inside" of your proxy.  Do not include the quotes.

Let it run for awhile then kill the pid, and use Wireshark to look at the file
0
 
LVL 1

Author Comment

by:ltpitt
ID: 39896846
This is really what I needed!

Can you please suggest me how to block all ports but 80?

I will try the other suggestion but the 1st sounds the best idea.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39897203
Are you really running a proxy on the Linux box, like Squid, or is it just a "router/gateway" that is doing NAT'ing.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
LVL 1

Author Comment

by:ltpitt
ID: 39897239
Both.

Clients use squid for internet but also need to get to other services (pop3, smtp, other stuff)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39897257
O.K. going through squid will stop most other protocols/services.

For the other services you need to setup IP tables properly.   Can you post your iptables configuration?  If you have any public IP addresses directly on this Linux box make sure you hid them, just "x" out the first three octets.
0
 
LVL 1

Author Comment

by:ltpitt
ID: 39899235
Here's my firewall script:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Blacklist
iptables -A OUTPUT -d 82.112.106.19/24 -j DROP
iptables -A OUTPUT -d 149.20.56.0/24 -j DROP
iptables -A OUTPUT -d 38.102.150.27/24 -j DROP

Open in new window

0
 
LVL 57

Expert Comment

by:giltjr
ID: 39907242
What traffic MUST you allow through other than http/https?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39907279
Oh and is there any traffic that you must allow TO the Linux box.

 Example:  You will need to allow ssh to the Linux box, but you may not need to allow ssh through it.
0
 
LVL 1

Author Comment

by:ltpitt
ID: 39916304
Main problem is to allow users to use internet and email.

Of course problems will come and if you can be so kind to give an example about how to enable rules I'd be very thankful :)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39916322
By Internet I am assuming you mean to access web servers, http and https, which should be handled by Squid.

For e-mail, I would need to know more details.  What e-mail clients do they use and what type of e-mail servers?  Do they need pop3, imap, smtp?  Do any of them need to be encrypted.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 39916369
I revised this comment.

One thing you should be able to do is, change:# Allow outgoing connections from the LAN side.

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

To the following:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m multiport  -dport x,y,z  -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j DROP


Where "x", "y", and "z" are destnation ports you want to allo.  Say you want to allow POP3, IMAP and SMTP, then you would have "-dport 25,110,143".

iptables -A FORWARD -i eth0 -o eth1 -p tcp -m multiport  -dport x,y,z  -j ACCEPT

This will allow new connections going to ports 25 (SMTP), 110 (POP3), or 143 (IMAP) out.

If you need to allow DNS resolution out add

iptables -A FORWARD -i eth0 -o eth1 -p udp  -dport 53  -j ACCEPT

Before the DROP rule.

The second rule will allow any established connections out.
The last will drop anything that is not one of the 3 ports or established.

This was done just off the top of my head, so please test.
0

Featured Post

Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question