Avatar of ltpitt
ltpitt asked on

I'm sending through my Linux Proxy / Gateway port scans to public ips

I got an email with this content:

>MYSERVERIP was observed probing AGUYWEBSITE for security holes. It
>has been blocked at our border routers. It may be compromised.
>
>For more info contact THEGUY
>Please include the entire subject line of the original message
>
>     THEGUY
>
>(time zone of log is PST, which is UTC-08:00, date is MMDD)
>log entries are from Cisco netflow, time is flow start time
>date.time         srcIP          srcPort dstIP          dstPort proto
>#pkts
>0225.13:47:49.302 MYSERVERIP   3876 HISSERVERIP        445    6
>2
>0225.14:03:35.086 MYSERVERIP   2875 HISSERVERIP      445    6
>2

-SNIP-

My LAN connects to the internet using a Debian Firewall / Gateway / Proxy.

How can I track down where's the problem?
Linux Networking

Avatar of undefined
Last Comment
giltjr

8/22/2022 - Mon
giltjr

Well first of all is there any reason why you would want to allow traffic destine for TCP port 445 out of your network?  That is used for MS networking which typically you don't do over the Internet.

If there is no reason to, then I would just block it.

However, to find out what might be doing that, just run tcpdump on your linux box capturing anything that has a destination of TCP port 445.

Best bet is to allow it to run for awhile so

nohup tcpdump -i "insideinterface" -s 0 tcp port 445 -w filename.cap &

Where "insideinterface" is the NIC that is on the "inside" of your proxy.  Do not include the quotes.

Let it run for awhile then kill the pid, and use Wireshark to look at the file
ASKER
ltpitt

This is really what I needed!

Can you please suggest me how to block all ports but 80?

I will try the other suggestion but the 1st sounds the best idea.
giltjr

Are you really running a proxy on the Linux box, like Squid, or is it just a "router/gateway" that is doing NAT'ing.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
ltpitt

Both.

Clients use squid for internet but also need to get to other services (pop3, smtp, other stuff)
giltjr

O.K. going through squid will stop most other protocols/services.

For the other services you need to setup IP tables properly.   Can you post your iptables configuration?  If you have any public IP addresses directly on this Linux box make sure you hid them, just "x" out the first three octets.
ASKER
ltpitt

Here's my firewall script:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Blacklist
iptables -A OUTPUT -d 82.112.106.19/24 -j DROP
iptables -A OUTPUT -d 149.20.56.0/24 -j DROP
iptables -A OUTPUT -d 38.102.150.27/24 -j DROP

Open in new window

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
giltjr

What traffic MUST you allow through other than http/https?
giltjr

Oh and is there any traffic that you must allow TO the Linux box.

 Example:  You will need to allow ssh to the Linux box, but you may not need to allow ssh through it.
ASKER
ltpitt

Main problem is to allow users to use internet and email.

Of course problems will come and if you can be so kind to give an example about how to enable rules I'd be very thankful :)
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
giltjr

By Internet I am assuming you mean to access web servers, http and https, which should be handled by Squid.

For e-mail, I would need to know more details.  What e-mail clients do they use and what type of e-mail servers?  Do they need pop3, imap, smtp?  Do any of them need to be encrypted.
ASKER CERTIFIED SOLUTION
giltjr

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question