[plug] detecting internet attacks on a Fedora box

William Kenworthy billk at iinet.net.au
Tue Nov 21 22:03:31 WST 2006


You can expect probes every few minutes - the majority are targeted at
doze machines but many are unix for known vulnerabilities.

Run a firewall, turn off all services that you are not using and make
sure all updates are in place.  This is a minimum for an exposed
internet facing box.  You may have some protection from a builtin
firewall on most newer ADSL modems - if it's been enabled (yes came
across a place where this had been done so #1 son could allow his mate
across the rd to connect direct to his machine on the home LAN (3
machines)!)

It's a jungle out there ... 

I'm not a redhat user, but isn't fedora 4 getting a bit old?

BillK


On Tue, 2006-11-21 at 20:30 +0800, dbuddrige at wasp.net.au wrote:
> Hi all,
> 
> I've been on broadband for a couple of months, with my stock 
> fedora-core-4 machine.  At first I used to turn off the machine after 
> each night, but of late, I've just left it running.
> 
> Is there any way to detect whether there are any internet attacks going 
> on against my machine?  How would I even know that someone had 
> attempted to compromise my machine?  I've not really much of a clue on 
> this particular subject.
> 
> I ran Ethereal overnight on my ppp0 connection, with my email client 
> exited, and my web-browser exited [I'm using a CDMA modem which uses 
> the mobile-phone network to connect], and it did log some internet 
> traffic, a sample is given below [the full dump is about 41,000 lines 
> long], but I don't know whether it is innocent or not.
> 
> Can anyone shed any light on this, or can suggest a tool that will tell 
> me easily whether someone is attempting to attack my machine, or has 
> even compromised it?
> 
> thanks
> 
> David.
> 
> 
> No.     Time        Source                Destination           Protocol Info
>       1 0.000000    CPE-60-230-38-88.vic.bigpond.net.au 
> CPE-60-230-2-86.vic.bigpond.net.au TCP      3678 > microsoft-ds [SYN] 
> Seq=0 Ack=0 Win=53760 Len=0 MSS=1320 WS=3 TSV=0 TSER=0
> 
> Frame 1 (80 bytes on wire, 80 bytes captured)
>     Arrival Time: Nov 20, 2006 23:18:33.371696000
>     Time delta from previous packet: 0.000000000 seconds
>     Time since reference or first frame: 0.000000000 seconds
>     Frame Number: 1
>     Packet Length: 80 bytes
>     Capture Length: 80 bytes
>     Protocols in frame: sll:ip:tcp
> Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
> Internet Protocol, Src Addr: CPE-60-230-38-88.vic.bigpond.net.au 
> (60.230.38.88), Dst Addr: CPE-60-230-2-86.vic.bigpond.net.au 
> (60.230.2.86)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 64
>     Identification: 0xc524 (50468)
>     Flags: 0x04 (Don't Fragment)
>         0... = Reserved bit: Not set
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 45
>     Protocol: TCP (0x06)
>     Header checksum: 0xe619 (correct)
>     Source: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
>     Destination: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
> Transmission Control Protocol, Src Port: 3678 (3678), Dst Port: 
> microsoft-ds (445), Seq: 0, Ack: 0, Len: 0
>     Source port: 3678 (3678)
>     Destination port: microsoft-ds (445)
>     Sequence number: 0    (relative sequence number)
>     Header length: 44 bytes
>     Flags: 0x0002 (SYN)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...0 .... = Acknowledgment: Not set
>         .... 0... = Push: Not set
>         .... .0.. = Reset: Not set
>         .... ..1. = Syn: Set
>         .... ...0 = Fin: Not set
>     Window size: 53760
>     Checksum: 0x754c (correct)
>     Options: (24 bytes)
>         Maximum segment size: 1320 bytes
>         NOP
>         Window scale: 3 (multiply by 8)
>         NOP
>         NOP
>         Time stamp: tsval 0, tsecr 0
>         NOP
>         NOP
>         SACK permitted
> 
> No.     Time        Source                Destination           Protocol Info
>       2 0.000301    CPE-60-230-2-86.vic.bigpond.net.au 
> CPE-60-230-38-88.vic.bigpond.net.au ICMP     Destination unreachable 
> (Host administratively prohibited)
> 
> Frame 2 (108 bytes on wire, 108 bytes captured)
>     Arrival Time: Nov 20, 2006 23:18:33.371997000
>     Time delta from previous packet: 0.000301000 seconds
>     Time since reference or first frame: 0.000301000 seconds
>     Frame Number: 2
>     Packet Length: 108 bytes
>     Capture Length: 108 bytes
>     Protocols in frame: sll:ip:icmp:ip:tcp
> Linux cooked capture
>     Packet type: Sent by us (4)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
> Internet Protocol, Src Addr: CPE-60-230-2-86.vic.bigpond.net.au 
> (60.230.2.86), Dst Addr: CPE-60-230-38-88.vic.bigpond.net.au 
> (60.230.38.88)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; 
> ECN: 0x00)
>         1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 92
>     Identification: 0x1748 (5960)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 64
>     Protocol: ICMP (0x01)
>     Header checksum: 0xc01f (correct)
>     Source: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
>     Destination: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
> Internet Control Message Protocol
>     Type: 3 (Destination unreachable)
>     Code: 10 (Host administratively prohibited)
>     Checksum: 0x9fa2 (correct)
>     Internet Protocol, Src Addr: CPE-60-230-38-88.vic.bigpond.net.au 
> (60.230.38.88), Dst Addr: CPE-60-230-2-86.vic.bigpond.net.au 
> (60.230.2.86)
>         Version: 4
>         Header length: 20 bytes
>         Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>             0000 00.. = Differentiated Services Codepoint: Default (0x00)
>             .... ..0. = ECN-Capable Transport (ECT): 0
>             .... ...0 = ECN-CE: 0
>         Total Length: 64
>         Identification: 0xc524 (50468)
>         Flags: 0x04 (Don't Fragment)
>             0... = Reserved bit: Not set
>             .1.. = Don't fragment: Set
>             ..0. = More fragments: Not set
>         Fragment offset: 0
>         Time to live: 45
>         Protocol: TCP (0x06)
>         Header checksum: 0xe619 (correct)
>         Source: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
>         Destination: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
>     Transmission Control Protocol, Src Port: 3678 (3678), Dst Port: 
> microsoft-ds (445), Seq: 3459739248, Ack: 0
>         Source port: 3678 (3678)
>         Destination port: microsoft-ds (445)
>         Sequence number: 3459739248    (relative sequence number)
>         Header length: 44 bytes
>         Flags: 0x0002 (SYN)
>             0... .... = Congestion Window Reduced (CWR): Not set
>             .0.. .... = ECN-Echo: Not set
>             ..0. .... = Urgent: Not set
>             ...0 .... = Acknowledgment: Not set
>             .... 0... = Push: Not set
>             .... .0.. = Reset: Not set
>             .... ..1. = Syn: Set
>             .... ...0 = Fin: Not set
>         Window size: 53760
>         Checksum: 0x754c (correct)
>         Options: (24 bytes)
>             Maximum segment size: 1320 bytes
>             NOP
>             Window scale: 3 (multiply by 8)
>             NOP
>             NOP
>             Time stamp: tsval 0, tsecr 0
>             NOP
>             NOP
>             SACK permitted
> 
> 
> 
> 
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
-- 
William Kenworthy <billk at iinet.net.au>
Home!
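The capture in David's post already answers part of his question if you know how to read it: frame 1 is an inbound SYN to port 445 (microsoft-ds, the usual Windows worm probe) and frame 2 is the local box replying "host administratively prohibited", which is the firewall rejecting it. The script below is an added example (not part of the thread and not a PLUG member's code) that does that reading automatically over the one-line summary Ethereal/Wireshark prints: it parses the "No. Time Source Destination Protocol Info" rows, pairs every inbound SYN with the local host's reply, and reports which probes were rejected by the firewall and which got a SYN/ACK, i.e. which listening services are actually reachable from the internet and should be reviewed against BillK's "turn off all services you are not using". The sample summary is constructed to mimic the two frames in the post plus a few invented probes (192.0.2.x and 198.51.100.x are documentation addresses); the summary row format and the local hostname are assumptions.

```python
"""Triage an Ethereal/Wireshark one-line packet summary for inbound probes.

Added example, not from the original thread. Assumes the summary row format
"No. Time Source Destination Protocol Info" with whitespace-separated fields
and that the local host's address or hostname is known (LOCAL_HOST below).
"""
import re
from collections import Counter, defaultdict

LOCAL_HOST = "CPE-60-230-2-86.vic.bigpond.net.au"  # assumed local hostname

# Constructed sample: the 445/tcp SYN and ICMP reject from the post, then an
# invented host that finds ssh listening and gets 445 rejected, and one
# outbound connection from the local box (which must not be flagged).
SAMPLE_SUMMARY = """\
No.     Time        Source                Destination           Protocol Info
      1 0.000000    CPE-60-230-38-88.vic.bigpond.net.au CPE-60-230-2-86.vic.bigpond.net.au TCP      3678 > microsoft-ds [SYN] Seq=0 Ack=0 Win=53760 Len=0 MSS=1320
      2 0.000301    CPE-60-230-2-86.vic.bigpond.net.au CPE-60-230-38-88.vic.bigpond.net.au ICMP     Destination unreachable (Host administratively prohibited)
      3 12.410000   192.0.2.77 CPE-60-230-2-86.vic.bigpond.net.au TCP      4011 > ssh [SYN] Seq=0 Win=65535 Len=0
      4 12.420000   CPE-60-230-2-86.vic.bigpond.net.au 192.0.2.77 TCP      ssh > 4011 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0
      5 30.100000   192.0.2.77 CPE-60-230-2-86.vic.bigpond.net.au TCP      4012 > microsoft-ds [SYN] Seq=0 Win=65535 Len=0
      6 30.110000   CPE-60-230-2-86.vic.bigpond.net.au 192.0.2.77 ICMP     Destination unreachable (Host administratively prohibited)
      7 45.000000   CPE-60-230-2-86.vic.bigpond.net.au 198.51.100.10 TCP      49152 > http [SYN] Seq=0 Win=5840 Len=0
"""

# Frame number, time, source, destination, protocol, then free-form info.
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# "srcport > dstport [FLAGS]" as printed in the TCP info column.
TCP_INFO_RE = re.compile(r"^(\S+) > (\S+) \[([^\]]+)\]")


def parse_summary(text):
    """Turn summary rows into dicts; the header row has no frame number and is skipped."""
    frames = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        no, time, src, dst, proto, info = m.groups()
        frames.append({"no": int(no), "time": time, "src": src,
                       "dst": dst, "proto": proto, "info": info})
    return frames


def classify_probes(frames, local):
    """For each inbound pure SYN, find the local host's first reply to that source."""
    results = []
    for i, f in enumerate(frames):
        if f["dst"] != local or f["proto"] != "TCP":
            continue
        tm = TCP_INFO_RE.match(f["info"])
        if not tm:
            continue
        flags = {x.strip() for x in tm.group(3).split(",")}
        if flags != {"SYN"}:          # only new connection attempts
            continue
        outcome = "no reply seen"
        for g in frames[i + 1:]:
            if g["src"] == local and g["dst"] == f["src"]:
                if g["proto"] == "ICMP" and "administratively prohibited" in g["info"]:
                    outcome = "rejected by firewall"
                elif g["proto"] == "TCP" and "[SYN, ACK]" in g["info"]:
                    outcome = "accepted: service listening"
                elif g["proto"] == "TCP" and "[RST" in g["info"]:
                    outcome = "port closed (RST)"
                break
        results.append({"frame": f["no"], "src": f["src"],
                        "port": tm.group(2), "outcome": outcome})
    return results


def summarize(results):
    """Group probes by source host; 'accepted' lists ports that are exposed."""
    by_src = defaultdict(lambda: {"probes": 0, "ports": Counter(), "accepted": []})
    for r in results:
        entry = by_src[r["src"]]
        entry["probes"] += 1
        entry["ports"][r["port"]] += 1
        if r["outcome"].startswith("accepted"):
            entry["accepted"].append(r["port"])
    return dict(by_src)


if __name__ == "__main__":
    report = summarize(classify_probes(parse_summary(SAMPLE_SUMMARY), LOCAL_HOST))
    for host, entry in report.items():
        print(f"{host}: {entry['probes']} probe(s) on {dict(entry['ports'])}; "
              f"reachable services: {entry['accepted'] or 'none'}")
```

Run it against a real summary by replacing `SAMPLE_SUMMARY` with the text of `tshark -r capture.pcap` (or Ethereal's exported summary) and `LOCAL_HOST` with the address on the ppp0 interface. Probes that end in "rejected by firewall" are the normal background noise BillK describes; anything under "accepted" is a service that answered a stranger and is either needed (then keep it patched) or should be turned off.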


