[plug] detecting internet attacks on a Fedora box
William Kenworthy
billk at iinet.net.au
Tue Nov 21 22:03:31 WST 2006
You can expect probes every few minutes - the majority are targeted at
doze machines but many are Unix ones, for known vulnerabilities.
Run a firewall, turn off all services that you are not using and make
sure all updates are in place. This is a minimum for an exposed
internet-facing box. You may have some protection from a built-in
firewall on most newer ADSL modems - if it's been enabled (yes, I came
across a place where this had been done so #1 son could allow his mate
across the road to connect direct to his machine on the house LAN (3
machines)!)
It's a jungle out there ...
I'm not a Red Hat user, but isn't Fedora 4 getting a bit old?
BillK
On Tue, 2006-11-21 at 20:30 +0800, dbuddrige at wasp.net.au wrote:
> Hi all,
>
> I've been on broadband for a couple of months, with my stock
> fedora-core-4 machine. At first I used to turn off the machine after
> each night, but of late, I've just left it running.
>
> Is there any way to detect whether there are any internet attacks going
> on against my machine? How would I even know that someone had
> attempted to compromise my machine? I've not really much of a clue on
> this particular subject.
>
> I ran Ethereal overnight on my ppp0 connection, with my email client
> exited, and my web-browser exited [I'm using a CDMA modem which uses
> the mobile-phone network to connect], and it did log some internet
> traffic, a sample is given below [the full dump is about 41,000 lines
> long, but I don't know whether it is innocent or not].
>
> Can anyone shed any light on this, or can suggest a tool that will tell
> me easily whether someone is attempting to attack my machine, or has
> even compromised it?
>
> thanks
>
> David.
>
>
> No. Time Source Destination Protocol Info
> 1 0.000000 CPE-60-230-38-88.vic.bigpond.net.au
> CPE-60-230-2-86.vic.bigpond.net.au TCP 3678 > microsoft-ds [SYN]
> Seq=0 Ack=0 Win=53760 Len=0 MSS=1320 WS=3 TSV=0 TSER=0
>
> Frame 1 (80 bytes on wire, 80 bytes captured)
> Arrival Time: Nov 20, 2006 23:18:33.371696000
> Time delta from previous packet: 0.000000000 seconds
> Time since reference or first frame: 0.000000000 seconds
> Frame Number: 1
> Packet Length: 80 bytes
> Capture Length: 80 bytes
> Protocols in frame: sll:ip:tcp
> Linux cooked capture
> Packet type: Unicast to us (0)
> Link-layer address type: 512
> Link-layer address length: 0
> Source: <MISSING>
> Protocol: IP (0x0800)
> Internet Protocol, Src Addr: CPE-60-230-38-88.vic.bigpond.net.au
> (60.230.38.88), Dst Addr: CPE-60-230-2-86.vic.bigpond.net.au
> (60.230.2.86)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 64
> Identification: 0xc524 (50468)
> Flags: 0x04 (Don't Fragment)
> 0... = Reserved bit: Not set
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 45
> Protocol: TCP (0x06)
> Header checksum: 0xe619 (correct)
> Source: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
> Destination: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
> Transmission Control Protocol, Src Port: 3678 (3678), Dst Port:
> microsoft-ds (445), Seq: 0, Ack: 0, Len: 0
> Source port: 3678 (3678)
> Destination port: microsoft-ds (445)
> Sequence number: 0 (relative sequence number)
> Header length: 44 bytes
> Flags: 0x0002 (SYN)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...0 .... = Acknowledgment: Not set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..1. = Syn: Set
> .... ...0 = Fin: Not set
> Window size: 53760
> Checksum: 0x754c (correct)
> Options: (24 bytes)
> Maximum segment size: 1320 bytes
> NOP
> Window scale: 3 (multiply by 8)
> NOP
> NOP
> Time stamp: tsval 0, tsecr 0
> NOP
> NOP
> SACK permitted
>
> No. Time Source Destination Protocol Info
> 2 0.000301 CPE-60-230-2-86.vic.bigpond.net.au
> CPE-60-230-38-88.vic.bigpond.net.au ICMP Destination unreachable
> (Host administratively prohibited)
>
> Frame 2 (108 bytes on wire, 108 bytes captured)
> Arrival Time: Nov 20, 2006 23:18:33.371997000
> Time delta from previous packet: 0.000301000 seconds
> Time since reference or first frame: 0.000301000 seconds
> Frame Number: 2
> Packet Length: 108 bytes
> Capture Length: 108 bytes
> Protocols in frame: sll:ip:icmp:ip:tcp
> Linux cooked capture
> Packet type: Sent by us (4)
> Link-layer address type: 512
> Link-layer address length: 0
> Source: <MISSING>
> Protocol: IP (0x0800)
> Internet Protocol, Src Addr: CPE-60-230-2-86.vic.bigpond.net.au
> (60.230.2.86), Dst Addr: CPE-60-230-38-88.vic.bigpond.net.au
> (60.230.38.88)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6;
> ECN: 0x00)
> 1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 92
> Identification: 0x1748 (5960)
> Flags: 0x00
> 0... = Reserved bit: Not set
> .0.. = Don't fragment: Not set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: ICMP (0x01)
> Header checksum: 0xc01f (correct)
> Source: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
> Destination: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
> Internet Control Message Protocol
> Type: 3 (Destination unreachable)
> Code: 10 (Host administratively prohibited)
> Checksum: 0x9fa2 (correct)
> Internet Protocol, Src Addr: CPE-60-230-38-88.vic.bigpond.net.au
> (60.230.38.88), Dst Addr: CPE-60-230-2-86.vic.bigpond.net.au
> (60.230.2.86)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 64
> Identification: 0xc524 (50468)
> Flags: 0x04 (Don't Fragment)
> 0... = Reserved bit: Not set
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 45
> Protocol: TCP (0x06)
> Header checksum: 0xe619 (correct)
> Source: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
> Destination: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
> Transmission Control Protocol, Src Port: 3678 (3678), Dst Port:
> microsoft-ds (445), Seq: 3459739248, Ack: 0
> Source port: 3678 (3678)
> Destination port: microsoft-ds (445)
> Sequence number: 3459739248 (relative sequence number)
> Header length: 44 bytes
> Flags: 0x0002 (SYN)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...0 .... = Acknowledgment: Not set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..1. = Syn: Set
> .... ...0 = Fin: Not set
> Window size: 53760
> Checksum: 0x754c (correct)
> Options: (24 bytes)
> Maximum segment size: 1320 bytes
> NOP
> Window scale: 3 (multiply by 8)
> NOP
> NOP
> Time stamp: tsval 0, tsecr 0
> NOP
> NOP
> SACK permitted
>
>
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
--
William Kenworthy <billk at iinet.net.au>
Home!
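A worked example to go with the advice above (added here, not code from either poster). Frame 2 in the quoted capture is an ICMP type 3 code 10 (host administratively prohibited) sent by David's own box in answer to the SYN on port 445 (microsoft-ds, the Windows SMB port): that is the reply iptables produces for a rule ending in `-j REJECT --reject-with icmp-host-prohibited`, so the capture most likely shows the Fedora firewall refusing a Windows-targeted probe rather than a compromise. Reading 41,000 lines of Ethereal output to reach that conclusion does not scale; the usual approach is to log what the firewall rejects and summarise the log. The script below assumes a LOG rule has been inserted ahead of the REJECT rule, for example `iptables -I INPUT -i ppp0 -p tcp --syn -m limit --limit 10/min -j LOG --log-prefix "PROBE: "` (the `-m limit` stops a scan from flooding the log), and that the kernel log lands in /var/log/messages (the path is an assumption; adjust for your syslog setup). The sample log lines embedded in it are constructed for the demonstration, using the two addresses from the capture plus documentation-range addresses; the `WELL_KNOWN` names and the `listening_ports` parameter are the example's own.

```python
"""Summarise firewall-rejected probes from iptables LOG lines.

Added example, not from the original thread.  Assumes a rule such as
  iptables -I INPUT -i ppp0 -p tcp --syn -m limit --limit 10/min \
      -j LOG --log-prefix "PROBE: "
placed before the REJECT rule, so that each rejected inbound SYN is
written to the kernel log (typically /var/log/messages) in the standard
iptables LOG format.
"""
import re
from collections import Counter

# Constructed sample lines in iptables LOG format (not a real log file).
SAMPLE_LOG = """\
Nov 20 23:18:33 fc4 kernel: PROBE: IN=ppp0 OUT= MAC= SRC=60.230.38.88 DST=60.230.2.86 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=50468 DF PROTO=TCP SPT=3678 DPT=445 WINDOW=53760 RES=0x00 SYN URGP=0
Nov 20 23:19:01 fc4 kernel: PROBE: IN=ppp0 OUT= MAC= SRC=60.230.38.88 DST=60.230.2.86 LEN=48 TOS=0x00 PREC=0x00 TTL=45 ID=50469 DF PROTO=TCP SPT=3680 DPT=139 WINDOW=53760 RES=0x00 SYN URGP=0
Nov 20 23:25:12 fc4 kernel: PROBE: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=60.230.2.86 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=45000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 20 23:31:40 fc4 kernel: PROBE: IN=ppp0 OUT= MAC= SRC=198.51.100.22 DST=60.230.2.86 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=777 DF PROTO=TCP SPT=2200 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 20 23:40:03 fc4 kernel: some unrelated kernel message that is not a firewall line
"""

# Port names used only for the report (example's own table, not from the page).
WELL_KNOWN = {22: "ssh", 25: "smtp", 80: "http", 135: "msrpc",
              139: "netbios-ssn", 445: "microsoft-ds (SMB)", 1433: "ms-sql"}

# syslog timestamp, host, "kernel:", optional prefix, then the IN=... field list
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:.*?"
    r"(?P<fields>\bIN=.*)$"
)


def parse_line(line):
    """Return a dict of the KEY=value fields (plus a 'flags' set for bare
    tokens such as DF and SYN), or None if the line is not an iptables LOG line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def summarise(log_text):
    """Count inbound TCP connection attempts (SYN without ACK) by destination
    port and by source address.  Returns (by_port, by_src) Counters."""
    by_port, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue          # only new connection attempts count as probes
        by_port[int(rec["DPT"])] += 1
        by_src[rec["SRC"]] += 1
    return by_port, by_src


def report(log_text, listening_ports=frozenset()):
    """Human-readable summary.  Probes to ports the box actually serves are
    the ones worth chasing in that service's own logs; the rest were
    refused by the firewall and are background noise."""
    by_port, by_src = summarise(log_text)
    out = ["probes by destination port:"]
    for port, n in by_port.most_common():
        name = WELL_KNOWN.get(port, "")
        status = ("OPEN HERE - check the service's own log"
                  if port in listening_ports else "rejected by firewall")
        out.append(f"  {port:>5} {name:<20} {n:>4}  {status}")
    out.append("probes by source address:")
    for src, n in by_src.most_common():
        out.append(f"  {src:<16} {n:>4}")
    return "\n".join(out)


if __name__ == "__main__":
    # On a real box: report(open('/var/log/messages').read(), {22})
    print(report(SAMPLE_LOG, listening_ports={22}))
```

Port 445 tops the list in the sample, as it does in most home-broadband logs of that era, and every hit on it was refused; the single SYN to port 22 is the one line that deserves a look in /var/log/secure, because sshd, not the firewall, answered it. One caveat on the REJECT rule that produced frame 2: the ICMP reply confirms to the scanner that a host is alive at that address. Changing the final rule to `-j DROP` makes the box silent to probes, at the cost of slower connection failures for legitimate clients; either choice is defensible, but it should be a deliberate one.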