Subject: Firewall Security...
Posted on 09-10-2000 03:37 p.m. ET

Original Poster: Scott Brady

All,

I received an email from LogChecker (more info below) informing me about the
following three lines from my firewall's log.

Security Violations
=-=-=-=-=-=-=-=-=-=
Sep 10 07:42:25 belfast kernel: Packet log: input DENY eth1 PROTO=17
192.168.0.1:137 MY.IP.ADD:137 L=78 S=0x00 I=3586 F=0x0000 T=110
Sep 10 07:42:27 belfast kernel: Packet log: input DENY eth1 PROTO=17
192.168.0.1:137 MY.IP.ADD:137 L=78 S=0x00 I=4354 F=0x0000 T=110
Sep 10 07:42:28 belfast kernel: Packet log: input DENY eth1 PROTO=17
192.168.0.1:137 MY.IP.ADD:137 L=78 S=0x00 I=4610 F=0x0000 T=110

The packets are coming from, and heading to, port 137. For those of you who
don't know, that port is used for NetBIOS over IP by Windows (part of file
sharing etc.). The troubling part is the apparent source IP: 192.168.0.1.
That *does* happen to be the box's IP address on my LAN, but I'm not running
Samba on that box. The other thing that comes to mind is if one of the
Windows boxen (or the other Linux box I have Samba on) within the network
attempted to query the firewall and it was MASQ'ed. But I don't have the
firewall listed in /etc/lmhosts, so I don't see how any of them could have
known to probe it. Also, if it was MASQ'ing, why would it come from a reserved
port?

If you take a look at the difference in the IDs of the first and second
packets, it appears that 2 other packets were sent in that 2 second window.

Is this likely a forged packet? If someone could tell me if I'm full of it
and why I'd be most appreciative. Thanks.

For those of you who are interested, I installed LogChecker on the firewall
to report via email any strange activity. I have the box configured to email
all of root's mail over to my workstation. Cron runs the program every 60
seconds.

http://www.psionic.com/abacus/logcheck/

While I was at it, I also installed PortSentry to log activity such as port
scans. I did this out of curiosity more than anything else. I don't run any
services so this is more of a honeypot to see if I get scanned.

http://www.psionic.com/abacus/portsentry/

--
Scott Brady
scott at sbrady dot com
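An added example (not part of the post or of LogChecker) that parses the ipchains "Packet log:" lines above and performs the two checks the post reasons through: flagging input packets on the Internet-facing interface that claim one of the firewall's own addresses as source, and estimating from the IP ID gaps how many packets the sender emitted that the log never saw. It assumes, as the post describes, that eth1 is the external interface and 192.168.0.1 the firewall's LAN address; the sample lines are the post's own with its MY.IP.ADD placeholder kept.

```python
import re
from typing import Dict, List

# Constructed sample: the three ipchains "Packet log:" lines from the post
# (MY.IP.ADD kept as the post's placeholder for the external address).
SAMPLE_LOG = """\
Sep 10 07:42:25 belfast kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:137 MY.IP.ADD:137 L=78 S=0x00 I=3586 F=0x0000 T=110
Sep 10 07:42:27 belfast kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:137 MY.IP.ADD:137 L=78 S=0x00 I=4354 F=0x0000 T=110
Sep 10 07:42:28 belfast kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:137 MY.IP.ADD:137 L=78 S=0x00 I=4610 F=0x0000 T=110
"""

# ipchains (2.2 kernel) field order:
# <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl>
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)
INT_FIELDS = ("proto", "sport", "dport", "length", "ipid", "ttl")

def parse_log(text: str) -> List[Dict]:
    """Parse every ipchains packet-log line in text into a dict; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            for k in INT_FIELDS:
                e[k] = int(e[k])
            entries.append(e)
    return entries

def spoofed_own_address(entries, own_addrs, external_ifaces) -> List[Dict]:
    """Input packets on an external interface whose source is one of our own addresses.
    Nothing legitimate arrives from the Internet side claiming an inside address (an
    RFC 1918 source is not routable there anyway), so such a packet is forged or the
    result of an interface/wiring mix-up; an anti-spoofing DENY rule on that interface
    is the right response either way."""
    return [e for e in entries
            if e["chain"] == "input" and e["iface"] in external_ifaces and e["src"] in own_addrs]

def unseen_packets_between(entries, step: int = 256) -> List[int]:
    """For each pair of consecutive log lines, how many packets the sender emitted that this
    log did not see. Assumes a per-packet IP ID counter; 'step' is the increment as logged
    (Windows hosts of that era count the ID little-endian, which reads as +256 per packet
    in network byte order, so 3586 -> 4354 is three packets, two of them unseen)."""
    ids = [e["ipid"] for e in entries]
    return [((b - a) % 65536) // step - 1 for a, b in zip(ids, ids[1:])]
```

Run against the sample, all three lines are flagged as carrying the firewall's own LAN address on eth1, and the ID gaps give [2, 0]: two packets missing between the first and second line, none between the second and third, which matches the count in the post.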
