
Thank God for Firewalls


ac_dispatcher


Well, I was doing some work on my firewall (named coyote). It is a Pentium 75 with 16MB of RAM. No hard drive, just a floppy. (http://www.coyotelinux.com)

 

Back to my point. I turned on some TCP logging. Check this out:

 

May 23 22:00:17 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.74.77.103 DST=XXX.23.87.188 LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=27759 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=28974

May 23 22:03:02 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=11993 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0

May 23 22:03:05 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=12078 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0

May 23 22:03:08 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.46 DST=XXX.23.87.188 LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=53919 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=32271

May 23 22:03:11 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=12399 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0

May 23 22:03:30 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=65455 DF PROTO=TCP SPT=4649 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0

May 23 22:03:33 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=869 DF PROTO=TCP SPT=4655 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0

May 23 22:03:33 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=874 DF PROTO=TCP SPT=4649 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0

May 23 22:03:35 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.188 DST=XXX.23.87.188 LEN=485 TOS=0x00 PREC=0x00 TTL=111 ID=40632 PROTO=UDP SPT=666 DPT=1026 LEN=465

May 23 22:03:35 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.188 DST=XXX.23.87.188 LEN=485 TOS=0x00 PREC=0x00 TTL=111 ID=40633 PROTO=UDP SPT=666 DPT=135 LEN=465

May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2312 DF PROTO=TCP SPT=4655 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0

May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2314 DF PROTO=TCP SPT=4649 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0

May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2316 DF PROTO=TCP SPT=4654 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0

May 23 22:03:45 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=14118 DF PROTO=TCP SPT=2512 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0

May 23 22:03:48 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=14223 DF PROTO=TCP SPT=2512 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0

May 23 22:03:54 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=14513 DF PROTO=TCP SPT=2512 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0

May 23 22:04:10 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.78.95 DST=XXX.23.87.188 LEN=78 TOS=0x00 PREC=0x00 TTL=117 ID=7488 PROTO=UDP SPT=1745 DPT=137 LEN=58

 

OK, it's a lot of BLA BLA BLA. But notice this:

 

DPT=2745 <<<< That's my firewall getting hit by the Beagle virus

 

Bagle is a mass-mailing email virus that, besides using your address book and other information on your computer to email copies of itself, opens a backdoor on port 2745 which allows a hacker to upload a file and execute it automatically. Bagle also attempts to contact a number of web sites informing them of the infection. TCP port 2745 should be blocked by your firewall.

 

 

Notice -

 

DPT=6129 <<<< Used by the Dameware remote administration software.

There is a vulnerability within older versions of Dameware which can allow for unauthorized login and hence unauthorized use of Dameware for remote administration of a computer. Dameware was installed by some viruses for the purpose of remote administration of the infected system.

 

Last one -

 

DPT=3127 <<<< Used by the myDoom/Novarg virus as a backdoor port.

 

myDoom has been called the fastest-spreading email virus yet recorded and attempted to DoS www.sco.com and www.microsoft.com. myDoom also installs a backdoor that listens on TCP port 3127, allowing a hacker to execute code remotely. TCP port 3127 traffic should be blocked by your firewall.

 

 

All that in four minutes!! :devil: If you ever meet anyone who does not have a firewall (and Windows) SLAP'UM :furious3:

 

Stick with Linux --- Watch yourself out there

 

 

[moved from Everything Linux by spinynorman]
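As an added example (not code from the thread or from the Coyote Linux project), here is a small Python script that parses klogd/netfilter log lines in the format shown above and flags TCP SYNs aimed at the three backdoor ports the post calls out (2745, 3127, 6129). The sample lines are a subset copied from the post, addresses already masked as in the original; the port labels come from the thread's own descriptions, and the flag-token set is an assumption about which bare tokens netfilter emits.

```python
import re
from collections import Counter, defaultdict

# Sample netfilter/klogd lines, a subset copied from the post above
# (source/destination addresses are masked exactly as in the original).
SAMPLE_LOG = """\
May 23 22:00:17 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.74.77.103 DST=XXX.23.87.188 LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=27759 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=28974
May 23 22:03:02 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=11993 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:03:33 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=869 DF PROTO=TCP SPT=4655 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:35 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.188 DST=XXX.23.87.188 LEN=485 TOS=0x00 PREC=0x00 TTL=111 ID=40632 PROTO=UDP SPT=666 DPT=1026 LEN=465
May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2316 DF PROTO=TCP SPT=4654 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:45 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=14118 DF PROTO=TCP SPT=2512 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:04:10 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.78.95 DST=XXX.23.87.188 LEN=78 TOS=0x00 PREC=0x00 TTL=117 ID=7488 PROTO=UDP SPT=1745 DPT=137 LEN=58
"""

# Destination ports the thread identifies, with the backdoor each is tied to.
BACKDOOR_PORTS = {
    2745: "Bagle backdoor",
    3127: "MyDoom/Novarg backdoor",
    6129: "DameWare remote admin (installed by some worms)",
}

# syslog prefix: "May 23 22:03:02 coyote klogd: " followed by key=value tokens.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) klogd: (?P<fields>.*)$"
)


def parse_line(line):
    """Parse one klogd/netfilter line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # ICMP lines carry ID= twice (IP ID, then echo ID) and UDP lines
            # carry LEN= twice (IP, then UDP); keep the first, IP-level, value.
            rec.setdefault(key, val)
        else:
            # Bare tokens such as DF, SYN, ACK are flags (assumed set of names).
            rec["flags"].add(tok)
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def analyze(log_text):
    """Return (records, backdoor_hits, per_source) for a block of log text.

    backdoor_hits: list of (timestamp, src, dport, label) for TCP SYNs to
    BACKDOOR_PORTS; per_source: src -> Counter of "PROTO/DPT" keys.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = []
    per_source = defaultdict(Counter)
    for r in records:
        proto = r.get("PROTO")
        dpt = r.get("DPT")
        per_source[r["SRC"]][f"{proto}/{dpt}" if dpt is not None else proto] += 1
        if proto == "TCP" and "SYN" in r["flags"] and dpt in BACKDOOR_PORTS:
            hits.append((r["ts"], r["SRC"], dpt, BACKDOOR_PORTS[dpt]))
    return records, hits, per_source


if __name__ == "__main__":
    records, hits, per_source = analyze(SAMPLE_LOG)
    print(f"{len(records)} log lines parsed, {len(hits)} backdoor probes:")
    for ts, src, dpt, label in hits:
        print(f"  {ts}  {src:<16} -> tcp/{dpt}  ({label})")
    print("per-source summary:")
    for src, counts in per_source.items():
        print(f"  {src:<16} {dict(counts)}")
```

Run against the full block of lines from the post, the same source (XX.23.87.90) retries port 2745 every few seconds, which is what a SYN with no answer looks like from the outside: the firewall is dropping the probe and the remote host's TCP stack keeps retransmitting.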


Mandrake 9.0 should have the built-in firewall; go through Mandrake Control Center -> Internet -> Firewall (or it may be under Security; not sure what it was then).

 

You could also look for a package for firestarter, which is a good "real-time" firewall (like ZoneAlarm in Windows, sort of).


I love using it. If you have an old computer around, you can put it to use. No hard drive used.

 

The Coyote page

http://www.coyotelinux.com/

 

The non-complete NIC list

http://www.dalantech.com/ubbthreads/showfl...sb=5&o=&fpart=1

 

Coyote FAQ

http://rzero.com/coyote/faq.html#advanced

 

Now, you can go out and spend 100-200 dollars and buy a good router. With this, you use an old computer. It is very customizable. Works great. All you need is a floppy and 2 NICs.

 

 

You can control it from any browser. Just bring up

 

http://coyote:8180

 

Here is a screen shot: [attached image post-13-1085417910.jpg]


I have not used IPCop. I know that the specs you list can do a Coyote box. I use it for a DSL line (PPPoE), as a dedicated router/firewall.

 

One thing I found great was that it comes with a set of pre-configured iptables rules. Full stealth mode except the ssh port (22). You can turn that off right from the web admin page.

 

You can block/open and forward ports without ever needing to learn iptables. It's all by web page.


Some other good firewalls are:

firestarter http://firestarter.sourceforge.net/ (firestarter is a GUI firewall)

guarddog http://freshmeat.net/projects/guarddog/ (guarddog is another GUI firewall)

Arno's firewall http://rocky.molphys.leidenuniv.nl/ (Arno's firewall is an iptables script)

ipkungfu http://www.linuxkungfu.org/ (another iptables script)


If you want to waste some script kiddies' time, open up some Windows ports to your Linux box.

 

iptables -A INPUT -p tcp -m mport \
--dports 135,139,1025 -j TARPIT

 

 

:jester:



I received 111 spam e-mails today; normally it's only 60-70. My understanding is that most come from just a few sources. How come these guys seem to have no trouble with viruses, etc., shutting down their servers? Maybe we should be taking security advice from their IT people.
