ac_dispatcher Posted May 24, 2004

Well, I was doing some work on my firewall (named coyote). It is a Pentium 75 with 16 MB of RAM. No hard drive, just a floppy (http://www.coyotelinux.com). Back to my point. I turned on some TCP logging. Check this out:

May 23 22:00:17 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.74.77.103 DST=XXX.23.87.188 LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=27759 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=28974
May 23 22:03:02 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=11993 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:03:05 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=12078 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:03:08 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.46 DST=XXX.23.87.188 LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=53919 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=32271
May 23 22:03:11 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=12399 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:03:30 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=65455 DF PROTO=TCP SPT=4649 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:33 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=869 DF PROTO=TCP SPT=4655 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:33 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=874 DF PROTO=TCP SPT=4649 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:35 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.188 DST=XXX.23.87.188 LEN=485 TOS=0x00 PREC=0x00 TTL=111 ID=40632 PROTO=UDP SPT=666 DPT=1026 LEN=465
May 23 22:03:35 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.188 DST=XXX.23.87.188 LEN=485 TOS=0x00 PREC=0x00 TTL=111 ID=40633 PROTO=UDP SPT=666 DPT=135 LEN=465
May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2312 DF PROTO=TCP SPT=4655 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2314 DF PROTO=TCP SPT=4649 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.107.86 DST=XXX.23.87.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2316 DF PROTO=TCP SPT=4654 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:45 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=14118 DF PROTO=TCP SPT=2512 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:03:48 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=14223 DF PROTO=TCP SPT=2512 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:03:54 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.87.90 DST=XXX.23.87.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=14513 DF PROTO=TCP SPT=2512 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:04:10 coyote klogd: IN=ppp0 OUT= MAC= SRC=XX.23.78.95 DST=XXX.23.87.188 LEN=78 TOS=0x00 PREC=0x00 TTL=117 ID=7488 PROTO=UDP SPT=1745 DPT=137 LEN=58

OK, it's a lot of BLA BLA BLA. But notice this: DPT=2745 <<<< That's my firewall getting hit by the Beagle virus. Bagle is a mass-mailing email virus that, besides using your address book and other information on your computer to email copies of itself to, opens a backdoor on port 2745 which allows a hacker to upload a file and execute it automatically. Bagle also attempts to contact a number of web sites informing them of the infection. TCP port 2745 should be blocked by your firewall.

Notice DPT=6129 <<<< Used by the DameWare remote administration software. There is a vulnerability within older versions of DameWare which can allow for unauthorized login and hence unauthorized use of DameWare for remote administration of a computer. DameWare was installed by some viruses for the purpose of remote administration of the infected system.

Last one: DPT=3127 <<<< Used by the MyDoom/Novarg virus as a backdoor port. MyDoom has been called the fastest-spreading email virus yet recorded and attempted to DoS www.sco.com and www.microsoft.com. MyDoom also installs a backdoor that listens on TCP port 3127, allowing a hacker to execute code remotely. TCP port 3127 traffic should be blocked by your firewall.

All that in four minutes!! If you ever meet anyone who does not have a firewall (and Windows) SLAP'UM. Stick with Linux --- Watch yourself out there.

[moved from Everything Linux by spinynorman]
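The log lines above are netfilter KEY=VALUE records, and the three ports the post singles out (2745, 6129, 3127) can be picked out of them mechanically. The following parser is an added example, not code from the thread or from Coyote Linux; the sample lines and the 10.0.x.x addresses are constructed to mirror the post's format, and the port-to-name table is the post's own attribution.

```python
import re
from collections import Counter

# Constructed sample, modelled on the klogd/netfilter lines quoted in the post.
SAMPLE_LOG = """\
May 23 22:03:02 coyote klogd: IN=ppp0 OUT= MAC= SRC=10.0.0.90 DST=10.0.0.188 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=11993 DF PROTO=TCP SPT=1801 DPT=2745 WINDOW=58944 RES=0x00 SYN URGP=0
May 23 22:03:08 coyote klogd: IN=ppp0 OUT= MAC= SRC=10.0.1.46 DST=10.0.0.188 LEN=28 TOS=0x00 PREC=0x00 TTL=119 ID=53919 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=32271
May 23 22:03:33 coyote klogd: IN=ppp0 OUT= MAC= SRC=10.0.1.86 DST=10.0.0.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=869 DF PROTO=TCP SPT=4655 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:03:39 coyote klogd: IN=ppp0 OUT= MAC= SRC=10.0.1.86 DST=10.0.0.188 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=2316 DF PROTO=TCP SPT=4654 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
May 23 22:04:10 coyote klogd: IN=ppp0 OUT= MAC= SRC=10.0.0.95 DST=10.0.0.188 LEN=78 TOS=0x00 PREC=0x00 TTL=117 ID=7488 PROTO=UDP SPT=1745 DPT=137 LEN=58
"""

# Backdoor / remote-admin ports the post calls out, with the malware it names.
WATCH_PORTS = {2745: "Bagle backdoor", 6129: "DameWare remote admin", 3127: "MyDoom/Novarg backdoor"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) klogd: (?P<fields>.*)$")

def parse_line(line):
    """Turn one netfilter log line into a dict of KEY=VALUE pairs plus bare flags (DF, SYN)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec.setdefault(k, v)   # first occurrence wins: ICMP lines carry a second ID=, UDP a second LEN=
        else:
            rec["flags"].append(tok)
    return rec

def flag_backdoor_probes(text):
    """Return (alerts, hits-per-source) for TCP SYNs aimed at the watched ports."""
    alerts, per_src = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue            # ICMP echo and UDP noise are not connection attempts to these ports
        dpt = int(rec["DPT"])
        if dpt in WATCH_PORTS:
            alerts.append((rec["ts"], rec["SRC"], dpt, WATCH_PORTS[dpt]))
            per_src[rec["SRC"]] += 1
    return alerts, per_src

if __name__ == "__main__":
    found, sources = flag_backdoor_probes(SAMPLE_LOG)
    for ts, src, dpt, what in found:
        print(f"{ts} {src} -> TCP/{dpt} ({what})")
    print("probes per source:", dict(sources))
```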
alexpank Posted May 24, 2004

Thanks for the tip, ac! Now does anyone have any recommendations for firewalls for Mdk 9.0? Preferably something easy to set up and use (A-grade newbie material here, sir!)
tyme Posted May 24, 2004

Mandrake 9.0 should have the built-in firewall; go through Mandrake Control Center -> Internet -> Firewall (or it may be under Security, not sure what it was then). You could also look for a package for Firestarter, which is a good "real-time" firewall (like ZoneAlarm in Windows, sort of).
DragonMage Posted May 24, 2004

How good is Coyote Linux? I am looking for a firewall/router distro that is easy to manage (preferably via something like Webmin) and that is easy on a P133 and a 4 GB hard drive.
ac_dispatcher Posted May 24, 2004 (Author)

I love using it. If you have an old computer around you can put it to use. No hard drive used.

The Coyote page: http://www.coyotelinux.com/
The non-complete NIC list: http://www.dalantech.com/ubbthreads/showfl...sb=5&o=&fpart=1
Coyote FAQ: http://rzero.com/coyote/faq.html#advanced

Now, you can go out and spend 100-200 dollars and buy a good router. With this you use an old computer. It is very customizable. Works great. All you need is a floppy and 2 NICs. You get to control it from any browser. Just bring up http://coyote:8180

Here is a screen shot
fred_the_fish Posted May 24, 2004

OK, how would IPCop compare to Coyote? Asking because I'm going home to my parents soon, and can use the old PC (AMD K6-200, 64 MB) as a dedicated firewall on our new ADSL line...
ac_dispatcher Posted May 24, 2004 (Author) (edited)

I have not used IPCop. I know that the specs you list can do a Coyote box. I use it for a DSL line (PPPoE), a dedicated router/firewall. One thing I found great was it comes with a set of pre-configured iptables. Full stealth mode except the SSH port (22). You can turn that off right from the web admin page. You can block/open and forward ports without ever needing to learn iptables. It's all by web page.

Edited May 24, 2004 by ac_dispatcher
DragonMage Posted May 25, 2004

OK.. I think Coyote is perfect for my needs.. Now if I can only find 2 floppy disks.. :D
linux_learner Posted May 25, 2004

Some other good firewalls are:

Firestarter http://firestarter.sourceforge.net/ - Firestarter is a GUI firewall.
Guarddog http://freshmeat.net/projects/guarddog/ - Guarddog is another GUI firewall.
Arno's firewall http://rocky.molphys.leidenuniv.nl/ - Arno's firewall is an iptables script.
ipkungfu http://www.linuxkungfu.org/ - another iptables script.
phunni Posted May 25, 2004

Arno's firewall is brilliant - fairly easy to use and effective.
jlc Posted May 28, 2004

If you want to waste some script kiddies' time, open up some Windows ports to your Linux box:

    # TARPIT and the mport match are add-on netfilter modules (patch-o-matic / xtables-addons), not stock iptables
    iptables -A INPUT -p tcp -m mport \
        --dports 135,139,1025 -j TARPIT
Windependent Posted June 30, 2004

cybrjackle, I gotta love your avatar!
jlc Posted July 1, 2004

"cybrjackle, I gotta love your avatar!"

You don't "have" to. :D
gmac Posted July 3, 2004

I received 111 spam e-mails today; normally it's only 60-70. My understanding is that most come from just a few sources. How come these guys seem to have no trouble with viruses etc. shutting down their servers? Maybe we should be taking security advice from their IT people.
ac_dispatcher Posted July 3, 2004 (Author)

If I'm not mistaken, spammers use zombies and accounts stolen from others. I do wonder how much "spam" they get.