
#1 2007-11-23 02:35:14

securitybreach
Member
From: In front of my computers
Registered: 2007-11-18
Posts: 416

Arno-iptables-firewall--------Tons of connection attempts

I recently installed and configured Arno firewall. I do not have a router and have a high-speed connection. Well, now when I tail my /var/log/everything.log I get tons of connection attempts that are getting blocked. All of my apps work fine and bittorrent rules are defined:

Nov 22 22:33:22 DarkStar Stealth scan (UNPRIV)?: IN=eth0 OUT= MAC=00:a0:d1:4a:a2:d8:00:13:5f:05:a1:05:08:00 SRC=207.210.0.181 DST=72.188.41.251 LEN=576 TOS=0x00 PREC=0x00 TTL=110 ID=62538 DF PROTO=TCP SPT=61161 DPT=52450 WINDOW=16546 RES=0x00 ACK URGP=0 
Nov 22 22:33:26 DarkStar Stealth scan (UNPRIV)?: IN=eth0 OUT= MAC=00:a0:d1:4a:a2:d8:00:13:5f:05:a1:05:08:00 SRC=207.210.0.181 DST=72.188.41.251 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=62591 DF PROTO=TCP SPT=61161 DPT=52450 WINDOW=16546 RES=0x00 ACK URGP=0 
Nov 22 22:33:27 DarkStar Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:a0:d1:4a:a2:d8:00:13:5f:05:a1:05:08:00 SRC=206.45.167.41 DST=72.188.41.251 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=30866 DF PROTO=TCP SPT=3966 DPT=46588 WINDOW=65535 RES=0x00 SYN URGP=0 
Nov 22 22:33:30 DarkStar Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:13:5f:05:a1:05:08:00 SRC=10.209.128.1 DST=255.255.255.255 LEN=337 TOS=0x00 PREC=0x00 TTL=255 ID=3589 PROTO=UDP SPT=67 DPT=68 LEN=317 
Nov 22 22:33:30 DarkStar Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:a0:d1:4a:a2:d8:00:13:5f:05:a1:05:08:00 SRC=206.45.167.41 DST=72.188.41.251 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=31288 DF PROTO=TCP SPT=3966 DPT=46588 WINDOW=65535 RES=0x00 SYN URGP=0 
Nov 22 22:33:40 DarkStar Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:13:5f:05:a1:05:08:00 SRC=10.209.128.1 DST=255.255.255.255 LEN=334 TOS=0x00 PREC=0x00 TTL=255 ID=3857 PROTO=UDP SPT=67 DPT=68 LEN=314 
Nov 22 22:33:47 DarkStar Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:13:5f:05:a1:05:08:00 SRC=10.209.128.1 DST=255.255.255.255 LEN=334 TOS=0x00 PREC=0x00 TTL=255 ID=4199 PROTO=UDP SPT=67 DPT=68 LEN=314 
Nov 22 22:33:56 DarkStar Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:13:5f:05:a1:05:08:00 SRC=10.209.128.1 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=255 ID=4456 PROTO=UDP SPT=67 DPT=68 LEN=320......................

Should I be getting hit this much, especially since all firewall tests come up as stealth?

Thanks


"Every normal man must be tempted at times to spit upon his hands, hoist the black flag, and begin slitting throats." -- H.L. Mencken
Website      Configs
Forum Admin: Bruno's All Things Linux   
securitybreach<a>archlinux.us


#2 2007-11-23 02:49:41

securitybreach
Member
From: In front of my computers
Registered: 2007-11-18
Posts: 416

Re: Arno-iptables-firewall--------Tons of connection attempts

PLEASE MOVE TO NETWORKING, SERVER, AND PROTECTION.
Thanks

Last edited by securitybreach (2007-11-23 02:51:12)




#3 2007-11-23 06:37:15

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: Arno-iptables-firewall--------Tons of connection attempts

I also have arno on my box, which is connected directly to the internet with an optical fiber connection. I have noticed that when I use file sharing programs (azureus or amule) the number of hits in iptables.log starts to build up. Anyway, for comparison, here is what I got in the last five days.

$ cat /var/log/iptables.log | cut -d " " -f 5-7 | sort | uniq -c
    336 Connection attempt (PRIV):
   3070 Connection attempt (UNPRIV):
      1 Other-IP connection attempt:
   1395 Stealth scan (UNPRIV)?:
     10 UDP source port

$ cat /var/log/iptables.log | wc -l
4812

Securitybreach, update your syslog-ng.conf so that all iptables messages go to iptables.log. Here is an example.

#
# /etc/syslog-ng.conf
#

options {
  sync (0);
  time_reopen (10);
  log_fifo_size (1000);
  long_hostnames(off); 
  use_dns (no);
  use_fqdn (no);
  create_dirs (no);
  keep_hostname (yes);
  perm(0640);
  group("log");
};

source src {
  unix-stream("/dev/log");
  internal();
  file("/proc/kmsg");
};

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog.log"); };
destination cron { file("/var/log/crond.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kernel { file("/var/log/kernel.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination mail { file("/var/log/mail.log"); };
destination news { file("/var/log/news.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination debug { file("/var/log/debug.log"); };
destination messages { file("/var/log/messages.log"); };
destination errors { file("/var/log/errors.log"); };
destination everything { file("/var/log/everything.log"); };
destination iptables { file("/var/log/iptables.log"); };
destination acpid { file("/var/log/acpid.log"); };
destination console { usertty("root"); };

# Netfilter LOG lines always carry "IN=<if> OUT=<if>", so this match is what
# picks them out; the kernel, messages and everything filters exclude it so
# the firewall noise lands only in iptables.log. Defined first because the
# filters below refer to it.
filter f_iptables { match("IN=.*OUT="); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { program(syslog-ng); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kernel { facility(kern) and not filter(f_iptables); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
# facility(uucp), not facility(cron): the original copied the cron filter here,
# which would have duplicated cron messages into uucp.log.
filter f_uucp { facility(uucp); };
filter f_ppp { facility(local2); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not filter(f_iptables); };
filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_acpid { match("acpid"); };

log { source(src); filter(f_acpid); destination(acpid); flags(final); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kernel); destination(kernel); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
#log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_err); destination(errors); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_everything); destination(everything); };
log { source(src); filter(f_iptables); destination(iptables); };

# Log everything to vc12
#log { source(src); destination(console_all); };


#4 2007-11-23 14:35:08

securitybreach
Member
From: In front of my computers
Registered: 2007-11-18
Posts: 416

Re: Arno-iptables-firewall--------Tons of connection attempts

Hey thanks a lot.

You should see my values:

[comhack@DarkStar ~]$ cat /var/log/iptables.log | cut -d " " -f 5-7 | sort | uniq -c
    161 ABORTED IN=eth0 OUT=
  19029 Connection attempt (PRIV):
  33625 Connection attempt (UNPRIV):
    192 DROPPED IN= OUT=eth0
    103 DROPPED IN=eth0 OUT=
    393 ICMP-request: IN=eth0 OUT=
      6 LIMITED IN= OUT=eth0
      9 LIMITED IN=eth0 OUT=
    127 Stealth FIN scan:
     25 Stealth Null scan:
      4 Stealth SYN/RST scan:
   5147 Stealth scan (UNPRIV)?:
      2 TCP port 0
     13 UDP source port

Thanks

Last edited by securitybreach (2007-11-23 14:36:54)




#5 2007-11-23 15:08:34

VikM
Member
Registered: 2007-11-10
Posts: 50

Re: Arno-iptables-firewall--------Tons of connection attempts

DST=255.255.255.255 ... PROTO=UDP SPT=67 DPT=68 seems like innocent people searching for the dhcp server. It's nice to have a firewall to block connection attempts from the outside world to services on your computer (cups, xorg, :) ), but once set you can ignore it. Just internet background noise.

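The counting pipeline in posts #3 and #4 (`cut -d " " -f 5-7 | sort | uniq -c`) assumes every Arno prefix is exactly three words, which is why the second summary contains entries such as `DROPPED IN=eth0 OUT=` and `ABORTED IN=eth0 OUT=`: for a one-word prefix, `cut` picks up the `IN=` and `OUT=` fields as well. The script below is an added example for this thread, not code from the posts or from arno-iptables-firewall. It splits each line at the first `IN=` instead (the same token the syslog-ng `match("IN=.*OUT=")` filter keys on), parses the `KEY=VALUE` fields and bare TCP flag tokens, and sorts the traffic into a few coarse classes: a lone SYN is a real connection attempt, an ACK with no SYN and no connection state is what Arno labels `Stealth scan (UNPRIV)?` (with a direct connection and a torrent client, mostly peers still talking after the tracker forgot the connection), and `SPT=67 DPT=68` to `255.255.255.255` is a DHCP server broadcast, since UDP 67 is the server side and 68 the client side, which fits the "background noise" reading in post #5. The sample lines are the ones quoted in the first post plus two constructed lines (a `DROPPED` SYN to port 22 and an `ICMP-request`, with documentation addresses) modelled on the prefixes in the second summary; the class names, the 1024 privileged-port split and the classification rules are this example's own assumptions.

```python
"""Summarize arno-iptables-firewall log lines by prefix, traffic class and source.

Added example for this forum thread, not code from the thread or from
arno-iptables-firewall. Class names and classification rules are assumptions.
"""
import re
from collections import Counter

# A netfilter LOG line is "<syslog stamp> <host> <prefix> IN=... OUT=... KEY=VALUE ..."
# with bare tokens for flags (DF, SYN, ACK, ...). The prefix is whatever Arno put
# in front of "IN=", one word or several, so split at the first "IN=" rather than
# at a fixed field number.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<prefix>.*?) ?(?P<rest>IN=.*)$")
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Lines 1-6 are quoted from the first post; lines 7-8 are constructed for this
# example (documentation addresses) to mimic the "DROPPED" and "ICMP-request"
# prefixes that appear in the second summary.
MAC = "MAC=00:a0:d1:4a:a2:d8:00:13:5f:05:a1:05:08:00"
BCAST_MAC = "MAC=ff:ff:ff:ff:ff:ff:00:13:5f:05:a1:05:08:00"
SAMPLE_LINES = [
    "Nov 22 22:33:22 DarkStar Stealth scan (UNPRIV)?: IN=eth0 OUT= " + MAC + " SRC=207.210.0.181 DST=72.188.41.251 LEN=576 TOS=0x00 PREC=0x00 TTL=110 ID=62538 DF PROTO=TCP SPT=61161 DPT=52450 WINDOW=16546 RES=0x00 ACK URGP=0",
    "Nov 22 22:33:26 DarkStar Stealth scan (UNPRIV)?: IN=eth0 OUT= " + MAC + " SRC=207.210.0.181 DST=72.188.41.251 LEN=64 TOS=0x00 PREC=0x00 TTL=110 ID=62591 DF PROTO=TCP SPT=61161 DPT=52450 WINDOW=16546 RES=0x00 ACK URGP=0",
    "Nov 22 22:33:27 DarkStar Connection attempt (UNPRIV): IN=eth0 OUT= " + MAC + " SRC=206.45.167.41 DST=72.188.41.251 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=30866 DF PROTO=TCP SPT=3966 DPT=46588 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Nov 22 22:33:30 DarkStar Connection attempt (PRIV): IN=eth0 OUT= " + BCAST_MAC + " SRC=10.209.128.1 DST=255.255.255.255 LEN=337 TOS=0x00 PREC=0x00 TTL=255 ID=3589 PROTO=UDP SPT=67 DPT=68 LEN=317",
    "Nov 22 22:33:30 DarkStar Connection attempt (UNPRIV): IN=eth0 OUT= " + MAC + " SRC=206.45.167.41 DST=72.188.41.251 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=31288 DF PROTO=TCP SPT=3966 DPT=46588 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Nov 22 22:33:40 DarkStar Connection attempt (PRIV): IN=eth0 OUT= " + BCAST_MAC + " SRC=10.209.128.1 DST=255.255.255.255 LEN=334 TOS=0x00 PREC=0x00 TTL=255 ID=3857 PROTO=UDP SPT=67 DPT=68 LEN=314",
    # constructed: one-word prefix, SYN to a privileged port
    "Nov 22 22:34:01 DarkStar DROPPED IN=eth0 OUT= " + MAC + " SRC=198.51.100.7 DST=72.188.41.251 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    # constructed: ICMP echo request
    "Nov 22 22:34:05 DarkStar ICMP-request: IN=eth0 OUT= " + MAC + " SRC=203.0.113.9 DST=72.188.41.251 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
]


def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"host": m["host"], "prefix": m["prefix"].rstrip(":"), "flags": set()}
    for tok in m["rest"].split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            # LEN (and ID for ICMP) appear twice; keep the first, IP-level value.
            rec.setdefault(kv["key"], kv["val"])
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Coarse traffic class for a parsed line (rules are this example's assumptions)."""
    proto = rec.get("PROTO")
    dpt = int(rec["DPT"]) if rec.get("DPT", "").isdigit() else None
    if (proto == "UDP" and rec.get("SPT") == "67" and dpt == 68
            and rec.get("DST") == "255.255.255.255"):
        # UDP 67 is the DHCP server port: a server answering clients by
        # broadcast (offer/ack), i.e. the ISP segment's own chatter.
        return "dhcp-server-broadcast"
    if proto == "TCP" and dpt is not None:
        flags = rec["flags"]
        if flags == {"SYN"}:
            # A genuine new-connection attempt; split at port 1024 like Arno's PRIV/UNPRIV.
            return "tcp-syn-priv" if dpt < 1024 else "tcp-syn-unpriv"
        if "ACK" in flags and "SYN" not in flags:
            # No SYN and no matching conntrack state: usually the tail of a
            # connection the tracker already expired (a P2P peer still talking).
            return "tcp-ack-no-state"
        return "tcp-other-flags"
    if proto == "ICMP":
        return "icmp"
    return "other"


def cut_prefix(line):
    """The thread's `cut -d " " -f 5-7` view of a line, kept for comparison."""
    return " ".join(line.split()[4:7])


def summarize(lines):
    """Count parsed lines by Arno prefix, by traffic class and by source address."""
    by_prefix, by_class, by_src = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] += 1
        by_class[classify(rec)] += 1
        by_src[rec.get("SRC", "?")] += 1
    return by_prefix, by_class, by_src


def main(path=None):
    """Summarize a log file (e.g. /var/log/iptables.log) or the built-in sample."""
    lines = open(path).readlines() if path else SAMPLE_LINES
    for title, counter in zip(("prefix", "class", "source"), summarize(lines)):
        print(f"--- by {title}")
        for key, n in counter.most_common():
            print(f"{n:7d} {key}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to see the sample summarized, or pass `/var/log/iptables.log` once the syslog-ng filter from post #3 is in place. The per-source counter is the piece the thread's pipeline lacks: a handful of addresses accounting for most `tcp-ack-no-state` and `tcp-syn-unpriv` hits on a former torrent port is leftover peer traffic, whereas one address walking many different privileged ports is the pattern worth looking at.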

#6 2007-11-23 15:14:43

securitybreach
Member
From: In front of my computers
Registered: 2007-11-18
Posts: 416

Re: Arno-iptables-firewall--------Tons of connection attempts

Thanks





Powered by FluxBB