Linux-Noob Forums - Security and Firewalls

Prevent and block scan? (w00tw00t, tmUnblock.cgi etc)

Fri, 26 Sep 2014 02:09:55 +0200

Hi, I have often these lines in /var/log/apache2/access.log:

185.27.36.67 - - [25/Sep/2014:12:25:46 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 393 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

58.241.61.162 - - [25/Sep/2014:12:30:57 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 431 "-" "ZmEu"

58.241.61.162 - - [25/Sep/2014:12:30:58 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 421 "-" "ZmEu"

58.241.61.162 - - [25/Sep/2014:12:30:59 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 401 580 "-" "ZmEu"

58.241.61.162 - - [25/Sep/2014:12:31:00 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 415 "-" "ZmEu"

58.241.61.162 - - [25/Sep/2014:12:31:00 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 419 "-" "ZmEu"

58.241.61.162 - - [25/Sep/2014:12:31:05 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 419 "-" "ZmEu"

211.24.56.24 - - [25/Sep/2014:14:53:55 +0200] "GET /tmUnblock.cgi HTTP/1.1" 400 431 "-" "-"

89.207.135.125 - - [25/Sep/2014:15:23:54 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 427 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

What is the best way to prevent this and block the scans?

Thank you very much in advance

squid proxy- aloow a site to go directl to internet,HELP!

Mon, 27 May 2013 10:06:03 +0200

hello, i need to make a site go directly to internet
without squid. The reason i need this. Since a school purchased full features from a
website. they opened the full features through their public ip.
The issue when using squid proxy users cant access full featured only demo.
if users configure their browser not to use squid proxy they can access full features
in the site.
i tried edit squid config and put these 2 lines but it didnt help, to allow this site
to go directly to internet :

acl direct-connect dstdomain *.sodmaya.co.il
cache deny direct-connect

acl sodmaya dstdomain .sodmaya.co.il
always_direct allow sodmaya

How can i solve this issue ? any ideas?

Not able to open tcp port in linux system

Tue, 29 May 2012 13:30:33 +0200

I am using RHEL 5

and my application is running in the system on port 11960. I need to connect to this port from application running on other system.

but the port is closed for other system

below are the information for my system

[root@ sysconfig]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere tcp spt:11960 state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@ sysconfig]# netstat -nap | grep 11960

tcp 0 0 127.0.0.1:11960 0.0.0.0:* LISTEN 2155/cm

[root@ sysconfig]# nmap -p 11960 23.x.x.x

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-05-29 06:45 EDT

Interesting ports on (23.x.x.x):

PORT STATE SERVICE

11960/tcp closed unknown

[root@ sysconfig]# nmap -p 11960 127.0.0.1

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-05-29 06:45 EDT

Interesting ports on localhost.localdomain (127.0.0.1):

PORT STATE SERVICE

11960/tcp open unknown

[root@domU-12-31-39-10-06-32 sysconfig]# tcptraceroute -p 11960 23.x.x.x

traceroute to 23.x.x.x (23.x.x.x), 30 hops max, 40 byte packets

1 ip-10-72-24-2.ec2.internal (10.72.24.2) 1.370 ms 1.322 ms 1.299 ms

2 ip-10-1-6-69.ec2.internal (10.1.6.69) 0.505 ms ip-10-1-8-69.ec2.internal (10.1.8.69) 0.501 ms 0.680 ms

3 ip-10-1-11-14.ec2.internal (10.1.11.14) 0.843 ms ip-10-1-7-14.ec2.internal (10.1.7.14) 0.833 ms ip-10-1-9-14.ec2.internal (10.1.9.14) 0.802 ms

4 216.182.224.209 (216.182.224.209) 0.785 ms 216.182.224.76 (216.182.224.76) 16.203 ms 216.182.232.48 (216.182.232.48) 0.737 ms

5 216.182.232.49 (216.182.232.49) 1.306 ms 1.285 ms 216.182.224.208 (216.182.224.208) 1.252 ms

6 23.x.x.x 2.679 ms 2.654 ms 2.629 ms

Firewall is off

tried

nc 23.x.x.x 11960

tried adding below when firewall was on

iptables -A INPUT -i eth0 -p tcp --sport 11960 -m state --state NEW ESTABLISHED -j ACCEPT

tried flushing the iptables "iptables -F"

can anyone suggest what should i check or what is the problem with this port.

is there anything that i need to add in /etc/services?

Regards,

Gaurav

squid/dansguardian problem

Thu, 27 Oct 2011 15:10:36 +0200

I'm trying to setup a squid proxy server in combination with dansguardian internet filter on my pc. I used this guide and I am able to

configure it all. Only problem I'm having is as soon as I change the IP tables(see below) I'm don't have internet access anymore.

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

iptables-save > /etc/sysconfig/iptables

I am able to restore it using the iptables.old file. I setup the whole configuration and all works without prolems.

So I have a feeling it has to do with the iptables. I can't find anything strange in the squid logs or the dansguardian logs.

Will continue to play around with it, hopefully I'll figure it out.

I have something that kind of worries me

Thu, 22 Sep 2011 20:11:30 +0200

I found a log file that kind of worries me, it's not my website log file but /var/log/secure. Is this something to worry about? Looks like someone is trying to break in:

(and I got quite a few more ip's trying to do the same thing or something similar)

Sep 18 03:46:12 localhost sshd[9004]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:46:41 localhost sshd[9005]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:46:41 localhost sshd[9005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:46:43 localhost sshd[9005]: Failed password for root from 96.44.148.170 port 60604 ssh2

Sep 18 03:46:43 localhost sshd[9006]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:47:11 localhost sshd[9007]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:47:11 localhost sshd[9007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:47:12 localhost sshd[9007]: Failed password for root from 96.44.148.170 port 35961 ssh2

Sep 18 03:47:12 localhost sshd[9008]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:47:41 localhost sshd[9009]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:47:41 localhost sshd[9009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:47:43 localhost sshd[9009]: Failed password for root from 96.44.148.170 port 39572 ssh2

Sep 18 03:47:43 localhost sshd[9010]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:48:12 localhost sshd[9011]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:48:12 localhost sshd[9011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:48:14 localhost sshd[9011]: Failed password for root from 96.44.148.170 port 43168 ssh2

Sep 18 03:48:14 localhost sshd[9012]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:48:42 localhost sshd[9013]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:48:42 localhost sshd[9013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:48:44 localhost sshd[9013]: Failed password for root from 96.44.148.170 port 46797 ssh2

Sep 18 03:48:44 localhost sshd[9014]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:49:13 localhost sshd[9015]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:49:13 localhost sshd[9015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:49:14 localhost sshd[9015]: Failed password for root from 96.44.148.170 port 50417 ssh2

Sep 18 03:49:15 localhost sshd[9016]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:49:44 localhost sshd[9017]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:49:44 localhost sshd[9017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:49:46 localhost sshd[9017]: Failed password for root from 96.44.148.170 port 54091 ssh2

Sep 18 03:49:46 localhost sshd[9018]: Received disconnect from 96.44.148.170: 11: Bye Bye

Security warning: crond

Thu, 05 May 2011 15:02:09 +0200

I've recently performed some analysis on a phpmyadmin-related vulnerability that downloads a bot onto an unsuspecting machine. I won't go into details, but sufficient to say that the bot masquerades as a "crond" process - looking at a normal process listing it is able to hide inconspicuously.

(I've witnessed this behaviour before, when the bot tried to masquerade as a httpd process - but was running /usr/local/bin/httpd rather than /usr/sbin/httpd so was more quickly spotted.)

On my servers, there should be only one crond process, root-owned. This bot tries to run under the apache account (httpd) or a normal user account for those that use suPHP. I wouldn't advise people to stop any crond process without properly analysing what those processes do, but a combination of "lsof -p PID" and "netstat -apn" ought to uncover any nefarious activity.

Just be warned! Thought I'd give people a heads-up here.

Issue connecting to mysql port 3306

Fri, 11 Dec 2009 23:45:26 +0100

I've been trying to create a connection to mysql on a Linux server from Windows XP with MySQL ODBC 3.51 Driver. After setting all of my credentials to test the connection I get the following error. "[MySQL][ODBC 3.51 Driver]Host is not allowed to connect to this MySQL server". After looking up the error most references I found were to firewalls so for testing I disabled my local firewall and retried but got the same error message. I wanted to make sure that the port was open on Linux so I ran netstat -nap on the server and it showed mysql was running on the expected port and listening. I also went to this site to check my port. http://www.yougetsignal.com/tools/open-ports/ and it stated that the port was open.

The mysql database is working fine when you are running queries locally but trying to connect from outside of the server is when you run into issues. I don't really know what other steps to take in debugging the problem; any ideas or suggestions would be appreciated. Thanks and let me know if you need any more details about the problem.

-Jeff

Smoothwall stuck

Sat, 04 Oct 2008 14:47:30 +0200

Dear admin,

i am using smoothwall aprox. last 8 months & that period I never feel any problem in it. but last few weeks I feel a problem frequently & that is the smoothwall stucks. & a problem I discover or u can say that the solution I adopt is change IP address of its RED interface & its working again properly. but my point of view its not a solution.

Nowadays, in our country, we face lot of power failure problem. that why my smoothwall server abnormly shut down 10 to 12 times daily. but this practice also starts a long time ago & i never felt this problem.

If u have any solution of this problem, kindly reply me.

thanx in advance.

ifykh

Default Passwords

Thu, 25 Sep 2008 09:05:13 +0200

I recently started a job at a small accounting firm and I'm the only person in the IT department. The person who setup our mail server has left the company. I know a little about linux and I learn something new everyday. I was going through the logs today I noticed that someone was trying to login into one or more of the default user accounts to read or send mail. I'm not sure if they were successful. So my question is what is the worst that can happen if I change all the passwords on the default accounts. I don't imagine the world will end but if I change some of the passwords and something stops working (like the email) I'll have 50 people crapping on my head.

I think my system has been compromised:

Quote:Users logging in through sshd: root:

10.10.2.57 (J_Bailey_Desktop): 2 times

spam:

58.213.125.25: 1 time

I have no idea what the password for the spam account is and spam's shell is set to bin/false so how could this have happened? I have disabled login for this account and added a rule to the firewall to reject packets from that IP address.

Below you can see most of the accounts were tried 19 times except spam which was tried 10 times.

Quote:--------------------- Dovecot Begin ------------------------

Dovecot disconnects:

Logged out: 299 Time(s)

no reason: 2 Time(s)

**Unmatched Entries**

dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN,

rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 10 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 19 Time(s)

dovecot: pop3-login: Aborted login (1 authentication attempts): user=,

method=PLAIN, rip=200.73.3.50, lip=192.168.4.200: 38 Time(s)

---------------------- Dovecot End -------------------------

I only have an A+ and a N+, this is starting to get a bit much for me. Any help would be appreciated.

Setup Openafs with kerberos on ubuntu heron

Wed, 28 May 2008 23:23:30 +0200

Hi

I've been reading up a lot on setting up a file server for linux desktops - I also have a mac. There are a lot of how to's on NFS but I can't find any for Openafs and kerberos. Can someone pls provide or point me in the right direction?

Thank you.

DEBIAN SSL BUG

Sun, 18 May 2008 20:14:55 +0200

As we have read, there is now a weakness in the random number generator used by OpenSSL.

I suggest users of any Debian and Debian based system read here.

wild iptable issues

Sat, 10 May 2008 07:10:47 +0200

Hey all, this being my first post please go easy on me:

I have the following problem, I want to route all requests to port 80 to port 8171 and 443 to 8143 (both internally from within my box and externally from other computers). The following is the configuration information on the iptables status:

Table: filter

Chain INPUT (policy ACCEPT)

num target prot opt source destination

Chain FORWARD (policy ACCEPT)

num target prot opt source destination

Chain OUTPUT (policy ACCEPT)

num target prot opt source destination

Table: nat

Chain PREROUTING (policy ACCEPT)

num target prot opt source destination

1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8171

2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8143

Chain POSTROUTING (policy ACCEPT)

num target prot opt source destination

Chain OUTPUT (policy ACCEPT)

num target prot opt source destination

1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8171

2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8143

Here is my configuration:

# Generated by iptables-save v1.3.5 on Thu May 8 18:29:01 2008

*nat

REROUTING ACCEPT [22:3658]

OSTROUTING ACCEPT [64:4788]

:OUTPUT ACCEPT [57:4368]

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8171

-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8143

-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8171

-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8143

COMMIT

# Completed on Thu May 8 18:29:01 2008

# Generated by iptables-save v1.3.5 on Thu May 8 18:29:01 2008

*filter

:INPUT ACCEPT [21858:11609795]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [22001:18526588]

COMMIT

# Completed on Thu May 8 18:29:01 2008

Now the configuration for port 80 works fine and routs to 8171 when accessed from the box itself or from an outside computer. When I access 443 from an outside computer it correctly forwards to 8143. But when I try and access 443 from the box itself, it doesn't seem to route. What is wrong with my config???

please help........opening ports

Tue, 29 Apr 2008 13:41:25 +0200

Please can somebody help me. I'm trying to open ports 999, 1982 and 1983 but am not having much luck. I followed the post how to open ports and haven't been successful. I was told to make sure that your server TCP ports: 999, 1982, 1983 are fully open inbound and outbound and that destination IP address for those ports is 72.232.181.106.

I've been trying for ages to get these ports open, but haven't had any luck.

Syslog-ng triggers

Fri, 08 Feb 2008 17:18:30 +0100

I am looking for a way to get syslog-ng to trigger an event.

To be more specific: If I recieve a syslog-message with some speciel text e.g "thingy". I want the syslog-server to send an email.

Is this something that can be done using only syslog-ng and sendmail???

OpenSSL In Fedora 8

Sat, 22 Dec 2007 19:43:45 +0100

I'm trying to setup a radius server for some wireless clients, I want to use certificates for authentication. So I need to create a root certificate but I can't find the CA.pl script on Fedora 8. Does anyone know if it's called something else or if I have to download it because I've been looking for it for some time and I can't find it. I used the Fedora 8 live CD for my install if that makes any difference.

Thanks in advance for any help.