[KLUG Members] Re: Shorewall.log file analysis help
Adam Williams
members@kalamazoolinux.org
Tue, 26 Aug 2003 08:54:27 -0400
> >> SRC=203.121.145.128 The IP address of the packet source host
> >> DST=12.249.253.250 The IP address of the packet destination (eth0)
> >Both of these are public addresses. Do you expect to be routing between
> >two public networks?
> >> DPT=21 Destination Port number used by ftp listening daemon
> Adam,
> No, I do not plan on routing between two public networks. I wouldn't want to
> put any Internet backbone routers out of work :)
> On this broadband cable firewall/router, the routing occurs between the
> external network interface (eth0-12.249.253.0/24) and the internal network
> interface (eth1-192.168.5.0/24).
So, since one of the above addresses was your external interface, I'd
wager someone either (a) is scanning for FTP servers or (b) fat-fingered
a DNS or host entry somewhere.
> In the firewall log file entry I broke down, the incoming ftp packet was
> dropped at the external interface. But the packet did have to be read by the
> firewall to know that it should be dropped. From what I have read, carefully
> crafted packets seem to be the vector used to exploit many vulnerabilities.
> If reading a packet containing malicious data in an IP header field can
> cause a buffer over run, I suspect my firewall could be compromised.
It can, theoretically; people try to crack the stack without depending
on any running service. But usually such a technique only allows them
to DoS the machine, not gain control (although there are exceptions). I
wouldn't worry about it unless you have other reasons to be suspicious.
A current iptables firewall is pretty hard to breach.
> Your TCP/IP presentation to KLUG did include an explanation of the parameter
> window=XXXX, but I have not been able to find any good references concerning
> the significance of the rest of these mysterious IP fields. Consequently, I
> don't know which fields I should be watching closely in my log files.
You need the white hard-cover TCP/IP networking book with the red swirl
on the spine and cover. By Addison? I can't recall and don't have it
handy here. Unfortunately most TCP/IP books around are just worthless
"intro to IP networking" crap.