On Wed, 2008-06-04 at 19:31 +0200, François Patte wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04.06.2008 14:05, Simon Slater wrote:
> | On Wed, 2008-06-04 at 10:05 +0200, François Patte wrote:
> |> -----BEGIN PGP SIGNED MESSAGE-----
> |> Hash: SHA1
> |>
> |> On 04.06.2008 01:03, Simon Slater wrote:
> |
> | These are the type of logs now. None of these are appearing in timing
> | with requests to the Internet from the laptop:
> |
> | [root@ipex ~]# tail /var/log/messages
> | Jun 4 21:41:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
> | SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104
> | ID=5893 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
> | Jun 4 21:41:38 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
> | SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104
> | ID=5938 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Someone in Tahiti is scanning your computer.... No danger though!

I need to learn more about regular security checks and firewalling before
we get a DSL line. I spotted that IP, didn't know where it came from, but
at the moment I don't know what is dangerous & what isn't. Any pointers to
good reading?

> | [root@ipex ~]#
> |
> | However, when requesting the Internet from the desktop:
> |
> | Jun 4 21:59:31 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
> | SRC=59.101.218.205 DST=203.63.53.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> | ID=3672 DF PROTO=TCP SPT=48673 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> no problem here: every packet escaping from your desktop uses the
> "postrouting" chain.... And is logged by the rule.
>
> What is strange: we never see any request from the laptop: we should see
> some logged packets with SRC=laptop IP (192.168.0.6 as you said). What
> is the IP of eth0 on your desktop? (ifconfig -a)

[root@ipex ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:10:5A:62:2A:A5
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::210:5aff:fe62:2aa5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:656494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:643373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:170 txqueuelen:1000
          RX bytes:742986447 (708.5 MiB)  TX bytes:58456211 (55.7 MiB)
          Interrupt:10 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:172887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:172887 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13734343 (13.0 MiB)  TX bytes:13734343 (13.0 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:59.101.168.194  P-t-P:210.8.1.253  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2495 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2785 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:745377 (727.9 KiB)  TX bytes:231918 (226.4 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@ipex ~]#

The fact that no http requests appear on the desktop is the funny thing.
That's why I started looking on the laptop side with Wireshark.

Here's a tcpdump from the desktop side when the laptop makes an Internet
request:

[root@ipex ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:27:07.948798 IP ipex.local.ipp > 192.168.0.255.ipp: UDP, length 180
09:27:10.858982 arp who-has ipex.local tell acer.local
09:27:10.859174 arp reply ipex.local is-at 00:10:5a:62:2a:a5 (oui Unknown)
09:27:10.859317 IP acer.local.47327 > ipex.local.http: S 2804202937:2804202937(0) win 5840 <mss 1460,sackOK,timestamp 281565 0,nop,wscale 5>
09:27:10.859702 IP ipex.local.http > acer.local.47327: R 0:0(0) ack 2804202938 win 0
09:27:15.858221 arp who-has acer.local tell ipex.local
09:27:15.858400 arp reply acer.local is-at 00:16:d3:e3:69:30 (oui Unknown)
09:27:38.949941 IP ipex.local.ipp > 192.168.0.255.ipp: UDP, length 180

8 packets captured
16 packets received by filter
0 packets dropped by kernel
[root@ipex ~]# tail /var/log/messages
Jun 5 09:16:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
SRC=125.211.218.58 DST=59.101.168.194 LEN=404 TOS=0x00 PREC=0x00 TTL=109
ID=28197 PROTO=UDP SPT=1216 DPT=1434 LEN=384
Jun 5 09:19:04 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
SRC=59.101.168.194 DST=203.8.183.1 LEN=62 TOS=0x00 PREC=0x00 TTL=64
ID=45556 DF PROTO=UDP SPT=34144 DPT=53 LEN=42
Jun 5 09:19:05 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
SRC=59.101.168.194 DST=210.10.73.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=13005 DF PROTO=TCP SPT=55113 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 5 09:27:01 ipex kernel: eth0: Setting promiscuous mode.
Jun 5 09:27:01 ipex kernel: device eth0 entered promiscuous mode
Jun 5 09:27:01 ipex kernel: audit(1212622021.463:47): dev=eth0 prom=256 old_prom=0 auid=4294967295
Jun 5 09:27:07 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
SRC=59.101.168.194 DST=203.8.183.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64
ID=4560 DF PROTO=UDP SPT=34144 DPT=53 LEN=52
Jun 5 09:27:12 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
SRC=166.111.86.250 DST=59.101.168.194 LEN=404 TOS=0x00 PREC=0x00 TTL=105
ID=26754 PROTO=UDP SPT=3650 DPT=1434 LEN=384
Jun 5 09:27:41 ipex kernel: device eth0 left promiscuous mode
Jun 5 09:27:41 ipex kernel: audit(1212622061.185:48): dev=eth0 prom=0 old_prom=256 auid=4294967295
[root@ipex ~]#

I closed down the browsers on the desktop to remove any extra traffic.
This is typical of what happens when requesting the Internet from the
laptop. Looks like someone else is scanning this box.

Hope this helps.

--
Regards,
Simon

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
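Added example, not part of the thread: a small Python parser for iptables LOG lines of the kind pasted in this mail. It separates the [IPTABLES DROP] hits arriving on ppp0 (the inbound scan noise François points at; here the repeated UDP/1434 probes) from the [IPTABLES MASQ] lines, and reports which private addresses ever appear as SRC in masqueraded traffic, which is what the thread is looking for from the laptop (192.168.0.6). The sample lines are constructed from the entries above, and the 192.168.0. prefix is an assumption taken from the eth0 address in the ifconfig output.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the [IPTABLES DROP]/[IPTABLES MASQ]
# entries in the mail, plus one non-iptables kernel line to be skipped.
SAMPLE_LOG = """\
Jun  5 09:16:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=125.211.218.58 DST=59.101.168.194 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=28197 PROTO=UDP SPT=1216 DPT=1434 LEN=384
Jun  5 09:19:04 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0 SRC=59.101.168.194 DST=203.8.183.1 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=45556 DF PROTO=UDP SPT=34144 DPT=53 LEN=42
Jun  5 09:27:12 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=166.111.86.250 DST=59.101.168.194 LEN=404 TOS=0x00 PREC=0x00 TTL=105 ID=26754 PROTO=UDP SPT=3650 DPT=1434 LEN=384
Jun  5 09:27:01 ipex kernel: device eth0 entered promiscuous mode
"""

# The log prefix is "[IPTABLES <chain>]" optionally followed by " : ".
LINE_RE = re.compile(r"kernel: \[IPTABLES (?P<chain>\w+)\]\s*:?\s*(?P<fields>.*)$")

def parse_line(line):
    """Return the key=value fields of one iptables LOG line as a dict,
    or None for lines that are not iptables log entries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # LEN appears twice for UDP (IP length, then UDP length); keep the first.
            rec.setdefault(k, v)
        else:
            rec["flags"].append(tok)  # bare tokens such as DF or SYN
    return rec

def summarise(text):
    """Count dropped inbound hits by (SRC, PROTO, DPT) and collect the
    source addresses seen in masqueraded outbound traffic."""
    drops = Counter()
    masq_sources = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["chain"] == "DROP" and rec.get("IN"):
            drops[(rec["SRC"], rec.get("PROTO"), rec.get("DPT"))] += 1
        elif rec["chain"] == "MASQ":
            masq_sources.add(rec["SRC"])
    return drops, masq_sources

def lan_hosts_seen(masq_sources, lan_prefix="192.168.0."):
    """Private addresses that were actually forwarded; an empty list means
    no LAN host's traffic ever reached the masquerade rule (the symptom here)."""
    return sorted(s for s in masq_sources if s.startswith(lan_prefix))
```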