Attacks? Router & Server hangs - Security Problem

webmaster Chris Piskopos - Megatron cline200 at spark.net.gr
Wed Dec 15 00:18:55 EET 2004


The line I have is ADSL 384/128 with a static IP (Sparknet provider).

The only thing I managed to observe, and that only once, because by now I usually 
only realize it once the router and the server have hung, and at that point I can't 
do anything other than restart both of them:
I ran tcpdump and at some point it was showing me... mmm... how to put it... almost 
all the ports... as if someone from outside was doing a port scan..!!?? But the 
heaviest traffic is mainly on port 32768, and there is traffic both from outside 
inward and the reverse. Inside the LAN (I have 3 PCs), there is no strange or 
excessive traffic from any other PC, apart from this particular web server with the 
router. One of them is the server (which only does web services... nothing else 
related to the LAN), and it is the one with Linux Mandrake 10.1, on which the 
things running are: Apache, Bind, Postfix, MailScanner, MySQL, VsFtpd and Webmin.
Anyway, the problem happens around 2 - 3 times a week, and it has been happening to 
me for about 1 month now, for the first time, with the same existing configuration 
of the server (the server has been running for 9 months with the existing config, 
and I never had such a problem before). So I don't think it is a configuration 
issue, but of course I can't be sure at this moment, because I am still looking 
into it, and I haven't found a solution yet!

[root@atlas /]# netstat -taup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:32768 *:*                     LISTEN      2898/xinetd
tcp        0      0 *:32769                 *:*                     LISTEN      -
tcp        0      0 *:nfs                   *:*                     LISTEN      -
tcp        0      0 *:998                   *:*                     LISTEN      2938/rpc.rquotad
tcp        0      0 localhost.localdo:10026 *:*                     LISTEN      3121/master
tcp        0      0 *:mysql                 *:*                     LISTEN      2515/mysqld
tcp        0      0 *:684                   *:*                     LISTEN      2622/rpc.statd
tcp        0      0 *:pop3                  *:*                     LISTEN      2898/xinetd
tcp        0      0 *:sunrpc                *:*                     LISTEN      2523/portmap
tcp        0      0 *:10000                 *:*                     LISTEN      3514/perl
tcp        0      0 *:ftp                   *:*                     LISTEN      2898/xinetd
tcp        0      0 atlas.megatron.g:domain *:*                     LISTEN      2809/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN      2809/named
tcp        0      0 *:smtp                  *:*                     LISTEN      3121/master
tcp        0      0 localhost.localdom:rndc *:*                     LISTEN      2809/named
tcp        0      0 *:602                   *:*                     LISTEN      2967/rpc.mountd
tcp        0      0 atlas.megatron.gr:pop3  192.168.1.35:4981       TIME_WAIT   -
tcp        0      0 *:http                  *:*                     LISTEN      3689/httpd2
tcp        0      0 *:ssh                   *:*                     LISTEN      2860/sshd
tcp        0      0 *:https                 *:*                     LISTEN      3689/httpd2
tcp        0      0 atlas.megatron.gr:ssh   ::ffff:192.168.1.3:4974 ESTABLISHED 8895/0
udp        0      0 *:32768                 *:*                                 2809/named
udp        0      0 *:nfs                                                       -
udp        0      0 *:32770                                                     -
udp        0      0 *:10000                 *:*                                 3514/perl
udp        0      0 *:678                   *:*                                 2622/rpc.statd
udp        0      0 *:681                   *:*                                 2622/rpc.statd
udp        0      0 atlas.megatron.g:domain *:*                                 2809/named
udp        0      0 localhost.locald:domain *:*                                 2809/named
udp        0      0 *:pop3s                 *:*                                 2938/rpc.rquotad
udp        0      0 *:sunrpc                *:*                                 2523/portmap
udp        0      0 *:1023                  *:*                                 2967/rpc.mountd
udp        0      0 *:32769                 *:*                                 2809/named
[root@atlas /]#

I only have a firewall on the router (Zyxel ADSL modem router P600 series), nowhere 
else.

The router is set up with SUA only.

Did I help at all with the above? Does anyone have any idea?
Thanks, also, to Mr. Polychronis for his reply.


> Not only which line you have, but also what kind of traffic is it that you
> are observing? (towards which machines inside your LAN / towards which port
> of each machine, if you have more than one server?)
> (netstat -taup)
>
> Do you have a firewall on every server of yours inside the LAN? With what settings?
> (iptables -L)
>
> What settings do you have on the router? (SUA Mode?)
>
> You can't solve a security issue unless you understand it
> fully....
> But maybe in your case there is no security issue, but rather a
> configuration issue?
>
>
>> On Tue, 14 Dec 2004 01:36:14 +0200, webmaster Chris Piskopos - Megatron
>> wrote:
>>
>> > I have the following problem:
>>
>> Why don't you also say what line you have to the outside world, so the guys can
>> help you better?
>
>
Good evening,
I have the following problem:

I have a web server (Linux Mandrake 10.1 - web services: HTTP, DNS, Mail, FTP) 
and an ADSL modem router Zyxel Prestige 600 series. The problem is that lately I 
have noticed excessive traffic from outside inward (WAN to LAN), with the result 
that my router hangs many times!!! Every so often, I am forced to reboot both the 
router and the server to get them back on their feet!

Does anyone know what is happening? How can I protect myself from such attacks? 
(if they are attacks?! or something else?)
In the meantime I have also enabled the router's firewall... but I don't see it 
helping in such cases!
Does anyone have any idea?
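As an added example (not part of the thread), this script parses `netstat -taup` output in the format shown above and lists the listeners bound to every interface that are not among the services the server is meant to publish; the sample rows are a constructed subset of the thread's output, and the set of public services is my assumption.

```python
from typing import Dict, List, Tuple

# Constructed sample in the format of `netstat -taup` (a subset of the thread's output)
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:32768 *:*                     LISTEN      2898/xinetd
tcp        0      0 *:nfs                   *:*                     LISTEN      -
tcp        0      0 *:mysql                 *:*                     LISTEN      2515/mysqld
tcp        0      0 *:sunrpc                *:*                     LISTEN      2523/portmap
tcp        0      0 *:10000                 *:*                     LISTEN      3514/perl
tcp        0      0 *:http                  *:*                     LISTEN      3689/httpd2
tcp        0      0 atlas.megatron.gr:ssh   ::ffff:192.168.1.3:4974 ESTABLISHED 8895/0
udp        0      0 *:sunrpc                *:*                                 2523/portmap
udp        0      0 *:678                   *:*                                 2622/rpc.statd
"""

# Services the server in the thread is meant to publish (assumption; adjust as needed)
PUBLIC_PORTS = {"http", "https", "smtp", "domain", "pop3", "ftp", "ssh"}

Listener = Tuple[str, str, str]  # (proto, port, program)


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse `netstat -taup` rows into dicts; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        # tcp rows carry a State column; udp rows normally leave it blank
        state = f[5] if len(f) == 7 else ""
        host, port = f[3].rsplit(":", 1)  # hostnames may be truncated, port is last
        rows.append({"proto": f[0], "host": host, "port": port,
                     "state": state, "prog": f[-1]})
    return rows


def exposed_listeners(text: str, public=PUBLIC_PORTS) -> List[Listener]:
    """Listeners bound to every interface ('*') whose port is not in the public set."""
    out: List[Listener] = []
    for r in parse_netstat(text):
        listening = r["proto"] == "udp" or r["state"] == "LISTEN"
        if listening and r["host"] == "*" and r["port"] not in public:
            out.append((r["proto"], r["port"], r["prog"]))
    return out


if __name__ == "__main__":
    for proto, port, prog in exposed_listeners(SAMPLE):
        print(f"{proto}/{port:<8} {prog:<16} bound to all interfaces, not on the public list")
```

Anything this lists (portmap, NFS, rpc.* helpers, MySQL, Webmin on 10000) is reachable from the LAN side, so the router's SUA/NAT and firewall rules are the only thing standing between it and the WAN.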




