IPF Logging packets Every 2-10 Seconds.

fbsd_user fbsd_user at a1poweruser.com
Tue Jun 28 14:42:51 GMT 2005



Like I told you before, all that junk you see hitting your
firewall is all attack or probing packets.
This is normal background noise.
You are not being attacked as a specific IP address target, and
getting a different IP address is not going to stop this background
noise.


Almost 98 percent of the attackers are script kiddies. Their
attacks are almost totally based on indiscriminately rolling through
a range of sequential IP addresses. (IE: They never use DNS to look up
your domain name.) You were found by plain bad luck. They run
scripts that only address the known ports listened on by those
services. You use this knowledge to defend against this type of
attack.
The simplest defense is to change the port numbers these services
use. The /etc/services is where SSH, Telnet, and FTP port numbers
are defined and where you would change them at. For Apache web
server you specify the access port number in httpd.conf definitions.
Remote clients who want to access your public services on the
alternate port number will have to enter the alternate port number
as part of the login command.

After setting up alternate port numbers you can have your firewall
log all access to ports 21, 22, 23, or 80 and report the abuse to the
ISP owner of the sending IP address using the FreeBSD port ppars-1.0.
Or, if you don't want to use the automated abuse reporting system, you
can take the sending IP address from your firewall log and do a manual
whois command to find the ISP owner of the offending IP address
along with the ISP's abuse reporting email address, and send your own
email to them about their client sending you attack packets.




-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Stephan
Weaver
Sent: Tuesday, June 28, 2005 9:01 AM
To: fbsd_user at a1poweruser.com; freebsd-questions at freebsd.org
Subject: RE: IPF Logging packets Every 2-10 Seconds.


ok first off, I apologise.
second, thanks a lot.

now, even if I disconnect my DSL modem and reconnect.
get a 'new' IP address from my ISP.
I still get tons of packets.

Any way to source where this is originating from?


>From: "fbsd_user" <fbsd_user at a1poweruser.com>
>Reply-To: <fbsd_user at a1poweruser.com>
>To: "Stephan Weaver"
><stephanweaver at hotmail.com>,<freebsd-questions at freebsd.org>
>Subject: RE: IPF Logging packets Every 2-10 Seconds.
>Date: Mon, 27 Jun 2005 13:28:29 -0400
>
>The log shows that it's all packets trying to penetrate your firewall.
>This is normal public internet traffic sent by people trying to
>break into your system. Your firewall is doing its job of blocking
>this unwanted junk just like you want it to do. If you don't want to
>see this stuff in your log then remove the log keyword from your
>rules and it will stop logging that junk.
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Stephan
>Weaver
>Sent: Monday, June 27, 2005 11:19 AM
>To: freebsd-questions at freebsd.org
>Subject: IPF Logging packets Every 2-10 Seconds.
>
>
>Hello list,
>
>My IPF Firewall System is logging packets almost every 2 - 10
>seconds.
>I would like to narrow this problem down.
>
>firewall# cat /etc/ipf.rules
>block in all
>block out all
>
>pass in quick on lo0 all
>pass out quick on lo0 all
>
>pass out quick on vr0 from any to any keep state
>
>pass in quick on vr1 all
>pass out quick on vr1 all
>
># Block all inbound traffic from non-routable or reserved address spaces
>block in log quick on vr0 from 192.168.0.0/16 to any   #RFC 1918 private IP
>block in log quick on vr0 from 172.16.0.0/12 to any    #RFC 1918 private IP
>block in log quick on vr0 from 10.0.0.0/8 to any       #RFC 1918 private IP
>block in log quick on vr0 from 127.0.0.0/8 to any      #loopback
>block in log quick on vr0 from 0.0.0.0/8 to any        #loopback
>block in log quick on vr0 from 169.254.0.0/16 to any   #DHCP auto-config
>block in log quick on vr0 from 192.0.2.0/24 to any     #reserved for doc's
>block in log quick on vr0 from 204.152.64.0/23 to any  #Sun cluster interconnect
>block in log quick on vr0 from 224.0.0.0/3 to any      #Class D & E multicast
>
># Block frags
>block in quick on vr0 all with frags
># Block short tcp packets
>block in quick on vr0 proto tcp all with short
># Block source routed packets
>block in quick on vr0 all with opt lsrr
>block in quick on vr0 all with opt ssrr
># Block nmap OS fingerprint attempts
># Log first occurrence of these so I can get their IP address
>block in log first quick on vr0 proto tcp all flags FUP
>block in log first quick on vr0 proto tcp all flags SF/SFRA
>block in log first quick on vr0 proto tcp all flags /SFRA
>block in log first quick on vr0 proto tcp all flags F/SFRA
>block in log first quick on vr0 proto tcp all flags U/SFRAU
>block in log first quick on vr0 proto tcp all flags P
># Block anything with special options
>block in quick on vr0 all with ipopts
>
># Block public pings
>block in log quick on vr0 proto icmp all icmp-type 8
>
>
># TSTT NameServers
>pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep
>state
>pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep
>state
>
># Block and log only first occurrence of all remaining traffic
># coming into the firewall. The logging of only the first
># occurrence stops a "denial of service" attack targeted
># at filling up your log file space.
># This rule enforces the block all by default logic.
>block in log first quick on vr0 all
>
>
><SNIP>
>
>firewall# tail -f /var/log/ipfilter.log
>27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:06.598363 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.515511 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:14.470027 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:17.432263 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:23.439618 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:29.633637 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:30.068091 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.592810 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.954266 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.859627 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.993186 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:03.372975 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:06.350342 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:12.289440 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:14.453865 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:17.418664 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:23.462695 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:53.929698 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:54.745636 vr0 @0:27 b 70.176.85.4,2263 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:55.988928 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:58.693653 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:01.582810 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:02.423821 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"
>


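The two pieces of advice in this thread (treat the blocked-packet noise as background and triage it by source, then pull out the sources that hit the real service ports so their ISP can be looked up with whois) can be turned into a small log summarizer. The script below is an added example, not code from the thread, from ppars, or from any FreeBSD tool: it parses the ipmon log line shape shown in Stephan's original post, aggregates blocked packets per source address, and flags sources that touched the 21/22/23/80 ports fbsd_user suggested logging after the services are moved. The sample input reuses lines copied from the post plus a few constructed ones (the 203.0.113.x addresses, the ICMP echo line and the passed DNS reply); `SERVICE_PORTS`, `parse_line` and `summarize` are names chosen here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Ports fbsd_user suggested logging once the real services have been moved
# elsewhere (FTP, SSH, Telnet, HTTP). A blocked hit on one of these is a
# candidate for an abuse report to the sender's ISP.
SERVICE_PORTS = frozenset({21, 22, 23, 80})

# Matches the ipmon line shape seen in the thread, e.g.
#   27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
# The ",port" parts are optional so that ICMP lines (no ports) also parse;
# everything after the total length (TCP flags, ICMP type/code, direction) is kept as "rest".
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)(?P<rest>.*)$"
)

# Sample input (constructed): the first seven lines are copied from the original
# post; the 203.0.113.x lines, the ICMP line and the passed DNS reply are made up,
# and "<SNIP>" stands in for a line the parser cannot read.
SAMPLE_LOG = [
    "27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:14.470027 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:30.068091 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:16:10.000000 vr0 @0:27 b 203.0.113.7,4412 -> 192.168.1.1,22 PR tcp len 20 48 -S IN",
    "27/06/2005 11:16:11.000000 vr0 @0:27 b 203.0.113.7,4413 -> 192.168.1.1,80 PR tcp len 20 48 -S IN",
    "27/06/2005 11:16:12.000000 vr0 @0:20 b 203.0.113.9 -> 192.168.1.1 PR icmp len 20 84 icmp 8/0 IN",
    "27/06/2005 11:16:13.000000 vr0 @0:25 p 196.3.132.1,53 -> 192.168.1.1,49152 PR udp len 20 73 IN",
    "<SNIP>",
]


@dataclass
class SourceStats:
    """Running totals for one sending address."""
    hits: int = 0
    ports: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line):
    """Return a dict of the fields of one ipmon line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": f"{d['date']} {d['time']}",
        "iface": d["iface"],
        "rule": f"{d['group']}:{d['rule']}",   # e.g. "0:27", the rule that fired
        "action": d["action"],                  # "b" blocked, "p" passed
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "proto": d["proto"],
    }


def summarize(lines, service_ports=SERVICE_PORTS):
    """Aggregate blocked packets per source; flag sources that probed service ports."""
    per_source = defaultdict(SourceStats)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] != "b":          # passed traffic is not noise, skip it
            continue
        s = per_source[rec["src"]]
        s.hits += 1
        if rec["dport"] is not None:      # ICMP lines carry no port
            s.ports.add(rec["dport"])
        s.first_seen = s.first_seen or rec["ts"]
        s.last_seen = rec["ts"]

    report = []
    for src, s in sorted(per_source.items(), key=lambda kv: (-kv[1].hits, kv[0])):
        probed = sorted(s.ports & service_ports)
        report.append({
            "src": src,
            "hits": s.hits,
            "ports": sorted(s.ports),
            "service_ports": probed,
            "report_candidate": bool(probed),   # worth a whois / abuse report
            "first_seen": s.first_seen,
            "last_seen": s.last_seen,
        })
    return report, unparsed


def main():
    report, unparsed = summarize(SAMPLE_LOG)
    print(f"{'source':<16} {'hits':>4}  ports hit")
    for r in report:
        note = f"   <- whois {r['src']}" if r["report_candidate"] else ""
        print(f"{r['src']:<16} {r['hits']:>4}  {r['ports']}{note}")
    print(f"unparsed lines: {unparsed}")


if __name__ == "__main__":
    main()
```

On a real box the list would come from `cat /var/log/ipfilter.log` instead of `SAMPLE_LOG`; the sources without a service-port hit (the 16478 and 445 probes above) are the background noise fbsd_user describes, and only the flagged ones are worth the whois lookup and an abuse email.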


