In the past couple of weeks I've noticed that I am getting lots of snort reports showing a portsweep started from my pppoe connection.
How do I figure out what internal ip is initiating this?
I've tried with ntop, but I am too stupid to get ntop to show all internal ip addresses. It seems to run for a few days and then quit and only shows the pppoe connection and not the next level down 192.168.1.x and 192.168.2.x segments. ntop documentation sucks.
snort[20173]: [122:3:0] (portscan) TCP Portsweep[Priority: 3]: {PROTO:255} my.pppoe.com.ip -> 173.194.43.78
Responses (10)
-
Update:
Tried the iptables FORWARD command with more luck.
It looks like my android devices are calling back to the mothership every few minutes. They each do about 8-10 of these every few minutes. So with 3-4 android devices this is happening a lot.
May 16 10:31:19 localhost kernel: IN=eth2 OUT=ppp0 SRC=android.device.ip DST=173.194.43.72 LEN=268 TOS=0x00 PREC=0x00 TTL=63 ID=49933 DF PROTO=TCP SPT=45061 DPT=443 WINDOW=229 RES=0x00 ACK PSH URGP=0
Funny thing is my Apple Laptop is also calling back to the Google ship. I'm using Little Snitch and see that this is Firefox, Thunderbird (multiple gmail accts), Busycal (connected to google calendar).
I'm getting the feeling that this isn't as serious as I originally thought. Am I mistaken???
-
The IN flag is the source interface and will be blank if the packet comes from ClearOS. Which chain are you logging that from, OUTPUT or FORWARD? If it is OUTPUT then ClearOS is the source (I'm not sure the statement is true if you have run the proxy in some modes). It looks like a standard browser access - DPT = port 80, with the SYN flag set. I'm blocked at work so I can't try to access the 173.194.43.87 site
-
Thanks again, Nick.
I've been watching the log for a number of days. I'm not able to figure out the source. What I get is:
kernel: IN= OUT=ppp0 SRC=my.ppoe.com DST=173.194.43.87 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59807 DF PROTO=TCP SPT=45724 DPT=80 WINDOW=5808 RES=0x00 SYN URGP=0
Unfortunately, this doesn't show the initiating IP address. Is there a way to get more details? I see the IN= portion is blank.
I have narrowed it down to my wifi network segment because it stops at midnight and starts again at 6:30am. I had to kill the wifi during those periods or my kids wouldn't sleep. Damn texting going on at all hours of the night and they don't have the sense to turn off the device.....
-
Iptables does not take a regex. /25 will give you 0 - 127 which is only two addresses more than 1-126 so just use the /25 notation. To use --dst-range add "-m iprange" to the rule.
Look in /var/log/messages for the log. It can be redirected but that is more complicated.
iptables -I OUTPUT -m iprange --dst-range 173.194.43.1-173.194.43.126 -j LOG
[edit]
That block is owned by Google!
[/edit]
-
Hmm. I guess for this one I can do
iptables -I OUTPUT -d 173.194.43.0/25 -j LOG
But that includes more IPs than I want. Figuring out how to do a range would be better.
Would something like this work?
iptables -I OUTPUT -d 173.194.43.[1-126] -j LOG
Or am I getting out of control with the attempted bash regex?
-
Thanks again for your help, Nick.
I have a range of IPs that I would like to check using these rules but when I try the rule
iptables -I OUTPUT --dst-range 173.194.43.1-173.194.43.126 -j LOG
I get an error.
How do I do a --dst-range and --src-range using the iptables 1.3.5 version on COS5.2sp1?
I can't figure it out from the man page. I don't think this option exists in v1.3.5. I don't seem to be able to figure out the right google-fu to find examples of doing a range using v1.3.5.
Oh, and does this go to the messages log?
-
That looks like one of the internal rules and I don't know how they are constructed, but it could be 173.194.43.78 who is scanning you, but snort is picking up the replies.
You could try logging all messages to that IP with some firewall rules:
iptables -I FORWARD -d 173.194.43.78 -j LOG
iptables -I OUTPUT -d 173.194.43.78 -j LOG
iptables -I INPUT -s 173.194.43.78 -j LOG
Try the input or output rules first. If they get any hits it is pretty certain 173.194.43.78 is scanning you. If the forward rule gets any hits then you are scanning him and the log should identify the source of the traffic.
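As an added example (not from anyone in this thread), here is a small Python script that reads kernel LOG lines of the format quoted above out of /var/log/messages, drops established traffic and replies so that only new connection attempts are counted, and reports the originating host per destination; lines with IN= blank are attributed to the firewall itself, as explained above. The sample log lines, LAN addresses and the 203.0.113.10 stand-in for the pppoe address are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel LOG format seen in this thread (not real logs):
# 192.168.x.x are the LAN segments, 203.0.113.10 stands in for the pppoe address.
SAMPLE_LOG = """\
May 16 10:31:19 localhost kernel: IN=eth2 OUT=ppp0 SRC=192.168.2.20 DST=173.194.43.72 LEN=268 TOS=0x00 PREC=0x00 TTL=63 ID=49933 DF PROTO=TCP SPT=45061 DPT=443 WINDOW=229 RES=0x00 ACK PSH URGP=0
May 16 10:31:40 localhost kernel: IN=eth2 OUT=ppp0 SRC=192.168.2.20 DST=173.194.43.78 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49934 DF PROTO=TCP SPT=45062 DPT=443 WINDOW=229 RES=0x00 SYN URGP=0
May 16 10:32:01 localhost kernel: IN=eth1 OUT=ppp0 SRC=192.168.1.5 DST=173.194.43.78 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1201 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 16 10:32:15 localhost kernel: IN= OUT=ppp0 SRC=203.0.113.10 DST=173.194.43.87 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59807 DF PROTO=TCP SPT=45724 DPT=80 WINDOW=5808 RES=0x00 SYN URGP=0
May 16 10:32:30 localhost kernel: IN=ppp0 OUT= SRC=173.194.43.78 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=45062 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}
def parse_line(line):
    """Return the key=value fields of one LOG line plus its bare TCP flag tokens, or None."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    tail = line.split("kernel:", 1)[1]
    rec["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return rec

def classify(rec):
    """Work out which chain logged the packet from its IN=/OUT= interfaces."""
    if rec["IN"] and rec["OUT"]:
        return "forwarded"  # FORWARD: a LAN host behind the firewall originated it
    if rec["OUT"]:
        return "local"      # OUTPUT: IN= is blank, the firewall itself originated it
    return "inbound"        # INPUT: came in from the outside, OUT= is blank

def summarize(log_text):
    """Count new connection attempts (SYN without ACK) per originating host and target."""
    summary = {"forwarded": Counter(), "local": Counter(), "inbound": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["FLAGS"] or "ACK" in rec["FLAGS"]:
            continue  # skip established traffic and replies (ACK, RST); snort may count those
        key = (rec["SRC"], rec["IN"] or "-", rec["DST"], rec["DPT"])
        summary[classify(rec)][key] += 1
    return summary

if __name__ == "__main__":
    for kind, counts in summarize(SAMPLE_LOG).items():
        for (src, iface, dst, dpt), n in counts.most_common():
            print(f"{kind:9} {src:15} via {iface:5} -> {dst}:{dpt}  x{n}")
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/messages (for example, `summarize(open("/var/log/messages").read())`).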