labrocca (Verified User; joined Mar 12, 2006; 151 messages)
I have this in my logs:
As you can see... they are using my NS2 to do a LOT of traffic to hit other sites. I replaced my domain obviously but this server is both ns1.domain.com and ns2.domain.com. The attack is from smtp.as.ro. It's bizarre because I can't figure out how they are passing my firewall.

16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628011 IP smtp.as.ro.http > ns2.domain.com.51891: . 373860:375308(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628039 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 375308 win 32580 <nop,nop,timestamp 1892617620 379626649>
16:27:20.629260 IP smtp.as.ro.http > ns2.domain.com.51891: . 375308:376756(1448) ack 1 win 1716 <nop,nop,timestamp 379626650 1892617292>
16:27:20.629288 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 376756 win 33304 <nop,nop,timestamp 1892617621 379626650>
16:27:20.630509 IP cpe-66-74-154-25.socal.res.rr.com.1156 > ns1.domain.com.http: P 1:1393(1392) ack 1 win 65535
16:27:20.640708 IP ns1.domain.com.http > 82.115.16.118.16812: . ack 1368 win 32148 <nop,nop,timestamp 1892617633 7362279>
16:27:20.644512 IP 78.140.130.213.http > ns2.domain.com.53910: . 2897:4345(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645755 IP 78.140.130.213.http > ns2.domain.com.53910: . 4345:5793(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645803 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 31856 <nop,nop,timestamp 1892617638 439326923>
16:27:20.645835 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 33304 <nop,nop,timestamp 1892617638 439326923>
16:27:20.647001 IP 78.140.130.213.http > ns2.domain.com.53910: . 5793:7241(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.648127 IP smtp.as.ro.http > ns2.domain.com.51891: . 376756:378204(1448) ack 1 win 1716 <nop,nop,timestamp 379626760 1892617403>
16:27:20.649377 IP smtp.as.ro.http > ns2.domain.com.56971: . 165072:166520(1448) ack 1 win 1716 <nop,nop,timestamp 379626663 1892617304>

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00505 deny ip from any to any dst-port 32566-65534
01500 deny ip from table(1) to me
01600 check-state
01700 deny tcp from any to any established
01800 allow ip from any to any out keep-state
01900 allow icmp from any to any
02000 allow tcp from any to any dst-port 21 setup keep-state
02100 allow tcp from any to any dst-port 22 setup keep-state
02200 allow tcp from any to any dst-port 25 setup keep-state
02300 allow tcp from any to any dst-port 53 setup keep-state
02400 allow udp from any to any dst-port 53 keep-state
02500 allow tcp from any to any dst-port 80 setup keep-state
02600 allow tcp from any to any dst-port 110 setup keep-state
02700 allow tcp from any to any dst-port 143 setup keep-state
02800 allow tcp from any to any dst-port 443 setup keep-state
02900 allow tcp from any to any dst-port 2222 setup keep-state
03000 allow tcp from any to any dst-port 32555-32565 in setup keep-state
03100 deny log logamount 10 ip from any to any
65535 deny ip from any to any
There you can see that I had to add rule 505 to block the high ports early in the ruleset but I know that's not the right way to block this. And without that rule they SHOULDN'T be hitting those ports anyways.
Help is GREATLY appreciated.
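Editor's note with an added triage example (not part of the post, and not code from the poster): the tcpdump lines answer the "how are they passing my firewall" question on their own. In every flow that lands on a high port of ns2, the remote side is sending data from port 80 and ns2 is the one returning ACKs from ports 51891, 53910 and 56971. That is the shape of a connection ns2 opened itself: rule 01800 ("allow ip from any to any out keep-state") lets the outbound SYN through and creates dynamic state, and check-state at 01600 then admits the replies, which is also why rule 00505, sitting before check-state, cuts those replies off. The script below parses the quoted packets (a constructed subset embedded inline), groups them into flows, labels which side is the service using the ports the ruleset exposes (rules 02000 to 03000), and lists the locally initiated flows that rule 00505 would break. The hostnames ns1.domain.com and ns2.domain.com come from the post; the name-to-port mapping for tcpdump's service names is assumed from /etc/services.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines quoted in the post above
SAMPLE_LOG = """\
16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628039 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 375308 win 32580 <nop,nop,timestamp 1892617620 379626649>
16:27:20.630509 IP cpe-66-74-154-25.socal.res.rr.com.1156 > ns1.domain.com.http: P 1:1393(1392) ack 1 win 65535
16:27:20.640708 IP ns1.domain.com.http > 82.115.16.118.16812: . ack 1368 win 32148 <nop,nop,timestamp 1892617633 7362279>
16:27:20.644512 IP 78.140.130.213.http > ns2.domain.com.53910: . 2897:4345(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645803 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 31856 <nop,nop,timestamp 1892617638 439326923>
16:27:20.649377 IP smtp.as.ro.http > ns2.domain.com.56971: . 165072:166520(1448) ack 1 win 1716 <nop,nop,timestamp 379626663 1892617304>
"""

# The two names the poster's server answers to (from the post)
LOCAL_HOSTS = {"ns1.domain.com", "ns2.domain.com"}

# tcpdump prints well-known ports by name; assumed /etc/services values for the names seen here
SERVICE_NAMES = {"http": 80, "https": 443, "smtp": 25, "domain": 53, "ssh": 22}

# Ports the ruleset accepts inbound connections on (rules 02000 through 03000)
LOCAL_SERVICES = {21, 22, 25, 53, 80, 110, 143, 443, 2222} | set(range(32555, 32566))

# Destination ports that rule 00505 denies, in both directions, before check-state runs
RULE_505_RANGE = range(32566, 65535)

# timestamp, "IP", src.sport, ">", dst.dport, ":", rest  (greedy groups split on the last dot)
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\S+) > (\S+)\.(\S+): (.*)$")


def port_number(token):
    """Turn tcpdump's port token (a service name or a number) into an int."""
    return SERVICE_NAMES[token] if token in SERVICE_NAMES else int(token)


def parse_line(line):
    """Parse one tcpdump line into (timestamp, src_host, src_port, dst_host, dst_port), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, _rest = m.groups()
    return ts, src, port_number(sport), dst, port_number(dport)


def analyze(log_text):
    """Group packets into flows keyed on (local host, local port, remote host, remote port)
    and label each flow by which side is the service."""
    flows = defaultdict(lambda: {"packets": 0, "in": 0, "out": 0, "role": "unknown"})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, src, sport, dst, dport = parsed
        if src in LOCAL_HOSTS:
            key, direction = (src, sport, dst, dport), "out"
        elif dst in LOCAL_HOSTS:
            key, direction = (dst, dport, src, sport), "in"
        else:
            continue  # neither endpoint is ours
        f = flows[key]
        f["packets"] += 1
        f[direction] += 1
        _local, lport, _remote, rport = key
        if lport in LOCAL_SERVICES:
            f["role"] = "server"  # a remote client talking to a service this host exposes
        elif rport < 1024 or rport in LOCAL_SERVICES:
            f["role"] = "client"  # this host opened the connection; replies ride on rule 01800's keep-state
    return dict(flows)


def client_flows_hit_by_rule_505(flows):
    """Local ports of locally initiated flows whose return traffic rule 00505 would drop."""
    return sorted(lport for (_l, lport, _r, _rp), f in flows.items()
                  if f["role"] == "client" and lport in RULE_505_RANGE)


def report(flows):
    lines = []
    for (local, lport, remote, rport), f in sorted(flows.items()):
        lines.append(f"{local}:{lport} <-> {remote}:{rport}  {f['role']:7s} "
                     f"pkts={f['packets']} in={f['in']} out={f['out']}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = analyze(SAMPLE_LOG)
    print(report(flows))
    print("client-side high ports that rule 00505 cuts off:", client_flows_hit_by_rule_505(flows))
```

The output labels the three ns2 high-port flows as "client" and the two ns1 port 80 flows as "server". Whether those outbound HTTP fetches are legitimate or belong to a process that should not be on the box is the next question, and it is answered on the host rather than in the firewall: on FreeBSD (assumed here, since the ruleset is ipfw), `sockstat -4c` lists each connected IPv4 socket with the owning user and process, so the PIDs behind ports 51891, 53910 and 56971 can be read off directly. Blocking the ephemeral range before check-state, as rule 00505 does, only hides the symptom and also breaks every other outbound connection the server makes.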