Linux, Unix, and *nix like Operating Systems Forum

Firewall
Some Dudes camping at my router
David
msg:909292
10:51 pm on Mar 15, 2002 (gmt 0)

I have a small network: 3 Windows machines and my Linux box. The Windows machines are all running Norton's Firewall. With Linux, I set it up with high-security tables. All behind a hardware router.

It started a couple of days ago when I noticed my Zip drive light up. I did a netstat and noticed the dude was connected to my box. Now I have a virtual Windows on my box, with Samba networking the Zip and a temp directory. I disconnected the network drive and broke the connection. So it looks like he was in through one of my Windows machines. As long as I didn't fire up the virtual Windows machine, my box was shielded. If I start it up, he will eventually connect.

Last night I started scanning myself with nmap, trying to figure out how he is getting in (by the way, he is on a Linux box). I can't get past the router scanning unless I send ACK packets; then I learned Norton's is wide open to someone who knows what they are doing.

This morning he connected directly to my Linux box. I shut down all incoming to eth0 and killed the connection. I started tcpdump and pointed it at the router gateway, and sure enough he shows up. I am in over my head in this. He/she was sending stuff like "awk whois IP number" and some stuff about icmb. When I have the machine locked down he can't get in.

I think he is hijacking sessions and cruising past the router at that point.

That's my sad story. I could use a little advice as to how to approach this. I have been reading about firewall setups and it's going to take me a while to get a grip on it.

Suggestions?
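An added example, not code from David's post or from anyone in this thread: a small Python filter over tcpdump output of the kind David says he pointed at the router gateway. It flags inbound packets for which no SYN appears in the capture. That is exactly the traffic a stateless packet filter that trusts the ACK bit lets through, and it is what an nmap ACK scan ("unless I send ack packets") exercises. The tcpdump lines, the LAN prefix 192.168.1. and the addresses are constructed for the example.

```python
"""Flag inbound TCP packets that belong to no connection the capture saw start.

Added example. Reads tcpdump -n output (modern "Flags [..]" format) and
reports (a) plain SYNs arriving from outside and (b) ACK/RST packets from
outside for which no SYN was ever seen, the packets a stateless filter that
accepts "established-looking" traffic will pass. All data below is constructed.
"""
import re

INSIDE = "192.168.1."   # assumed LAN prefix (hypothetical)

# tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags) or None for non-TCP lines."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return d["ts"], d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]


def flow_key(a, ap, b, bp):
    """Direction-independent key for one TCP connection."""
    return tuple(sorted([(a, ap), (b, bp)]))


def find_unsolicited(lines):
    """Return [(ts, 'src:port', 'dst:port', reason), ...] for suspicious inbound packets."""
    known = set()      # flows for which a SYN (either direction) was observed
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        ts, src, sport, dst, dport, flags = pkt
        key = flow_key(src, sport, dst, dport)
        inbound = dst.startswith(INSIDE) and not src.startswith(INSIDE)
        if "S" in flags:
            # "S" alone is a SYN; "S." is a SYN-ACK answering a SYN we already recorded
            if inbound and "." not in flags:
                findings.append((ts, f"{src}:{sport}", f"{dst}:{dport}",
                                 "inbound SYN: new connection attempt from outside"))
            known.add(key)
            continue
        if inbound and key not in known:
            findings.append((ts, f"{src}:{sport}", f"{dst}:{dport}",
                             f"inbound [{flags}] with no prior SYN: "
                             "passes a stateless filter that trusts the ACK bit"))
    return findings


# Constructed capture: one legitimate outbound web connection, then three
# probes from outside (an ACK probe, a SYN, and a RST-ACK) against SMB ports.
SAMPLE = """\
22:14:03.000100 IP 192.168.1.20.1025 > 198.51.100.7.80: Flags [S], seq 1, win 5840, length 0
22:14:03.000900 IP 198.51.100.7.80 > 192.168.1.20.1025: Flags [S.], seq 9, ack 2, win 5792, length 0
22:14:03.001200 IP 192.168.1.20.1025 > 198.51.100.7.80: Flags [P.], seq 2:80, ack 10, win 5840, length 78
22:14:07.420000 IP 203.0.113.9.44444 > 192.168.1.20.139: Flags [.], ack 1, win 1024, length 0
22:14:07.420300 IP 203.0.113.9.44445 > 192.168.1.10.139: Flags [S], seq 3, win 1024, length 0
22:14:07.421000 IP 203.0.113.9.44446 > 192.168.1.20.445: Flags [R.], seq 0, ack 1, win 0, length 0
"""

if __name__ == "__main__":
    for ts, src, dst, why in find_unsolicited(SAMPLE.splitlines()):
        print(f"{ts} {src} -> {dst}: {why}")
```

Feed it a real capture with `tcpdump -n -i eth0 tcp | python3 thisfile.py` after replacing SAMPLE with `sys.stdin`. The limitation to keep in mind: a capture that starts after a connection was opened will report that connection's ACKs as unsolicited, so run it from the moment the interface comes up, or accept a warm-up period.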

 

EliteWeb
msg:909293
11:00 pm on Mar 15, 2002 (gmt 0)

Wow David :) One thing I would do is change the hardware firewall password, and if it has SNMP enabled, change it out of the group *PUBLIC to anything else, like BOB. *PUBLIC = your hardware password, and if they do an SNMP dump and dump the config for your hardware, they could have the passwd in plain text. Learn more about SNMP and MIBs by going to the hardware's website. They may be able to upload a new config via TFTP to the hardware.

Make sure your hardware is configured properly to not allow incoming connections except on specific ports to specific machines, to figure out more about what he is doing.

There are millions of books on security; it's just hard to find the right ones.
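An added example, not from EliteWeb or anyone in the thread, to check the thing he describes: whether a router's SNMP agent still answers to the default community strings. It builds an SNMPv1 GetRequest for sysDescr.0 by hand (standard library only), decodes the GetResponse, and treats any reply at all as proof the community is accepted, because SNMPv1 agents silently drop requests whose community does not match. The router address is a parameter; "public" and "private" are the usual factory defaults. Run it only against equipment you own.

```python
"""Hand-built SNMPv1 GET probe (added example, stdlib only).

Encodes  SEQUENCE { version 0, community, GetRequest { id, err, idx, varbinds } }
in BER, sends it to UDP/161, and decodes the GetResponse. Constructed test
data only; the probe() call below is the only thing that touches the network.
"""
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"            # sysDescr.0, answered by nearly every agent
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2      # SNMPv1 PDU tags


def ber_len(n):
    """BER length: short form below 128, long form (0x80|count, bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def enc_int(v):
    """ASN.1 INTEGER with minimal two's-complement length."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])   # first two arcs share one byte
    for sub in parts[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                                  # base-128, high bit means "more"
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_message(community, oid, request_id=1, pdu_tag=GET_REQUEST, value=None):
    """value=None gives the NULL placeholder a GetRequest carries; bytes give an OCTET STRING."""
    val = tlv(0x05, b"") if value is None else tlv(0x04, value)
    varbinds = tlv(0x30, tlv(0x30, enc_oid(oid) + val))
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_response(data):
    """Decode a GetResponse into a dict; ValueError for anything else."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    tag, pdu, _ = read_tlv(msg, p)
    if tag != GET_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % tag)
    _, rid, p = read_tlv(pdu)
    _, err, p = read_tlv(pdu, p)
    _, _idx, p = read_tlv(pdu, p)
    _, vblist, _ = read_tlv(pdu, p)
    _, vb, _ = read_tlv(vblist)
    _, oid, p = read_tlv(vb)
    vtag, val, _ = read_tlv(vb, p)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "oid": dec_oid(oid),
            "value": val.decode(errors="replace") if vtag == 0x04 else val.hex()}


def probe(host, community, timeout=2.0):
    """One GetRequest for sysDescr.0; parsed reply, or None if the agent stayed silent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_message(community, SYS_DESCR, request_id=42), (host, 161))
        data, _ = sock.recvfrom(4096)
        return parse_response(data)
    except (OSError, ValueError):          # timeout, ICMP unreachable, or garbage
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumed default
    for name in ("public", "private"):
        reply = probe(router, name)
        print(f"{name}: {'ACCEPTED, sysDescr=' + reply['value'] if reply else 'no answer'}")
```

Two caveats worth keeping in mind when you read the result. A silent agent is not proof SNMP is off: an access list may be dropping your packets while still answering the attacker's address. And whatever community you rename "public" to travels in clear text in every SNMPv1/v2c packet, which is the plaintext exposure EliteWeb is warning about; renaming it helps only if SNMP is also blocked from the WAN side.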

bufferzone
msg:909294
8:12 pm on Mar 16, 2002 (gmt 0)

First I'd go by cert.org and nsa.gov to look at rocketdicing my OS and applications (all of them, Linux and Windows); next I would install a third-party logging system, to make it hard for the dude to fumble with my OS log without me knowing about it; then I would look at a firewall switch like the ZyWALL 1.

Come back with some info on how you solve this problem. I, for one, would love to hear.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
© Webmaster World 1996-2014 all rights reserved