IP-Tables and Security in General (fwd)

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Mon Sep 23 15:16:17 UTC 2013


Mail from DCB.

---------- Forwarded message ----------
From: David Collier-Brown <davec-b-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org>
To: tlug-lxSQFCZeNF4 at public.gmane.org, Aruna Hewapathirane <aruna.hewapathirane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Cc: D. Hugh Redelmeier <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org>
Date: Mon, 23 Sep 2013 10:20:16 -0400
Subject: Re: [TLUG]: IP-Tables and Security in General
Reply-To: davecb-0XdUWXLQalXR7s880joybQ at public.gmane.org

On 09/23/2013 09:37 AM, Aruna Hewapathirane wrote:
> Thank you everyone for the suggestions and my apologies for cross
> posting, I simply wanted to access as large a knowledge base as I
> possibly could out there.
>
> Am not running a network ( yet ) all I have is a single ancient PC (
> Intel(R) Pentium(R) 4 CPU 3.06GHz with 2GB RAM ) running Ubuntu 10.04
> LTS mostly used to develop.
>
> My ISP is Bell so I have their router and when I had a look it says:
>
>   * Connection type: Ethernet
>   * IP address: 192.168.2.26
>   * IP address allocation: DHCP
>   * *IP address type: Private (NAT)*
>
> So am guessing it implements Network Address Translation. I tried
> netstat -tanp and netstat -aute and top to try and isolate but this is
> easier said than done so I used Lightweight Portable Security Live CD
> for the time being and it stopped the unwanted traffic but now I can't
> mount my drive.
>
>  fdisk -l shows zilch? Is there a work around for this ?
>
> netstat -tanp gives me this, and what are all those connections and
> are they all legit or ?? Thank you everyone for all the ideas and help.
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1191/cupsd
> tcp        0      0 127.0.0.1:46270         0.0.0.0:*               LISTEN      2331/GoogleTalkPlug
> tcp        0      0 127.0.0.1:49991         0.0.0.0:*               LISTEN      2331/GoogleTalkPlug
> tcp        0      0 192.168.2.26:54472      74.125.225.116:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:52803      165.254.94.104:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:44169      165.254.94.168:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:41957      23.61.97.224:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:37141      74.125.225.121:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:41993      23.61.97.224:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:36685      23.61.95.139:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:44099      165.254.94.168:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:57406      207.152.124.122:80      TIME_WAIT   -
> tcp        0      0 192.168.2.26:41984      23.61.97.224:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:44098      165.254.94.168:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:41983      23.61.97.224:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:43909      74.125.225.41:80        TIME_WAIT   -
> tcp        1      0 192.168.2.26:58247      165.254.94.114:80       CLOSE_WAIT  1905/clock-applet
> tcp        0      0 192.168.2.26:39746      199.38.165.155:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:46506      74.125.225.127:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:53263      173.194.46.57:80        ESTABLISHED 2227/firefox
> tcp        0      0 192.168.2.26:40756      173.194.46.45:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:54106      74.125.225.91:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:44102      165.254.94.168:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:59210      199.7.51.72:80          TIME_WAIT   -
> tcp        0      0 192.168.2.26:55576      31.13.71.49:80          TIME_WAIT   -
> tcp        0      0 192.168.2.26:44838      165.254.94.154:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:57073      74.125.225.89:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:60427      74.125.225.127:443      ESTABLISHED 2227/firefox
> tcp        0      0 192.168.2.26:41370      165.254.94.113:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:52091      165.254.94.131:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:50579      216.239.120.40:80       ESTABLISHED 2227/firefox
> tcp        0      0 192.168.2.26:53334      173.194.46.57:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:55095      165.254.94.130:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:33246      207.152.125.97:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:35851      74.125.225.154:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:60024      23.61.112.74:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:47021      173.194.46.85:443       ESTABLISHED 2227/firefox
> tcp        0      0 192.168.2.26:37800      165.254.94.129:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:44103      165.254.94.168:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:44839      165.254.94.154:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:40799      74.125.142.95:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:35582      198.252.206.25:80       ESTABLISHED 2227/firefox
> tcp        0      0 192.168.2.26:44100      165.254.94.168:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:46961      165.254.94.139:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:35943      31.13.71.49:443         ESTABLISHED 2227/firefox
> tcp        1      0 192.168.2.26:58246      165.254.94.114:80       CLOSE_WAIT  1905/clock-applet
> tcp        0      0 127.0.0.1:42513         127.0.0.1:49991         ESTABLISHED 2328/plugin-contain
> tcp        0      0 192.168.2.26:41982      23.61.97.224:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:59619      173.194.46.66:443       ESTABLISHED 2227/firefox
> tcp        0      0 192.168.2.26:40798      74.125.142.95:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:47682      131.253.40.48:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:40833      74.125.142.95:80        TIME_WAIT   -
> tcp        0      0 192.168.2.26:37145      74.125.225.121:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:43287      23.61.81.169:80         TIME_WAIT   -
> tcp        0      0 192.168.2.26:52804      165.254.94.104:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:44101      165.254.94.168:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:45436      207.152.124.89:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:52800      165.254.94.104:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:49379      74.125.225.124:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:52802      165.254.94.104:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:59186      199.7.51.72:80          TIME_WAIT   -
> tcp        0      0 127.0.0.1:49991         127.0.0.1:42513         ESTABLISHED 2331/GoogleTalkPlug
> tcp        0      0 192.168.2.26:52801      165.254.94.104:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:54619      74.125.225.123:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:55570      31.13.71.49:80          TIME_WAIT   -
> tcp        0      0 192.168.2.26:57492      165.254.94.145:80       TIME_WAIT   -
> tcp        0      0 192.168.2.26:52805      165.254.94.104:80       TIME_WAIT   -
> tcp6       0      0 ::1:631                 :::*                    LISTEN      1191/cupsd
>
>
>
>
> On Sun, Sep 22, 2013 at 1:09 PM, D. Hugh Redelmeier <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org> wrote:
>
>     | From: Aruna Hewapathirane <aruna.hewapathirane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
>
>     | To: The Canadian Ubuntu Users Community <ubuntu-ca-nLRlyDuq1AZFpShjVBNYrg at public.gmane.org>,
>     |     Toronto Linux User's Group <tlug-lxSQFCZeNF4 at public.gmane.org>
>
>     Cross-posting to lists like these is probably a bad idea.  So I've
>     only replied to the TLUG list.
>
>     | I recently noticed lots of incoming connections on my fire-starter ( its
>     | the firewall I use ) and my load average kicked up considerably but I am
>     | unable to identify what is specifically causing all this sudden unwanted
>     | incoming traffic as am no network specialist :-)
>
>     You have told us way too little about your network for us to give
>     specific advice.
>
>     - are you running multiple machines?  I will assume so.
>
>     - what is your gateway system?  For example, a cable or DSL
>       modem/router from your ISP.  Does it implement NAT?
>
>     - what are your machines trying to do?  Are they just "clients" or are
>       they intended to be servers to the internet.  (I quote the word
>       "client" because this is a distorted way of viewing the internet
>       forced on us.)
>
>     - what is the unwanted traffic?  (Usually tcpdump or wireshark or
>       logging can tell you.)
>
>     | Does anyone have any information on how to secure Ubuntu with iptables for
>     | newbies to system administration and security in general ?
>
>     Sadly, this is too big and general a question.
>
>     | Do we have a best practices model for preventing intrusions and securing
>     | one's system ?
>
>     That's kind of jargon, but I know what you mean.
>
>     You can do security from first principles (hard work, and error prone),
>     or you can copy something else that has consensus support.
>
>     Every mainstream general distro tries to give you a good basis for a secure
>     system (in my opinion, Ubuntu isn't the best but is OK).  But from
>     there, you customize for different purposes and need to adjust security
>     appropriately.
>
>     Summary: you need to specify what your systems are intended to do and
>     how.  Security has to reflect and be reflected in those designs.
>     Security should not be an afterthought.
>     --
>     The Toronto Linux Users Group.      Meetings: http://gtalug.org/
>     TLUG requests: Linux topics, No HTML, wrap text below 80 columns
>     How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
>
>
>
> -- 
> *Aruna Hewapathirane*
> Consultant/Trainer
> Phone : 647-709-9269
> Website: Open Source Solutions <http://sahanaya.net/aruna/>
>
>
>
>

The netstat looks odd: I get
---
[sudo] password for davecb:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:58022           0.0.0.0:*               LISTEN      953/rpc.statd
tcp        0      0 0.0.0.0:875             0.0.0.0:*               LISTEN      975/rpc.rquotad
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      946/rpcbind
tcp        0      0 0.0.0.0:20048           0.0.0.0:*               LISTEN      984/rpc.mountd
tcp        0      0 0.0.0.0:45748           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1556/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      24905/sendmail: acc
tcp        0      0 10.111.100.153:42429    64.147.188.18:443       ESTABLISHED 24964/firefox
tcp        0      0 10.111.100.153:42421    64.147.188.18:443       ESTABLISHED 24964/firefox
tcp        0      0 10.111.100.153:34575    166.78.79.129:993       CLOSE_WAIT  25063/thunderbird
tcp        0      0 10.111.100.153:37796    74.125.225.112:443      ESTABLISHED 25063/thunderbird
tcp        1      0 10.111.100.153:43363    64.147.188.18:443       CLOSE_WAIT  24964/firefox
tcp        0      0 10.111.100.153:58745    207.245.223.251:993     ESTABLISHED 25063/thunderbird
tcp       38      0 10.111.100.153:43349    64.147.188.18:443       CLOSE_WAIT  24964/firefox
tcp        0      0 10.111.100.153:34579    166.78.79.129:993       ESTABLISHED 25063/thunderbird
tcp        0      0 10.111.100.153:42431    64.147.188.18:443       ESTABLISHED 24964/firefox
tcp        0      0 10.111.100.153:58823    207.245.223.251:993     ESTABLISHED 25063/thunderbird
tcp       38      0 10.111.100.153:42417    64.147.188.18:443       CLOSE_WAIT  24964/firefox
tcp        1      0 10.111.100.153:42430    64.147.188.18:443       CLOSE_WAIT  24964/firefox
tcp        0      0 10.111.100.153:39607    173.194.68.16:993       ESTABLISHED 25063/thunderbird
tcp        0      0 10.111.100.153:42428    64.147.188.18:443       ESTABLISHED 24964/firefox
tcp        0      0 10.111.100.153:42423    64.147.188.18:443       ESTABLISHED 24964/firefox
tcp        0      0 10.111.100.153:42422    64.147.188.18:443       ESTABLISHED 24964/firefox
tcp        0      0 10.111.100.153:42425    64.147.188.18:443       ESTABLISHED 24964/firefox
tcp6       0      0 :::2049                 :::*                    LISTEN      -
tcp6       0      0 :::111                  :::*                    LISTEN      946/rpcbind
tcp6       0      0 :::20048                :::*                    LISTEN      984/rpc.mountd
tcp6       0      0 :::58578                :::*                    LISTEN      -
tcp6       0      0 :::38933                :::*                    LISTEN      953/rpc.statd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1556/cupsd


the listens are daemons, the close-waits and established are what I get,
but all the time-waits look weird

tcp        0      0 192.168.2.26:54472      74.125.225.116:80       TIME_WAIT   -
tcp        0      0 192.168.2.26:52803      165.254.94.104:80       TIME_WAIT   -
tcp        0      0 192.168.2.26:44169      165.254.94.168:80       TIME_WAIT   -

They're all from you to someone's port 80, so they may just be http
sessions originating with you that are waiting to be sure data has
arrived, but there are a lot of them.  Were you hopping around to all
those addresses just before you took the snapshot?

--dave

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb-0XdUWXLQalXR7s880joybQ at public.gmane.org           |                      -- Mark Twain
(416) 223-8968

--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
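An added example, not code from the thread or from either poster: a small
Python script that does mechanically what Dave does by eye above. It parses
the rows of `netstat -tanp`, separates listeners bound to the wildcard
address (reachable from the network) from loopback-only ones, and tells
outbound sessions (our ephemeral port to someone's service port, which is
what all those TIME_WAIT rows to port 80 are) from inbound connections,
then counts the outbound rows per state and per remote endpoint. The sample
rows are constructed from the listings quoted in the thread; the sshd row
and the 203.0.113.9 address are invented to show an inbound case, and the
32768 threshold is an assumption about the kernel's default
net.ipv4.ip_local_port_range.

```python
"""Triage of ``netstat -tanp`` output along the lines of the thread above.

Each TCP row is classified as an exposed listener (bound to the wildcard
address), a loopback-only listener, an outbound client connection (our
ephemeral port talking to a remote service port) or an inbound one, and
outbound rows are counted per state and per remote endpoint.
"""
import re
import sys
from collections import Counter, namedtuple

# Constructed sample rows modelled on the listings quoted in the thread;
# the sshd row and 203.0.113.9 (a documentation address) are invented
# to show an inbound connection.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1191/cupsd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      946/rpcbind
tcp        0      0 192.168.2.26:54472      74.125.225.116:80       TIME_WAIT   -
tcp        0      0 192.168.2.26:52803      165.254.94.104:80       TIME_WAIT   -
tcp        0      0 192.168.2.26:52804      165.254.94.104:80       TIME_WAIT   -
tcp        1      0 192.168.2.26:58247      165.254.94.114:80       CLOSE_WAIT  1905/clock-applet
tcp        0      0 192.168.2.26:60427      74.125.225.127:443      ESTABLISHED 2227/firefox
tcp        0      0 192.168.2.26:22         203.0.113.9:51234       ESTABLISHED 812/sshd: alice
tcp6       0      0 :::2049                 :::*                    LISTEN      -
"""

# Only TCP rows carry a State column, so the parser is limited to tcp/tcp6.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s*(?P<prog>.*)$"
)
WILDCARD = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}
# Assumption: ephemeral ports start at 32768, the kernel's default
# net.ipv4.ip_local_port_range; adjust if the host has changed it.
EPHEMERAL_START = 32768

Socket = namedtuple("Socket", "proto recvq local_host local_port "
                              "remote_host remote_port state program")


def split_addr(addr):
    """Split 'host:port' on the last colon so IPv6 forms like ':::2049' work."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # banner and column-header lines
            continue
        lh, lp = split_addr(m["local"])
        rh, rp = split_addr(m["remote"])
        sockets.append(Socket(m["proto"], int(m["recvq"]), lh, lp, rh, rp,
                              m["state"], m["prog"].strip() or "-"))
    return sockets


def is_ephemeral(port):
    return port.isdigit() and int(port) >= EPHEMERAL_START


def classify(s):
    if s.state == "LISTEN":
        if s.local_host in WILDCARD:
            return "listener-exposed"
        return "listener-loopback" if s.local_host in LOOPBACK else "listener-bound"
    # Direction comes from which end holds the ephemeral port: our high port
    # to their low port means we opened the connection.  TIME_WAIT rows carry
    # no PID because the kernel, not a process, owns the socket by then.
    local_eph, remote_eph = is_ephemeral(s.local_port), is_ephemeral(s.remote_port)
    if local_eph and not remote_eph:
        return "outbound"
    if remote_eph and not local_eph:
        return "inbound"
    return "ambiguous"


def triage(text):
    report = {"exposed_listeners": [], "loopback_listeners": [], "inbound": [],
              "outbound_by_state": Counter(), "outbound_by_remote": Counter(),
              "close_wait": []}
    for s in parse_netstat(text):
        kind = classify(s)
        if kind == "listener-exposed":
            report["exposed_listeners"].append((s.proto, s.local_port, s.program))
        elif kind == "listener-loopback":
            report["loopback_listeners"].append((s.proto, s.local_port, s.program))
        elif kind == "inbound":
            report["inbound"].append((s.remote_host, s.local_port, s.program))
        elif kind == "outbound":
            report["outbound_by_state"][s.state] += 1
            report["outbound_by_remote"][s.remote_host + ":" + s.remote_port] += 1
        if s.state == "CLOSE_WAIT":
            # Peer has closed; the local program has not closed its end yet.
            report["close_wait"].append((s.program, s.remote_host))
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()))
```

Run it on a live box with `sudo netstat -tanp | python3 triage.py` (sudo is
what fills in the PID/Program column, as Dave's "[sudo] password" prompt
shows). On the listing quoted in the thread it reports a single loopback
listener (cupsd), no inbound connections at all, and dozens of outbound
TIME_WAIT rows to port 80, which is the shape of a browser that has just
visited a few pages, not of incoming traffic; on Dave's listing it would
instead flag rpcbind, rpc.mountd, rpc.statd and NFS (2049) as listening on
the wildcard address, which is the kind of thing an iptables policy exists
to cover.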




