IP-Tables and Security in General (fwd)
D. Hugh Redelmeier
hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Mon Sep 23 15:16:17 UTC 2013
Mail from DCB.
---------- Forwarded message ----------
From: David Collier-Brown <davec-b-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org>
To: tlug-lxSQFCZeNF4 at public.gmane.org, Aruna Hewapathirane <aruna.hewapathirane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Cc: D. Hugh Redelmeier <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org>
Date: Mon, 23 Sep 2013 10:20:16 -0400
Subject: Re: [TLUG]: IP-Tables and Security in General
Reply-To: davecb-0XdUWXLQalXR7s880joybQ at public.gmane.org
On 09/23/2013 09:37 AM, Aruna Hewapathirane wrote:
> Thank you everyone for the suggestions, and my apologies for
> cross-posting; I simply wanted to access as large a knowledge base as I
> possibly could out there.
>
> I am not running a network (yet); all I have is a single ancient PC
> (Intel(R) Pentium(R) 4 CPU 3.06GHz with 2GB RAM) running Ubuntu 10.04
> LTS, mostly used to develop.
>
> My ISP is Bell so I have their router and when I had a look it says:
>
> * Connection type: Ethernet
> * IP address: 192.168.2.26
> * IP address allocation: DHCP
> * IP address type: Private (NAT)
>
> So I am guessing it implements Network Address Translation. I tried
> netstat -tanp and netstat -aute and top to try and isolate it, but this
> is easier said than done, so I used the Lightweight Portable Security
> Live CD for the time being and it stopped the unwanted traffic, but now
> I can't mount my drive.
>
> fdisk -l shows zilch? Is there a workaround for this?
>
> netstat -tanp gives me this, and what are all those connections and
> are they all legit or?? Thank you everyone for all the ideas and help.
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1191/cupsd
> tcp 0 0 127.0.0.1:46270 0.0.0.0:* LISTEN 2331/GoogleTalkPlug
> tcp 0 0 127.0.0.1:49991 0.0.0.0:* LISTEN 2331/GoogleTalkPlug
> tcp 0 0 192.168.2.26:54472 74.125.225.116:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:52803 165.254.94.104:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44169 165.254.94.168:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:41957 23.61.97.224:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:37141 74.125.225.121:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:41993 23.61.97.224:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:36685 23.61.95.139:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44099 165.254.94.168:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:57406 207.152.124.122:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:41984 23.61.97.224:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44098 165.254.94.168:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:41983 23.61.97.224:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:43909 74.125.225.41:80 TIME_WAIT -
> tcp 1 0 192.168.2.26:58247 165.254.94.114:80 CLOSE_WAIT 1905/clock-applet
> tcp 0 0 192.168.2.26:39746 199.38.165.155:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:46506 74.125.225.127:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:53263 173.194.46.57:80 ESTABLISHED 2227/firefox
> tcp 0 0 192.168.2.26:40756 173.194.46.45:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:54106 74.125.225.91:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44102 165.254.94.168:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:59210 199.7.51.72:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:55576 31.13.71.49:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44838 165.254.94.154:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:57073 74.125.225.89:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:60427 74.125.225.127:443 ESTABLISHED 2227/firefox
> tcp 0 0 192.168.2.26:41370 165.254.94.113:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:52091 165.254.94.131:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:50579 216.239.120.40:80 ESTABLISHED 2227/firefox
> tcp 0 0 192.168.2.26:53334 173.194.46.57:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:55095 165.254.94.130:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:33246 207.152.125.97:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:35851 74.125.225.154:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:60024 23.61.112.74:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:47021 173.194.46.85:443 ESTABLISHED 2227/firefox
> tcp 0 0 192.168.2.26:37800 165.254.94.129:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44103 165.254.94.168:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44839 165.254.94.154:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:40799 74.125.142.95:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:35582 198.252.206.25:80 ESTABLISHED 2227/firefox
> tcp 0 0 192.168.2.26:44100 165.254.94.168:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:46961 165.254.94.139:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:35943 31.13.71.49:443 ESTABLISHED 2227/firefox
> tcp 1 0 192.168.2.26:58246 165.254.94.114:80 CLOSE_WAIT 1905/clock-applet
> tcp 0 0 127.0.0.1:42513 127.0.0.1:49991 ESTABLISHED 2328/plugin-contain
> tcp 0 0 192.168.2.26:41982 23.61.97.224:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:59619 173.194.46.66:443 ESTABLISHED 2227/firefox
> tcp 0 0 192.168.2.26:40798 74.125.142.95:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:47682 131.253.40.48:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:40833 74.125.142.95:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:37145 74.125.225.121:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:43287 23.61.81.169:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:52804 165.254.94.104:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:44101 165.254.94.168:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:45436 207.152.124.89:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:52800 165.254.94.104:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:49379 74.125.225.124:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:52802 165.254.94.104:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:59186 199.7.51.72:80 TIME_WAIT -
> tcp 0 0 127.0.0.1:49991 127.0.0.1:42513 ESTABLISHED 2331/GoogleTalkPlug
> tcp 0 0 192.168.2.26:52801 165.254.94.104:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:54619 74.125.225.123:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:55570 31.13.71.49:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:57492 165.254.94.145:80 TIME_WAIT -
> tcp 0 0 192.168.2.26:52805 165.254.94.104:80 TIME_WAIT -
> tcp6 0 0 ::1:631 :::* LISTEN 1191/cupsd
>
> On Sun, Sep 22, 2013 at 1:09 PM, D. Hugh Redelmeier
> <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org> wrote:
>
> | From: Aruna Hewapathirane
> | <aruna.hewapathirane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
>
> | To: The Canadian Ubuntu Users Community
> | <ubuntu-ca-nLRlyDuq1AZFpShjVBNYrg at public.gmane.org>,
> | Toronto Linux User's Group <tlug-lxSQFCZeNF4 at public.gmane.org>
>
> Cross-posting to lists like these is probably a bad idea. So I've
> only replied to the TLUG list.
>
> | I recently noticed lots of incoming connections on my fire-starter
> | (it's the firewall I use) and my load average kicked up considerably,
> | but I am unable to identify what is specifically causing all this
> | sudden unwanted incoming traffic as I am no network specialist :-)
>
> You have told us way too little about your network for us to give
> specific advice.
>
> - are you running multiple machines? I will assume so.
>
> - what is your gateway system? For example, a cable or DSL
> modem/router from your ISP. Does it implement NAT?
>
> - what are your machines trying to do? Are they just "clients" or are
> they intended to be servers to the internet? (I quote the word
> "client" because this is a distorted way of viewing the internet
> forced on us.)
>
> - what is the unwanted traffic? (Usually tcpdump or wireshark or
> logging can tell you.)
>
> | Does anyone have any information on how to secure Ubuntu with
> | iptables for newbies to system administration and security in general?
>
> Sadly, this is too big and general a question.
>
> | Do we have a best practices model for preventing intrusions and
> | securing one's system?
>
> That's kind of jargon, but I know what you mean.
>
> You can do security from first principles (hard work, and error prone),
> or you can copy something else that has consensus support.
>
> Every mainstream general distro tries to give you a good basis for a
> secure system (in my opinion, Ubuntu isn't the best but is OK). But
> from there, you customize for different purposes and need to adjust
> security appropriately.
>
> Summary: you need to specify what your systems are intended to do and
> how. Security has to reflect and be reflected in those designs.
> Security should not be an afterthought.
> --
> The Toronto Linux Users Group. Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
>
>
>
> --
> Aruna Hewapathirane
> Consultant/Trainer
> Phone : 647-709-9269
> Website: Open Source Solutions <http://sahanaya.net/aruna/>
>
The netstat looks odd: I get
---
[sudo] password for davecb:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:58022 0.0.0.0:* LISTEN 953/rpc.statd
tcp 0 0 0.0.0.0:875 0.0.0.0:* LISTEN 975/rpc.rquotad
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 946/rpcbind
tcp 0 0 0.0.0.0:20048 0.0.0.0:* LISTEN 984/rpc.mountd
tcp 0 0 0.0.0.0:45748 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1556/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 24905/sendmail: acc
tcp 0 0 10.111.100.153:42429 64.147.188.18:443 ESTABLISHED 24964/firefox
tcp 0 0 10.111.100.153:42421 64.147.188.18:443 ESTABLISHED 24964/firefox
tcp 0 0 10.111.100.153:34575 166.78.79.129:993 CLOSE_WAIT 25063/thunderbird
tcp 0 0 10.111.100.153:37796 74.125.225.112:443 ESTABLISHED 25063/thunderbird
tcp 1 0 10.111.100.153:43363 64.147.188.18:443 CLOSE_WAIT 24964/firefox
tcp 0 0 10.111.100.153:58745 207.245.223.251:993 ESTABLISHED 25063/thunderbird
tcp 38 0 10.111.100.153:43349 64.147.188.18:443 CLOSE_WAIT 24964/firefox
tcp 0 0 10.111.100.153:34579 166.78.79.129:993 ESTABLISHED 25063/thunderbird
tcp 0 0 10.111.100.153:42431 64.147.188.18:443 ESTABLISHED 24964/firefox
tcp 0 0 10.111.100.153:58823 207.245.223.251:993 ESTABLISHED 25063/thunderbird
tcp 38 0 10.111.100.153:42417 64.147.188.18:443 CLOSE_WAIT 24964/firefox
tcp 1 0 10.111.100.153:42430 64.147.188.18:443 CLOSE_WAIT 24964/firefox
tcp 0 0 10.111.100.153:39607 173.194.68.16:993 ESTABLISHED 25063/thunderbird
tcp 0 0 10.111.100.153:42428 64.147.188.18:443 ESTABLISHED 24964/firefox
tcp 0 0 10.111.100.153:42423 64.147.188.18:443 ESTABLISHED 24964/firefox
tcp 0 0 10.111.100.153:42422 64.147.188.18:443 ESTABLISHED 24964/firefox
tcp 0 0 10.111.100.153:42425 64.147.188.18:443 ESTABLISHED 24964/firefox
tcp6 0 0 :::2049 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN 946/rpcbind
tcp6 0 0 :::20048 :::* LISTEN 984/rpc.mountd
tcp6 0 0 :::58578 :::* LISTEN -
tcp6 0 0 :::38933 :::* LISTEN 953/rpc.statd
tcp6 0 0 ::1:631 :::* LISTEN 1556/cupsd
The listens are daemons, the close-waits and established are what I get,
but all the time-waits look weird:
tcp 0 0 192.168.2.26:54472 74.125.225.116:80 TIME_WAIT -
tcp 0 0 192.168.2.26:52803 165.254.94.104:80 TIME_WAIT -
tcp 0 0 192.168.2.26:44169 165.254.94.168:80 TIME_WAIT -
They're all from you to someone's port 80, so they may just be http
sessions originating with you that are waiting to be sure data has
arrived, but there are a lot of them. Were you hopping around to all
those addresses just before you took the snapshot?
--dave
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb-0XdUWXLQalXR7s880joybQ at public.gmane.org | -- Mark Twain
(416) 223-8968
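As an added triage helper (not code from anyone in this thread), here is a small Python parser for `netstat -tanp` output that sorts rows into the buckets Dave walks through: listeners split by whether they are bound only to loopback or to every interface, established sessions, CLOSE_WAIT sockets, and a count of TIME_WAIT sessions per remote peer. The sample rows are constructed in the same column layout; the addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample in the column layout of `netstat -tanp` on Linux;
# the addresses are made up for the example, not the poster's real output.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1191/cupsd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.2.26:52803      165.254.94.104:80       TIME_WAIT   -
tcp        0      0 192.168.2.26:44169      165.254.94.104:80       TIME_WAIT   -
tcp        0      0 192.168.2.26:53263      173.194.46.57:80        ESTABLISHED 2227/firefox
tcp        1      0 192.168.2.26:58247      165.254.94.114:80       CLOSE_WAIT  1905/clock-applet
tcp6       0      0 :::111                  :::*                    LISTEN      946/rpcbind
"""

# proto recv-q send-q local foreign state program (the header lines do not match)
ROW = re.compile(r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S.*)$")
LOOPBACK = {"127.0.0.1", "::1"}

def parse_netstat(text):
    """One dict per connection row; the two header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, recvq, sendq, local, foreign, state, prog = m.groups()
            rows.append({"proto": proto, "recvq": int(recvq), "local": local,
                         "foreign": foreign, "state": state, "prog": prog.strip()})
    return rows

def triage(rows):
    """Bucket rows the way the reply does: listeners (reachable only via loopback
    vs. bound to every interface, which is what the LAN or a forwarded port sees),
    live sessions, half-closed CLOSE_WAIT sockets, finished TIME_WAIT sessions per peer."""
    out = {"listen_loopback": [], "listen_all": [], "established": [],
           "close_wait": [], "time_wait_by_peer": Counter()}
    for r in rows:
        host = r["local"].rpartition(":")[0]   # ':::111' -> '::', '::1:631' -> '::1'
        port = r["local"].rpartition(":")[2]
        if r["state"] == "LISTEN":
            bucket = "listen_loopback" if host in LOOPBACK else "listen_all"
            out[bucket].append((port, r["prog"]))
        elif r["state"] == "TIME_WAIT":
            out["time_wait_by_peer"][r["foreign"]] += 1
        elif r["state"] in ("ESTABLISHED", "CLOSE_WAIT"):
            out[r["state"].lower()].append((r["foreign"], r["prog"]))
    return out
```

Feed it the real output with `triage(parse_netstat(open("netstat.txt").read()))`; the `listen_all` bucket is the one worth reviewing first, since those are the ports other hosts can reach.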