Explain this firewall log entry

Discussion in 'Other Operating Systems' started by BluBoy, Aug 21, 2013.

  1. BluBoy

    BluBoy Member

    Joined:
    Jan 20, 2006
    Messages:
    1,899
    Location:
    Brisbane
    It's not a big thing, but I noticed a few hits on my firewall (iptables) that don't make a lot of sense. Looking deeper I have actually seen the same sort of hit on a couple of not-even-close boxes I have online.

    The relevant section of my iptables script:
    All fairly boring, with the added security of specific stateful-packet-inspection (originally put in for some logging metrics).

    And this is what is showing up in the logs
    ... a lot of those (hundreds per day), from various IP addresses.

    To my understanding, there are two explanations for this.
    1) I am browsing a website and the response isn't making it back through.
    Possible, but I am not browsing at all, and any legitimate checks (updates etc) were disabled for testing. Also, the firewall should allow the established connection through. Finally, standard browsing/wget/yum/apt etc are all working fine.

    or 2) People are attempting to port scan, by appearing as legitimate http responses.
    Now I understand port scanning (and see a fair bit of it on the standard set of ports), but why would you go after these VERY random high ports? Seriously, who is running something on 1824, 32803, 43733, 1234, 17258, 12524 or any of the hundreds of other random ports.

    Am I missing something?
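    The two explanations above can usually be told apart from the TCP flags, which a standard iptables LOG line prints after RES=. The following is an added example, not something from this thread (the poster's actual log lines were not preserved, so the sample lines are constructed): it parses such lines and groups the source-port-80 hits by flag pattern, so a bare SYN from port 80 (an inbound connection attempt, explanation 2) is separated from a SYN/ACK that conntrack does not recognise (a reply to a SYN this host never sent, so not the poster's own browsing).

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the standard iptables LOG format (the thread's own
# log was not preserved). All are source-port-80 hits that conntrack saw as NEW.
SAMPLE_LOG = """\
Aug 21 03:14:07 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=43733 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Aug 21 03:20:41 host kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=54321 PROTO=TCP SPT=80 DPT=1234 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 21 03:20:41 host kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=54321 PROTO=TCP SPT=80 DPT=32803 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 21 03:31:02 host kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=17258 WINDOW=0 RES=0x00 ACK RST URGP=0
"""
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# The kernel prints the set TCP flags as bare words, in this fixed order, after RES=.
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def parse_line(line):
    """Split one iptables LOG line into its KEY=VALUE fields plus a FLAGS tuple."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = tuple(t for t in line.split() if t in FLAG_NAMES)
    return fields

def classify(fields):
    """Flag pattern of a NEW-state packet that arrived from source port 80:
    syn_only - bare SYN from port 80, an inbound connection attempt or scan;
    syn_ack  - SYN/ACK conntrack does not know, a reply to a SYN this host never sent;
    rst      - a late or stray reset; other - anything else, inspect the packet."""
    flags = set(fields["FLAGS"])
    if flags == {"SYN"}:
        return "syn_only"
    if flags == {"ACK", "SYN"}:
        return "syn_ack"
    return "rst" if "RST" in flags else "other"

def summarize(log_text):
    """Group TCP hits with SPT=80 by flag pattern, destination port and source IP."""
    summary = defaultdict(lambda: {"count": 0, "dports": Counter(), "sources": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("SPT") != "80":
            continue
        bucket = summary[classify(f)]
        bucket["count"] += 1
        bucket["dports"][int(f["DPT"])] += 1
        bucket["sources"].add(f["SRC"])
    return dict(summary)

if __name__ == "__main__":
    for kind, info in summarize(SAMPLE_LOG).items():
        print(f"{kind}: {info['count']} hit(s) from {len(info['sources'])} source(s), "
              f"dports {sorted(info['dports'])}")
```

    Many distinct destination ports from one source with a bare SYN is the scan pattern; repeated SYN/ACKs from one web server to one port usually mean someone else sent that server a SYN with this host's address as the source.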
     
  2. f3n1x

    f3n1x Member

    Joined:
    Mar 20, 2003
    Messages:
    1,704
    Location:
    Armadale, Melbourne
    Add to iptables:

    Code:
    /sbin/iptables -A INPUT -d ${IP} -p tcp --sport 80 -m state --state NEW -j NFLOG --nflog-group 10
    
    Then run:

    Code:
    tcpdump -i nflog:10 -s 65535 -w <file>
    Then open the file in wireshark and your mystery http traffic should show up and be ready for analysis.

    The NFLOG target is part of netfilter's ULOGD component. More info on that here.
     
    Last edited: Aug 21, 2013
  3. SchRAMBO

    SchRAMBO Member

    Joined:
    Mar 27, 2002
    Messages:
    2,066
    Location:
    Perth
    It's often a good idea to specify and change your port numbers for services to try and conceal what that port may possibly be used for, other than the bleeding obvious indicator. For example the typical 443, 22, 53, 80, 110. Just another small thing you can do to slightly fend off most script kiddies and bots. But I think nmap and whatever other network scanners are out there can determine what service a port may be using by monitoring and analysing the packet header bit sizes and other distinguishing features anyway. Something I'll have to investigate and play with myself. :)
     
    Last edited: Aug 23, 2013
  4. f3n1x

    f3n1x Member

    Joined:
    Mar 20, 2003
    Messages:
    1,704
    Location:
    Armadale, Melbourne
    Obscuring port numbers may help a tiny bit (i.e. fool the really basic botnets) but by no means should it be your primary or even secondary security measure.

    For that you need Strong passwords, strong implementations and in the case of organisations (as opposed to just one guy), strong policies (the weakest link is often the human operator).
     