LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Firewall Log Question


John P. Looney john at antefacto.com
Thu Nov 22 18:00:42 GMT 2001


On Thu, Nov 22, 2001 at 01:43:13PM -0400, eduardo mentioned:
> We are in a mixed network, which includes a Cisco router, a 3COM switch
> common to the two networks and a hub where the gateway/firewall Linux computer
> is connected.
> 
> One of the networks is my company network (192.168.X.X / 255.255.0.0. I am in
> charge of it) and the other network belongs to another company (10.10.X.X /
> 255.255.0.0). This company has a VPN. Now, they are accusing me of being a hacker,
> alleging we have tried to go into their VPN. As proof of that, they are
> showing the following type of message:
> 
> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109
> SYN (#70)
> 
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17
> 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> 
> Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109
> SYN (#70)

 Most of the traffic is on port 138, so it looks like some sort of Windows
traffic. Windows boxes are quite talkative, and I know in the NT 3.51 days
(last time I used Windows for work), each NT box used to ask each
non-Windows box "are you a Windows box?" every few minutes. It could be
something like that. I'm not sure what the opening packet (on port 4512)
was though. 
 
 Either way, get onto your company solicitor, and send him a nasty letter,
accusing him of slander or some such for his trouble. I know in work, we
get about fifty script kiddie attacks a week, and with something like
snort, you know what exploit they are trying, a lot of the time. This
person is just showing off that he has a firewall, and knows how to use
it; there is no hacking, it's just a misconfigured Windows box. That admin
must be really bored.

Kate

-- 
_______________________________________
John Looney             Chief Scientist
a n t e f a c t o     t: +353 1 8586004
www.antefacto.com     f: +353 1 8586014
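
The following is an added example, not part of the original message: a small Python parser for the ipchains "Packet log" entries quoted above, which labels each entry by its addresses and ports rather than by the firewall action. `LOCAL_NET` is an assumption taken from the "192.168.X.X / 255.255.0.0" network in the question, and the function names and labels are hypothetical.

```python
import ipaddress
import re

# Field layout follows the ipchains "Packet log" entries quoted in the message.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)(?P<syn>\s+SYN)?\s+\(#(?P<rule>\d+)\)"
)
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name service and datagram service
# Assumption: the poster's LAN, from "192.168.X.X / 255.255.0.0" in the message.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")

# The three quoted entries, with the mail client's line wrapping undone.
SAMPLE = [
    "Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 "
    "213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)",
    "Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)",
    "Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 "
    "213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)",
]

def parse(line):
    """Return the fields of one entry as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    e = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl", "rule"):
        e[key] = int(e[key])
    e["src"], e["dst"] = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
    e["syn"] = e["syn"] is not None
    return e

def classify(e, local_net=LOCAL_NET):
    """Label an entry by what its addresses and ports say, not by the firewall action."""
    if (e["proto"] == 17 and e["dport"] in NETBIOS_UDP_PORTS
            and e["src"] in local_net and e["dst"] == local_net.broadcast_address):
        return "lan-netbios-broadcast"  # UDP datagram sent to the whole local subnet
    if e["src"] not in local_net and e["dst"] not in local_net:
        return "no-local-endpoint"      # neither address belongs to the local LAN
    if e["proto"] == 6 and e["syn"]:
        return "tcp-connect-attempt"
    return "other"

def summarise(lines):
    """One (rule, source, destination port, label) tuple per parsable line."""
    return [(e["rule"], str(e["src"]), e["dport"], classify(e)) for e in map(parse, lines) if e]

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(row)
```

On these three entries, rule #71 is a UDP port 138 datagram to the 192.168.0.0/16 broadcast address, and both rule #70 entries have a source and destination outside that network.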




