Re: Strange log messages
- From: ABrady <kcsmart kc rr com>
- To: redhat-list redhat com
- Subject: Re: Strange log messages
- Date: Wed, 24 Oct 2001 13:32:08 -0500
On Wed, 24 Oct 2001 13:24:39 -0500 Wayne Stout <waynestout hantover com>
imparted to us:
> Greetings, everyone.
>
> I've noticed my logs filling up with some standard firewall packet deny
> messages, and I'm wondering something.
>
> The machine that this is happening on is a dial-in server that acts as a
> gateway to a unix server for data transfer. It's located on our company
> network behind the firewall, but I appear to be getting requests from
> outside of our network. Am I correct, then, at suspecting that our firewall
> is less than secure? (BTW, the firewall is an NT4 machine running some 3rd
> party firewalling software. I know, but I'm not in the position to
> change it.)
Normally if you see denials, they aren't getting through. If you see
nothing, they got in.
All bets are off with NT.
> Our network is the 128.2.1 block, but as you can see by the log entries,
> I'm getting external traffic on a machine that should only be seeing
> traffic from on the network.
If you have INTERNET-->NT-->EVERYTHING_ELSE
and anything on the ANYTHING_ELSE part is getting traffic, NT is letting
it in. That is NOT inconsistent with what I stated above because you
aren't getting your denials from the NT machine, you're getting them from
an internal, (supposedly) protected machine.
There are reasons why some are calling for administrators and businesses
to dump the IIS stuff, as well as insurance companies charging more for
servers with NT and IIS on them.
> Is this a security issue or do I still have something torked on the
> linux box?
>
> Oct 24 09:37:18 wayne2000 kernel: Packet log: input DENY eth0 PROTO=6 216.148.218.160:443 128.2.1.129:1034 L=44 S=0x00 I=22689 F=0x4000 T=128 (#32)
> Oct 24 09:37:30 wayne2000 kernel: Packet log: input DENY eth0 PROTO=6 216.148.218.160:443 128.2.1.129:1034 L=40 S=0x00 I=27042 F=0x4000 T=128 (#32)
> Oct 24 09:37:31 wayne2000 kernel: Packet log: input DENY eth0 PROTO=6 216.148.218.160:443 128.2.1.129:1034 L=44 S=0x00 I=23972 F=0x4000 T=128 (#32)
--
Nice little planet you've got there. Shame if anything were to happen to
it.
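
The check the thread does by eye, as an added example that is not part of either poster's message: parse the ipchains packet-log lines and count denied flows whose source lies outside the internal block. Reading "the 128.2.1 block" as 128.2.1.0/24, the function names, and the fourth sample line are assumptions constructed here.

```python
import ipaddress
import re
from collections import Counter

# Field layout of a Linux 2.2 ipchains "Packet log:" kernel message.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)

# Assumption: the "128.2.1 block" from the message is a /24.
INTERNAL_NET = ipaddress.ip_network("128.2.1.0/24")

# First three lines are the log entries quoted in the message (line wraps
# rejoined); the fourth is constructed here as an internal-source contrast.
SAMPLE_LOG = """\
Oct 24 09:37:18 wayne2000 kernel: Packet log: input DENY eth0 PROTO=6 216.148.218.160:443 128.2.1.129:1034 L=44 S=0x00 I=22689 F=0x4000 T=128 (#32)
Oct 24 09:37:30 wayne2000 kernel: Packet log: input DENY eth0 PROTO=6 216.148.218.160:443 128.2.1.129:1034 L=40 S=0x00 I=27042 F=0x4000 T=128 (#32)
Oct 24 09:37:31 wayne2000 kernel: Packet log: input DENY eth0 PROTO=6 216.148.218.160:443 128.2.1.129:1034 L=44 S=0x00 I=23972 F=0x4000 T=128 (#32)
Oct 24 09:38:02 wayne2000 kernel: Packet log: input DENY eth0 PROTO=6 128.2.1.50:1045 128.2.1.129:23 L=44 S=0x00 I=4121 F=0x4000 T=64 SYN (#32)
""".splitlines()

def parse_line(line):
    """Return the packet-log fields as a dict, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["syn"] = rec["syn"] is not None  # True only when the SYN marker is logged
    return rec

def external_denies(lines, internal=INTERNAL_NET):
    """Count DENY entries per flow whose source is outside the internal network."""
    flows = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "DENY" and rec["src"] not in internal:
            flows[(str(rec["src"]), rec["sport"], str(rec["dst"]), rec["dport"])] += 1
    return flows

if __name__ == "__main__":
    for (src, sport, dst, dport), n in external_denies(SAMPLE_LOG).items():
        print(f"{n} denied: {src}:{sport} -> {dst}:{dport}")
```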