Date: Sun, 10 May 1998 13:28:32 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: linux-security@redhat.com
Subject: [linux-security] Re: Re: Lightning fast attacks?

On Sat, 9 May 1998, Wietse Venema wrote:

> Eric Wampner:
> > May  8 00:35:15 osg-gw imapd[4307]: warning: can't get client address:
> > Connection reset by peer
> > May  8 00:35:15 osg-gw imapd[4307]: refused connect from unknown
> > 
> > My question, is the attacker learning anything? Are they able to "time" their
> > connection requests so they know if you are trying to track them?
> 
> This was most likely part of a network sweep to find machines
> running an IMAP service.
> 
> The attacker found out that your machine is running something on
> the port normally used by the IMAP server, and disconnected even
> before your server had a chance to respond.
> 
> [mod: I approved Eric's message because I wanted you all to have a
> look at these "logs" and tell me and Eric (and learn for yourselves)
> what probably happened.  Wietse is confirming my reading of the log:
> tcpd is trying to find out who it is talking to, but the remote end
> already has abandoned the connection. The "legit" explanation is that

I know you said "discussion closed", but I think I have something useful
to contribute.  Many months ago, someone was DoS attacking one of our
servers by doing the rapid connect/disconnect thing with port 23.  Inetd
would think something was wrong and shut down telnetd (ok for security...I
always use ssh...but annoying to the users who like telnet).
Since the attacker was closing his connections before tcpd could tell
where they came from, the logs were useless.

To catch where the connections are coming from, try using something like:

ipfwadm -A in -a -o -y -P tcp -D any/0 13 23 37 143 513 514

This will clutter your logs a bit...depending on how many connections per
day you see for each logged service...but it will tell you who's probing
your system.

[Mod: Let me also make a statement that completely stealth attacks are
impossible. Any attack *will* generate packets on a wire. In order for those
packets to be delivered to the target, they must follow IP conventions.
Granted, the source address can be spoofed (which should be impossible if
ISPs/NSPs start filtering at the customer routers) but apart from that a
real, trackable packet will be sent to the target. -- alex]

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  http://noagent.com/?jl1 for cheap 
 Network Administrator       |  life insurance over the net.
 Florida Digital Turnpike    |  
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____

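The approach Jon describes, logging the SYN of every inbound connection in the kernel and using it to put a source address next to tcpd's "refused connect from unknown" entries, can be scripted as a log correlation. The following is an added example, not code from the original post or from the tcp_wrappers or ipfwadm projects. The log lines are constructed; the kernel line format is an assumption modelled on the "IP fw-in" messages that ipfwadm -o logging emits, and the service-to-port map covers only a few inetd services. It joins each "unknown" refusal to the kernel SYN records for that service's port within a small time window, and separately flags any source that hit several logged ports, which is the sweep pattern Wietse describes.

```python
"""Correlate tcpd 'refused connect from unknown' lines with kernel SYN
logging to recover the source of connections torn down before tcpd could
identify the peer.  Added example; all log lines here are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# tcpd/syslog line, e.g.
# "May  8 00:35:15 osg-gw imapd[4307]: refused connect from unknown"
TCPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.]+)\[\d+\]: "
    r"refused connect from unknown$"
)
# Kernel line in the shape ipfwadm -o logging produces (assumed format):
# "... kernel: IP fw-in acc TCP 198.51.100.7:1026 192.0.2.10:143 L=44 ... SYN"
KERN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: IP fw-in \w+ TCP "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) .* SYN$"
)
# tcpd logs the daemon's argv[0]; map that name to the port inetd bound it to.
# Assumed mapping for a handful of common inetd services.
SERVICE_PORTS = {"in.telnetd": 23, "ipop3d": 110, "imapd": 143,
                 "in.rlogind": 513, "in.rshd": 514}

# Constructed sample log: one host sweeps telnet, imap and rlogin, closing
# each connection before tcpd can resolve it; later a legitimate IMAP login.
LOG = """\
May  8 00:35:14 osg-gw kernel: IP fw-in acc TCP 198.51.100.7:1025 192.0.2.10:23 L=44 S=0x00 I=10 F=0x4000 T=64 SYN
May  8 00:35:14 osg-gw in.telnetd[4301]: refused connect from unknown
May  8 00:35:15 osg-gw kernel: IP fw-in acc TCP 198.51.100.7:1026 192.0.2.10:143 L=44 S=0x00 I=11 F=0x4000 T=64 SYN
May  8 00:35:15 osg-gw imapd[4307]: warning: can't get client address: Connection reset by peer
May  8 00:35:15 osg-gw imapd[4307]: refused connect from unknown
May  8 00:35:16 osg-gw kernel: IP fw-in acc TCP 198.51.100.7:1027 192.0.2.10:513 L=44 S=0x00 I=12 F=0x4000 T=64 SYN
May  8 00:35:16 osg-gw in.rlogind[4309]: refused connect from unknown
May  8 00:41:02 osg-gw kernel: IP fw-in acc TCP 203.0.113.5:3120 192.0.2.10:143 L=44 S=0x00 I=13 F=0x4000 T=64 SYN
May  8 00:41:02 osg-gw imapd[4322]: connect from mail.example.org
"""


def _ts(s):
    # syslog timestamps carry no year; only differences matter here.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_logs(lines):
    """Split lines into tcpd 'unknown' refusals and kernel SYN records."""
    refusals, syns = [], []
    for line in lines:
        m = TCPD_RE.match(line)
        if m:
            refusals.append((_ts(m["ts"]), m["ts"], m["svc"]))
            continue
        m = KERN_RE.match(line)
        if m:
            syns.append((_ts(m["ts"]), m["src"], int(m["dport"])))
    return refusals, syns


def attribute_unknown(lines, window=2):
    """For each refusal, list source addresses that sent a SYN to that
    service's port within +/- window seconds of the tcpd entry."""
    refusals, syns = parse_logs(lines)
    result = []
    for when, raw_ts, svc in refusals:
        port = SERVICE_PORTS.get(svc)
        cands = sorted({src for sts, src, dport in syns
                        if dport == port
                        and abs((sts - when).total_seconds()) <= window})
        result.append((raw_ts, svc, cands))
    return result


def find_sweeps(lines, min_ports=3):
    """Sources whose SYNs reached at least min_ports distinct logged ports."""
    _, syns = parse_logs(lines)
    ports = defaultdict(set)
    for _, src, dport in syns:
        ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for raw_ts, svc, cands in attribute_unknown(LOG.splitlines()):
        print(f"{raw_ts} {svc}: unknown peer, SYN seen from {cands or 'nobody'}")
    for src, ports in find_sweeps(LOG.splitlines()).items():
        print(f"sweep candidate {src}: ports {ports}")
```

The window is deliberately small: a sweep that closes before tcpd's reverse lookup completes lands in the log within the same second as its SYN, so a two-second window keeps unrelated traffic to a busy port (the later 203.0.113.5 connection above) from being blamed for the earlier refusal. On a host with heavy legitimate traffic to a logged port the candidate list can still contain more than one address, so the output is a lead to check against the kernel lines, not proof on its own.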
-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null