I have a RH 6.2 linux box acting as a firewall and squid proxy server for an NT network. It forwards email to the Exchange server on the private LAN. The linux box is the only thing that has a "real" ip address.
Firstly, I am pretty new to linux, although I'm getting better every day.
We have gotten 2 calls now from other companies saying that our Exchange server is attacking their network, or port-scanning their network. They're talking about the linux box. But I don't know where to look to stop whatever service is causing this confusion. I'm not trying to attack anybody's network. Anyone have any ideas? Thanks in advance.
If you're simply doing a sendmail relay on to an Exchange server using your firewall as the company's email MX pointer, and it was fine up until now, then you may have someone in your firewall box portscanning.
I would suggest you look in your logs first.
Start by looking for failed login attempts.
cat /var/log/messages* | grep 'authentication'
Look for anything that says "authentication failure", or "accepted" when you know you didn't log in.
Then check the wtmp file with the command "last"; check the time of the reported scan against who was logged in.
I would also download something like "ethereal" to start sniffing the network (you could also use ngrep).
I suspect from past experience it's someone internal to your company who has a login on the system and is bored.
No daemons on the system should scan for ports as part of the system's standard working.
Remember you can do any standard SYN/ACK portscan without having to have suid 0 with something like nmap.
You need some IDS software and Tripwire on that firewall to help you.
Thanks for the response Raz, but the linux machine has no function other than a firewall gateway. It is not running sendmail. It simply forwards anything going to the Exchange server from the internet using ipmasqadm and ipchains. Also there are no other user accounts on the machine that someone could log into. I will check the logs as you suggested just to make sure.
What exactly did the other companies say?
Ask them to send you the logs of the scan attempts.
Are the companies that are reporting the scans anything to do with your own site, or a competitor site?
You know it's very easy for someone to change a TCP packet's header so it has a different source address, thus faking where the probe came from (an example is the decoy option in nmap).
Also, if your FTP daemon is incorrectly installed or old and has anonymous IP access, then someone can also do an FTP bounce scan (i.e. get your system to scan someone on their behalf).
If it helps, send me an email to roldbury@newmail.net with your FW's IP address and I'll start some penetration testing to see how secure your firewall is. Also I can give you some IDS software which will check your logs every 15 minutes for any DENY and other interesting messages and email them to you. (1 shell script, 1 Perl script and an entry in the crontab)
I suggest you DENY input access on any ports below 1024 while you look into this.
i.e.
Turn some ICMP types off to make your system more invisible.
Note: some ICMP types have to be ACCEPT or packets can't fragment correctly.
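As a worked version of the log check suggested in this thread (grep the logs for failed logins, and a cron job that reports ipchains DENY messages), here is a small added example; it is not Raz's script. It assumes RH 6.2-style syslog lines, i.e. ipchains "Packet log: <chain> DENY ..." entries and PAM/sshd login messages in /var/log/messages; the sample lines and the function names are constructed for the example.

```shell
# Added example: a small version of the periodic log check described above.
# Assumes RH 6.2-style syslog: ipchains "Packet log: <chain> DENY ..." lines
# and PAM/sshd login messages. Sample lines below are constructed.

# Constructed stand-in for /var/log/messages (two denied probes from one
# host, one accepted root login, one PAM failure, one unrelated line).
SAMPLE_LOG='Mar  3 02:11:07 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4221 198.51.100.2:23 L=60 S=0x00 I=1234 F=0x4000 T=51 SYN (#12)
Mar  3 02:11:09 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4222 198.51.100.2:111 L=60 S=0x00 I=1235 F=0x4000 T=51 SYN (#12)
Mar  3 02:12:41 fw sshd[811]: Accepted password for root from 192.0.2.77 port 1022 ssh2
Mar  3 02:13:02 fw PAM_unix[812]: authentication failure; (uid=0) -> root for login service
Mar  3 02:14:55 fw squid[455]: Ready to serve requests.'

# count_denies: number of ipchains DENY entries on stdin (0 is not an error).
count_denies() {
    grep -c 'Packet log: .*DENY' || true
}

# deny_summary: hit count per (chain, source address), busiest first.
# The source "addr:port" is the field right after PROTO=n; the chain name
# (input/output/forward) is the field right after "log:".
deny_summary() {
    awk '/Packet log: .*DENY/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "log:") chain = $(i + 1)
                if ($i ~ /^PROTO=/) { split($(i + 1), s, ":"); print chain, s[1] }
            }
        }' | sort | uniq -c | sort -rn
}

# top_deny_source: the single source address with the most DENY hits.
top_deny_source() {
    deny_summary | head -n 1 | awk '{ print $3 }'
}

# auth_events: login lines that matter: failures, and accepts you did not do.
auth_events() {
    grep -E 'authentication failure|Accepted' || true
}

# report: the text to mail yourself from a cron entry every 15 minutes,
# e.g. run this script with /var/log/messages on stdin and pipe it to mail.
report() {
    log=$(cat)
    echo "Denied packets: $(printf '%s\n' "$log" | count_denies)"
    printf '%s\n' "$log" | deny_summary
    echo "Login events:"
    printf '%s\n' "$log" | auth_events
}

printf '%s\n' "$SAMPLE_LOG" | report
```

An "output" chain showing up in the summary with the firewall's own address as source is what you would look for if the box itself were doing the scanning.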