Web Hosting Talk
Hacking 101: Blocking people from hacker countries?


troff
07-23-2002, 10:53 PM
I think 70% of our hack attacks on our Raq come from countries like Russia, Korea, China and places on the opposite side of the world that definitely don't have anything to do with us (e.g. why would someone from Europe want to telnet in?).

Is there a way to specifically block the entire country? I hope it is as simple as blocking a whole range of IP addresses (e.g. 201.110.*.* to 203.30.*.* for example to block China) so that I wouldn't have to worry about my Raq TCPwrapper blocking until the list becomes too long.

For anyone who is curious, here is one of my system attack warnings that I get around 10 times a day (please do feel free to give your comments as I have no idea what the hell is going on here below) :confused:

Not sure if a kind expert can explain to a newbie like me and others what it all means? Thanks in advance! ;) (I've replaced my IP address BTW with 200.200.200.200 and my domain with home01.mydomain.com).

=================

Jul 24 06:59:03 home01 portsentry[762]: attackalert: TCP SYN/Normal scan from host: 210.113.163.95/210.113.163.95 to TCP port: 22
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via wrappers with string: "ALL: 210.113.163.95"
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 210.113.163.95 -j DENY -l"

Security Violations
=-=-=-=-=-=-=-=-=-=
Jul 24 06:59:03 home01 portsentry[762]: attackalert: TCP SYN/Normal scan from host: 210.113.163.95/210.113.163.95 to TCP port: 22
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via wrappers with string: "ALL: 210.113.163.95"
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 210.113.163.95 -j DENY -l"
Jul 24 06:46:00 home01 sendmail[32767]: gethostbyaddr(200.200.200.200) failed: 1
Jul 24 06:46:01 home01 sendmail[306]: gethostbyaddr(200.200.200.200) failed: 1
Jul 24 07:00:03 home01 sendmail[885]: error: safesasl(/etc/sasldb) failed: Group readable file
Jul 24 07:00:03 home01 sendmail[885]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jul 24 06:59:03 home01 portsentry[762]: attackalert: TCP SYN/Normal scan from host: 210.113.163.95/210.113.163.95 to TCP port: 22
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via wrappers with string: "ALL: 210.113.163.95"
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 210.113.163.95 -j DENY -l"
Jul 24 07:00:01 home01 proftpd[863]: AllowChmod is deprecated, and will not work consistantly, use <Limit SITE_CHMOD> instead.
Jul 24 07:00:01 home01 proftpd[863]: home01.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Jul 24 07:00:01 home01 proftpd[863]: home01.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Jul 24 07:00:01 home01 in.proftpd[863]: connect from 127.0.0.1
Jul 24 07:00:02 home01 imapd[864]: connect from 127.0.0.1
Jul 24 07:00:03 home01 in.qpopper[884]: connect from 127.0.0.1
Jul 24 06:46:00 home01 sendmail[32767]: gethostbyaddr(200.200.200.200) failed: 1
Jul 24 06:46:00 home01 sendmail[32767]: g6NMk0c32767: clone g6NMk0b32767, owner=admin
Jul 24 06:46:01 home01 sendmail[306]: gethostbyaddr(200.200.200.200) failed: 1
Jul 24 07:00:02 home01 imapd[864]: imap service init from 127.0.0.1
Jul 24 07:00:02 home01 imapd[864]: Logout user=??? host=localhost [127.0.0.1]
Jul 24 07:00:03 home01 sendmail[885]: error: safesasl(/etc/sasldb) failed: Group readable file
Jul 24 07:00:03 home01 sendmail[885]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
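As an added example (not code from the thread), here is a small parser for the portsentry "attackalert" lines quoted above, plus a check of a scanning host against a list of CIDR ranges. The ranges and the sample log are constructed for the demo; they are not any country's real allocation.

```python
import ipaddress
import re

# Constructed sample: the portsentry lines quoted in the post, plus one unrelated line.
SAMPLE_LOG = """\
Jul 24 06:59:03 home01 portsentry[762]: attackalert: TCP SYN/Normal scan from host: 210.113.163.95/210.113.163.95 to TCP port: 22
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via wrappers with string: "ALL: 210.113.163.95"
Jul 24 06:59:03 home01 portsentry[762]: attackalert: Host 210.113.163.95 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 210.113.163.95 -j DENY -l"
Jul 24 07:00:03 home01 sendmail[885]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# "scan from host: <name>/<ip> to TCP port: <port>" (the TCP format shown in the log)
SCAN_RE = re.compile(
    r"attackalert: TCP \S+ scan from host: (?P<name>\S+)/(?P<ip>[\d.]+) to TCP port: (?P<port>\d+)")
# "Host <ip> has been blocked via wrappers ..." or "... via dropped route ..."
BLOCK_RE = re.compile(
    r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<how>wrappers|dropped route)")


def parse_portsentry(text):
    """Return {source_ip: {"ports": set of probed ports, "blocks": set of block methods}}."""
    events = {}
    for line in text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            entry = events.setdefault(m["ip"], {"ports": set(), "blocks": set()})
            entry["ports"].add(int(m["port"]))
            continue
        m = BLOCK_RE.search(line)
        if m:
            entry = events.setdefault(m["ip"], {"ports": set(), "blocks": set()})
            entry["blocks"].add(m["how"])
    return events


def matching_range(ip, ranges):
    """Return the first CIDR in `ranges` that contains `ip`, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for cidr in ranges:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


if __name__ == "__main__":
    # Constructed sample ranges (not real country allocations).
    blocked = ["203.0.113.0/24", "210.113.0.0/16"]
    for ip, info in parse_portsentry(SAMPLE_LOG).items():
        print(ip, sorted(info["ports"]), sorted(info["blocks"]), matching_range(ip, blocked))
```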

JKLIVIN
07-25-2002, 04:45 PM
Disabling telnet altogether would be the first start.

blacknight
07-25-2002, 05:18 PM
Disable Telnet definitely

Blocking entire IP blocks probably won't work, as they aren't assigned to countries as much as block owners and the more intelligent hackers spoof their IPs anyway.

projo
07-25-2002, 05:30 PM
If they spoof an IP how do they get the return packet stream? Just curious.

blacknight
07-25-2002, 06:27 PM
I have no idea!
All I know is that most of the people using fraudulent credit cards spoof their IPs when ordering... and a lot of the IPs that turn up in portsentry are being misreported by RIPE

microsol
07-25-2002, 08:15 PM
OT: Check your proftpd.conf
Jul 24 07:00:01 home01 proftpd[863]: AllowChmod is deprecated, and will not work consistantly, use <Limit SITE_CHMOD> instead.

dutchie
07-26-2002, 08:27 AM
Hi Microsol,

I get these same errors, what do they mean and how do I get rid of them?

Thanks!

Pingu
07-26-2002, 09:51 AM
Set up tcp-wrappers to only allow those IPs you want near your server. That will keep out the rest of the world.

esdjco
07-26-2002, 09:55 AM
Harden down your box so you don't have to disable access to anyone. Run security audits on it and keep unused services turned off, packages up to date, and be aware of any changes that may seem funny.

microsol
07-26-2002, 10:15 AM
Originally posted by dutchie
Hi Microsol,

I get these same errors, what do they mean and how do I get rid of them?

Thanks!

Search for this one in your proftpd.conf <Limit SITE_CHMOD> and just comment it out or delete it.
Also check if there is a </Limit> in there. Do the same as described above.

projo
07-26-2002, 10:31 AM
Originally posted by blacknight
... spoof their IPs when ordering...

Oh, OK. In that case the form gets submitted and they don't need to see the response page.

aljuhani
07-26-2002, 08:55 PM
AllowChmod is deprecated, and will not work consistantly, use <Limit SITE_CHMOD> instead.

This happens after installing the security update from cobalt
RaQ4-All-Security-2.0.1-13323.pkg

Ok here is what you need to do in details:

edit the /etc/proftpd.conf file

Comment out (notice #) the AllowChmod line;

---------------------------------
# Restore file permissions capability to site administrator
<Global>
#AllowChmod on
<Limit SITE_CHMOD>
AllowAll
</Limit>
# Report localtime, not GMT
TimesGMT off
</Global>
-----------------------------------------

BTW If you use DenyAll within <Limit SITE_CHMOD>, your customers won't be able to chmod their files.

and after saving the file:

cd /etc/rc.d/init.d
./inetd stop
./inetd start

Now check your /var/log/messages it should be all OK.

Regards,

Al-Juhani

sour
07-26-2002, 11:30 PM
Originally posted by projo
If they spoof an IP how do they get the return packet stream? Just curious.

They don't necessarily spoof their IP, most often they use proxy servers. Smart hackers will chain 3-4 proxies before doing some major damage to someone.