Monitoring IPFW Logs
Pages: 1, 2
Also in FreeBSD Basics:
Unfortunately, not all packets sent to your computer are as benign as the examples I gave for ports 119 and 113. If someone was looking for a machine to compromise, they could in theory try to get in on any open port. Fortunately, they usually tend to use common exploits on a few "notorious" trojan ports. There will be times when you are reading your firewall log that you'll be glad you that you took the time necessary to create and maintain your firewall.
There are numerous resources on the Internet to find out which ports are used by which exploits. One of the best places to start is with Robert Graham's "What am I seeing? FAQ":
If you come across a port you haven't seen before, there is a comprehensive port search utility here.
If you'd like to see a list of common trojans sorted by different categories, try this page.
The above resources will help to satisfy your curiosity concerning the entries that appear in your firewall log, but the question still remains: What, if anything, can I do about these entries? You can send a polite email with a copy of the firewall entries to either the host's service provider or to the administrator of the network where the host resides. To find out who to send the email to, do a:
dig -x IP_address_of_sender
to get the host name of the machine that sent the undesirable packets. You can then try a
whois query on the last portion (or TLD) of the host name to see who registered that TLD (top-level domain). For example, I received a lot of netbus (a common trojan) entries from a host whose name ended with "home.com". When I ran the
whois utility, I received the following response:
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
To single out one record, look it up with "xxx", where xxx is one of the of the records displayed above. If the records are the same, look them up with
=xxx to receive a full display for each record.
>>> Last update of whois database: Thu, 28 Jun 2001 02:04:50 EDT <<<
The registry database contains only .com, .net, .org, .edu, domains and registrars.
Because there were two registrants that had "home.com" as part of their name, I re-ran the inquiry like so:
Home Network (HOME-DOM)
425 Broadway St.
Redwood City, CA 94063
Domain Name: HOME.COM
Administrative Contact, Technical Contact:
DNS Administration (DA24627-OR) abuse@HOME.COM
425 Broadway St
Redwood City , CA 94063
Because this is a service provider, I'm not surprised that the email address of the administrative contact is "firstname.lastname@example.org". If this had been a small company who had not set up an "abuse" email account, I could instead send an email to the person listed in the "Administrative Contact, Technical Contact" section.
You'll note from the original
whois query that there are several competing registrars. If you don't receive any results from your
whois query, the host probably lives in a different portion of the globe and its TLD may be registered in a different database. The
whois utility on your FreeBSD system has several switches to allow you to query the various
whois databases. The following useful switches are taken from
WHOIS(1) FreeBSD General Commands Manual WHOIS(1) DESCRIPTION Whois looks up records in the databases maintained by several Network Information Centers (NICs). The options are as follows: <snip> -p Use the Asia/Pacific Network Information Center (APNIC) database. It contains network numbers used in East Asia, Australia, New Zealand, and the Pacific islands. -r Use the R'eseaux IP Europ'eens (RIPE) database. It contains network numbers and domain contact information for Europe. <snip>
A common complaint from those who take the time to send polite email is that they never receive acknowledgement that their email was even received or that any satisfactory action against the offending host took place. As a result, many administrators now upload their firewall logs to a centralized database. There are several interesting initiatives available; even if you don't want to participate, you can still view the accumulated statistics to see which ports are being probed and by whom.
One initiative is at www.mynetwatchman.com. Its script allows you to upload your
ipfw logs and I will be demonstrating its usage in a future article.
Another is at aris.securityfocus.com. They accept
snort logs and I'll cover this initiative in more depth later on this year when I demonstrate creating an intrusion detection system with
snort. Securityfocus also has several valuable mailing lists. My favorite is the "incidents" mailing list. You can read the archives or sign up for any of their mailing lists at www.securityfocus.com.
Yet another initiative is at Incidents.org, which is headed up by the SANS Institute. If you are interested in security issues, it sends out a weekly newsletter via email. To subscribe, email email@example.com with the subject line: Subscribe Newsbites
The links mentioned in today's article should get you started on understanding the entries in your firewall log. In next week's article, I'd like to take a break from firewalls and do my semi-annual tour through the ports collection.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Read more FreeBSD Basics columns.
Return to the BSD DevCenter.