Novell Archives: Archived content from Novell openSUSE support forums
suse 9.3 pro, all security updates installed (THANK YOU YaST and SUSEWatcher!)

i'm getting thousands of these:

Nov 10 09:11:14 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=60.213.187.70 DST=80.161.69.43 LEN=339 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=47949 DPT=1029 LEN=319
Nov 10 09:11:36 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=80.161.2.84 DST=80.161.69.43 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=44067 DF PROTO=TCP SPT=3347 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)

but i didn't use to..

i *theorize* that it is due to my port 113 not being completely stealthed (grc.com reports: 113 IDENT Closed Your computer has responded that this port exists but is currently closed to connections....ALL others are: Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!)

my theory is that the windoz wormbots doing probes see the 113 response and then try to weasel in through port 445..

further, i remember i did not see this kind of log entry when i was running Fedora, whose default firewall stealthed ALL ports...

YaST firewall setup does not SEEM to have a place for me to close port 113 (i did have to turn off ping in both fedora and suse---but, can't find 113's switch)

anyone able to guide me through YaST or know what files to tinker with, and how?

DenverD

ah, slight modification of the background: fedora was always run with the only hook to the net via isdn....it never sat for hours/days hooked up as does SUSE and my new ADSL...so, maybe the wormbots never had a chance to randomly hit my IP's 445..

anyone know if the bots just randomly scan/try 445, or do they search for pings, port 113 [and other] replies and then hang around and pump in packets until they tire, and move on..

in other words...is it worth any effort at all (since apparently nothing is getting in--and, i am "just" wasting cycles and hard drive space piling up all those drop notices)
DenverD adjusted his/her tinfoil beanie to post:

> suse 9.3 pro, all security updates installed (THANK YOU YaST and
> SUSEWatcher!)
>
> i'm getting thousands of these:
>
> Nov 10 09:11:14 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
> MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=60.213.187.70
> DST=80.161.69.43 LEN=339 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP
> SPT=47949 DPT=1029 LEN=319
> Nov 10 09:11:36 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
> MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=80.161.2.84
> DST=80.161.69.43 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=44067 DF
> PROTO=TCP SPT=3347 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
> (020405B401010402)
>
> but i didn't used to..

Hi DenverD,

Perhaps the log level has been set back to default; you can drop/raise the firewall log level in Yast>System>/etc/sysconfig Editor>Network>Firewall>SuSEfirewall2

As you can see these packets are getting dropped, so no problem there: the firewall is doing its job and there is nothing to worry about.

> in other words...is it worth any effort at all (since apparently
> nothing is getting in--and, i am "just" wasting cycles and hard
> drive space piling up all those drop notices)

Are your log files not rotating and slowly growing, or have you set up cron to use logrotate on a daily basis? (can be done from the sysconfig editor as well)

HTH
--
Mark
Twixt hill and high water
N. Wales, UK
Novell Support Forums SysOp
baskitcaise wrote:

> DenverD adjusted his/her tinfoil beanie to post:
>
>> suse 9.3 pro, all security updates installed (THANK YOU YaST and
>> SUSEWatcher!)
>>
>> i'm getting thousands of these:
>>
>> Nov 10 09:11:14 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=60.213.187.70
>> DST=80.161.69.43 LEN=339 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF
>> PROTO=UDP SPT=47949 DPT=1029 LEN=319
>> Nov 10 09:11:36 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=80.161.2.84
>> DST=80.161.69.43 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=44067 DF
>> PROTO=TCP SPT=3347 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
>> (020405B401010402)
>>
>> but i didn't used to..
>
> Hi DenverD,
>
> Perhaps the log level has been set back to default, you can
> drop/raise the firewall log level in Yast>System>/etc/sysconfig
> Editor>Network>Firewall>SuSEfirewall2

taking that path i get to Firewall okay...but then the only branch is personal-firewall, with no apparent way to twiddle the log level..

however, if i go YaST>Security and Users>Firewall>Logging Level i see the logging level for both "Logging Accepted Packets" and "Logging Not Accepted Packets" is set to 'Log Only Critical'.. what should it be? (options are "Log All", "Log Only Critical" and "Do Not Log Any")

> As you can see these packets are getting dropped so no problem
> there so the firewall is doing its job and nothing to worry about.
>
>> in other words...is it worth any effort at all (since apparently
>> nothing is getting in--and, i am "just" wasting cycles and hard
>> drive space piling up all those drop notices)
>
> Are your log files not rotating and slowly growing or have you set
> up cron to use logrotate on a daily basis? ( can be done from the
> sysconfig editor as well )

yes, they are rotating, with the old files mashed flat in a .gz, but not daily...looks like about weekly...

all that junk makes it hard to quickly scan /var/log/messages for problems....sure wish i could keep the junk out..

but, thanks for helping,
DenverD
On Thu, 10 Nov 2005 08:44:59 +0000, DenverD wrote:

> suse 9.3 pro, all security updates installed (THANK YOU YaST and
> SUSEWatcher!)
>
> i'm getting thousands of these:
>
> Nov 10 09:11:14 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
> MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=60.213.187.70
> DST=80.161.69.43 LEN=339 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP
> SPT=47949 DPT=1029 LEN=319
> Nov 10 09:11:36 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
> MAC=00:0b:6a:bc:12:c5:00:0a:f3:1e:90:38:08:00 SRC=80.161.2.84
> DST=80.161.69.43 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=44067 DF
> PROTO=TCP SPT=3347 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
> (020405B401010402)
>
> but i didn't used to..

Maybe your ISP was filtering these before and now is not. I get this kind of traffic all the time. Usually it's from misconfigured or zombied Windows machines blindly trying to connect to any address.

> i *theorize* that it is due to my port 113 not being completely
> stealthed (grc.com reports: 113 IDENT Closed Your computer has responded
> that this port exists but is currently closed to connections....ALL
> others are: Stealth There is NO EVIDENCE WHATSOEVER that a port (or even
> any computer) exists at this IP address!)

I've closed the ident port, and I still get the usual traffic on various Windows ports. Common are 139, 445, 1026-1029, etc. In fact, I get more packets on these ports than I do on, say, 21 or 22.

> my theory is that the windoz wormbots doing probes see the 113 response
> and then try to weasel in through port 445..
> further, i remember i did not see these kind of log entries when i was
> running Fedora, whose default firewall stealthed ALL ports...
>
> YaST firewall setup does not SEEM to have a place for me to close port
> 113 (i did have to turn off ping in both fedora and suse---but, can't
> find 113's switch)
> anyone able to guide me through YaST or know what files to tinker with,
> and how?

It's in /etc/sysconfig/SuSEfirewall2. Look for

    FW_SERVICES_REJECT_EXT="0/0,tcp,113"

If you clear the values from within the quotes and then restart SuSEfirewall2, all packets going to 113 will be dropped instead of rejected. Caveat is that some servers expect an answer about 113, even if the answer is "this door is closed". Connecting to IRC servers is likely where you would find problems. You can try it and see if you notice any connection timeouts or refused connections.

[snip]

--
sktsee
sktsee wrote:

> It's in /etc/sysconfig/SuSEfirewall2. Look for
> FW_SERVICES_REJECT_EXT="0/0,tcp,113" If you clear the values from
> within the quotes and then restart the SuSEfirewall2, all packets
> going to 113 will be dropped instead of rejected. Caveat is that
> some servers expect an answer about 113, even if the answer is
> "this door is closed". Connecting to IRC servers is likely where
> you would find problems. You can try it and see if you notice any
> connection timeouts or refused connections.

thank you! sktsee,

here, in my 9.3 YaST, it is system>etc/sysconfig Editor>Other>etc>sysconfig>SuSEfirewall2

i cleared the reject line and now have full stealth...THANKS!!

email works ok and i almost never use IRC...but, as you and others predicted, the windoz zombied boxes continue to knock on the door.. how rude!

now, where was that person who knows how to stop those dropped packets from being logged (they make such a mess...a pain to wade through to actually look at the logs to see if there IS something there important..)

good weekend to you,
DenverD
DenverD wrote:

> sktsee wrote:
>
>> It's in /etc/sysconfig/SuSEfirewall2. Look for
>> FW_SERVICES_REJECT_EXT="0/0,tcp,113" If you clear the values from
>> within the quotes and then restart the SuSEfirewall2, all packets
>> going to 113 will be dropped instead of rejected. Caveat is that
>> some servers expect an answer about 113, even if the answer is
>> "this door is closed". Connecting to IRC servers is likely where
>> you would find problems. You can try it and see if you notice any
>> connection timeouts or refused connections.
>
> thank you! sktsee,
>
> here. in my 9.3 YaST it is
> system>etc/sysconfig Editor>Other>etc>sysconfig>SuSEfirewall2
>
> i cleared the reject line and now have full stealth...THANKS!!
>
> email works ok and i almost never use IRC...but, as you and others
> predicted the windoz zombied boxes continue to knock on the door..

If you take a look at /etc/sysconfig/scripts/SuSEfirewall2-custom, you'll find at the bottom of the script an example of what you are looking for. Just uncomment the following lines and modify for which packets you want dropped, but not logged. For instance, since Windows Messenger packets constitute the majority of packets that are dropped by SuSEfirewall2 on my system, I modified the following rule slightly (changed port range) to prevent logging them:

    # inside fw_custom_before_denyall() in SuSEfirewall2-custom: a plain DROP with no LOG,
    # appended before SuSEfirewall2's own log-and-drop rules, so the packets never get logged
    for chain in input_ext input_dmz input_int forward_ext forward_dmz forward_int; do
        iptables -A $chain -j DROP -p udp --dport 1025:1031
    done

Then, I edited /etc/sysconfig/SuSEfirewall2 and uncommented the line

    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Then I reloaded SuSEfirewall2:

    rcSuSEfirewall2 restart

***Note: you may see iptables complain about no matching rules, etc., after restarting SuSEfirewall2. This is due to the fact that some of the "zones" listed in the rule do not have an interface associated with them, like input_dmz or forward_ext. I don't forward packets, nor do I have a dmz defined, so I could effectively remove input_dmz and forward_*. The rule still works despite its complaining.

You can look in your log to see which type of packets you don't want showing up and edit the rule accordingly.

HTH
--
sktsee
ah...thank you...but, to get started i took a look in my 'messages' and i see hits on ports 22, 68, 113, 137, 139, 445, 1025-1028 and 1433...(and got tired of looking...there may be more!)

before i modify the files you mentioned (below) i wonder if it is possible (i'm a USER, not a hacker) to simply (?) *not* log all those with "SFW2-INext-DROP" in the message...rather than specifying all specific ports, or an (incomplete) range..

sorry if this question makes no sense--it makes sense to me (all i wanna do is *not* log the attempts that were *un*successful..)

DenverD

OR, maybe i *want* the unsuccessful logged---but, i do not have enough experience with firewalls/logs/linux to actually know that! (so, how about a way to "BOLD PRINT LOOK HERE STUPID" or surround each really bad thing with *****)

sktsee wrote:

> If you take a look at /etc/sysconfig/scripts/SuSEfirewall2-custom,
> you'll find at the bottom of the script an example of what you are
> looking for. Just uncomment the following lines and modify for
> which packets you want dropped, but not logged. For instance, since
> Windows Messenger packets constitute the majority of packets that
> are dropped by SuSEfirewall2 on my system, I modified the following
> rule slightly (changed port range) to prevent logging them:
>
> for chain in input_ext input_dmz input_int forward_ext forward_dmz
> forward_int; do
> iptables -A $chain -j DROP -p udp --dport 1025:1031
>
> Then, I edited /etc/sysconfig/SuSEfirewall2 and uncommented the
> line
>
> #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom".
>
> Then I reloaded SuSEfirewall2.
>
> rcSuSEfirewall2 restart
>
> ***Note you may see iptables complain about no matching rules,
> etc. after restarting SuSEfirewall2. This is due to the fact that some
> of the "zones" listed in the rule do not have an interface
> associated with them, like input_dmz or forward_ext. I don't
> forward packets, nor do I have a dmz defined so I could effectively
> remove input_dmz, and forward_*. The rule still works despite it's
> complaining.
>
> You can look in your log to see which type of packets you don't
> want showing up and edit the rule accordingly.
>
> HTH
> sktsee
DenverD wrote:

> ah...thank you...but, to get started i took a look in my 'messages'
> and i see hits on ports 22, 68, 113, 137, 139, 445, 1025-1028 and
> 1433...(and got tired of looking...there may be more!)
>
> before i modify the files you mentioned (below) i wonder if it is
> possible (i'm a USER, not a hacker) to simply (?) *not* log all
> those with "SFW2-INext-DROP" in the message...rather than specifying
> all specific ports, or an (incomplete) range

You can in Yast. It's yast2->Security->Firewall->Logging Level. Change the level of the not accepted packets from log critical to none.

I would seriously caution against that, though. It's not good practice. You should have some level of logging, if for nothing else to make sure your firewall is working. Otherwise, you'll need to test it periodically. And by periodically I mean every time you connect to the internet.

> sorry if this question makes no sense--it makes sense to me (all i
> wanna do is *not* log the attempts that were *un*successful..)
>
> DenverD
> OR, maybe i *want* the unsuccessful logged---but, i do not have
> enough experience with firewalls/logs/linux to actually know that!
> (so, how about a way to "BOLD PRINT LOOK HERE STUPID" or surround
> each really bad thing with *****)

I don't think SuSEfirewall2's default configuration will help much in that regard. You'd have to decide for yourself what packets are important enough to flag and then create new rules, or customize the existing ones to assign more significance to their presence. Either way, you should study up on iptables before attempting such modifications, since it's possible to render the firewall useless with a badly formed rule.

You might want to check out the package scanlogd and an IDS if you want to be able to analyze security concerns like port scans and intrusion detection.

[snip]

--
sktsee
sktsee wrote:

> You can in Yast. It's yast2->Security->Firewall->Logging Level.
> Change the level of the not accepted packets from log critical to
> none. I would seriously caution against that

i agree...i won't do that!

> Either way, you should study up on iptables before attempting such
> modifications since it's possible to render the firewall useless
> with a badly formed rule.

too hard (for me)

i'll just leave it alone for now....thanks for your help

DenverD