HowtoForge Forums > Linux Forums > Installation/Configuration
Network questions regarding Ubuntu Server

#1 lubod (Junior Member), 1st January 2007, 01:02

Hi, I have a Ubuntu Dapper Drake 6.06 Server running, but for some reason there are spurious entries in the routing table, which obviously I did not add manually.

Quote:
me@myserver:/etc$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
59.117.191.225  -               255.255.255.255 !H        - -          - -
200.65.167.244  -               255.255.255.255 !H        - -          - -
192.168.31.2    -               255.255.255.255 !H        - -          - -
58.20.109.33    -               255.255.255.255 !H        - -          - -
12.6.10.23      -               255.255.255.255 !H        - -          - -
a.b.c.0         0.0.0.0         255.255.255.128 U         0 0          0 eth1
192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         a.b.c.1         0.0.0.0         UG        0 0          0 eth1
I inserted me@myserver instead of the real prompt and hostname, and a.b.c. instead of the real IP address.

So I wonder, what would insert this stuff (and what can I do to prevent it from reappearing), and is there a text file I can edit to remove it?

I tried various ways of doing sudo route -n del -host 192.168.31.2, but always come up with errors that suggest my syntax is wrong. The one I'm most interested in removing, and therefore presumably re-enabling, is 192.168.31.2.

#2 falko (Super Moderator), 1st January 2007, 21:21

Did you set up that server yourself?
Have you tried to reboot it? What's the output of
Code:
ls -la /etc/network/if-up.d
? What's in /etc/networking/interfaces?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:

#3 lubod (Junior Member), 1st January 2007, 22:21

First, thanks for answering and Happy New Year!

Yes, I did set up the server myself, and have rebooted at least once since this started happening. If I recall it was worse before the reboot, then it seemed to not allow anyone online, now it blocks just one computer, or only a few. My first concern of course is fixing it, but there is a bigger long term question about security and reliability: Since both these seemingly false routes and entries in hosts.deny blocking some of the same addresses like 192.168.31.2 appeared at the same time, is it likely it was hacked? I took all sorts of precautions, like using ssh (never telnet), restricting webmin to only being administered by certain known IP addresses, etc. In fact I've checked the output of last, which shows nothing suspicious, and installed portsentry to guard against attempts at hacking, and I'm almost beginning to think it was one of my precautions that automatically blocked this stuff in an overzealous attempt to protect itself.

Output of ls -la /etc/network/if-up.d

Quote:
$ ls -la /etc/network/if-up.d
total 24
drwxr-xr-x 2 root root 4096 2006-12-21 10:29 .
drwxr-xr-x 6 root root 4096 2006-11-30 17:58 ..
-rwxr-xr-x 1 root root 1386 2006-05-23 03:39 mountnfs
-rwxr-xr-x 1 root root 551 2006-05-28 19:48 ntpdate
-rwxr-xr-x 1 root root 157 2006-05-28 19:48 ntp-server
-rwxr-xr-x 1 root root 1120 2006-06-08 01:22 postfix
I guess your next question is about /etc/network/interfaces, because there is no networking in /etc.

Quote:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo eth1 eth0
iface lo inet loopback

# The primary network interface
iface eth1 inet static
address a.b.c.d
netmask 255.255.255.128
network a.b.c.0
broadcast a.b.c.127
gateway a.b.c.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 209.218.76.2 216.171.129.14 209.218.44.6

iface eth0 inet static
address 192.168.31.1
netmask 255.255.255.0
broadcast 192.168.31.255
network 192.168.31.0
pre-up iptables-restore < /etc/iptables.up.rules

Last edited by lubod; 2nd January 2007 at 02:33.
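
As an added example (not from the thread) of the cleanup asked for above: the `!H` flag in `netstat -nr` marks a reject host route, which is what the stock Linux portsentry.conf KILL_ROUTE adds with `route add -host <ip> reject`, while its KILL_HOSTS_DENY appends an `ALL: <ip> : DENY` line to hosts.deny, which is why both showed up together. The script below finds such routes in a constructed copy of the posted table, checks which have a matching hosts.deny line, and prints the commands that undo both; the samples are constructed, and a reject route has to be deleted with the `reject` keyword, which is the likely reason plain `route del -host` was rejected.

```shell
#!/bin/sh
# Added example: list reject host routes and their hosts.deny twins, and
# print the commands that remove both. Constructed samples stand in for
# live data; on the real box call
#   cleanup_commands "$(netstat -nr)" "$(cat /etc/hosts.deny)"

# Constructed copy of the routing table posted in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
59.117.191.225  -               255.255.255.255 !H        - -          - -
192.168.31.2    -               255.255.255.255 !H        - -          - -
192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         a.b.c.1         0.0.0.0         UG        0 0          0 eth1'

# Constructed hosts.deny in the "ALL: <ip> : DENY" form that the stock
# portsentry KILL_HOSTS_DENY setting appends (assumption: default config).
SAMPLE_HOSTS_DENY='# /etc/hosts.deny
ALL: 192.168.31.2 : DENY
ALL: 10.0.0.9 : DENY'

# Destinations of routes whose Flags field carries both "!" (reject)
# and "H" (host), i.e. single addresses the kernel refuses to talk to.
list_reject_routes() {
    printf '%s\n' "$1" | awk '$3 == "255.255.255.255" && $4 ~ /!/ && $4 ~ /H/ { print $1 }'
}

# Succeeds when hosts.deny ($2) carries a DENY line for the address ($1).
denied_in_hosts_deny() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')      # match dots literally
    printf '%s\n' "$2" | grep -q "^ALL: $pat : DENY"
}

# Print, without executing, the commands that undo an automatic block.
# The route must be deleted as a reject route; without the keyword the
# kernel looks for an ordinary host route and reports "No such process".
cleanup_commands() {
    for ip in $(list_reject_routes "$1"); do
        printf 'route del -host %s reject\n' "$ip"
        if denied_in_hosts_deny "$ip" "$2"; then
            pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
            printf "sed -i '/^ALL: %s : DENY/d' /etc/hosts.deny\n" "$pat"
        fi
    done
}
```

Review the printed commands before running them as root; a route that is not in hosts.deny may have been added by something other than portsentry.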

#4 falko (Super Moderator), 2nd January 2007, 19:32

Quote:
Originally Posted by lubod
Since both these seemingly false routes and entries in hosts.deny blocking some of the same addresses like 192.168.31.2 appeared at the same time, is it likely it was hacked?
You should check that: http://www.howtoforge.com/faq/1_38_en.html

Quote:
Originally Posted by lubod
and installed portsentry to guard against attempts at hacking
It's possible that these routes are created by Portsentry. Can you disable it and reboot the system (make sure Portsentry doesn't start automatically at boot time)?

Quote:
Originally Posted by lubod
Output of ls -la /etc/network/if-up.d
What's in each of the files?

Quote:
Originally Posted by lubod
I guess your next question is about /etc/network/interfaces, because there is no networking in /etc.
Yes, right.

What's in /etc/iptables.up.rules?

#5 lubod (Junior Member), 3rd January 2007, 02:25

Again, thanks for the tips. The page you refer to has chkrootkit typed in as ckrootkit in several places!

Chkrootkit has shown false positives for the ports portsentry is guarding, like 1524, which correctly drops telnet connections. I wonder if testing the defenses by trying to connect to that triggered adding the computers I tried it from to the blocking list. Quite possible. Being hacked is unlikely, I just wondered how things got blocked, and one scenario that came to mind, (unlikely as it is) is that someone who has gained access is trying to block me from administering the server. But here is the output anyway:

chkrootkit:

Quote:
sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhcpd3[24353])
eth1: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
rkhunter (which is up to date, --update says so):

Quote:
---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 103 seconds

-----------------------------------------------------------------------
It does note, however:

Quote:
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)
and

Quote:
Application advisories
* Application scan
Checking Apache2 modules ... [ OK ]
Checking Apache configuration ... [ OK ]

* Application version scan
- GnuPG 1.4.2.2 [ OK ]
- Bind DNS 9.3.2 [ OK ]
- OpenSSL 0.9.8a [ Unknown ]
- OpenSSH 4.2p1 [ OK ]

Your system contains some unknown version numbers.
I'll reboot without portsentry at the next opportunity, but it can't be done immediately, maybe tomorrow or the day after. I found a temporary workaround, to use one system which can still access the server to reassign a new 192.x.y.z IP address to the one being blocked.

I can post the contents of the files in question, but having glanced at them they do look harmless, like configurations for the various services like postfix set up automatically by webmin. But here's what they say:

mountnfs:

Quote:
#! /bin/sh
# Mount network file systems now that at least one interface is
# configured.

[ "$IFACE" != "lo" ] || exit 0

test -f /etc/fstab || exit 0

[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/init/functions.sh


# Lock around this otherwise insanity may occur
mkdir /var/run/network/mountnfs 2>/dev/null || exit 0

#
# Read through fstab line by line. If it is NFS, set the flag
# for mounting NFS file systems. If any NFS partition is found and it
# not mounted with the nolock option, we start the portmapper.
#
portmap=no
while read device mountpt fstype options
do
    case "$device" in
        ""|\#*)
            continue
            ;;
    esac

    case "$options" in
        *noauto*)
            continue
            ;;
    esac

    case "$fstype" in
        nfs|nfs4)
            case "$options" in
                *nolock*)
                    ;;
                *)
                    portmap=yes
                    ;;
            esac
            ;;
        smbfs|cifs|coda|ncp|ncpfs)
            ;;
        *)
            fstype=
            ;;
    esac
    if [ -n "$fstype" ]
    then
        case "$NETFS" in
            $fstype|*,$fstype|$fstype,*|*,$fstype,*)
                ;;
            *)
                NETFS="$NETFS${NETFS:+,}$fstype"
                ;;
        esac
    fi
done < /etc/fstab

if [ "$portmap" = yes ]
then
    if [ -x /sbin/portmap ] && [ -z "`pidof portmap`" ]
    then
        start-stop-daemon --start --quiet --exec /sbin/portmap
    fi
fi

if [ -n "$NETFS" ]
then
    pre_mountall
    mount -a -t$NETFS 2>&1 | egrep -v '(already|nothing was) mounted'
    post_mountall
fi

rmdir /var/run/network/mountnfs 2>/dev/null || exit 0
ntp-server:

Quote:
#!/bin/sh

# remove (or comment out) the next line if your network addresses change
exit 0

case $IFACE in
    eth*)
        /etc/init.d/ntp-server restart
        ;;
esac
ntpdate:

Quote:
#!/bin/sh
# Adjust the system clock with ntp whenever a network interface is
# brought up, as it might mean we can contact the server.

[ "$IFACE" != "lo" ] || exit 0

test -f /usr/sbin/ntpdate || exit 0

if [ -f /etc/default/ntpdate ]; then
    . /etc/default/ntpdate
    test -n "$NTPSERVERS" || exit 0
else
    NTPSERVERS="ntp.ubuntu.com"
fi

if [ "$VERBOSITY" = 1 ]; then
    echo "Synchronizing clock to $NTPSERVERS..."
    /usr/sbin/ntpdate -b -s $NTPOPTIONS $NTPSERVERS || true
else
    /usr/sbin/ntpdate -b -s $NTPOPTIONS $NTPSERVERS >/dev/null 2>&1 || true
fi
continued on next post, over 10000 characters

#6 lubod (Junior Member), 3rd January 2007, 02:34

continued from previous post:

postfix:

Quote:
#!/bin/sh -e
# Called when a new interface comes up
# Written by LaMont Jones <lamont@debian.org>

# don't bother to restart postfix when lo is configured.
if [ "$IFACE" = "lo" ]; then
    exit 0
fi

# If /usr isn't mounted yet, silently bail.
if [ ! -d /usr/lib/postfix ]; then
    exit 0
fi

RUNNING=""
# If master is running, force a queue run to unload any mail that is
# hanging around. Yes, sendmail is a symlink...
if [ -f /var/spool/postfix/pid/master.pid ]; then
    pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
    exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
    if [ "X$exe" = "Xmaster" ]; then
        RUNNING="y"
    fi
fi

# start or reload Postfix as needed
if [ ! -x /sbin/resolvconf ]; then
    f=/etc/resolv.conf
    if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
        exit 0
    fi
    if [ -n "$RUNNING" ]; then
        /etc/init.d/postfix reload >/dev/null 2>&1
    fi
fi

# If master is running, force a queue run to unload any mail that is
# hanging around. Yes, sendmail is a symlink...
if [ -n "$RUNNING" ]; then
    if [ -x /usr/sbin/sendmail ]; then
        /usr/sbin/sendmail -q >/dev/null 2>&1
    fi
fi
iptables.up.rules:

Quote:
# Generated by iptables-save v1.3.3 on Mon Dec 4 17:41:50 2006
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Dec 4 17:41:50 2006
# Generated by iptables-save v1.3.3 on Mon Dec 4 17:41:50 2006
*mangle
:PREROUTING ACCEPT [377:45945]
:INPUT ACCEPT [376:45893]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:372111]
:POSTROUTING ACCEPT [463:372111]
COMMIT
# Completed on Mon Dec 4 17:41:50 2006
# Generated by iptables-save v1.3.3 on Mon Dec 4 17:41:50 2006
*filter
:FORWARD DROP [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth1 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
# Internal LAN outbound
-A FORWARD -i eth0 -j ACCEPT
# Internal LAN loopback
-A FORWARD -i lo -j ACCEPT
# Internal LAN Existing connections
-A FORWARD -i eth1 -j ACCEPT
COMMIT
# Completed on Mon Dec 4 17:41:50 2006
I have a feeling it is portsentry, or at least something in the system set too strictly with regards to security, and therefore blocking what it considers suspicious activity.

This is listed under the portsentry portion of webmin:

Block TCP Probes: Yes (was No by default)
Block UDP Probes: same

Hosts to ignore traffic from:
127.0.0.1/32
0.0.0.0

I did not, to my knowledge, enter these numbers; either they were the defaults or some part of webmin created them in response to my configuration.
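
An added note on the posted iptables.up.rules (the fragment below is illustrative and not from the thread): with the FORWARD policy set to DROP, the rule commented "Internal LAN Existing connections" reads `-A FORWARD -i eth1 -j ACCEPT`, which accepts for forwarding every packet that enters on the external interface eth1, not only replies to connections the LAN opened. Written with the state match of that iptables generation, the rule does what the comment says; the interface name is the one from the posted file.

```text
# Posted form: any packet entering on eth1 is accepted for forwarding
-A FORWARD -i eth1 -j ACCEPT

# State-matched form: only packets belonging to connections already
# established from the inside (or related to them) are forwarded
-A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
```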