DaemonForums  

#1   6th February 2012
Zyos (Port Guard)

I think my laptop is updating an attacker with my IP?

I am baffled. I have a laptop here next to me acting as a web server. It is connected to the internet using a NAT'ed router. I have a dynamic IP address which I have changed multiple times in order to get this IP here, 58.218.199.147, to leave me alone.

So far the only way I have gotten them to stop scanning my ports is to either edit pf.conf and block everything in all directions or unplug the machine entirely. I can't seem to find anything unusual showing up in pflog.

If I open up the ports www, domain, and https on the server and use the router to block all access to it, I still end up seeing things like this appear in its logs several times a day.
Code:
[DoS Attack: ACK Scan] from source: 58.218.199.147, port 80
[DoS Attack: ACK Scan] from source: 58.218.199.147, port 443
If I open the ports via the router so that people can visit my website, all sorts of crazy things start happening. 58.218.199.147 and one of its sister IPs, 58.218.199.250 or possibly 221.174.50.137, start accessing the server on a regular basis and a bunch of different IPs start attacking me. I have been WinNuked, IMAP scanned, ACK scanned, RST scanned, and Null scanned from all sorts of IPs all over the world in obvious patterns. I haven't told anyone there is a web server here.

This computer has been compromised before when it had Windows on it, but since then it's been wiped and reformatted several times. I believe my computer may still be compromised somehow, but I don't know what to do about it. My other machines don't appear to do this; however, one is new and the other has had its hard drive replaced.

I'm fairly new at all of this and have no idea what to do next. Does anyone know what's going on?
#2   6th February 2012
jggimi (More noise than signal)
Welcome to the Internet.

Consider if the Internet were the real world -- your IP address would be your home address. You would want to keep your doors and windows locked, and only let in people you knew, and greeted at the door yourself.

Consider what happens when you set up a service that awaits incoming activity -- you unlock your door. In this case you have a service that will respond to anyone who "knocks" at two doors on your front porch: the two marked TCP port 80 and TCP port 443.

Your experience is typical of anyone who ever opens a service on the Internet, intentionally, or unintentionally. There are script kiddies and other bad actors who set up computers to do nothing other than scan blocks of subnets by the millions -- knocking on every door -- and hoping for positive responses, and then subject those responding systems to further attack.

Your NAT router is not described. If your router is OpenBSD, PF gives you a lot of options to control access to your services, including limiting or eliminating many forms of attack, and adding attacker IP addresses to blocking tables automatically. If your NAT router is a turnkey SOHO device, you are limited to whatever that device may offer, which might be no more than NAT alone as your sole protection from the vagaries of the Internet.

You mention that you have opened "domain" services -- so you are perhaps running or plan to run a DNS server open to the Internet from this platform as well, though that doesn't make much sense to me if your Internet address is dynamic.
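As an added illustration of the PF options mentioned above (this is not from jggimi's post, nor an OpenBSD example), here is a pf.conf fragment for the laptop itself: it opens only the two web ports, answers only to proper SYNs so stray ACK/RST/Null probes get nothing back, rate-limits new connections per source, and moves any source that exceeds the limit into a table that is blocked outright. The interface group name and the thresholds are assumptions.

```pf
# Added example pf.conf fragment (not from the thread). Assumes the laptop's
# Internet-facing interface is in the "egress" group, which OpenBSD assigns
# to the interface carrying the default route; the thresholds are arbitrary.

# Addresses that tripped the rate limit land here. "persist" keeps the
# table around even while no rule references it.
table <bruteforce> persist

# Default deny in both directions, logged, so pflog(4) shows what was refused.
block log all

# Anything from a source already flagged as abusive is dropped before any
# pass rule gets a chance to match.
block in quick on egress from <bruteforce>

# Only the two web ports are reachable from outside. "domain" is deliberately
# not opened: a DNS server on a dynamic address serves no purpose here.
# flags S/SA: only a bare SYN may create state, so ACK/RST/Null scans are
# silently dropped instead of answered.
# max-src-conn:      at most 50 simultaneous connections per source address
# max-src-conn-rate: at most 15 new connections per 5 seconds per source
# overload ... flush global: offenders go into <bruteforce> and every state
#                    they hold on this host is torn down
pass in on egress proto tcp to (egress) port { 80 443 } \
    flags S/SA keep state \
    (max-src-conn 50, \
     max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# Traffic the server itself initiates (updates, DNS lookups) stays allowed.
pass out on egress keep state
```

Load it with `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the addresses that have been caught, and `pfctl -t bruteforce -T expire 86400` drops entries older than a day so the table does not grow forever. Scans will still arrive at the router, but a source that gets no response and then lands in the table has nothing to work with.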
#3   6th February 2012
Zyos (Port Guard)
Quote: Originally Posted by jggimi
Your experience is typical of anyone who ever opens a service on the Internet, intentionally, or unintentionally. There are script kiddies and other bad actors who set up computers to do nothing other than scan blocks of subnets by the millions -- knocking on every door -- and hoping for positive responses, and then subject those responding systems to further attack.
Oh, I see. They're scanning everyone in my entire subnet not just tracking me lol.

Quote: Originally Posted by jggimi
You mention that you have opened "domain" services -- so you are perhaps running or plan to run a DNS server open to the Internet from this platform as well, though that doesn't make much sense to me if your Internet address is dynamic.
That was not what I was intending to do. I'll close that off then. Thanks.