Re: smtp

Re: smtp

[azeem ahmad]

thanks a lot for solving this problem
but here just tell me one thing more that how u said that i m safe. is there 
tcpdump output telling something. if yes then how u judge it.

Regards
Azeem


>From: Gavin Hamill <gdh@acentral.co.uk>
>To: netfilter@lists.netfilter.org
>Subject: Re: smtp
>Date: Fri, 14 May 2004 20:47:23 +0100
>
>On Friday 14 May 2004 19:54, azeem ahmad wrote:
> > hi
> > here is the out put even after blocking all smtp
> > 
>---------------------------------------------------------------------------
> >------------------------------------------------------
> >21:17:31.259275
> > 192.168.0.101.4730 > 207.24.89.66.smtp: S
> > 556950735:556950735(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>
>Notice how all of these are your infected PC trying to talk to the outside
>world, and that there are no packets from the outside world to the infected
>PC? This will be due to your iptables commands blocking this from 
>happening..
>and given that the snapshot took place over 4 seconds, I would say you're
>quite safe :)
>
>Yes, the infected PC will continue to spew out packets until it's fixed, 
>but
>there is no danger, and your Internet bandwidth will no longer be affected.
>
>Cheers,
>Gavin.
>

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE* 
http://join.msn.com/?page=features/junkmail

RE: smtp

[Alexis]

Yes its, all tcpdump logged packets are all with the SYN flag on (and DF
too)

It means that all packets that you are looking at, are the host trying to
reach a destination that it can not connect, so it tries, and tries and
tries again.

It means that the path to the "way out" is blocked.

 

-----Mensaje original-----
De: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] En nombre de azeem ahmad
Enviado el: Viernes, 14 de Mayo de 2004 17:12
Para: netfilter@lists.netfilter.org
Asunto: Re: smtp 

thanks a lot for solving this problem
but here just tell me one thing more that how u said that i m safe. is there
tcpdump output telling something. if yes then how u judge it.

Regards
Azeem


>From: Gavin Hamill <gdh@acentral.co.uk>
>To: netfilter@lists.netfilter.org
>Subject: Re: smtp
>Date: Fri, 14 May 2004 20:47:23 +0100
>
>On Friday 14 May 2004 19:54, azeem ahmad wrote:
> > hi
> > here is the out put even after blocking all smtp
> > 
>-----------------------------------------------------------------------
>----
> >------------------------------------------------------
> >21:17:31.259275
> > 192.168.0.101.4730 > 207.24.89.66.smtp: S
> > 556950735:556950735(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>
>Notice how all of these are your infected PC trying to talk to the 
>outside world, and that there are no packets from the outside world to 
>the infected PC? This will be due to your iptables commands blocking 
>this from happening..
>and given that the snapshot took place over 4 seconds, I would say 
>you're quite safe :)
>
>Yes, the infected PC will continue to spew out packets until it's 
>fixed, but there is no danger, and your Internet bandwidth will no 
>longer be affected.
>
>Cheers,
>Gavin.
>

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE*
http://join.msn.com/?page=features/junkmail

Re: smtp

[Gavin Hamill]

On Friday 14 May 2004 21:11, azeem ahmad wrote:
> thanks a lot for solving this problem
> but here just tell me one thing more that how u said that i m safe. is
> there tcpdump output telling something. if yes then how u judge it.

I'm repeating myself here :) It's obvious because only one direction is 
logged. 

Try doing 'tcpdump -n port 80' for example, and you will see both sides of the 
TCP conversation, and compare that with the 'port 25'.

Cheers,
Gavin

Re: smtp

[azeem ahmad]

hi
here is the out put even after blocking all smtp
---------------------------------------------------------------------------------------------------------------------------------
21:17:31.259275 192.168.0.101.4730 > 207.24.89.66.smtp: S 
556950735:556950735(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:17:32.064278 192.168.0.101.4732 > 216.240.135.98.smtp: S 
557195445:557195445(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:17:33.021182 192.168.0.101.4735 > 202.163.96.6.smtp: S 
557501406:557501406(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:17:33.519967 192.168.0.101.4727 > 216.127.83.228.smtp: S 
556716191:556716191(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:17:34.224181 192.168.0.101.4730 > 207.24.89.66.smtp: S 
556950735:556950735(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:17:35.028993 192.168.0.101.4732 > 216.240.135.98.smtp: S 
557195445:557195445(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
----------------------------------------------------------------------------------------------------------------------------------
>From: Gavin Hamill <gdh@acentral.co.uk>
>To: netfilter@lists.netfilter.org
>Subject: Re: smtp
>Date: Fri, 14 May 2004 16:53:13 +0100
>
>On Friday 14 May 2004 16:41, azeem ahmad wrote:
> > hi
> > sorry for disturbing you a lot
> > but i dont know how can i capture the screen. should i write it down
>
>That's OK there are a couple of easy alternatives. Either 'ssh' into the
>machine (google for 'putty' - a good SSH client for windows) and copy and
>paste the output.. or redirect the output from tcpdump to a file, the same
>way you can with any UNIX command...
>
>$ tcpdump -n -i eth1 port 25 >dump.txt
>
>Then you can just insert this text file into the body of your email.
>
>Cheers,
>Gavin.
>

_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail

Re: smtp

[Gavin Hamill]

On Friday 14 May 2004 19:54, azeem ahmad wrote:
> hi
> here is the out put even after blocking all smtp
> ---------------------------------------------------------------------------
>------------------------------------------------------ 
>21:17:31.259275 
> 192.168.0.101.4730 > 207.24.89.66.smtp: S
> 556950735:556950735(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

Notice how all of these are your infected PC trying to talk to the outside 
world, and that there are no packets from the outside world to the infected 
PC? This will be due to your iptables commands blocking this from happening.. 
and given that the snapshot took place over 4 seconds, I would say you're 
quite safe :)

Yes, the infected PC will continue to spew out packets until it's fixed, but 
there is no danger, and your Internet bandwidth will no longer be affected.

Cheers,
Gavin.

Re: smtp

[azeem ahmad]

hi
sorry for disturbing you a lot
but i dont know how can i capture the screen. should i write it down

Regards
Azeem



>From: Gavin Hamill <gdh@acentral.co.uk>
>To: netfilter@lists.netfilter.org
>Subject: Re: smtp
>Date: Fri, 14 May 2004 14:40:16 +0100
>
>On Friday 14 May 2004 14:19, azeem ahmad wrote:
> > hi
> > please tell me how can i save the output of tcpdump to a file
> >
> > i tried -F anf -w but it doesnt seem to work
>
>-w is the one to use, but you do need to tell it a filename. However, what 
>I
>meant was simply copy + paste the output you see on the console since that
>will be a lot easier for us to glance at.. I mean the stuff like this:
>
>tel# tcpdump -i eth1 -n port 25
>tcpdump: listening on eth1
>14:39:37.592117 10.0.0.52.3564 > 194.200.209.13.25: S 
>1292097321:1292097321(0)
>win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:39:37.592174 10.0.0.254.3564 > 10.0.0.253.25: S 1292097321:1292097321(0)
>win 64240 <mss 1460,nop,nop,sackOK> (DF)
>14:39:37.592353 10.0.0.253.25 > 10.0.0.254.3564: S 958030498:958030498(0) 
>ack
>1292097322 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>14:39:37.592381 194.200.209.13.25 > 10.0.0.52.3564: S 
>958030498:958030498(0)
>ack 1292097322 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>14:39:37.592587 10.0.0.52.3564 > 194.200.209.13.25: . ack 1 win 64240 (DF)
>14:39:37.592603 10.0.0.254.3564 > 10.0.0.253.25: . ack 1 win 64240 (DF)
>
>Cheers,
>Gavin.
>

_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

Re: smtp

[Gavin Hamill]

On Friday 14 May 2004 16:41, azeem ahmad wrote:
> hi
> sorry for disturbing you a lot
> but i dont know how can i capture the screen. should i write it down

That's OK there are a couple of easy alternatives. Either 'ssh' into the 
machine (google for 'putty' - a good SSH client for windows) and copy and 
paste the output.. or redirect the output from tcpdump to a file, the same 
way you can with any UNIX command...

$ tcpdump -n -i eth1 port 25 >dump.txt

Then you can just insert this text file into the body of your email.

Cheers,
Gavin.

Re: smtp

[azeem ahmad]

hi
please tell me how can i save the output of tcpdump to a file

i tried -F anf -w but it doesnt seem to work

Regards
Azeem

>From: Antony Stone <Antony@Soft-Solutions.co.uk>
>Reply-To: netfilter@lists.netfilter.org
>To: netfilter@lists.netfilter.org
>Subject: Re: smtp
>Date: Fri, 14 May 2004 13:46:09 +0100
>
>On Friday 14 May 2004 12:17 pm, azeem ahmad wrote:
>
> > hi all
> > i m havingg a continous upload on port 25 but i m unable to know which 
>ip
> > from my network is uploading on port 25. i saw on iptraf that some one 
>is
> > continously uploading on 25. the hardware addresss that iptraf is 
>showing
> > isnt really on my LAN but the traffic is coming from my LAN
> > how can i find out the real hardware address or ip of the machine 
>uploading
>
>Plug a packet sniffer (eg: ethereal) into the link using a hub?
>
>Antony.
>
>--
>Most people have more than the average number of legs.
>
>                                                      Please reply to the 
>list;
>                                                            please don't CC 
>me.
>
>

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE* 
http://join.msn.com/?page=features/junkmail

Re: smtp

[Gavin Hamill]

On Friday 14 May 2004 14:19, azeem ahmad wrote:
> hi
> please tell me how can i save the output of tcpdump to a file
>
> i tried -F anf -w but it doesnt seem to work

-w is the one to use, but you do need to tell it a filename. However, what I 
meant was simply copy + paste the output you see on the console since that 
will be a lot easier for us to glance at.. I mean the stuff like this:

tel# tcpdump -i eth1 -n port 25
tcpdump: listening on eth1
14:39:37.592117 10.0.0.52.3564 > 194.200.209.13.25: S 1292097321:1292097321(0) 
win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:39:37.592174 10.0.0.254.3564 > 10.0.0.253.25: S 1292097321:1292097321(0) 
win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:39:37.592353 10.0.0.253.25 > 10.0.0.254.3564: S 958030498:958030498(0) ack 
1292097322 win 5840 <mss 1460,nop,nop,sackOK> (DF)
14:39:37.592381 194.200.209.13.25 > 10.0.0.52.3564: S 958030498:958030498(0) 
ack 1292097322 win 5840 <mss 1460,nop,nop,sackOK> (DF)
14:39:37.592587 10.0.0.52.3564 > 194.200.209.13.25: . ack 1 win 64240 (DF)
14:39:37.592603 10.0.0.254.3564 > 10.0.0.253.25: . ack 1 win 64240 (DF)

Cheers,
Gavin.

Re: smtp

[azeem ahmad]

thanks a lot Mr. Gavin Hamill
but i have blocked all the port 25 traffic even then the infected ip which 
is 192.168.0.105 is reciving smtp from many ip addresses from out side
the script i run is as follow
---------------------------------------------------------------------------------------------------
iptables -F
iptables -t nat -F
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A FORWARD -p tcp --dport 25 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DROP
iptables -t nat -A POSTROUTING -p tcp --dport 25 -j DROP
--------------------------------------------------------------------------------------------------------
i flushed iptables first so no other contradictory rule can exist there but 
even then the traffic is coming
what can be the problem

Regards
Azeem


>From: Gavin Hamill <gdh@acentral.co.uk>
>To: netfilter@lists.netfilter.org
>Subject: Re: smtp
>Date: Fri, 14 May 2004 12:37:08 +0100
>
>On Friday 14 May 2004 12:17, azeem ahmad wrote:
> > hi all
> > i m havingg a continous upload on port 25 but i m unable to know which 
>ip
> > from my network is uploading on port 25. i saw on iptraf that some one 
>is
> > continously uploading on 25. the hardware addresss that iptraf is 
>showing
> > isnt really on my LAN but the traffic is coming from my LAN
> > how can i find out the real hardware address or ip of the machine 
>uploading
>
>iptraf is a useful tool for some purposes, but here tcpdump would be more
>appropriate. Install it, and try
>
>tcpdump -n port 25
>
>You may need to specify the eth device with "-i eth0" etc.
>
>It should be obvious very quickly which address on your LAN is generating 
>the
>traffic (the machine will almost certainly be a Windows box with a virus).
From then, you can issue
>
>$ iptables -A FORWARD -p tcp -i ethX -s X.X.X.X --dport 25 -j DROP
>
>And this will immediately stop all traffic from IP address X.X.X.X coming 
>*IN*
>to ethX on your firewall.
>
From there, remove the virus and then undo the above line. (replace -A with
>-D)
>
>Cheers,
>Gavin.
>

_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

Re: smtp

[Gavin Hamill]

On Friday 14 May 2004 13:07, azeem ahmad wrote:
> thanks a lot Mr. Gavin Hamill
> but i have blocked all the port 25 traffic even then the infected ip which
> is 192.168.0.105 is reciving smtp from many ip addresses from out side
> the script i run is as follow

That's fairly comprehensive - I don't think much will be getting through 
that :)

You'll be running iptables on a machine with at least 2 network cards, so you 
may wish to try tcpdump on both eth0 and eth1 - since you will still likely 
be seeing the incoming traffic from the outside listed in the 'tcpdump' 
ouput, but no replies should be happening.

Likewise, when you try on the other interface, you may see the LAN machine 
trying to send out a lot, but the connections will be failing and there 
should be nothing to worry about.

Feel free to post a small amount of 'tcpdump' output if it would help clear 
things up?

Cheers,
Gavin.

smtp

[azeem ahmad]

hi all
i m havingg a continous upload on port 25 but i m unable to know which ip 
from my network is uploading on port 25. i saw on iptraf that some one is 
continously uploading on 25. the hardware addresss that iptraf is showing 
isnt really on my LAN but the traffic is coming from my LAN
how can i find out the real hardware address or ip of the machine uploading

Regards
Azeem

_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

Re: smtp

[Gavin Hamill]

On Friday 14 May 2004 12:17, azeem ahmad wrote:
> hi all
> i m havingg a continous upload on port 25 but i m unable to know which ip
> from my network is uploading on port 25. i saw on iptraf that some one is
> continously uploading on 25. the hardware addresss that iptraf is showing
> isnt really on my LAN but the traffic is coming from my LAN
> how can i find out the real hardware address or ip of the machine uploading

iptraf is a useful tool for some purposes, but here tcpdump would be more 
appropriate. Install it, and try

tcpdump -n port 25

You may need to specify the eth device with "-i eth0" etc. 

It should be obvious very quickly which address on your LAN is generating the 
traffic (the machine will almost certainly be a Windows box with a virus). 
From then, you can issue 

$ iptables -A FORWARD -p tcp -i ethX -s X.X.X.X --dport 25 -j DROP

And this will immediately stop all traffic from IP address X.X.X.X coming *IN* 
to ethX on your firewall.

From there, remove the virus and then undo the above line. (replace -A with 
-D)

Cheers,
Gavin.

Re: smtp

[Antony Stone]

On Friday 14 May 2004 12:17 pm, azeem ahmad wrote:

> hi all
> i m havingg a continous upload on port 25 but i m unable to know which ip
> from my network is uploading on port 25. i saw on iptraf that some one is
> continously uploading on 25. the hardware addresss that iptraf is showing
> isnt really on my LAN but the traffic is coming from my LAN
> how can i find out the real hardware address or ip of the machine uploading

Plug a packet sniffer (eg: ethereal) into the link using a hub?

Antony.

-- 
Most people have more than the average number of legs.

                                                     Please reply to the list;
                                                           please don't CC me.

SMTP

[Steffen Bisgaard]

Hallo all,

Can anybody tell me why the following doesn't allow me to send and receive
email?

# POP server (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 110 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 110 \
--destination-port $UNPRIVPORTS -j ACCEPT
# POP client (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 110 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 110 -j ACCEPT


# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 25 \
--destination-port $UNPRIVPORTS -j ACCEPT
#
#
#
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 25 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 25 -j ACCEPT