IPCop-Forum.de

www.ipcop-forum.de



All times are UTC+02:00




[ 8 posts ]
Posted: 08.07.2015, 12:00
Rookie (topic starter)
Registered: 22.05.2015
Posts: 9
A couple of weeks ago I noticed that it took quite some time before the log file of the day would open, while before that the log would display much faster. At first I thought it was hanging, but after a couple of minutes it did display after all. When it did open, it became quite apparent what was causing the delay, because the log contained literally MILLIONS of hits! Some computers in a number of countries (Brazil, Russia, Israel, etc.) were sending huge numbers of packets to port 5093 (UDP). A quick check revealed that this was an old exploit of version 7.2 of the Sentinel License Manager that would enable an attacker to run arbitrary code if the attack was successful. We're not even running that, but IPCop DROPs these packets anyway, so that's not a problem.

I was hoping that the flood would stop eventually, and the attack would move on to other targets, but there's no sign of that. At the moment, we're still being hit by millions of packets a day, and I'm wondering if that will impact our internet connection? The IPCop computer has an AMD 3200+ CPU, and both CPU and memory usage are quite low, 4% or so.

Is there a way to block the packets, or at least to ignore these hits, so the log file won't be too large to display?

Thanks!
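A way to triage a log like the one described above without waiting for the web UI, as an added example that is not part of this thread or of IPCop itself: a small shell/awk script that counts dropped packets per protocol/port and then per source address for the busiest port. The log lines are constructed to resemble netfilter LOG output; the "RED DROP" prefix mirrors the wording quoted later in the thread, but the exact line format IPCop writes to /var/log/messages is an assumption.

```shell
#!/bin/sh
# Added example, not IPCop code: summarise netfilter LOG lines so a flood
# against one port stands out even when the log holds millions of entries.
# SAMPLE_LOG is constructed; the "RED DROP" prefix and the ppp0 name are
# assumptions about how IPCop labels packets dropped on the RED interface.
SAMPLE_LOG='Jul  8 11:58:01 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=40 TTL=49 ID=0 DF PROTO=UDP SPT=5093 DPT=5093 LEN=20
Jul  8 11:58:01 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=40 TTL=49 ID=0 DF PROTO=UDP SPT=5093 DPT=5093 LEN=20
Jul  8 11:58:02 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=40 TTL=49 ID=0 DF PROTO=UDP SPT=5093 DPT=5093 LEN=20
Jul  8 11:58:02 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=40 TTL=53 ID=0 DF PROTO=UDP SPT=5093 DPT=5093 LEN=20
Jul  8 11:58:03 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=192.0.2.33 DST=198.51.100.7 LEN=40 TTL=44 ID=0 DF PROTO=UDP SPT=5093 DPT=5093 LEN=20
Jul  8 11:58:03 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=192.0.2.33 DST=198.51.100.7 LEN=40 TTL=44 ID=0 DF PROTO=UDP SPT=5093 DPT=5093 LEN=20
Jul  8 11:58:04 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 LEN=60 TTL=51 ID=12345 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  8 11:58:05 ipcop kernel: RED DROP IN=ppp0 OUT= SRC=192.0.2.78 DST=198.51.100.7 LEN=60 TTL=51 ID=12346 DF PROTO=TCP SPT=41023 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0'

# Count logged packets per PROTO/DPT, busiest first.
# Reads the files given as arguments, or stdin when there are none.
top_ports() {
    awk '
    /PROTO=/ {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "" && dpt != "") n[proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -rn
}

# Count packets per source address for one destination port, busiest first.
top_sources_for_port() {
    port=$1; shift
    awk -v port="$port" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt == port && src != "") n[src]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -rn
}

# Usage with the constructed sample. On a real box: top_ports /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | top_ports
printf '%s\n' "$SAMPLE_LOG" | top_sources_for_port 5093
```

The first report answers "which port is being hammered" (here UDP/5093 dominates), the second answers "by how many distinct sources", which tells you whether blocking a handful of addresses would help or whether, as in this thread, the only sensible fix is to stop logging the port.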


Posted: 08.07.2015, 12:12
Superintendent
Registered: 27.11.2005
Posts: 599
Location: Internet
ableeker wrote:
Is there a way to block the packets, or at least to ignore these hits, so the log file won't be too large to display?

The packets are blocked already (as you can see in your log: RED DROP / RED REJECT) but still logged...
To avoid that, just add a new "minimize log" rule with drop to your firewall settings, with the effect that the packets are no longer logged at all, or at most x packets per minute.

_________________
APU3B2 2GB-RAM; Red-Green-Blue-Orange, now with IpFire... RIP IpCOP


Posted: 08.07.2015, 19:12
Rookie (topic starter)
Registered: 22.05.2015
Posts: 9
Thanks for the tip, Nukelodeon! According to the logs the packets are indeed dropped, so that's nice! I would love to create a rule that would drop the packets, and not log them, but how do you do that? You can't drop packets when you use Port Forwarding, and I don't want to forward the packets anyway. Or do you mean forward to an address that doesn't exist? Outgoing Traffic and IPCop Access rules work for outgoing traffic. Would External IPCop Access do the trick? The documentation is a bit terse (to say the least); it just says "Control traffic from the Red interface to IPCop."

Would the following rule work?

Any Source -> Destination IPCop UDP port 5093 / Action DROP, do not log or limit log?

Thanks!


Posted: 08.07.2015, 19:23
Rookie (topic starter)
Registered: 22.05.2015
Posts: 9
The log now shows 10 million hits for today! And it takes more than 10 minutes to show the most recent results.


Posted: 08.07.2015, 20:40
Rookie (topic starter)
Registered: 22.05.2015
Posts: 9
External IPCop Access seems to be working. That's great! Thanks.


Posted: 08.07.2015, 21:13
IPCop developer, site moderator, IPCop supporter 2006, 2007, 2008 and 2009
Registered: 26.06.2005
Posts: 19149
Location: LDK | Hessen
Make sure you DROP the packets. Using REJECT might be too much for your uplink connection, especially when your downlink is much faster than your uplink.

_________________
/* Regards, weizen_42 */

| IPCop Docs | IPCop Gallery | IPCop Uptime | Avoiding trouble |


Posted: 08.07.2015, 21:19
Superintendent
Registered: 27.11.2005
Posts: 599
Location: Internet
ableeker wrote:
Would the following rule work?

Any Source -> Destination IPCop UDP port 5093 / Action DROP, do not log or limit log?

that's the trick ;)

_________________
APU3B2 2GB-RAM; Red-Green-Blue-Orange, now with IpFire... RIP IpCOP
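The rule ableeker proposed and Nukelodeon confirmed (any source, destination IPCop, UDP port 5093, DROP, logging limited), together with weizen_42's advice to DROP rather than REJECT, expressed as the underlying iptables commands. This is an added example, not IPCop's own rule generator or the rule it writes for External IPCop Access. The RED interface name ppp0 and the log prefix are assumptions; without --apply the script only prints the commands instead of running iptables.

```shell
#!/bin/sh
# Added example, not IPCop code: iptables equivalent of a "drop UDP/5093 from
# RED, log at most a few lines per minute" rule. RED_IF=ppp0 and the log prefix
# are assumptions. Prints the commands by default; "--apply" runs them as root.
RED_IF=${RED_IF:-ppp0}
IPT="echo iptables"
[ "$1" = "--apply" ] && IPT=iptables

# Emits the two rules for one protocol/port. Order matters: the rate-limited
# LOG rule must come before the unconditional DROP, otherwise nothing is logged.
# DROP (not REJECT) means no ICMP error is sent back per probe, so a flood of
# millions of inbound packets costs nothing on the uplink.
quiet_drop() {
    proto=$1 port=$2 limit=${3:-3/minute}
    # Log at most $limit lines (plus a burst of 5), then the limit match fails
    # and the packet falls through to the DROP rule unlogged.
    $IPT -A INPUT -i "$RED_IF" -p "$proto" --dport "$port" \
        -m limit --limit "$limit" --limit-burst 5 \
        -j LOG --log-prefix "RED DROP limited "
    # Silently discard everything else addressed to that port.
    $IPT -A INPUT -i "$RED_IF" -p "$proto" --dport "$port" -j DROP
}

# The setting weizen_42 warns against, kept only for contrast: REJECT answers
# every UDP probe with an ICMP port-unreachable, i.e. one outbound packet per
# inbound packet, paid for with uplink bandwidth.
noisy_reject() {
    proto=$1 port=$2
    $IPT -A INPUT -i "$RED_IF" -p "$proto" --dport "$port" \
        -j REJECT --reject-with icmp-port-unreachable
}

# The rule from this thread:
quiet_drop udp 5093
```

Run it once without arguments to review the generated commands, then with --apply on the firewall as root. Rules added by hand this way are not persisted by IPCop's own rule files, so on a real box the web UI rule is the durable choice; the script shows what that rule amounts to at the iptables level.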


Posted: 09.07.2015, 12:15
Rookie (topic starter)
Registered: 22.05.2015
Posts: 9
It's working. Thanks, Nukelodeon and weizen_42, great stuff!

