# Where to direct attempts to access port 1026

## evoweiss

Hi all,

Well, ever since my cable company switched to Comcast I get a ton of hits on port 1026 (unfortunately, my router lets them through). From what I understand, it's an attempt by infected computers to spim the MSN Messenger service. I guess since being moved to a well-known ISP, I'm a bigger target.

I was wondering, if I wanted to use SUA/NAT routing to forward these attempts to a black hole or dead end, where should I direct them? 127.0.0.1?

Best,

Alex

----------

## tukachinchila

I would just drop any tcp and udp inbound packets on port 1026 using iptables, or ebtables. I'm not an expert on firewall rules, so you might want to check the man pages. Something like this might work though: 

```
iptables -A INPUT -p IPv4 --ip-dst 10.0.0.2 --ip-proto tcp --ip-dport 1026 -j DROP

iptables -A INPUT -p IPv4 --ip-dst 10.0.0.2 --ip-proto udp --ip-dport 1026 -j DROP
```

(Change 10.0.0.2 to whatever your IP address is.)

The more secure way would be to drop all packets on all ports, and then poke holes for only the applications you need.

----------

## evoweiss

*tukachinchila wrote:*

> I would just drop any tcp and udp inbound packets on port 1026 using iptables, or ebtables. I'm not an expert on firewall rules, so you might want to check the man pages. Something like this might work though:
> 
> ```
> iptables -A INPUT -p IPv4 --ip-dst 10.0.0.2 --ip-proto tcp --ip-dport 1026 -j DROP
> ...
> ```

Ok, thanks for the info. My router pretty much deals with everything else, so I just need to set up iptables in the manner you've described.

Best,

Alex

----------

## evoweiss

Hi again,

I tried to run iptables using the rules you specified, but I got the following error.

```
# iptables -A INPUT -p IPv4 --ip-dst 192.168.1.35 --ip-proto tcp --ip-dport 1026 -j DROP
iptables v1.2.11: unknown protocol `ipv4' specified
Try `iptables -h' or 'iptables --help' for more information.
```

If I recall correctly, the way to properly set up iptables is by sealing everything off and then 'poking holes' in the ports you want to keep open. Even though I have a router with SPI, I'd still like to do it the correct way. In my case, the ports to keep open would be ssh, bittorrent, and something for irc file transfers.

Can anybody help me with this? I tried to search for a how-to, but must be missing something.

Best,

Alex

----------

## Arno

Here's a web based iptables generator that might help you get started:

```
http://easyfwgen.morizot.net/gen/
```

----------

## evoweiss

Hi,

*Arno wrote:*

> Here's a web based iptables generator that might help you get started:
> 
> ```
> http://easyfwgen.morizot.net/gen/
> ```
> ...

Thanks, but I found a different solution that involved the zywall firewall router I have. Basically, the problem was that either a) I used a newer version of the firmware and blocked said port, but couldn't receive email alerts for anything or b) used the original firmware and said port was forwarded and I got email alerts.

What I did was revert to the older version of the firmware (no security problems with it ever) and then looked around and found out how to get the router to do what I wanted by telnetting into its CLI. So, in short, I changed the rule that was set for port 1026 to block AND specified that hits to that port don't trigger an alert email to me. Mind you, I'll still see hits to that port in my daily log, but I won't be barraged with false positive email alerts all day long (I once had around 300 hits to that port in an hour, the joys of Comcast!)

I have no idea why the company set port 1026 open by default, perhaps there was some purpose early on, but it seemed weird.

Best,

Alex

----------

## NiklasH

The way to do it, IMHO, is to set a DROP policy for the INPUT chain, like this:

```
iptables -P INPUT DROP
```

Then you poke holes in it for the services you want to allow, something like this:

```
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

If you want to get back a bit, you can look at the TARPIT target, which makes it very hard for scanners to close the connection to your box.  :Twisted Evil: 

```
iptables -A INPUT -p tcp --dport 1026 -j LOG --log-prefix "Lamer scanning msn... TARPIT! "
iptables -A INPUT -p tcp --dport 1026 -j TARPIT
```

Lastly, you can add a LOG rule to the end of the chain:

```
iptables -A INPUT -j LOG --log-prefix "Dropped packet: "
```

I don't know if tarpit is in the default installation of iptables, though.

(Edit: maybe i should have read all the posts before i posted... Oh well...)
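As an added example (not NiklasH's or the thread's own script), here is the default-DROP chain from the post above as a reviewable script: it allows loopback and replies to connections the box itself opened (without that rule a DROP policy breaks every outbound connection), pokes holes for ssh, BitTorrent and IRC DCC, logs the port 1026 hits under their own rate-limited prefix before dropping them, and uses LOG+DROP rather than TARPIT since that target may not be built. The port ranges, the `/proc/net/ip_tables_names` check and the `msn spim 1026:` prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the ruleset by default so it
# can be reviewed; "apply" runs it as root and saves it the Gentoo way.
# Port choices below are assumptions, adjust them to the box.
SSH_PORT=22
BT_PORTS="6881:6889"      # assumed BitTorrent listen range
DCC_PORTS="5000:5010"     # assumed IRC DCC port range
NOISE_PORT=1026

# gen_rules: emit the iptables commands in the order they must be applied
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $BT_PORTS -j ACCEPT
iptables -A INPUT -p udp --dport $BT_PORTS -j ACCEPT
iptables -A INPUT -p tcp --dport $DCC_PORTS -j ACCEPT
iptables -A INPUT -p tcp --dport $NOISE_PORT -m limit --limit 6/min -j LOG --log-prefix "msn spim 1026: "
iptables -A INPUT -p udp --dport $NOISE_PORT -m limit --limit 6/min -j LOG --log-prefix "msn spim 1026: "
iptables -A INPUT -p tcp --dport $NOISE_PORT -j DROP
iptables -A INPUT -p udp --dport $NOISE_PORT -j DROP
iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "Dropped packet: "
iptables -P INPUT DROP
EOF
}

# apply_rules: refuse to run without ip_tables kernel support (the error the
# later posts hit), otherwise execute the rules and persist them
apply_rules() {
    if [ ! -e /proc/net/ip_tables_names ]; then
        echo "ip_tables is not loaded; enable Network packet filtering in the kernel" >&2
        return 1
    fi
    gen_rules | sh -e && /etc/init.d/iptables save
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

The policy is set last so an ssh session used to apply the rules is never caught in a window with DROP and no ACCEPT rules.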

----------

## evoweiss

Hi NiklasH,

Thanks for the info about setting up iptables. Is there a specific file I put these settings in or will executing those commands and then setting iptables to run as default via rc-update do the trick?

[rant]Also, I'm getting REALLY pissed off at Comcast. Everything worked dandy with my previous ISP, a small cable TV company. However, since Comcast took over I have had one problem after another with dropped connections. I don't know whether there's some problem that Comcast has with my router (a Zywall 1 with SPI) or whether they are just fscked up. Has anybody else had these sorts of problems with them or am I the only one?[/rant]

Alex

----------

## NiklasH

*evoweiss wrote:*

> Hi NiklasH,
> 
> Thanks for the info about setting up iptables. Is there a specific file I put these settings in or will executing those commands and then setting iptables to run as default via rc-update do the trick?

NP  :Smile: 

You just add the rules, check that everything is OK, then do 

```
/etc/init.d/iptables save
```

Then you need to add iptables to default with rc-update.

*Quote:*

> [rant]Also, I'm getting REALLY pissed off at Comcast. Everything worked dandy with my previous ISP, a small cable TV company. However, since Comcast took over I have had one problem after another with dropped connections. I don't know whether there's some problem that Comcast has with my router (a Zywall 1 with SPI) or whether they are just fscked up. Has anybody else had these sorts of problems with them or am I the only one?[/rant]
> 
> Alex

A long shot might be to set up a cron job that pings some external server every five minutes or so. We have had a few brain-dead switches at work that seem to be too used to Windows boxes, with their constant network blabber...  :Smile:  The ping cronjob seemed to work for that.

Apparently the Linux/Unix boxes were so silent that the switches thought that they were gone from the network, and dropped them from their ARP cache (or whatever they do...).

If you do use the ping cron job, remember the -c switch. I hosed a server at work when I forgot that...  :Embarassed: 
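Once the rules are saved, the LOG rules from NiklasH's earlier post write one kernel-log line per hit, and evoweiss mentioned seeing hundreds an hour. As an added example (not from the thread), the script below turns those lines into a per-prefix, per-source, per-port count so the 1026 noise can be read as a daily summary instead of one alert per hit; the five log lines are constructed, and the `summarise` and `noise_hits` helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the iptables LOG format
# ("<prefix> IN=... SRC=... DPT=..." after "kernel: ") from stdin.
# Constructed sample lines; on a real box feed it /var/log/messages instead.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: Lamer scanning msn... TARPIT! IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.35 LEN=48 TTL=115 PROTO=TCP SPT=3456 DPT=1026 SYN
Mar  3 10:01:09 gw kernel: Lamer scanning msn... TARPIT! IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.35 LEN=48 TTL=115 PROTO=TCP SPT=3457 DPT=1026 SYN
Mar  3 10:02:31 gw kernel: Lamer scanning msn... TARPIT! IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.35 LEN=48 TTL=110 PROTO=TCP SPT=1201 DPT=1026 SYN
Mar  3 10:03:15 gw kernel: Lamer scanning msn... TARPIT! IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.35 LEN=48 TTL=115 PROTO=TCP SPT=3458 DPT=1026 SYN
Mar  3 10:04:40 gw kernel: Dropped packet: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.35 LEN=48 TTL=110 PROTO=TCP SPT=1202 DPT=445 SYN'

# summarise: print "prefix<TAB>src<TAB>dport<TAB>count", busiest first
summarise() {
    awk '
      /kernel: .* IN=/ {
        line = $0
        sub(/^.*kernel: /, "", line)      # strip syslog timestamp and host
        prefix = substr(line, 1, index(line, " IN=") - 1)
        src = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^SRC=/) src = substr($i, 5)
          else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        count[prefix "\t" src "\t" dpt]++
      }
      END { for (k in count) print k "\t" count[k] }
    ' | sort -t "$(printf '\t')" -k4,4nr
}

# noise_hits PORT: total logged hits on PORT across all prefixes and sources
noise_hits() {
    summarise | awk -F '\t' -v port="$1" '$3 == port { n += $4 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarise
printf 'hits on 1026: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | noise_hits 1026)"
```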

----------

## evoweiss

NiklasH,

Thanks for the quick reply. Now, I hate to sound stupid, but what would I need to do to set up said cron job? Believe it or not, I've come this far without the need to use it until now. I will set something like that up as soon as I get home and will keep my fingers crossed. I guess a ping with a count of 1 or 5 should do, right?

Alex

----------

## NiklasH

 *evoweiss wrote:*   

> NiklasH,
> 
> Thanks for the quick reply. Now, I hate to sound stupid, but what would I need to do to set up said cron job? Believe it or not, I've come this far without the need to use it until now. I will set something like that up as soon as I get home and will keep my fingers crossed. I guess a ping with a count of 1 or 5 should do, right?
> 
> Alex

 

I guess you've already got a cron daemon running, so all you need to do is make sure you're in the cron group, then edit your crontab (with crontab -e), something like this:

```
MAILTO=<your mail>

*/5 * * * * ping -c 5 www.sco.com > /dev/null 2>&1
```

The MAILTO makes cron mail the output to you.

Not very interesting for this job, though...  :Smile: 

----------

## nephros

*NiklasH wrote:*

> ```
> MAILTO=<your mail>
> ...
> ```

sco.com might not be a very wise choice for real use, their future is not looking rosy and they might disappear soon  :Twisted Evil: 

Use icann.org or verisign.com, we're in trouble when those are down..

----------

## evoweiss

Funny... Incidentally, I think it might not be a case of no traffic resulting in the death of the connection. After all, both times so far the connection died in the midst of something that would have resulted in network activity.

I'm going to try setting up the IP tables instead of using my router to see whether that does the trick.

Best,

Alex

----------

## evoweiss

Hi all,

Well, there appears to be some weird bug in my router firmware, so I need to take the iptables approach to drop those idiots who try to access 1026 (the tarpit option sounds fun  :Smile: ). However, there's a problem. I emerged iptables and when I tried to issue the iptables -P INPUT DROP command I got the following:

```
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

So, what do I need to set as a module in my kernel?

Alex

----------

## NiklasH

*evoweiss wrote:*

> Hi all,
> 
> Well, there appears to be some weird bug in my router firmware, so I need to take the iptables approach to drop those idiots who try to access 1026 (the tarpit option sounds fun ). However, there's a problem. I emerged iptables and when I tried to issue the iptables -P INPUT DROP command I got the following:
> 
> ```
> ...
> ```

The iptables modules are under Device Drivers -> Networking support -> Networking options -> Network packet filtering

I think you need to emerge iptables with the extensions USE flag for tarpit.

----------

## nephros

*NiklasH wrote:*

> The iptables modules are under Device Drivers -> Networking support -> Networking options -> Network packet filtering
> 
> I think you need to emerge iptables with the extensions USE flag for tarpit.

That, and depending on the kernel sources you use, you might have to patch them with patch-o-matic-ng from netfilter.org.

IIRC gentoo-sources are already patched with TARPIT support.

----------

## evoweiss

*nephros wrote:*

> *NiklasH wrote:* The iptables modules are under Device Drivers -> Networking support -> Networking options -> Network packet filtering
> 
> I think you need to emerge iptables with the extensions USE flag for tarpit.
> 
> That, and depending on the kernel sources you use, you might have to patch them with patch-o-matic-ng from netfilter.org.
> ...

Thanks... I'm running the ck-sources. I'll be upgrading my kernel in a few days, so I'll take care of it then.

Alex

----------

