  1. #1
    Just Joined!
    Join Date
    Dec 2006
    Posts
    2

    Newbie - HELP


    I have a Linux-based server that does everything for me - and the company in South Carolina that has it under support contract seems to have fallen off the face of the earth last week. I'm a school district and use this server for e-mail, web, firewall, etc. and I'm quite distressed. I have very limited Unix knowledge and need some quick help if possible.

    The state of Arkansas has notified me that it will cut my Internet connection if I do not get a port-scanning virus off my network immediately - but I don't know how to produce the NAT logs that might tell me which of my internally addressed machines is the culprit. I am NATting the private addresses through 1 external address. I have over 600 workstations and an Enterprise virus solution but the culprit must be on an unprotected machine.

    If anyone can point me toward log files that I could search I would be most appreciative!!

  2. #2
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,864
    As an initial measure, cut everyone's internet access, just allow the server to talk to the internet. Once you've done that, you have isolated the problem to inside your network.

    You might want to try to establish whether this is a virus or whether it's a malicious user on your lan that's doing the port scan on purpose.

    Here's an approach you can use to stop this kind of thing happening:

    - block everyone's internet access by using the firewall rules and iptables; you do this on the machine that is acting as the firewall.
    - allow internet access only for the server by its IP address, again do this on the firewall box.
    - set up a web proxy such as squid on the server, this is not hard - give it a go.
    - give everyone web access through the proxy only - you could even force them to log onto the proxy.

    This way, nobody gets to connect outside on any ports - they must go through the web proxy which gives them access. You can also set up monitoring software to grab the IP address of the machine that's doing port scans.
    Linux user #126863 - see http://linuxcounter.net/
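The lockdown Roxoff lists above, written out as an added example for the Linux NAT box (this is editorial example code, not Roxoff's or the poster's). Everything about the network is assumed: eth0 on the internet side, eth1 on the LAN side with 10.0.0.0/8 behind it, tun0 for the VPN to the other schools, and 192.0.2.0/24 (a documentation prefix) standing in for whatever state servers the workstations must still reach directly. The script only prints an iptables-restore ruleset; applying it is a separate, deliberate step.

```shell
#!/bin/sh
# Added example: not code from the thread. Generates an iptables-restore ruleset
# that cuts the LAN off from the internet, keeps the VPN and a short allow-list
# open, and logs every other LAN->internet packet with its internal source address.
# Assumed (hypothetical) layout:
#   WAN_IF  eth0  - the single public address lives here
#   LAN_IF  eth1  - the workstations, 10.0.0.0/8
#   VPN_IF  tun0  - tunnel to the other sites; stays open
#   ALLOWED_DST   - internet destinations the workstations may still reach
# The firewall's own traffic (mail, web, squid) uses the OUTPUT chain, not
# FORWARD, so the server keeps full access while the LAN does not.
# Run it from the console, not over SSH, and check "iptables -L -n -v" afterwards.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
VPN_IF=${VPN_IF:-tun0}
LAN_NET=${LAN_NET:-10.0.0.0/8}
ALLOWED_DST=${ALLOWED_DST:-192.0.2.0/24}

gen_ruleset() {
    # nat table: the single-address NAT the poster already relies on
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
        'COMMIT'
    # filter table: FORWARD is the chain LAN hosts traverse to get out; default-deny it
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT" \
        "-A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT"
    # the few internet destinations the schools cannot live without
    for dst in $ALLOWED_DST; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -d $dst -j ACCEPT"
    done
    # everything else from the LAN: log it (rate-limited so a scanner cannot fill
    # the disk), then drop it. SRC= in the resulting kernel log line is the
    # internal address you are looking for.
    printf '%s\n' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"LAN-BLOCKED: \" --log-level 4" \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -j DROP" \
        'COMMIT'
}

# Preview the ruleset; apply it as root with:  gen_ruleset | iptables-restore
gen_ruleset
```

With this in place the only way off the LAN is through squid on the server (workstations talk to the server's own address, which the INPUT chain still accepts), and squid's access.log records the client address of every request. Anything that tries to bypass the proxy, which is what a port scanner does, lands in the kernel log with a LAN-BLOCKED: prefix. The LOG rule is rate-limited on purpose: an infected host can emit thousands of SYNs a second, and you want the source address, not a full disk.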

  3. #3
    Just Joined!
    Join Date
    Dec 2006
    Posts
    2
    Thank you for the suggestions. I can't cut everyone since I have 4 schools and administration that access student records, payroll, accounts, etc. via the state servers across the Internet. One of the programmers from the "missing" company contacted me to say the support team all left that company but he was kind enough to log into my server and shut the ports that were sending the traffic out, but he didn't tell me where the traffic was originating. I think the proxy server is already running but the authentication is turned off. When you say "monitoring" software are you speaking of something like Ethereal?

  4. #4
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,864
    Quote Originally Posted by Arkansas
    Thank you for the suggestions. I can't cut everyone since I have 4 schools and administration that access student records, payroll, accounts, etc. via the state servers across the Internet. One of the programmers from the "missing" company contacted me to say the support team all left that company but he was kind enough to log into my server and shut the ports that were sending the traffic out, but he didn't tell me where the traffic was originating. I think the proxy server is already running but the authentication is turned off. When you say "monitoring" software are you speaking of something like Ethereal?
    You can cut everyone off - if you don't, your ISP will do it for you; you don't need to disable any VPN connections between remote sites, it's only internet access you're turning off through the gateway, you can leave open the routes between VPN boxes connecting your LAN and WAN. And it's only until you have things set up properly again.

    If the proxy server is already running, then it should be quite easy to tell people that the only access to the internet is through that as you have a virus or a script kiddie on one of the workstations causing problems.

    You can use Ethereal to check out network traffic, yes. You can also do it by turning up the ipchains logging in your NAT machine that fronts your LAN connection to the internet.
    Linux user #126863 - see http://linuxcounter.net/
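Reading the NAT box's logs to find the culprit, as an added example (editorial code, not from the thread). Once the firewall logs LAN-to-internet packets with an iptables LOG rule, the kernel writes one syslog line per packet with SRC=, DST= and DPT= fields. The script below counts, per internal source address, how many distinct destination hosts and destination ports it touched; a scanner is the SRC with far more of either than any normal workstation. The "LAN-BLOCKED: " prefix, the 10.x addresses and the sample lines are all constructed for the example.

```shell
#!/bin/sh
# Added example: not from the thread. Ranks internal addresses seen in iptables
# LOG lines by how many distinct destination hosts (a sweep of a subnet for one
# port) and distinct destination ports (walking the ports of one host) each one
# hit. Feed it the kernel log, e.g.:
#   grep 'LAN-BLOCKED:' /var/log/messages | find_culprits 20
# The log prefix and addresses below are assumptions.

# Constructed sample (not real log data): a normal workstation (10.0.5.20), a host
# sweeping 198.51.100.0/24 for TCP/445, and a host walking ports on 192.0.2.10.
SAMPLE_LOG='Dec 12 10:00:01 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=TCP SPT=1027 DPT=80 SYN
Dec 12 10:00:02 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=TCP SPT=1028 DPT=443 SYN
Dec 12 10:00:03 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.9 PROTO=TCP SPT=1029 DPT=80 SYN
Dec 12 10:00:04 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.1 PROTO=TCP SPT=1025 DPT=445 SYN
Dec 12 10:00:04 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.2 PROTO=TCP SPT=1026 DPT=445 SYN
Dec 12 10:00:04 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.3 PROTO=TCP SPT=1027 DPT=445 SYN
Dec 12 10:00:05 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.4 PROTO=TCP SPT=1028 DPT=445 SYN
Dec 12 10:00:05 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.5 PROTO=TCP SPT=1029 DPT=445 SYN
Dec 12 10:00:05 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.6 PROTO=TCP SPT=1030 DPT=445 SYN
Dec 12 10:00:06 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.7 PROTO=TCP SPT=1031 DPT=445 SYN
Dec 12 10:00:06 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.2.3.44 DST=198.51.100.8 PROTO=TCP SPT=1032 DPT=445 SYN
Dec 12 10:00:12 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.1.9.77 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=21 SYN
Dec 12 10:00:12 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.1.9.77 DST=192.0.2.10 PROTO=TCP SPT=2002 DPT=22 SYN
Dec 12 10:00:12 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.1.9.77 DST=192.0.2.10 PROTO=TCP SPT=2003 DPT=23 SYN
Dec 12 10:00:13 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.1.9.77 DST=192.0.2.10 PROTO=TCP SPT=2004 DPT=25 SYN
Dec 12 10:00:13 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.1.9.77 DST=192.0.2.10 PROTO=TCP SPT=2005 DPT=80 SYN
Dec 12 10:00:13 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.1.9.77 DST=192.0.2.10 PROTO=TCP SPT=2006 DPT=110 SYN
Dec 12 10:00:18 gw kernel: LAN-BLOCKED: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0'

find_culprits() {
    # $1 = minimum distinct hosts OR ports before a source is reported (default 20)
    # Reads LOG lines on stdin; prints "SRC hosts=N ports=N packets=N", busiest first.
    min=${1:-20}
    awk -v min="$min" '
        /LAN-BLOCKED:/ {
            src = ""; dst = ""; dpt = ""
            # fields are KEY=VALUE tokens; ICMP lines carry no DPT
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src == "") next
            total[src]++
            if (!((src, dst) in seen_dst)) { seen_dst[src, dst] = 1; ndst[src]++ }
            if (dpt != "" && !((src, dpt) in seen_dpt)) { seen_dpt[src, dpt] = 1; ndpt[src]++ }
        }
        END {
            for (s in total)
                if (ndst[s] >= min || ndpt[s] >= min)
                    printf "%s hosts=%d ports=%d packets=%d\n", s, ndst[s], ndpt[s], total[s]
        }' | sort -t= -k4,4 -rn
}

# Demo on the constructed sample, reporting anything that touched 5+ hosts or ports
printf '%s\n' "$SAMPLE_LOG" | find_culprits 5
```

If you would rather watch live than read logs, the same information is visible on the LAN interface with tcpdump (assuming eth1 faces the workstations): `tcpdump -n -i eth1 'tcp[tcpflags] & tcp-syn != 0 and not dst net 10.0.0.0/8'` prints every outbound connection attempt with its internal source address, which is what Ethereal would show you graphically. Either way, once you have the address, pull that machine's cable before cleaning it; the state is counting packets, not intentions.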
