Hello All,
I was reviewing my logs and noticed some problems with my HTTP rules with FWTK
and HTTP-GW -- someone was able to get to the proxy who wasn't supposed to. I
have found the typo in my rules table, but have some questions now that I have
reviewed my logs. I have been getting pretty regular hits from
sparc.berkeley.edu and puck.berkeley.edu on HTTP only (there is not an HTTP
server inside the firewall, only outside the firewall). The odd thing is
that the duration and bytes-in values seem high (on one of the entries I have
24008 bytes in for a duration of 93). Am I dealing with someone trying to
interactively hack through my firewall via HTTP? Could I have been compromised
via FTP or Telnet from the HTTP-GW Proxy? How can I get more info from the
http-gw process?
Here are the syslog entries (they are probably out of date/time order):
# grep berkeley /var/adm/messages
May 4 16:26:19 igate http-gw[5457]: permit
host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
May 4 16:26:20 igate http-gw[5457]: exit host=puck.berkeley.edu/128.32.92.12
cmds=1 in=0 out=0 user=unauth duration=2
May 4 16:26:22 igate http-gw[5458]: permit
host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
May 4 16:26:26 igate http-gw[5458]: exit host=puck.berkeley.edu/128.32.92.12
cmds=1 in=13668 out=0 user=unauth duration=5
May 7 00:50:41 igate http-gw[6931]: deny host=puck.berkeley.edu/128.32.92.12
use of gateway (Ver 1.0 / 49)
May 7 00:50:41 igate http-gw[6931]: exit host=puck.berkeley.edu/128.32.92.12
cmds=1 in=0 out=0 user=unauth duration=1
# grep berkeley /var/adm/messages.*
/var/adm/messages.0:May 2 19:13:11 igate http-gw[25141]: permit
host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 2 19:13:13 igate http-gw[25141]: exit
host=puck.berkeley.edu/128.32.92.12 cmds=1 in=0 out=0 user=unauth duration=2
/var/adm/messages.0:May 2 19:13:39 igate http-gw[25142]: permit
host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 2 19:13:42 igate http-gw[25142]: exit
host=puck.berkeley.edu/128.32.92.12 cmds=1 in=13668 out=0 user=unauth
duration=4
/var/adm/messages.0:May 3 00:59:01 igate http-gw[26079]: permit
host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 3 00:59:03 igate http-gw[26079]: exit
host=puck.berkeley.edu/128.32.92.12 cmds=1 in=0 out=0 user=unauth duration=3
/var/adm/messages.0:May 3 00:59:04 igate http-gw[26080]: permit
host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 3 00:59:09 igate http-gw[26080]: exit
host=puck.berkeley.edu/128.32.92.12 cmds=1 in=13668 out=0 user=unauth
duration=5
/var/adm/messages.1:Apr 25 13:40:54 igate http-gw[8801]: permit
host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 25 13:42:26 igate http-gw[8801]: exit
host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=24008 out=0 user=unauth
duration=93
/var/adm/messages.1:Apr 25 13:42:34 igate http-gw[8806]: permit
host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 25 13:42:45 igate http-gw[8806]: exit
host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=1016 out=0 user=unauth
duration=15
/var/adm/messages.1:Apr 26 16:02:00 igate http-gw[18051]: permit
host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 26 16:02:07 igate http-gw[18051]: exit
host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=24008 out=0 user=unauth
duration=8
/var/adm/messages.1:Apr 26 16:02:10 igate http-gw[18052]: permit
host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 26 16:02:12 igate http-gw[18052]: exit
host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=1008 out=0 user=unauth
duration=3
/var/adm/messages.3:Apr 10 20:20:50 igate http-gw[15102]: permit
host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.3:Apr 10 20:20:57 igate http-gw[15102]: exit
host=puck.berkeley.edu/128.32.92.12 cmds=1 in=9214 out=0 user=unauth
duration=7
Any Ideas?
Anton Rager
arager @ hibbertco . com
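A small parser for http-gw syslog lines of the shape quoted above, added here as an example (it is not part of the original post or of FWTK): it pairs each permit/deny line with the exit line of the same http-gw PID, flags permitted sessions whose in= bytes or duration exceed a threshold, and totals hits, denies and bytes per source host. The thresholds, the function names and the SAMPLE lines (a few of the post's entries re-joined onto single lines) are assumptions of this example.

```python
import re
from collections import defaultdict
# The two http-gw syslog line shapes in the post. An optional "/path:" prefix,
# as left by "grep pattern /var/adm/messages.*", is matched and discarded.
_HDR = r'^(?:/\S+?:)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ http-gw\[(?P<pid>\d+)\]: '
OPEN_RE = re.compile(_HDR + r'(?P<verdict>permit|deny) host=(?P<host>[^/\s]+)/(?P<ip>\S+) use of gateway')
EXIT_RE = re.compile(_HDR + r'exit host=(?P<host>[^/\s]+)/\S+ cmds=(?P<cmds>\d+) in=(?P<inb>\d+) '
                     r'out=(?P<outb>\d+) user=(?P<user>\S+) duration=(?P<dur>\d+)')

# Constructed sample: three of the post's entries, re-joined onto single lines.
SAMPLE = """\
May  7 00:50:41 igate http-gw[6931]: deny host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
May  7 00:50:41 igate http-gw[6931]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=0 out=0 user=unauth duration=1
/var/adm/messages.1:Apr 25 13:40:54 igate http-gw[8801]: permit host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 25 13:42:26 igate http-gw[8801]: exit host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=24008 out=0 user=unauth duration=93
/var/adm/messages.1:Apr 25 13:42:34 igate http-gw[8806]: permit host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 25 13:42:45 igate http-gw[8806]: exit host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=1016 out=0 user=unauth duration=15
""".splitlines()

def parse_sessions(lines):
    """Pair each permit/deny line with the exit line of the same http-gw PID."""
    pending, sessions = {}, []
    for line in lines:
        m = OPEN_RE.match(line)
        if m:
            pending[m['pid']] = (m['verdict'], m['ts'])   # remember the verdict and start time
            continue
        m = EXIT_RE.match(line)
        if m:
            # An exit with no matching permit/deny (log rotated away) is kept as 'unknown'.
            verdict, ts = pending.pop(m['pid'], ('unknown', m['ts']))
            sessions.append({'ts': ts, 'pid': m['pid'], 'verdict': verdict, 'host': m['host'],
                             'user': m['user'], 'cmds': int(m['cmds']), 'in': int(m['inb']),
                             'out': int(m['outb']), 'dur': int(m['dur'])})
    return sessions

def flag_sessions(sessions, max_in=10000, max_dur=60):
    """Permitted sessions whose in= bytes or duration exceed the (assumed) thresholds."""
    return [s for s in sessions if s['verdict'] == 'permit'
            and (s['in'] > max_in or s['dur'] > max_dur)]

def per_host(sessions):
    """Hits, denies, total in= bytes and longest duration per source host."""
    agg = defaultdict(lambda: {'hits': 0, 'denied': 0, 'in': 0, 'max_dur': 0})
    for s in sessions:
        a = agg[s['host']]
        a['hits'], a['in'] = a['hits'] + 1, a['in'] + s['in']
        a['denied'] += int(s['verdict'] == 'deny')
        a['max_dur'] = max(a['max_dur'], s['dur'])
    return dict(agg)
```

Feed it the output of `grep http-gw /var/adm/messages*` and look at `flag_sessions` first; a single flagged session says nothing about what was requested, so the next step is raising http-gw's logging level so the URL is recorded alongside the counters.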