Сервер FreeBSD, стоит NAT, SQUID, все прозрачно ... трабла в том, что провайдер говорит, что с нашего внешнего ip идет сканирование по 2048 порту. Как узнать с какой машины идут эти пакеты ? Или как это пресечь.

Мой rc.firewall

fxp0 - внешний интерф.
ed1 - внутренний

${fwcmd} add divert natd all from 192.168.100.0/24 to any out via fxp0
${fwcmd} add divert natd all from any to внешний_ip in via fxp0

${fwcmd} add 30  fwd 192.168.100.2,3128 tcp from 192.168.100.2/24 to any 80
        ${fwcmd} add pass tcp from any to any established
        ${fwcmd} add pass ip from 192.168.100.0/24 to any via lo0
        ${fwcmd} add deny icmp from any to any frag
        ${fwcmd} add pass ICMP from any to any

${fwcmd} add pass tcp from 192.168.100.0/24 to 192.168.100.2 80,143,20,21,110,3128 setup in via ed1
${fwcmd} add pass udp from 192.168.100.0/24 to 192.168.100.2 80,143,20,21,110,3128 in via ed1
${fwcmd} add pass tcp from 192.168.100.0/24 to 192.168.100.2 22,135,137,139 setup in via ed1
${fwcmd} add pass udp from 192.168.100.0/24 to 192.168.100.2
135,137,139 in via ed1

${fwcmd} add deny log ip from 192.168.100.0/24 to 192.168.100.2 in via ed1

        # Enable FTP

        ${fwcmd} add pass tcp from any to me 21 setup
        ${fwcmd} add pass tcp from any 20 to me setup
        ${fwcmd} add pass tcp from any to me 32768-65535 setup

        # icmp
        ${fwcmd} add deny icmp from any to any frag
        ${fwcmd} add pass icmp from any to me icmptype 0,3,4,8,11,12
        ${fwcmd} add pass icmp from me to any icmptype 0,3,4,8,11,12

        # Stop RFC1918 nets
     ${fwcmd} add deny all from 10.0.0.0/8 to any via fxp0
     ${fwcmd} add deny all from 172.16.0.0/12 to any via fxp0
     ${fwcmd} add deny all from 192.168.0.0/16 to any via fxp0

        ${fwcmd} add pass tcp from any to me 53 setup
        ${fwcmd} add pass udp from any to me 53
        ${fwcmd} add pass tcp from any 53 to me setup

• Трабла с Безопасностью !!!!,Dimz, 21:53 , 10-Окт-03
• Трабла с Безопасностью !!!!,dev, 01:29 , 11-Окт-03
• Трабла с Безопасностью !!!!,Kadr, 01:27 , 13-Окт-03
  • Трабла с Безопасностью !!!!,Stable, 11:30 , 13-Окт-03

Попробуй trafshow -i ed0

А если просто
${fwcmd} add deny log tcp from any to any dst-port 2048 out xmit ed1
и посмотреть security лог?

Это Nachi worm у тебя на Винбоксах
http://vil.nai.com/vil/content/v_100559.htm

Ничего что я на Английском выдержку дам?

The rash of ping scans we have been seeing are most likely the results  of the Nachi/Welchia worm (see  http://vil.nai.com/vil/content/v_100559.htm and  http://securityresponse.symantec.com/avcenter/venc/data/ w32.welchia.worm.html). Nachi sends out ICMP ECHO_REQUEST packets with  an ip data length of 92 bytes, so I've been using a very simple tcpdump  to detect infected machines:

/usr/sbin/tcpdump -n -l -i em0 "icmp[0] = 8 and ip[3] = 92"

One other good tool for detecting compromised machines is to look for  computers with port 139 and 445 open, and port 135 closed. Since port  135 is normally open on a default Windows install, finding the  Filesharing ports open but the RPC port closed is often an indicator of  a machine that has been compromised, but where the clever worm then  closes the RPC vulnerability so that it cannot be further exploited. I  use a simple nmap script:

nmap -sU -sT -oG - -p 135,139,445 YOUR_IP_RANGE | grep 445 | grep 139 |  grep -v 135 | awk '{print $2,$3}'

Note that this is not a perfect scan, as the port 135 only tends to be  closed until the computer is rebooted for the first time after the  machine is compromised. Other good ports to scan for are 69 (tftp),  3221, and 6351 (used by the hale worm  (http://securityresponse.symantec.com/avcenter/venc/data/ backdoor.hale.html)).

A quick way to scan for Nachi/Welchia is to look for an open port 707/tcp on a host. I use:

nmap -oG - -p 707 your_ip_range | grep 707/open | awk '{print $2, $3}'

to detect hosts.

... Спасибо за ответ, на 4 машинах сидели worms, причем на win2k, они и ломились. Надо бы поискать программку, фиксирующую чрезмерную активность с какого либо ip во внутренней сети.