Hello,
I have internet usage rules for all of my network. Only 2 servers have full access to the internet. Lately I've noticed that lots of traffic is being produced by the servers. Is there a way to know who's using port forwarding to my server so they access the internet? Or is there a way to block people from doing such a thing?
2010/2/25 Roland RoLaNd r_o_l_a_n_d@hotmail.com:
> Hello,
> I have internet usage rules for all of my network. Only 2 servers have full access to the internet. Lately I've noticed that lots of traffic is being produced by the servers. Is there a way to know who's using port forwarding to my server so they access the internet? Or is there a way to block people from doing such a thing?
Err. Disable ip_forward & NAT on the server and limit connections on the main firewall.
-- Eero
cat /proc/sys/net/ipv4/ip_forward
0
----------------------------------------
Date: Thu, 25 Feb 2010 13:39:41 +0200
From: eero.volotinen@iki.fi
To: centos@centos.org
Subject: Re: [CentOS] block port forwarding?
Err. Disable ip_forward & NAT on the server and limit connections on the main firewall.
-- Eero
2010/2/25 Roland RoLaNd r_o_l_a_n_d@hotmail.com:
> cat /proc/sys/net/ipv4/ip_forward
> 0
So, problem solved?
-- Eero
On Thu, Feb 25, 2010 at 6:39 AM, Eero Volotinen eero.volotinen@iki.fi wrote:
> Err. Disable ip_forward & NAT on the server and limit connections on the main firewall.
> -- Eero
@Eero: Don't be so literal. You need to read the whole message and understand the problem. Just because someone calls something "forwarding" doesn't mean they are speaking in the literal Linux kernel sense of the word.
@Roland: In addition to what some other posters have said, look at who is logged in to the server at the time. You might find some open SSH sessions that are using port forwarding. You can disable this by setting "AllowTcpForwarding no" in the sshd_config, but if users have a shell, it will be very difficult to stop it. You also might want to see if there is a proxy set up, or something like that.
On Thursday 25 February 2010 07:36:50 Roland RoLaNd wrote:
> Lately I've noticed that lots of traffic is being produced by the servers. Is there a way to know who's using port forwarding to my server so they access the internet?
I don't know why you use the term "port forwarding". If I understand you correctly, and having said that IP forwarding isn't turned on, you suspect someone is using your 2 servers to gain access to the internet? The only thing I can think of... they might be using your servers as a SOCKS proxy. For this, there needs to be some way to connect to these servers (SSH? etc...).
Log in to these servers and do a "netstat -ntap" so you can see the established connections and track what programs are responsible for these. If anyone is connected to your machines (from the local network) you'll see it there too. Of course, I'm assuming your machines were not tampered with (that is, all the binaries are intact :)
Best regards, Jorge
P.S. You can try Wireshark (network sniffer)...
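
The "netstat -ntap" check suggested in the replies above can be scripted. This is an added example, not code from any poster in the thread: it groups connections by owning program (collapsing the per-user sshd processes into one owner) and flags owners that hold an inbound connection from the LAN together with an outbound connection leaving it, which is how SSH port forwarding or a proxy shows up. The LAN range, the sample output and the program name "proxyd" are assumptions.

```python
import ipaddress
import re

# Assumption: the internal network is 192.168.1.0/24; change to match yours.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample in `netstat -ntap` layout (run as root so the last column
# is filled in). Addresses, PIDs, users and "proxyd" are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN      1021/sshd
tcp        0      0 0.0.0.0:3128       0.0.0.0:*            LISTEN      1650/proxyd
tcp        0     48 192.168.1.10:22    192.168.1.55:51234   ESTABLISHED 2345/sshd: alice [priv]
tcp        0      0 192.168.1.10:40112 203.0.113.80:80      ESTABLISHED 2347/sshd: alice@pts/0
tcp        0      0 192.168.1.10:40113 203.0.113.81:443     ESTABLISHED 2347/sshd: alice@pts/0
tcp        0      0 192.168.1.10:22    192.168.1.77:40022   ESTABLISHED 2501/sshd: bob@pts/1
tcp        0      0 192.168.1.10:3128  192.168.1.90:50311   ESTABLISHED 1650/proxyd
tcp        0      0 192.168.1.10:51820 198.51.100.7:443     ESTABLISHED 1650/proxyd
"""


def owner_key(owner):
    """'2347/sshd: alice@pts/0' and '2345/sshd: alice [priv]' -> 'sshd:alice'."""
    prog = owner.split("/", 1)[-1]
    m = re.match(r"sshd: ([^\s@\[]+)", prog)
    return "sshd:" + m.group(1) if m else prog


def find_relays(netstat_text, lan=LAN):
    """Return owners that hold a LAN client connection AND an outbound one."""
    listening, conns = set(), []
    for line in netstat_text.splitlines():
        f = line.split(None, 6)
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue  # header lines, or rows without an owner column
        lport = f[3].rsplit(":", 1)[1]
        if f[5] == "LISTEN":
            listening.add(lport)
        elif f[5] == "ESTABLISHED":
            conns.append((lport, f[4], f[6].strip()))
    groups = {}
    for lport, foreign, owner in conns:
        peer = ipaddress.ip_address(foreign.rsplit(":", 1)[0])
        peer = getattr(peer, "ipv4_mapped", None) or peer  # ::ffff:a.b.c.d
        g = groups.setdefault(owner_key(owner), {"clients": set(), "external": set()})
        if lport in listening and peer in lan:
            g["clients"].add(str(peer))      # someone on the LAN connected in
        elif lport not in listening and peer not in lan:
            g["external"].add(foreign)       # this owner connected out
    return {k: v for k, v in groups.items() if v["clients"] and v["external"]}


if __name__ == "__main__":
    for name, g in find_relays(SAMPLE).items():
        print(name, "clients:", sorted(g["clients"]), "->", sorted(g["external"]))
```

A flagged owner is a lead to investigate, not proof: a service that accepts LAN clients and also fetches from the internet on its own will match too.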