From pete at soper.us Mon Sep 1 16:42:56 2014 From: pete at soper.us (Pete Soper) Date: Mon, 01 Sep 2014 16:42:56 -0400 Subject: [TriLUG] Triangle Embedded Dev: Monday, Sept 8th 7pm @ NCSU Eng Bldg I, rm 1007 meeting reminder Message-ID: <5404DA50.2060006@soper.us> The Triangle area embedded development interest group (TriEmbed) is meeting this Monday at 7pm at the NCSU Centenial Campus Engineering Bldg I rm 1007. This month's presentation will be a talk by Paul MacDougal about interrupts. Bring your gadgets and gizmos for show and tell. More meeting details and map here . Main website -Pete From jackhill at jackhill.us Wed Sep 3 09:01:54 2014 From: jackhill at jackhill.us (Jack Hill) Date: Wed, 3 Sep 2014 09:01:54 -0400 (EDT) Subject: [TriLUG] Bash workshop this Saturday, September 6th: 1:00-5:00pm, Splat Space in Durham Message-ID: Have you been craving more bash tricks after going home from the August TriLUG meeting? Have a bash project that you're working on, or want to speed up your daily work flow with better aliases and functions in your dotfiles? Just curious to see what other people are doing? Then please come to our bash workshop happening this Saturday, September 6th at 1:00pm at Splat Space in Durham. If you have a project you're working, please bring it. If you don't have a project, don't worry, we'll provide ideas (but a computer will still be useful). When: Saturday, September 6th, 1:00-5:00pm Where: Splat Space, 331 W. Main St., Durham http://splatspace.org/location/ Hope to see you there, Jack -- Jack Hill TriLUG Steering Committee From bill at arrowsreach.com Fri Sep 5 08:47:54 2014 From: bill at arrowsreach.com (Bill Farrow) Date: Fri, 5 Sep 2014 08:47:54 -0400 Subject: [TriLUG] Durham LUG - Linux Gaming with Steam - Wed Sept 10 Message-ID: The Durham Linux User Group is holding a meetup event next week on Linux Gaming with Steam and Steam OS. 
Topic: Discuss Linux Gaming with Steam and Steam OS Date: Wednesday, September 10, 2014, 7pm Location: Bull City Coworking, 112 S Duke St, Durham, NC Refreshments: Beer and Pizza RSVP: http://www.meetup.com/LinuxUserGroup/ TriLUG would like to encourage and support other Linux User Groups in the area. Bill From brb.lists at gmail.com Fri Sep 5 13:12:16 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 13:12:16 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? Message-ID: Hi all, I know this has got to be something simple, but I just can't figure out what is wrong. I have an Ubuntu 12.04 server that has two nics. Eth0 connects to the main network and Eth1 connects to a small/private network. Eth0 is on the inside network of a PIX 515e and has internet access. Here's a simple pic: internet --- PIX --- (192.168.9.0/24) --- Ubuntu --- (192.168.8.0/24) The PIX is the default gateway for ubuntu eth0 as well as all the host on the .9 network. I have added a route on the PIX to send traffic from the .9 network to the IP of the ubuntu box. From the PIX I can ping eth1 of the ubuntu box, but not a device on that .8 network. I've enable routing on the ubuntu box (ip_forward is set to 1). No other boxes on the .9 network can even ping eth1 on the ubuntu box. What in the world am I missing here? I've done several google searches and all of them point to enabling ip_forward and make sure iptables is not blocking anything. IP tables is currently off on the ubuntu box. Anyone have any ideas? Thanks, Brian From matt at noway2.thruhere.net Fri Sep 5 13:25:01 2014 From: matt at noway2.thruhere.net (Matt Flyer) Date: Fri, 5 Sep 2014 13:25:01 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: Message-ID: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Do you have more than one default gateway assigned? That will create which way to go confusion and traffic goes nowhere even with a metric value. 
Sent from my iPad > On Sep 5, 2014, at 1:12 PM, Brian Blater wrote: > > Hi all, > > I know this has got to be something simple, but I just can't figure out > what is wrong. > > I have an Ubuntu 12.04 server that has two nics. Eth0 connects to the main > network and Eth1 connects to a small/private network. Eth0 is on the inside > network of a PIX 515e and has internet access. Here's a simple pic: > > internet --- PIX --- (192.168.9.0/24) --- Ubuntu --- (192.168.8.0/24) > > The PIX is the default gateway for ubuntu eth0 as well as all the host on > the .9 network. I have added a route on the PIX to send traffic from the .9 > network to the IP of the ubuntu box. From the PIX I can ping eth1 of the > ubuntu box, but not a device on that .8 network. > > I've enable routing on the ubuntu box (ip_forward is set to 1). > > No other boxes on the .9 network can even ping eth1 on the ubuntu box. > > What in the world am I missing here? I've done several google searches and > all of them point to enabling ip_forward and make sure iptables is not > blocking anything. IP tables is currently off on the ubuntu box. > > Anyone have any ideas? > > Thanks, > Brian > -- > This message was sent to: Matt Flyer > To unsubscribe, send a blank message to trilug-leave at trilug.org from that address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/matt%40noway2.thruhere.net > Welcome to TriLUG: http://trilug.org/welcome From bill at arrowsreach.com Fri Sep 5 13:34:43 2014 From: bill at arrowsreach.com (Bill Farrow) Date: Fri, 5 Sep 2014 13:34:43 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: On Fri, Sep 5, 2014 at 1:25 PM, Matt Flyer wrote: > Do you have more than one default gateway assigned? 
That will create > which way to go confusion and traffic goes nowhere even with a metric value. Show us the output of "ip route show"... Bill From brb.lists at gmail.com Fri Sep 5 13:41:48 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 13:41:48 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: Correct, I've only got one default gateway define. # route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.99.1 0.0.0.0 UG 100 0 0 eth0 192.168.98.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 192.168.99.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 On Fri, Sep 5, 2014 at 1:25 PM, Matt Flyer wrote: > Do you have more than one default gateway assigned? That will create > which way to go confusion and traffic goes nowhere even with a metric value. > > Sent from my iPad > > > On Sep 5, 2014, at 1:12 PM, Brian Blater wrote: > > > > Hi all, > > > > I know this has got to be something simple, but I just can't figure out > > what is wrong. > > > > I have an Ubuntu 12.04 server that has two nics. Eth0 connects to the > main > > network and Eth1 connects to a small/private network. Eth0 is on the > inside > > network of a PIX 515e and has internet access. Here's a simple pic: > > > > internet --- PIX --- (192.168.9.0/24) --- Ubuntu --- (192.168.8.0/24) > > > > The PIX is the default gateway for ubuntu eth0 as well as all the host on > > the .9 network. I have added a route on the PIX to send traffic from the > .9 > > network to the IP of the ubuntu box. From the PIX I can ping eth1 of the > > ubuntu box, but not a device on that .8 network. > > > > I've enable routing on the ubuntu box (ip_forward is set to 1). > > > > No other boxes on the .9 network can even ping eth1 on the ubuntu box. > > > > What in the world am I missing here? 
I've done several google searches > and > > all of them point to enabling ip_forward and make sure iptables is not > > blocking anything. IP tables is currently off on the ubuntu box. > > > > Anyone have any ideas? > > > > Thanks, > > Brian > > -- > > This message was sent to: Matt Flyer > > To unsubscribe, send a blank message to trilug-leave at trilug.org from > that address. > > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/matt%40noway2.thruhere.net > > Welcome to TriLUG: http://trilug.org/welcome > -- > This message was sent to: Brian Blater > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/brb.lists%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > From aaron at joyner.ws Fri Sep 5 13:42:07 2014 From: aaron at joyner.ws (Aaron Joyner) Date: Fri, 5 Sep 2014 13:42:07 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: A PIX is not a router. Say it again to yourself. A PIX is not a router. I am repeating like a parrot that phrase that another long time TriLUG member once repeated to me with equal conviction. I seem to recall that because of the PIX's design as a firewall, it will not do arbitrary routing, mostly as a (mis)"feature" to protect you from inadvertently bypassing it's security. I believe what's happening is that you have all of the routing configured correctly, but instead of forwarding the packet like you expect, the PIX is dropping it on the floor. 
You can confirm this: 1) from an arbitrary host on the .9 network, ping 192.168.8.1 2) On the ubuntu box, run: tcpdump -i eth0 icmp You *should* see the packet arrive on the eth0 interface, but you *won't* because the PIX ate it. This will allow you to remove the Ubuntu box from suspicion, as it can't forward a packet that it isn't receiving. Happy routing, Aaron S. Joyner On Fri, Sep 5, 2014 at 1:34 PM, Bill Farrow wrote: > On Fri, Sep 5, 2014 at 1:25 PM, Matt Flyer > wrote: > > Do you have more than one default gateway assigned? That will create > > which way to go confusion and traffic goes nowhere even with a metric > value. > > Show us the output of "ip route show"... > > Bill > -- > This message was sent to: Aaron S. Joyner > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/aaron%40joyner.ws > Welcome to TriLUG: http://trilug.org/welcome > From brb.lists at gmail.com Fri Sep 5 13:42:27 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 13:42:27 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: Here is the ip route show: # ip route show default via 192.168.99.1 dev eth0 metric 100 192.168.98.0/24 dev eth1 proto kernel scope link src 192.168.98.10 192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.214 On Fri, Sep 5, 2014 at 1:34 PM, Bill Farrow wrote: > On Fri, Sep 5, 2014 at 1:25 PM, Matt Flyer > wrote: > > Do you have more than one default gateway assigned? That will create > > which way to go confusion and traffic goes nowhere even with a metric > value. > > Show us the output of "ip route show"... 
> > Bill > -- > This message was sent to: Brian Blater > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/brb.lists%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > From jmack at wm7d.net Fri Sep 5 13:44:45 2014 From: jmack at wm7d.net (Joseph Mack NA3T) Date: Fri, 5 Sep 2014 10:44:45 -0700 (PDT) Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: Message-ID: On Fri, 5 Sep 2014, Brian Blater wrote: > Hi all, > > I know this has got to be something simple, but I just can't figure out > what is wrong. > > I have an Ubuntu 12.04 server that has two nics. Eth0 connects to the main > network and Eth1 connects to a small/private network. Eth0 is on the inside > network of a PIX 515e and has internet access. Here's a simple pic: > > internet --- PIX --- (192.168.9.0/24) --- Ubuntu --- (192.168.8.0/24) > > The PIX is the default gateway for ubuntu eth0 as well as all the host on > the .9 network. I have added a route on the PIX to send traffic from the .9 > network to the IP of the ubuntu box. From the PIX I can ping eth1 of the > ubuntu box, but not a device on that .8 network. > > I've enable routing on the ubuntu box (ip_forward is set to 1). > > No other boxes on the .9 network can even ping eth1 on the ubuntu box. > > What in the world am I missing here? I've done several google searches and > all of them point to enabling ip_forward and make sure iptables is not > blocking anything. IP tables is currently off on the ubuntu box. > > Anyone have any ideas? do the machines you're pinging from have a route to 192.168.8.0/24 or are all the pings being sent to the default gw? 
Joe > > Thanks, > Brian > -- Joseph Mack NA3T EME(B,D), FM05lw North Carolina jmack (at) wm7d (dot) net - azimuthal equidistant map generator at http://www.wm7d.net/azproj.shtml Homepage http://www.austintek.com/ It's GNU/Linux! From matt at noway2.thruhere.net Fri Sep 5 13:48:46 2014 From: matt at noway2.thruhere.net (matt at noway2.thruhere.net) Date: Fri, 5 Sep 2014 13:48:46 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: Message-ID: > On Fri, 5 Sep 2014, Brian Blater wrote: > >> Hi all, >> >> I know this has got to be something simple, but I just can't figure out >> what is wrong. >> >> I have an Ubuntu 12.04 server that has two nics. Eth0 connects to the >> main >> network and Eth1 connects to a small/private network. Eth0 is on the >> inside >> network of a PIX 515e and has internet access. Here's a simple pic: >> >> internet --- PIX --- (192.168.9.0/24) --- Ubuntu --- (192.168.8.0/24) >> >> The PIX is the default gateway for ubuntu eth0 as well as all the host >> on >> the .9 network. I have added a route on the PIX to send traffic from the >> .9 >> network to the IP of the ubuntu box. From the PIX I can ping eth1 of the >> ubuntu box, but not a device on that .8 network. >> >> I've enable routing on the ubuntu box (ip_forward is set to 1). >> >> No other boxes on the .9 network can even ping eth1 on the ubuntu box. >> >> What in the world am I missing here? I've done several google searches >> and >> all of them point to enabling ip_forward and make sure iptables is not >> blocking anything. IP tables is currently off on the ubuntu box. >> >> Anyone have any ideas? > > do the machines you're pinging from have a route to 192.168.8.0/24 or are > all > the pings being sent to the default gw? > > Joe > The brain fog is clearing away. I took another look at the diagram and it reminded me of trying to reach a LAN segment from a VPN interface which requires routes or LAN translations. 
Brian, take a look at these links: http://allanmcrae.com/2013/09/routing-traffic-with-openvpn/ Specifically, the part about IPTables set up after enabling forwarding and http://rbgeek.wordpress.com/2012/12/13/openvpn-server-on-ubuntu-12-04-behind-nat/ the part about look at the routing table on client machines. From bill at arrowsreach.com Fri Sep 5 13:49:13 2014 From: bill at arrowsreach.com (Bill Farrow) Date: Fri, 5 Sep 2014 13:49:13 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: On Fri, Sep 5, 2014 at 1:42 PM, Brian Blater wrote: > # ip route show > default via 192.168.99.1 dev eth0 metric 100 > 192.168.98.0/24 dev eth1 proto kernel scope link src 192.168.98.10 > 192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.214 Shouldn't it also have routes for the 192.168.8.0 and 192.168.9.0 networks ? Bill From aaron at joyner.ws Fri Sep 5 13:52:09 2014 From: aaron at joyner.ws (Aaron Joyner) Date: Fri, 5 Sep 2014 13:52:09 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: Some additional searching around lead me to the suggestion that you might be able to overcome this behavior of the PIX with this command: same-security-traffic permit intra-interface (to allow U-turining traffic) Credit where credit is due, found via the search "pix routing between interfaces", which isn't exactly what you're doing, but is the way I've heard people stumble onto this problem before: https://supportforums.cisco.com/discussion/11548911/cannot-communicate-between-same-security-level-interfaces-pix-535-pix-os-80428 And indeed, here's Cisco's reference for that command (although on an ASA, I believe it's equally applicable here): http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html#wp1383263 Aaron S. 
Joyner On Fri, Sep 5, 2014 at 1:42 PM, Aaron Joyner wrote: > A PIX is not a router. Say it again to yourself. A PIX is not a router. > > I am repeating like a parrot that phrase that another long time TriLUG > member once repeated to me with equal conviction. I seem to recall that > because of the PIX's design as a firewall, it will not do arbitrary > routing, mostly as a (mis)"feature" to protect you from inadvertently > bypassing it's security. > > I believe what's happening is that you have all of the routing configured > correctly, but instead of forwarding the packet like you expect, the PIX is > dropping it on the floor. You can confirm this: > 1) from an arbitrary host on the .9 network, ping 192.168.8.1 > 2) On the ubuntu box, run: > tcpdump -i eth0 icmp > > You *should* see the packet arrive on the eth0 interface, but you *won't* > because the PIX ate it. This will allow you to remove the Ubuntu box from > suspicion, as it can't forward a packet that it isn't receiving. > > Happy routing, > Aaron S. Joyner > > > On Fri, Sep 5, 2014 at 1:34 PM, Bill Farrow wrote: > >> On Fri, Sep 5, 2014 at 1:25 PM, Matt Flyer >> wrote: >> > Do you have more than one default gateway assigned? That will create >> > which way to go confusion and traffic goes nowhere even with a metric >> value. >> >> Show us the output of "ip route show"... >> >> Bill >> -- >> This message was sent to: Aaron S. Joyner >> To unsubscribe, send a blank message to trilug-leave at trilug.org from >> that address. >> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug >> Unsubscribe or edit options on the web : >> http://www.trilug.org/mailman/options/trilug/aaron%40joyner.ws >> Welcome to TriLUG: http://trilug.org/welcome >> > > From brb.lists at gmail.com Fri Sep 5 13:54:06 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 13:54:06 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? 
In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: Yes, A PIX is not a "true" router. It is a firewall, but damn it should route properly also. I can understand how it could eat the packet if it had to route across interfaces, but in this case it should send it back out the same interface it received it on. But don't hold me to that as I'm not a Cisco guru. Like you mentioned though, I can only ping from the PIX to the eth1 on the linux box and I can't even do that from one of the other inside hosts. So, it just may be the PIX at fault here. Brian On Fri, Sep 5, 2014 at 1:42 PM, Aaron Joyner wrote: > A PIX is not a router. Say it again to yourself. A PIX is not a router. > > I am repeating like a parrot that phrase that another long time TriLUG > member once repeated to me with equal conviction. I seem to recall that > because of the PIX's design as a firewall, it will not do arbitrary > routing, mostly as a (mis)"feature" to protect you from inadvertently > bypassing it's security. > > I believe what's happening is that you have all of the routing configured > correctly, but instead of forwarding the packet like you expect, the PIX is > dropping it on the floor. You can confirm this: > 1) from an arbitrary host on the .9 network, ping 192.168.8.1 > 2) On the ubuntu box, run: > tcpdump -i eth0 icmp > > You *should* see the packet arrive on the eth0 interface, but you *won't* > because the PIX ate it. This will allow you to remove the Ubuntu box from > suspicion, as it can't forward a packet that it isn't receiving. > > Happy routing, > Aaron S. Joyner > From brb.lists at gmail.com Fri Sep 5 13:55:40 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 13:55:40 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: Message-ID: Hosts are sending their packets to the default gw, which is the PIX. 
On Fri, Sep 5, 2014 at 1:44 PM, Joseph Mack NA3T wrote: > On Fri, 5 Sep 2014, Brian Blater wrote: > > Hi all, >> >> I know this has got to be something simple, but I just can't figure out >> what is wrong. >> >> I have an Ubuntu 12.04 server that has two nics. Eth0 connects to the main >> network and Eth1 connects to a small/private network. Eth0 is on the >> inside >> network of a PIX 515e and has internet access. Here's a simple pic: >> >> internet --- PIX --- (192.168.9.0/24) --- Ubuntu --- (192.168.8.0/24) >> >> The PIX is the default gateway for ubuntu eth0 as well as all the host on >> the .9 network. I have added a route on the PIX to send traffic from the >> .9 >> network to the IP of the ubuntu box. From the PIX I can ping eth1 of the >> ubuntu box, but not a device on that .8 network. >> >> I've enable routing on the ubuntu box (ip_forward is set to 1). >> >> No other boxes on the .9 network can even ping eth1 on the ubuntu box. >> >> What in the world am I missing here? I've done several google searches and >> all of them point to enabling ip_forward and make sure iptables is not >> blocking anything. IP tables is currently off on the ubuntu box. >> >> Anyone have any ideas? >> > > do the machines you're pinging from have a route to 192.168.8.0/24 or are > all the pings being sent to the default gw? > > Joe > > >> Thanks, >> Brian >> >> > -- > Joseph Mack NA3T EME(B,D), FM05lw North Carolina > jmack (at) wm7d (dot) net - azimuthal equidistant map > generator at http://www.wm7d.net/azproj.shtml > Homepage http://www.austintek.com/ It's GNU/Linux! > > -- > This message was sent to: Brian Blater > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. 
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/ > options/trilug/brb.lists%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > From brb.lists at gmail.com Fri Sep 5 13:56:35 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 13:56:35 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: Sorry for the confusion. .98 = .8 and .99 = .9 On Fri, Sep 5, 2014 at 1:49 PM, Bill Farrow wrote: > On Fri, Sep 5, 2014 at 1:42 PM, Brian Blater wrote: > > # ip route show > > default via 192.168.99.1 dev eth0 metric 100 > > 192.168.98.0/24 dev eth1 proto kernel scope link src 192.168.98.10 > > 192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.214 > > Shouldn't it also have routes for the 192.168.8.0 and 192.168.9.0 networks > ? > > Bill > -- > This message was sent to: Brian Blater > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/brb.lists%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > From aaron at joyner.ws Fri Sep 5 14:02:19 2014 From: aaron at joyner.ws (Aaron Joyner) Date: Fri, 5 Sep 2014 14:02:19 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: On Fri, Sep 5, 2014 at 1:54 PM, Brian Blater wrote: > Yes, A PIX is not a "true" router. It is a firewall, but damn it should > route properly also. > I couldn't agree more. That's why I wouldn't buy one, and in the rare case where I've inherited one, I replaced it with a commodity *NIX box forthwith. 
:-) > I can understand how it could eat the packet if it had to route across > interfaces, but in this case it should send it back out the same interface > it received it on. But don't hold me to that as I'm not a Cisco guru. > Now now, Cisco knows what's best for you, and they want to help you keep from hurting yourself with their equipment. Consequentially, they've disabled that feature so you'll follow their design best practices, keep your network devices segmented into the appropriate roles at the appropriate levels, and have routers do routing and firewalls do firewalling. Please purchase an appropriate device for that task from your authorized Cisco reseller. :) Like you mentioned though, I can only ping from the PIX to the eth1 on the > linux box and I can't even do that from one of the other inside hosts. So, > it just may be the PIX at fault here. You have the tools to assign blame appropriately. What does tcpdump say? Are the packets arriving on Ubuntu's eth0? Does "same-security-traffic permit intra-interface" on the PIX change that behavior? Aaron S. Joyner From brb.lists at gmail.com Fri Sep 5 14:04:21 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 14:04:21 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: Message-ID: I think I see what you're getting at on the client machines, but that is what I'm trying to avoid (having to add routes to each client for this network. I really want them to send the packets to the default gw which would then send the packets to the linux machine for this other network. On Fri, Sep 5, 2014 at 1:48 PM, wrote: > > On Fri, 5 Sep 2014, Brian Blater wrote: > > > >> Hi all, > >> > >> I know this has got to be something simple, but I just can't figure out > >> what is wrong. > >> > >> I have an Ubuntu 12.04 server that has two nics. Eth0 connects to the > >> main > >> network and Eth1 connects to a small/private network. 
Eth0 is on the > >> inside > >> network of a PIX 515e and has internet access. Here's a simple pic: > >> > >> internet --- PIX --- (192.168.9.0/24) --- Ubuntu --- (192.168.8.0/24) > >> > >> The PIX is the default gateway for ubuntu eth0 as well as all the host > >> on > >> the .9 network. I have added a route on the PIX to send traffic from the > >> .9 > >> network to the IP of the ubuntu box. From the PIX I can ping eth1 of the > >> ubuntu box, but not a device on that .8 network. > >> > >> I've enable routing on the ubuntu box (ip_forward is set to 1). > >> > >> No other boxes on the .9 network can even ping eth1 on the ubuntu box. > >> > >> What in the world am I missing here? I've done several google searches > >> and > >> all of them point to enabling ip_forward and make sure iptables is not > >> blocking anything. IP tables is currently off on the ubuntu box. > >> > >> Anyone have any ideas? > > > > do the machines you're pinging from have a route to 192.168.8.0/24 or > are > > all > > the pings being sent to the default gw? > > > > Joe > > > The brain fog is clearing away. I took another look at the diagram and it > reminded me of trying to reach a LAN segment from a VPN interface which > requires routes or LAN translations. > > Brian, take a look at these links: > http://allanmcrae.com/2013/09/routing-traffic-with-openvpn/ > > Specifically, the part about IPTables set up after enabling forwarding and > > > http://rbgeek.wordpress.com/2012/12/13/openvpn-server-on-ubuntu-12-04-behind-nat/ > > the part about look at the routing table on client machines. > -- > This message was sent to: Brian Blater > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. 
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/brb.lists%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > From brb.lists at gmail.com Fri Sep 5 14:15:34 2014 From: brb.lists at gmail.com (Brian Blater) Date: Fri, 5 Sep 2014 14:15:34 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: On Fri, Sep 5, 2014 at 2:02 PM, Aaron Joyner wrote: > On Fri, Sep 5, 2014 at 1:54 PM, Brian Blater wrote: > > > Yes, A PIX is not a "true" router. It is a firewall, but damn it should > > route properly also. > > > > I couldn't agree more. That's why I wouldn't buy one, and in the rare case > where I've inherited one, I replaced it with a commodity *NIX box > forthwith. :-) > Now, now - don't be a cisco hater. :) As it stands I did inherit this Cisco PIX and a few others. I'm using these PIXes at home and it is where I test things that I may do at work (someday) or to just play to learn new things. I started with *NIX boxes as firewalls, long ago, but I could never wrap my head around iptables, just like at work I'm struggling to wrap my head around Juniper "speak". > > > I can understand how it could eat the packet if it had to route across > > interfaces, but in this case it should send it back out the same > interface > > it received it on. But don't hold me to that as I'm not a Cisco guru. > > > > Now now, Cisco knows what's best for you, and they want to help you keep > from hurting yourself with their equipment. Consequentially, they've > disabled that feature so you'll follow their design best practices, keep > your network devices segmented into the appropriate roles at the > appropriate levels, and have routers do routing and firewalls do > firewalling. Please purchase an appropriate device for that task from your > authorized Cisco reseller. 
:) > I think that is the problem with most companies now days - be it Cisco, M$, Apple whatever. Do it their way as it is always the only way. Like you mentioned though, I can only ping from the PIX to the eth1 on the > > linux box and I can't even do that from one of the other inside hosts. > So, > > it just may be the PIX at fault here. > > > You have the tools to assign blame appropriately. What does tcpdump say? > Ok, so I did a test here (haven't done a tcpdump yet) on my main linux box that sites on the same .99 network as the ubuntu box. I added a static route to 192.168.98.0/24 to go to the ubuntu box as the gw. Now when I ping the eth1 IP (happens to be .98.10) I get a reply. But I can't ping the device .98.241 from my linux box. So, I think that can rule out the PIX as dropping the packets since I get the same response taking the PIX out of the picture. > Are the packets arriving on Ubuntu's eth0? > > Does "same-security-traffic permit intra-interface" on the PIX change that > behavior? > > Aaron S. Joyner > -- > This message was sent to: Brian Blater > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/brb.lists%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > From aaron at joyner.ws Fri Sep 5 14:19:49 2014 From: aaron at joyner.ws (Aaron Joyner) Date: Fri, 5 Sep 2014 14:19:49 -0400 Subject: [TriLUG] Linux Routing - why isn't it working? In-Reply-To: References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net> Message-ID: Does 98.241 have a default gateway (or a route for .99.0/24) pointing back to 192.168.98.10? 
Sounds like by putting the route in place on the linux box you got past the
PIX; now you can ping eth1's IP, and you can probably deliver packets to the
192.168.98.0/24 network, but hosts on that network don't know how to route
back to 192.168.99.0/24.

From jmack at wm7d.net Fri Sep 5 14:20:29 2014
From: jmack at wm7d.net (Joseph Mack NA3T)
Date: Fri, 5 Sep 2014 11:20:29 -0700 (PDT)
Subject: [TriLUG] Linux Routing - why isn't it working?
On Fri, 5 Sep 2014, Brian Blater wrote:

> I think I see what you're getting at on the client machines, but that is
> what I'm trying to avoid (having to add routes to each client for this
> network). I really want them to send the packets to the default gw which
> would then send the packets to the linux machine for this other network.

On the default gw box do this:

  ip route add x.x.8.0/24 via x.x.9.ip_on_outside_of_ubuntu_box dev eth_inside_PIX_box

Then go to a client and do

  #route -C

then ping the x.x.8.x network. ICMP redirects should send x.x.8.x packets to
the outside of the ubuntu box.

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at
http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

From brb.lists at gmail.com Fri Sep 5 14:30:18 2014
From: brb.lists at gmail.com (Brian Blater)
Date: Fri, 5 Sep 2014 14:30:18 -0400
Subject: [TriLUG] Linux Routing - why isn't it working?
References: <26D8B923-035B-42C2-A1B7-705201F6A5B6@noway2.thruhere.net>

On Fri, Sep 5, 2014 at 2:19 PM, Aaron Joyner wrote:

> Does 98.241 have a default gateway (or a route for .99.0/24) pointing back
> to 192.168.98.10?
>
> Sounds like by putting the route in place on the linux box you got past
> the PIX; now you can ping eth1's IP, and you can probably deliver packets
> to the 192.168.98.0/24 network, but hosts on that network don't know how
> to route back to 192.168.99.0/24.

Yes, and for giggles I did the tcpdump and it showed the packets arriving on
eth0 of the ubuntu box whether they went through the PIX or via a route
directly to the box. I think you hit on the key with the default gateway for
the devices on the .98.0 network. All the devices on that network (other
than the ubuntu box) are IP cameras and I don't think they were configured
with a gw. I need to check that. I only wanted them to communicate with the
Ubuntu box (it is running Zoneminder). I bet that is it. The packet can't go
anywhere from the .98.241 device because of no gw. See, it was something
dumb after all. It's only now that I need to troubleshoot something that I
thought about using the ubuntu box as a router so I could look at those
devices from the main network. DOH!!! I'll put a box on the .98 network and
see if I can access them that way as a test.

From rvestal at trilug.org Fri Sep 5 22:12:40 2014
From: rvestal at trilug.org (Roy Vestal)
Date: Fri, 05 Sep 2014 22:12:40 -0400
Subject: [TriLUG] Durham LUG - Linux Gaming with Steam - Wed Sept 10
Message-ID: <540A6D98.4080403@trilug.org>

Hey Bill,

I can't get there in person. Are you guys going to stream it by chance?

-Roy

From wcchandler at gmail.com Sat Sep 6 12:38:42 2014
From: wcchandler at gmail.com (William Chandler)
Date: Sat, 6 Sep 2014 12:38:42 -0400
Subject: [TriLUG] Show TriLUG: murmur - stupid pinging web app

In preparation for this week's lightning talk I've been hard at work
finishing up some rough edges on a hobby project of mine. It's called
murmur. I hate the name. It's pretty stupid... but I've been too lazy to
create a new project and all that mess. So, whatever.

https://github.com/wcchandler/murmur
demo: http://apps.0x0f.io/murmur/?conf=demo

Got too many extra features I'd like to add but I've been forcing myself to
keep it simple and avoid "feature creep".
I'd be thrilled if anybody looked at this. One other person uses the
predecessor this replaces and I'm always giddy when he talks about it. If I
present on Thursday I'll be showing y'all how to set it up on your own
server and show off some things you might monitor.

Cheers, buckaroos!
--William

From jbroome at gmail.com Sat Sep 6 12:54:52 2014
From: jbroome at gmail.com (John Broome)
Date: Sat, 6 Sep 2014 12:54:52 -0400
Subject: [TriLUG] Show TriLUG: murmur - stupid pinging web app

The config comments are spectacular. Nice job!

From dboth at millennium-technology.com Sat Sep 6 19:30:09 2014
From: dboth at millennium-technology.com (David Both)
Date: Sat, 06 Sep 2014 19:30:09 -0400
Subject: [TriLUG] Web attack?
Message-ID: <540B9901.5070701@millennium-technology.com>

I run a few web sites and have noticed some interesting activity on two of
them today.
One set of web sites is out of my home business and another is one that I
manage at a remote location, and I am getting a constant stream of
connections that look like the following.

80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

Both servers use CentOS 6.5, Apache, WordPress and MySQL. I have a
continuous load of anywhere from 4-8 connections on my own server and
upwards of 100-125 connections on the remote one. Almost all connections
seem to be from Europe and west Asia: France, Netherlands, Great Britain,
Afghanistan, Russia, and a few others.

Other servers I manage remotely do not have anything similar happening.

I found this because htop was showing a somewhat higher than normal CPU
usage for each of these hosts. Nothing overwhelming but enough to make a
noticeable difference from usual.

Do any of you who run web servers see anything similar?

Due to the fact that the number of connections on each server seems
relatively constant and the IP addresses of the sources are constantly
changing, I wonder if the apparent source might be an anonymizing network
such as TOR.

Any information would be helpful.

--
*********************************************************
David P. Both, RHCE
Millennium Technology Consulting LLC
Raleigh, NC, USA
919-389-8678

dboth at millennium-technology.com

www.millennium-technology.com
www.databook.bz - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
*********************************************************
This communication may be unlawfully collected and stored by the National
Security Agency (NSA) in secret. The parties to this email do not consent
to the retrieving or storing of this communication and any related
metadata, as well as printing, copying, re-transmitting, disseminating, or
otherwise using it. If you believe you have received this communication in
error, please delete it immediately.

From ken at mack-z.com Sat Sep 6 19:33:26 2014
From: ken at mack-z.com (Ken MacKenzie)
Date: Sat, 6 Sep 2014 19:33:26 -0400
Subject: [TriLUG] Web attack?
In-Reply-To: <540B9901.5070701@millennium-technology.com>
References: <540B9901.5070701@millennium-technology.com>

Do you have fail2ban set up? That would be my first suggestion.
From kwoodie at gmail.com Sat Sep 6 19:37:10 2014
From: kwoodie at gmail.com (Keith Woodie)
Date: Sat, 6 Sep 2014 19:37:10 -0400
Subject: [TriLUG] Web attack?
References: <540B9901.5070701@millennium-technology.com>

+1 Apache and ssh plugins are great.

On Saturday, September 6, 2014, Ken MacKenzie wrote:

> Do you have fail2ban set up? That would be my first suggestion.
> > > To unsubscribe, send a blank message to trilug-leave at trilug.org > from that > > address. > > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/ > > options/trilug/ken%40mack-z.com > > Welcome to TriLUG: http://trilug.org/welcome > > > -- > This message was sent to: Keith Woodie > > To unsubscribe, send a blank message to trilug-leave at trilug.org > from that address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/kwoodie%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > -- Keith Woodie From dboth at millennium-technology.com Sat Sep 6 20:34:04 2014 From: dboth at millennium-technology.com (David Both) Date: Sat, 06 Sep 2014 20:34:04 -0400 Subject: [TriLUG] Web attack? In-Reply-To: References: <540B9901.5070701@millennium-technology.com> Message-ID: <540BA7FC.30704@millennium-technology.com> I do. I have enabled the bad-bots but these do not appear to be listed there. I suppose I will have to create a configuration for lots of hits from an IP as I don't see one like that. Since the vast majority of these seen to be looking for specific PHP file I could key on that. Thanks! On 09/06/2014 07:33 PM, Ken MacKenzie wrote: > Do you have fail2ban setup. That would be my first suggestion. > On Sep 6, 2014 7:30 PM, "David Both" > wrote: > >> I run a few web sites and have noticed some interesting activity on two of >> them today. One set of web sites is out of my home business and another is >> one that I manage at a remote location and I am getting constant stream of >> connections that look like the following. 
>> >> >> 80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" >> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" >> 195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php >> >> >> Both servers use CentOS 6.5, Apache, WordPress and MySQL. I have a >> continuous load of anywhere from 4-8 connections on my own server and >> upwards of 100-125 connections on the remote one. Almost all connections >> seem to be from Europe and west Asia, France, Netherlands, Great Britain, >> Afganistan, Russia, and a few others. >> >> Other servers I manage remotely do not have anything similar happening. >> >> I found this because htop was showing a somewhat higher than normal CPU >> usage for each of these hosts. Nothing overwhelming but enough to make a >> noticeable difference from usual. >> >> Do any of you who run web servers see anything similar? >> >> Due to the fact that the number of connections on each server seems >> relatively constant and the IP addresses of the sources are constantly >> changing, I wonder if the apparent source might be an anonymizing network >> such as TOR. >> >> Any information would be helpful. >> >> >> -- >> >> >> ********************************************************* >> David P. Both, RHCE >> Millennium Technology Consulting LLC >> Raleigh, NC, USA >> 919-389-8678 >> >> dboth at millennium-technology.com >> >> www.millennium-technology.com >> www.databook.bz - Home of the DataBook for Linux >> DataBook is a Registered Trademark of David Both >> ********************************************************* >> This communication may be unlawfully collected and stored by the National >> Security Agency (NSA) in secret. The parties to this email do not consent >> to the retrieving or storing of this communication and any related >> metadata, as well as printing, copying, re-transmitting, disseminating, or >> otherwise using it. 
>> If you believe you have received this communication in error, please delete it immediately.
>>

From ken at mack-z.com Sat Sep 6 20:38:32 2014
From: ken at mack-z.com (Ken M)
Date: Sat, 6 Sep 2014 20:38:32 -0400
Subject: [TriLUG] Web attack?
In-Reply-To: <540BA7FC.30704@millennium-technology.com>
References: <540B9901.5070701@millennium-technology.com> <540BA7FC.30704@millennium-technology.com>
Message-ID:

Quick googling and I found this: http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/

So they are looking for a WordPress exploit. If you are not serving WordPress I would block based on the request for that.

Sent from my iPad

> On Sep 6, 2014, at 8:34 PM, David Both wrote:
>
> I do. I have enabled the bad-bots but these do not appear to be listed there.
> I suppose I will have to create a configuration for lots of hits from an IP as I don't see one like that. Since the vast majority of these seem to be looking for a specific PHP file I could key on that.
>
> Thanks!

From ken at mack-z.com Sat Sep 6 21:15:27 2014
From: ken at mack-z.com (Ken M)
Date: Sat, 6 Sep 2014 21:15:27 -0400
Subject: [TriLUG] Web attack?
In-Reply-To:
References: <540B9901.5070701@millennium-technology.com> <540BA7FC.30704@millennium-technology.com>
Message-ID: <4F5B0622-6376-48BD-83D5-E435A52CCD3A@mack-z.com>

Reread your original email, and since WordPress is in the equation, check that link for how to deal with that vulnerability.

Sent from my iPad

> On Sep 6, 2014, at 8:38 PM, Ken M wrote:
>
> Quick googling and I found this:
> http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/
>
> So they are looking for a WordPress exploit. If you are not serving WordPress I would block based on the request for that.
>
> Sent from my iPad
>
>> On Sep 6, 2014, at 8:34 PM, David Both wrote:
>>
>> I do. I have enabled the bad-bots but these do not appear to be listed there. I suppose I will have to create a configuration for lots of hits from an IP as I don't see one like that. Since the vast majority of these seem to be looking for a specific PHP file I could key on that.
>>
>> Thanks!
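The thread's suggestion is a fail2ban jail keyed on repeated POST /xmlrpc.php requests from a single address. The script below, added here as an illustration and not code from the thread or from fail2ban, applies the same rule over Apache combined-format log lines of the kind David posted: an IP that sends at least `maxretry` such POSTs within `findtime` seconds is reported. The log lines are constructed (RFC 5737 documentation addresses), and the function names, thresholds and return shape are my own.

```python
"""Flag source addresses that hammer POST /xmlrpc.php, fail2ban style.

Added example, not code from the TriLUG thread or from fail2ban. It parses
Apache combined-format log lines and applies a sliding-window count per
source IP, the same maxretry/findtime logic a fail2ban jail uses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 06/Sep/2014:19:16:30 -0400

# Constructed sample log using RFC 5737 documentation addresses (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
203.0.113.10 - - [06/Sep/2014:19:16:45 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
192.0.2.55 - - [06/Sep/2014:19:17:02 -0400] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Sep/2014:19:17:10 -0400] "GET /wp-login.php HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
203.0.113.10 - - [06/Sep/2014:19:17:20 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
203.0.113.10 - - [06/Sep/2014:19:17:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
203.0.113.10 - - [06/Sep/2014:19:18:01 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [06/Sep/2014:19:30:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
this line is not in Apache format and must be skipped
"""


def parse_line(line):
    """Return a dict for one Apache combined log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc_post(rec):
    """True for a POST to /xmlrpc.php, ignoring any query string."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/xmlrpc.php"


def find_offenders(log_text, maxretry=5, findtime=600):
    """Sliding-window count per source IP, mirroring fail2ban's maxretry/findtime.

    Returns {ip: {"hits": n, "first": datetime, "last": datetime}} for each IP
    that reached `maxretry` matching requests inside a `findtime`-second span;
    `hits` is the window size at the moment the threshold was first crossed.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    offenders = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_post(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have aged out of the window (q[0] is never the
        # entry just appended, so the loop always terminates).
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and rec["ip"] not in offenders:
            offenders[rec["ip"]] = {"hits": len(q), "first": q[0], "last": rec["ts"]}
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        span = (info["last"] - info["first"]).total_seconds()
        print(f"{ip}: {info['hits']} POST /xmlrpc.php in {span:.0f}s -> ban candidate")
```

With the defaults, 203.0.113.10 is reported (five POSTs in 91 seconds) while 198.51.100.7, with two POSTs a quarter of an hour apart, is not; lowering `findtime` to 60 seconds makes the same five requests fall below the threshold, which is the trade-off a jail's `findtime` and `maxretry` settings encode. Before translating this into an outright block, note that xmlrpc.php is also used by legitimate WordPress clients such as the mobile apps and Jetpack, so a rate-based jail is less disruptive than denying the URL entirely.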
