Profile Details

Recent updates
  • Arnaud Forster
    Arnaud Forster replied to a discussion, System hacked ?

    Hello Nick,
    Yes, the logs come from my ClearOS system; the arp -n came from my workstation. Can't make a new one yet because the computer is halted. I'll see tomorrow, but my knowledge here is limited... :(
    Thanks for your help :)

  • Arnaud Forster
    Arnaud Forster started a new discussion, System hacked ?

    System hacked ?

    Hello all,
    I have a problem on my network and my knowledge here is limited, so...
    First, we have been blocked by the Spamhaus project using the XBL tool. It seems a computer on my network sent some spam 3 days ago. The problem for me is to know which one, so I began to have a look at my COS log files and discovered I could not start the intrusion detection components!
    In my logs, I have the following:

    Apr 18 08:50:01 srv-cos systemd: Starting Session 11429 of user root.
    Apr 18 08:50:01 srv-cos systemd: Started Session 11430 of user root.
    Apr 18 08:50:01 srv-cos systemd: Starting Session 11430 of user root.
    Apr 18 08:50:01 srv-cos systemd: Started Session 11428 of user root.
    Apr 18 08:50:01 srv-cos systemd: Starting Session 11428 of user root.
    Apr 18 08:50:01 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
    Apr 18 08:50:31 srv-cos systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Apr 18 08:50:31 srv-cos snortsam: /etc/rc.d/init.d/snortsam: ligne 15 : [: = : opérateur unaire attendu
    Apr 18 08:50:31 srv-cos snortsam: Stopping snortsam: [ÉCHOUÉ]
    Apr 18 08:50:31 srv-cos systemd: Stopped SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Apr 18 08:50:32 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
    Apr 18 08:50:33 srv-cos systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Apr 18 08:50:33 srv-cos snortsam: /etc/rc.d/init.d/snortsam: ligne 15 : [: = : opérateur unaire attendu
    Apr 18 08:50:33 srv-cos snortsam: Starting snortsam: ... delaying[ OK ]
    Apr 18 08:50:33 srv-cos systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Apr 18 08:51:02 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
    Apr 18 08:51:03 srv-cos systemd: Stopping SYSV: Snort Network Intrusion Detection System...
    Apr 18 08:51:04 srv-cos systemd: Stopped SYSV: Snort Network Intrusion Detection System.
    Apr 18 08:51:06 srv-cos systemd: Starting SYSV: Snort Network Intrusion Detection System...
    Apr 18 08:51:06 srv-cos systemd: Started SYSV: Snort Network Intrusion Detection System.
    Apr 18 08:51:21 srv-cos systemd: Stopping SYSV: Snort Network Intrusion Detection System...
    Apr 18 08:51:21 srv-cos systemd: Stopped SYSV: Snort Network Intrusion Detection System.
    Apr 18 08:51:21 srv-cos systemd: Starting SYSV: Snort Network Intrusion Detection System...
    Apr 18 08:51:21 srv-cos systemd: Started SYSV: Snort Network Intrusion Detection System.

    It seems the IP address is used by another system, because when I do `arp -n` on my ClearOS server I don't get the same MAC address as the one in the log...
    #arp -n : 192.168.100.120 ether 3c:d9:2b:58:33:5d C eth6

    I don't know if my system got hacked... and what to do...

    Thanks for your help
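
As an added example (not part of this thread, and not ClearOS code), here is a small Python triage over the lines quoted in this post. It parses the syslog records, aggregates the arpwatch `bogon` reports, checks whether the reported IP belongs to the LAN subnet, compares it against the quoted `arp -n` entry, and flags the SysV init-script lines that report a failure or a shell error. The LAN subnet 192.168.100.0/24 is an assumption inferred from the `arp -n` line; the sample lines are a constructed copy of the post's log, kept verbatim including the French locale messages. Running it shows that the bogon address (192.168.0.120) has no entry in the quoted ARP table, so the MAC in the arpwatch line and the MAC from `arp -n` for 192.168.100.120 describe two different addresses and cannot be compared directly.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the lines quoted in the post, kept verbatim.
SAMPLE_LOG = """\
Apr 18 08:50:01 srv-cos systemd: Starting Session 11429 of user root.
Apr 18 08:50:01 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
Apr 18 08:50:31 srv-cos snortsam: /etc/rc.d/init.d/snortsam: ligne 15 : [: = : opérateur unaire attendu
Apr 18 08:50:31 srv-cos snortsam: Stopping snortsam: [ÉCHOUÉ]
Apr 18 08:50:32 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
Apr 18 08:50:33 srv-cos snortsam: Starting snortsam: ... delaying[ OK ]
Apr 18 08:51:02 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
"""

# Constructed copy of the single `arp -n` line quoted in the post.
SAMPLE_ARP = "192.168.100.120 ether 3c:d9:2b:58:33:5d C eth6"

# Assumption: the ClearOS LAN is 192.168.100.0/24, inferred from the arp -n output.
LAN_SUBNET = ipaddress.ip_network("192.168.100.0/24")

# Classic syslog layout: "Mon DD HH:MM:SS host program: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\s]+): (?P<msg>.*)$"
)
BOGON_RE = re.compile(
    r"^bogon (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)
# sysvinit status markers in the French locale used on this server and in English.
FAILURE_MARKERS = ("[ÉCHOUÉ]", "[FAILED]")
# A shell error reported by an init script itself ("ligne 15 :" / "line 15:").
SCRIPT_ERROR_RE = re.compile(r"init\.d/\S+: (?:ligne|line) \d+")


def parse_syslog(text):
    """Return one dict (ts, host, prog, msg) per well-formed line; others are skipped."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def arpwatch_bogons(records, lan_subnet=LAN_SUBNET):
    """Aggregate arpwatch 'bogon' reports per (ip, mac) and note whether the IP is
    inside the LAN. arpwatch logs 'bogon' when the sender IP of an ARP packet is
    not in the network of the interface it watches."""
    counts = Counter()
    for r in records:
        if r["prog"] != "arpwatch":
            continue
        m = BOGON_RE.match(r["msg"])
        if m:
            counts[(m["ip"], m["mac"])] += 1
    return [
        {"ip": ip, "mac": mac, "count": n,
         "in_lan": ipaddress.ip_address(ip) in lan_subnet}
        for (ip, mac), n in sorted(counts.items())
    ]


def parse_arp_table(text):
    """Parse `arp -n` lines of the form 'IP ether MAC flags iface' into {ip: mac}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "ether":
            table[parts[0]] = parts[2].lower()
    return table


def check_against_arp(bogons, arp_table):
    """For each bogon report, say whether the server's ARP table knows that IP and
    whether the MACs agree. 'no-arp-entry' means the two observations are about
    different addresses and cannot be compared."""
    result = {}
    for b in bogons:
        known = arp_table.get(b["ip"])
        if known is None:
            result[b["ip"]] = "no-arp-entry"
        elif known == b["mac"]:
            result[b["ip"]] = "mac-matches"
        else:
            result[b["ip"]] = "mac-conflict"
    return result


def init_script_problems(records):
    """Flag SysV init-script trouble: a failed status line, or a shell error the
    script printed about itself (here the bad test on line 15 of the snortsam script)."""
    problems = []
    for r in records:
        msg = r["msg"]
        if any(marker in msg for marker in FAILURE_MARKERS):
            problems.append((r["prog"], "failed", msg))
        elif SCRIPT_ERROR_RE.search(msg):
            problems.append((r["prog"], "script-error", msg))
    return problems


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_LOG)
    bogons = arpwatch_bogons(recs)
    for b in bogons:
        print(f"arpwatch bogon {b['ip']} ({b['mac']}) x{b['count']}, in LAN: {b['in_lan']}")
    print("vs arp -n:", check_against_arp(bogons, parse_arp_table(SAMPLE_ARP)))
    for prog, kind, msg in init_script_problems(recs):
        print(f"{prog}: {kind}: {msg}")
```

To use it on the real system, feed the full contents of the messages log to `parse_syslog` and the full `arp -n` output to `parse_arp_table`; the init-script check separates the snortsam startup problem (a scripting error in the init script, unrelated to any host on the network) from the arpwatch reports, which concern an address outside the configured LAN.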

  • Hello Nick :)
    Yes, but I was thinking, as these are 2 physical interfaces, having 2 different IP addresses in the same subnet could do the trick... as you said, ClearOS will be lost with that solution...
    As I already migrated my old ISA server, I now have 2 separate ClearOS systems in my network in the same subnet. Of course, each one is connected to its own WAN subnet and doesn't even know about the other :) Maybe I did not think enough :)
    Well, if I want to use 2 different subnets as I'm planning to do, I'll have to change the IP address of the call center and all my phones, so I need to be sure it's going to work or my colleagues are going to kill me :) (or maybe they will be happy not being disturbed anymore ;) )
    Thanks :)

  • @Duncan - Hello, I'm halfway there for now, meaning the first WAN connection (data) is working fine. As I'll be on holiday next week, I don't want to make too big changes, but I'm going to make a short try next Friday.
    But because I would have to modify my call center and all my phones, I'm going to try the following:
    - My first LAN card is configured and working with the IP address 192.168.100.1; it's the default gateway for my network (except the call center).
    - Currently, I have a small ClearOS system for my VoIP with its own internet connection and the LAN IP address 192.168.100.3. My call center is configured to use it as gateway. So, I'll stop that machine and configure my second LAN card with the IP address 192.168.100.3 (with that, no change will have to be made to my call center). Then I'll configure my second WAN connection, too. Finally, I'll try to add the ip rules as you described in your previous post :)

  • Wow!
    Thanks so much, going to try that.
    In the meantime I was wondering about the multi-WAN component: given that my 1st LAN interface is 192.168.100.1 and is acting as the gateway for my standard network (computers), if we have the source-based route with that IP address (192.168.100.1) to my 1st WAN interface, should all the traffic from 192.168.100.1 use the 1st WAN interface?

  • Thanks very much Nick, I'm going to make a test like this and let you know what happened :)

  • Thanks very much Nick :)
    Yes, I installed the multi-WAN component. There, there's an option called 'Source-based Routes'. If I understand correctly, I should configure it like the pic I attached, given that eth0 and eth1 are my WAN interfaces and 192.168.100.1/24 and 192.168.80/24 my 2 LAN subnets :) If someone can confirm that, it would be great :)

  • Thanks Nick :) I was just wondering which way was the best... and I don't know how to attribute a WAN interface to each subnet... maybe with ip routes? And I have computers with special software connected to the IP phones... is COS able to route traffic between subnets?

    Thanks for your help :)

  • Thank you Nick :)
    In fact, I now have 2 different systems: 1 Windows ISA firewall with a WAN connection for the data, and a ClearOS system acting as gateway with its own WAN connection for the VoIP. I want to remove the whole thing and install a new ClearOS system with the 2 WAN connections. I'd like now to make 2 subnets (virtual or VLANs?) and tell ClearOS that subnet 1 has to use WAN #1 and subnet 2 WAN #2. But I don't know the best way to do it. I have 4 Ethernet cards, so every piece of advice is welcome :) Here's a pic of what I plan to do...
    Thanks

  • 2 Wans, 1 for data and 1 for voip

    Good morning,
    I'm migrating my Windows servers to a new ClearOS system. Until now, we had 2 firewalls, each with its own LAN IP address (same subnet) and each with a permanent public WAN IP address. The first firewall was acting as gateway for the internet connection and the second for our VoIP system.
    I'm building a new ClearOS system with 2 WAN interfaces, but I was wondering how to tell our VoIP system to use the #2 WAN interface and the computers the #1 WAN interface. Can I create 2 LAN interfaces with different IP addresses on the same subnet and use them as gateways... but then how to connect each LAN interface with the WAN ones? Using the multi-WAN component and the "Destination Port Rules"?
    Thanks for your help, and tell me if my explanations are not clear :) Thanks