IPSEC and strange connection to an unknown IP

Raphael Berlamont
Hello,

I've noticed this behaviour for a while now, but I wanted to see whether
it persisted: I have connection attempts from my VPN gateway towards
"187.170.255.239":

Extract from the logs (/var/log/daemon):
====================
Jul  1 03:48:05 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
Jul  1 07:19:11 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
Jul  1 08:12:56 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_PAYLOAD_TYPE
Jul  1 08:24:24 vpn-concentrator isakmpd[24851]: transport_send_messages: giving up on exchange from-10.X.Y.0/18-to-10.X.Y.0/22, no response from peer 187.170.255.239:4500
Jul  1 10:15:52 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
Jul  1 12:18:28 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
Jul  1 14:56:05 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
Jul  1 18:40:36 vpn-concentrator isakmpd[24851]: transport_send_messages: giving up on exchange from-10.X.Y.0/18-to-10.X.Y.0/22, no response from peer 187.170.255.239:4500
Jul  1 19:35:44 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
Jul  1 19:41:10 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
====================

I have a firewall between the VPN concentrator and the Internet, and it
does indeed report something:
====================
OpenBSD-4.9 anubisA ~ # zcat /var/log/pflog.2.gz | tcpdump -netttr - host 187.170.255.239
tcpdump: WARNING: snaplen raised from 116 to 160
Jul 01 18:25:16.487292 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
Jul 01 18:25:23.489131 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
Jul 01 18:25:32.499208 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
Jul 01 18:25:43.519604 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
Jul 01 18:30:01.480510 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
Jul 01 18:30:08.483302 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
Jul 01 18:30:17.493823 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
Jul 01 18:30:28.503715 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
Jul 01 18:40:09.423678 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
Jul 01 18:40:16.426097 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
Jul 01 18:40:25.436956 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
Jul 01 18:40:36.447905 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
OpenBSD-4.9 anubisA ~ #
====================

Whereas there is NOTHING in the config files of my VPN concentrator
that refers to this IP:
====================
OpenBSD-4.9 vpn-concentrator ~ # grep -R 187.170.255.239 /etc/
OpenBSD-4.9 vpn-concentrator ~ #
====================

I think I was already seeing the problem with 4.6.
For the record, this VPN gateway was installed from scratch (it is not
an upgrade), by netinstall, from the official FTP mirrors.

Is anyone else seeing the same behaviour?

Have a good weekend.
--
Raph



________________________________
French OpenBSD mailing list
[hidden email]
http://www.openbsd-france.org/communaute.php
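As an added example (not code from the thread or from OpenBSD), here is a small Python check for exactly the question raised above: it reads isakmpd(8) lines from /var/log/daemon and pflog records as decoded by tcpdump, lists every remote IKE peer, flags those absent from the configured peer list, and separates "our gateway initiates IKE towards a stranger" (the case here) from plain inbound probes that pf blocks. The 187.170.255.239 lines are modelled on the ones quoted in the post; LOCAL_ADDRS, CONFIGURED_PEERS and the 203.0.113.10 / 198.51.100.7 lines are constructed for the demo.

```python
"""Spot IKE peers in isakmpd/pflog output that no configuration accounts for.

Added example, not from the thread or from OpenBSD. The 187.170.255.239 lines
are modelled on the ones quoted in the post; LOCAL_ADDRS, CONFIGURED_PEERS and
the 203.0.113.10 / 198.51.100.7 lines are constructed for the demo.
"""
import re
from collections import Counter, defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# isakmpd(8) messages as they appear in /var/log/daemon
ISAKMPD_DROP = re.compile(
    rf"isakmpd\[\d+\]: dropped message from (?P<ip>{IPV4}) port \d+"
    r" due to notification type (?P<notify>[A-Z_]+)")
ISAKMPD_GIVEUP = re.compile(
    r"isakmpd\[\d+\]: transport_send_messages: giving up on exchange "
    rf"(?P<exchange>\S+), no response from peer (?P<ip>{IPV4}):\d+")
# pflog as decoded by "tcpdump -n": "<src>.<sport> > <dst>.<dport>: ... isakmp v1.0 exchange <TYPE>"
PFLOG_ISAKMP = re.compile(
    rf"(?P<src>{IPV4})\.\d+ > (?P<dst>{IPV4})\.\d+:"
    r".*\bisakmp v[\d.]+ exchange (?P<exchange>\S+)")

LOCAL_ADDRS = {"172.16.2.3"}         # the concentrator's address as seen in pflog
CONFIGURED_PEERS = {"203.0.113.10"}  # constructed: peers actually present in ipsec.conf

SAMPLE_LINES = [
    # /var/log/daemon on the concentrator (modelled on the thread)
    "Jul  1 03:48:05 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE",
    "Jul  1 08:12:56 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_PAYLOAD_TYPE",
    "Jul  1 08:24:24 vpn-concentrator isakmpd[24851]: transport_send_messages: giving up on exchange from-10.X.Y.0/18-to-10.X.Y.0/22, no response from peer 187.170.255.239:4500",
    # pflog on the firewall (modelled on the thread)
    "Jul 01 18:25:16.487292 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted",
    "Jul 01 18:40:09.423678 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted",
    # constructed: a configured peer we talk to, and a stranger probing us
    "Jul 01 18:41:00.000000 rule 40/(match) pass out on vr2: 172.16.2.3.500 > 203.0.113.10.500: isakmp v1.0 exchange ID_PROT",
    "Jul 01 18:42:00.000000 rule 43/(match) block in on vr2: 198.51.100.7.500 > 172.16.2.3.500: isakmp v1.0 exchange ID_PROT",
]


def ike_peers(lines, local_addrs):
    """Map each remote IKE peer to a Counter of what the logs show about it."""
    peers = defaultdict(Counter)
    for line in lines:
        m = ISAKMPD_DROP.search(line)
        if m:
            peers[m["ip"]]["isakmpd dropped: " + m["notify"]] += 1
            continue
        m = ISAKMPD_GIVEUP.search(line)
        if m:
            # retransmit timeout: our own daemon was the one sending
            peers[m["ip"]]["isakmpd no response: " + m["exchange"]] += 1
            continue
        m = PFLOG_ISAKMP.search(line)
        if m:
            # the peer is whichever side is not one of our addresses
            if m["src"] in local_addrs:
                peers[m["dst"]]["outbound " + m["exchange"]] += 1
            elif m["dst"] in local_addrs:
                peers[m["src"]]["inbound " + m["exchange"]] += 1
    return peers


def unexpected_peers(lines, configured_peers, local_addrs):
    """Peers seen in the logs that are neither configured nor one of ours."""
    return {ip: dict(ev) for ip, ev in ike_peers(lines, local_addrs).items()
            if ip not in configured_peers and ip not in local_addrs}


def triage(lines, configured_peers, local_addrs):
    """Tell 'our gateway initiates towards a stranger' apart from inbound probes."""
    result = {}
    for ip, ev in unexpected_peers(lines, configured_peers, local_addrs).items():
        # outbound pflog records or isakmpd retransmit timeouts mean we initiated
        initiated = any(k.startswith(("outbound ", "isakmpd no response")) for k in ev)
        result[ip] = {
            "initiated_by_gateway": initiated,
            "action": ("gateway initiates IKE to this peer: review ipsec.conf/isakmpd.conf "
                       "and the installed flows (ipsecctl -sa)" if initiated
                       else "unsolicited inbound IKE only, blocked by pf"),
            "evidence": ev,
        }
    return result


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LINES, CONFIGURED_PEERS, LOCAL_ADDRS).items()):
        print(ip, "->", info["action"])
        for what, n in sorted(info["evidence"].items()):
            print(f"    {n}x {what}")
```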


Re: IPSEC and strange connection to an unknown IP

Francois Pussault-2
Be wary of this address, it's on the blacklist of the 13 DNS pillars

187.170.0.0/16    UNINET   AS8151
187.170.224.0/19  UNINET   AS8151 (not announced)

Record  Name                                           IP               Route                     AS
ptr     dsl-187-170-255-239-dyn.prod-infinitum.com.mx  187.170.255.239  187.170.0.0/16 (UNINET)   AS8151 (UNINET S.A. de C.V.), Mexico
Domain: mx / com.mx / prod-infinitum.com.mx

187.170.255
Lexically nearby names (31)

187.170.18.71.in-addr.arpa
187.170.2.in-addr.arpa
187.170.200.in-addr.arpa
187.170.207.in-addr.arpa
187.170.209.in-addr.arpa
187.170.210.in-addr.arpa
187.170.216.in-addr.arpa
187.170.222.broad.hg.hl.dynamic.163data.com.cn
187.170.223.87.dynamic.jazztel.es
187.170.232.72.static.reverse.ltdomains.com
187.170.24.in-addr.arpa
187.170.241.83.in-addr.dgcsystems.net
187.170.249.ozerki.net
187.170.36.72.static.reverse.layeredtech.com
187.170.36.72.static.reverse.ltdomains.com
187.170.38.86.ip.erdves.lt
187.170.41.192.rev-dns.cs.ait.ac.th
187.170.46.78.clients.your-server.de
187.170.61.broad.xw.sh.dynamic.163data.com.cn
187.170.62.59.broad.yc.jx.dynamic.163data.com.cn
187.170.62.in-addr.arpa
187.170.64-86.rev.gaoland.net
187.170.65-86.rev.gaoland.net
187.170.66.218.broad.qz.fj.dynamic.163data.com.cn
187.170.68.in-addr.arpa
187.170.69.in-addr.arpa
187.170.71.218.broad.nb.zj.dynamic.163data.com.cn
187.170.71.in-addr.arpa
187.170.72.218.broad.jh.zj.dynamic.163data.com.cn
187.170.73.218.broad.wz.zj.dynamic.163data.com.cn
187.170.74.218.broad.sx.zj.dynamic.163data.com.cn

analysis
...
contact
...
Blacklists
blocklist link status description
servfail
black.uribl.com   link  
grey.uribl.com   link  
red.uribl.com   link  
white.uribl.com   link  
multi.uribl.com   link  
green
bl.deadbeef.com  
in.dnsbl.org  
ex.dnsbl.org  
zebl.zoneedit.com  
rddn.dnsbl.net.au  
postmaster.rfc-ignorant.org   link  
dsn.rfc-ignorant.org   link  
abuse.rfc-ignorant.org   link  
whois.rfc-ignorant.org   link  
bogusmx.rfc-ignorant.org   link  
badconf.rhsbl.sorbs.net  
nomail.rhsbl.sorbs.net  
rhsbl.ahbl.org  
jwrh.dnsbl.net.au  
dnsrbl.swinog.ch   link  
multi.surbl.org   link  
dyndns.rbl.jp  


md5:434b553bb85b40de2b0dfc9e0aeea70e:1187.170.255
md5:96de3f767006af7cc62fcdc756a4e626:17.170.255
md5:149e9677a5989fd342ae44213df68868:170
md5:112b73b521994f1b6304b20dcfed5168:170.255
md5:459d93faaff7299577c01e992fdf4a0d:170255
md5:24751fe23cb8f9519f90a60cd8d73c06:178.170.255
md5:cbc1cabba3b83d66a990c66e673cf1e6:18.170.255
md5:dd4bc90230becdf3bfe3d65213090943:18.7170.255
md5:31fefc0e570cb3860f2a6d4b38c6490d:187
md5:5e0811ab5c31777640164f1df715cc43:187..170.255
md5:6e7506bf327058a92fda549f8ead336c:187.10.255
md5:723a63fa6842b2b800017f1d9dc7ff63:187.107.255
md5:dd6f5343eebc3a3f9247ecb79ad93210:187.1170.255
md5:492978cba485067cb79c1fdf58cb9b48:187.17.0255
md5:6e52a0f8cfd33cf19a8bf1b41307c245:187.17.255
md5:474ca8d7e2f39e2d834a598afb7d0a53:187.170
md5:190fa32a833c2e55acf5e669f82fdc2f:187.170..255
md5:2076600541976355c702f3963f0b4928:187.170.2255
md5:24e78e7646ecf7341a75939672cda746:187.170.25
md5:26180250e6ef4a32864a7aa085745c54:187.170.255
md5:211ccaf8bbe9aec85ad9e999313b7b31:187.170.2555
md5:7cfdf4ca0568a1b0b31a7caf0e44330d:187.170.525
md5:6f5ff2afa1de102455ae07edd35369ba:187.170.55
md5:73543c693f3c05c95ea81e06a8556f34:187.1700.255
md5:a6b924e61094dc09d8cdf52fcc037d0f:187.1702.55
md5:463781e584f9a006c423a9dcd72f3534:187.170255
md5:c88b890232948a4d1977bc7b5e6df48f:187.1770.255
md5:a9e1403ba4a84d52f842b4317039ebb9:187.70.255
md5:25a29a76ac2ff7f0315f16c8cd3e9560:187.710.255
md5:29d0f36a1fb560aeda5f40bd1f712735:1871.70.255
md5:626d153870c209264d56d7907d910527:187170
md5:6af63ded25120dd9187954c3b3982851:187170.255
md5:7957813a98216be3309ebcdcafade60b:187170255
md5:c1a646c9f081c786f46a5950cea54060:1877.170.255
md5:d4f9f8eb7b9e123735bb4117c7a1317c:1887.170.255
md5:fe131d7f5a6b38b23cc967316c13dae2:255
md5:90e21c9bc160db0623989f74cc325fef:817.170.255
md5:1c18eddc22d8d3a9ad797be4414d223a:87.170.255
Whois
Whois information is fetched in the background



> ----------------------------------------
> From: Raphael Berlamont <[hidden email]>
> Sent: Fri Jul 01 21:46:20 CEST 2011
> To: <[hidden email]>
> Subject: [obsdfr-misc] IPSEC and strange connection to an unknown IP


Regards
Francois Pussault
3701 - 8 rue Marcel Pagnol
31100 Toulouse 
France 
+33 6 17 230 820   +33 5 34 365 269
[hidden email]


Re: IPSEC and strange connection to an unknown IP

Raphael Berlamont
On Friday 01 July 2011 at 21:51 +0200, Francois Pussault wrote:
> Be wary of this address, it's on the blacklist of the 13 DNS pillars

Thanks. How did you get this information? I don't get all that from a
simple whois…
--
Raph




Re: IPSEC and strange connection to an unknown IP

SDL-8
In reply to this post by Francois Pussault-2
Ah, it would be interesting to put together a checklist of dangerous addresses
for the openbsd-fr site; I'm happy to do it if someone gives me the raw
material :). As for the goblin beer, I've had my fill :).

On 1 July 2011 21:51, Francois Pussault <[hidden email]> wrote:

> Be wary of this address, it's on the blacklist of the 13 DNS
> pillars

Re: IPSEC and strange connection to an unknown IP

Francois Pussault-2
In reply to this post by Raphael Berlamont
You just have to look at the robtex lists, for example



> ----------------------------------------
> From: Raphael Berlamont <[hidden email]>
> Sent: Fri Jul 01 22:48:26 CEST 2011
> To: <[hidden email]>
> Subject: Re: [obsdfr-misc] IPSEC and strange connection to an unknown IP


Regards
Francois Pussault
3701 - 8 rue Marcel Pagnol
31100 Toulouse 
France 
+33 6 17 230 820   +33 5 34 365 269
[hidden email]


Re: IPSEC and strange connection to an unknown IP

Francois Pussault-2
In reply to this post by SDL-8
For a start, we could put up a link to www.robtex.com, for example, and
explain why to go there for every "strange" trace in the router logs, or
even in auth.log.

The file I'm providing as an example is all the addresses that attempted a
login or an access to a closed port on my router over roughly 2 years and
got thrown out.

> ----------------------------------------
> From: SDL <[hidden email]>
> Sent: Fri Jul 01 22:51:42 CEST 2011
> To: <[hidden email]>
> Subject: Re: [obsdfr-misc] IPSEC and strange connection to an unknown IP
>
>
> ah, il serait intéressant de faire une checklist des adresses dangereuses
> pour le site openbsd-fr, je veux bien le faire si on me donne la matiére
> premiére :). Pour la biére a lutins, j'ai eu ma dose :).
>
> Le 1 juillet 2011 21:51, Francois Pussault <[hidden email]> a
> écrit :
>
> > mefies toi de cette adresse elle fait partie de la blacklist des 13
> > pilliers DNS
> >
> >
> >
> >
> >                187.170.0.0/16 UNINET   AS8151
> >                   187.170.224.0/19 UNINET   AS8151 (not announced)
> > Base    Record  Name    IP      Reverse Route   AS
> > dsl-187-170-255-239-dyn.prod-infinitum.com.mx   ptr     187.170.255.239
> > Mexico
> >        187.170.0.0/16
> > UNINET
> >        AS8151
> > UNINET S.A. de C.V.
> > mx   com.mx   prod-infinitum.com.mx
> > Graph
> >
> > 187.170.255
> > Lexically nearby names (31)
> >
> > 187.170.18.71.in-addr.arpa
> > 187.170.2.in-addr.arpa
> > 187.170.200.in-addr.arpa
> > 187.170.207.in-addr.arpa
> > 187.170.209.in-addr.arpa
> > 187.170.210.in-addr.arpa
> > 187.170.216.in-addr.arpa
> > 187.170.222.broad.hg.hl.dynamic.163data.com.cn
> > 187.170.223.87.dynamic.jazztel.es
> > 187.170.232.72.static.reverse.ltdomains.com
> > 187.170.24.in-addr.arpa
> > 187.170.241.83.in-addr.dgcsystems.net
> > 187.170.249.ozerki.net
> > 187.170.36.72.static.reverse.layeredtech.com
> > 187.170.36.72.static.reverse.ltdomains.com
> > 187.170.38.86.ip.erdves.lt
> > 187.170.41.192.rev-dns.cs.ait.ac.th
> > 187.170.46.78.clients.your-server.de
> > 187.170.61.broad.xw.sh.dynamic.163data.com.cn
> > 187.170.62.59.broad.yc.jx.dynamic.163data.com.cn
> > 187.170.62.in-addr.arpa
> > 187.170.64-86.rev.gaoland.net
> > 187.170.65-86.rev.gaoland.net
> > 187.170.66.218.broad.qz.fj.dynamic.163data.com.cn
> > 187.170.68.in-addr.arpa
> > 187.170.69.in-addr.arpa
> > 187.170.71.218.broad.nb.zj.dynamic.163data.com.cn
> > 187.170.71.in-addr.arpa
> > 187.170.72.218.broad.jh.zj.dynamic.163data.com.cn
> > 187.170.73.218.broad.wz.zj.dynamic.163data.com.cn
> > 187.170.74.218.broad.sx.zj.dynamic.163data.com.cn
> >
> > analysis
> > ...
> > contact
> > ...
> > Blacklists
> > blocklist       link    status  description
> > servfail
> > black.uribl.com         link
> > grey.uribl.com          link
> > red.uribl.com   link
> > white.uribl.com         link
> > multi.uribl.com         link
> > green
> > bl.deadbeef.com
> > in.dnsbl.org
> > ex.dnsbl.org
> > zebl.zoneedit.com
> > rddn.dnsbl.net.au
> > postmaster.rfc-ignorant.org     link
> > dsn.rfc-ignorant.org    link
> > abuse.rfc-ignorant.org          link
> > whois.rfc-ignorant.org          link
> > bogusmx.rfc-ignorant.org        link
> > badconf.rhsbl.sorbs.net
> > nomail.rhsbl.sorbs.net
> > rhsbl.ahbl.org
> > jwrh.dnsbl.net.au
> > dnsrbl.swinog.ch        link
> > multi.surbl.org         link
> > dyndns.rbl.jp
> >
> >
> > > ----------------------------------------
> > > From: Raphael Berlamont <[hidden email]>
> > > Sent: Fri Jul 01 21:46:20 CEST 2011
> > > To: <[hidden email]>
> > > Subject: [obsdfr-misc] IPSEC and strange connection to an unknown IP
> > >
> > >
> > > Hello,
> > >
> > > I noticed this behaviour a little while ago, but I wanted to see
> > > whether it would persist: I have connection attempts from my VPN
> > > gateway to "187.170.255.239":
> > >
> > > Log excerpt (/var/log/daemon):
> > > ====================
> > > Jul  1 03:48:05 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
> > > Jul  1 07:19:11 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
> > > Jul  1 08:12:56 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_PAYLOAD_TYPE
> > > Jul  1 08:24:24 vpn-concentrator isakmpd[24851]: transport_send_messages: giving up on exchange from-10.X.Y.0/18-to-10.X.Y.0/22, no response from peer 187.170.255.239:4500
> > > Jul  1 10:15:52 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
> > > Jul  1 12:18:28 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
> > > Jul  1 14:56:05 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
> > > Jul  1 18:40:36 vpn-concentrator isakmpd[24851]: transport_send_messages: giving up on exchange from-10.X.Y.0/18-to-10.X.Y.0/22, no response from peer 187.170.255.239:4500
> > > Jul  1 19:35:44 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
> > > Jul  1 19:41:10 vpn-concentrator isakmpd[24851]: dropped message from 187.170.255.239 port 4500 due to notification type INVALID_COOKIE
> > > ====================
> > >
> > > I have a firewall between the VPN concentrator and the Internet, and it
> > > does indeed report things:
> > > ====================
> > > OpenBSD-4.9 anubisA ~ # zcat /var/log/pflog.2.gz | tcpdump -netttr - host 187.170.255.239
> > > tcpdump: WARNING: snaplen raised from 116 to 160
> > > Jul 01 18:25:16.487292 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
> > > Jul 01 18:25:23.489131 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
> > > Jul 01 18:25:32.499208 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
> > > Jul 01 18:25:43.519604 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
> > > Jul 01 18:30:01.480510 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
> > > Jul 01 18:30:08.483302 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
> > > Jul 01 18:30:17.493823 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
> > > Jul 01 18:30:28.503715 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: 00000000 len: 76
> > > Jul 01 18:40:09.423678 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
> > > Jul 01 18:40:16.426097 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
> > > Jul 01 18:40:25.436956 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
> > > Jul 01 18:40:36.447905 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
> > >         cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
> > > OpenBSD-4.9 anubisA ~ #
> > > ====================
> > >
> > > Whereas I have NOTHING in my VPN concentrator's config files that
> > > refers to this IP:
> > > ====================
> > > OpenBSD-4.9 vpn-concentrator ~ # grep -R 187.170.255.239 /etc/
> > > OpenBSD-4.9 vpn-concentrator ~ #
> > > ====================
> > >
> > > I was already running into the problem with 4.6, I think.
> > > For the record, this VPN gateway was installed from scratch (it is not
> > > an upgrade), by netinstall, from the official FTP mirrors.
> > >
> > > Is anyone else seeing the same behaviour?
> > >
> > > Have a good weekend.
> > > --
> > > Raph
> > >
> > >
> > >
> > > ________________________________
> > > French OpenBSD mailing list
> > > [hidden email]
> > > http://www.openbsd-france.org/communaute.php
> > >

Cordialement
Francois Pussault
3701 - 8 rue Marcel Pagnol
31100 Toulouse 
France 
+33 6 17 230 820   +33 5 34 365 269
[hidden email]


Re: IPSEC and strange connection to an unknown IP

Raphael Berlamont
In reply to this post by Francois Pussault-2
On Friday 01 July 2011 at 23:38 +0200, Francois Pussault wrote:
> just look at the robtex lists, for example

http://www.robtex.com/ip/187.170.255.239.html#blacklists
I had never heard of it, thanks a lot.





Re: IPSEC and strange connection to an unknown IP

SDL-8
Thanks for the links and the information

http://www.uribl.com/about.shtml

On 2 July 2011 at 02:40, Raphael Berlamont <[hidden email]> wrote:

> On Friday 01 July 2011 at 23:38 +0200, Francois Pussault wrote:
> > just look at the robtex lists, for example
>
> http://www.robtex.com/ip/187.170.255.239.html#blacklists
> I had never heard of it, thanks a lot.
Re: IPSEC and strange connection to an unknown IP

fjacopin
In reply to this post by Raphael Berlamont
On Fri, Jul 01, 2011 at 09:46:20PM +0200, Raphael Berlamont wrote:
> Hello,
>
Hello,

> I noticed this behaviour a little while ago, but I wanted to see
> whether it would persist: I have connection attempts from my VPN
> gateway to "187.170.255.239":
>
What makes you say these are connection attempts, rather than a
response to a stimulus? Have you looked at the traffic in the other
direction?
It might be worth capturing all traffic whose source or destination
address is 187.170.255.239, on the first device directly connected to
the WAN.

> I was already running into the problem with 4.6, I think.
> For the record, this VPN gateway was installed from scratch (it is not
> an upgrade), by netinstall, from the official FTP mirrors.
>
Was it the same IP address under 4.6?

Also, do you see traffic leaving your VPN concentrator, on the
concentrator itself, towards that address? It would be worth leaving a
tcpdump running there too, in the usual way, to see to what extent the
traffic matches what the firewall recorded. If you find notable
differences, it is quite likely that your VPN concentrator has been
compromised (tcpdump would no longer do its job properly if the goal
were to hide access after an intrusion).

F.


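The two checks proposed in the reply above (which side speaks first, and whether a capture on the concentrator itself agrees with what the firewall's pflog recorded) worked through as an added example; this is not code from the thread or from OpenBSD. It parses the pflog text format that appears in the original post (`tcpdump -netttr` output with the `rule N/(match) block in on vr2:` prefix) and, as an assumption, the same layout without that prefix for a `tcpdump -nettt` run on the concentrator. The firewall sample lines follow the format of the post; the host-side lines are constructed and deliberately lack the two QUICK_MODE packets, to show what a discrepancy looks like. Note that pf's `in on vr2` describes the packet entering the firewall on that interface, so direction must be judged from source and destination addresses, not from pf's in/out.

```python
"""Correlate firewall-side and host-side views of ISAKMP traffic to one peer.

Added example, not code from the mailing-list thread. Parses OpenBSD pflog
output as printed by `tcpdump -netttr`, and plain `tcpdump -nettt` output as
a capture on the concentrator is assumed to look. All sample lines below are
constructed for the example.
"""
import re
from collections import Counter

# Header line: optional pflog "rule N/(match) block in on vr2:" prefix, then
# src.port > dst.port and the ISAKMP exchange type. OpenBSD tcpdump prints the
# cookie/msgid/len details on a continuation line, matched separately.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:rule (?P<rule>\d+)/\(match\) (?P<action>\w+) (?P<pfdir>in|out) on (?P<iface>\w+): )?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*"
    r"udpencap: isakmp v1\.0 exchange (?P<exchange>\w+)"
)
COOKIE_RE = re.compile(
    r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}) "
    r"msgid: (?P<msgid>[0-9a-f]{8}) len: (?P<len>\d+)"
)

# Constructed sample in the pflog format shown in the thread (firewall view).
FIREWALL_LOG = """\
Jul 01 18:25:16.487292 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
Jul 01 18:25:23.489131 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
Jul 01 18:40:09.423678 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
Jul 01 18:40:16.426097 rule 43/(match) block in on vr2: 172.16.2.3.4500 > 187.170.255.239.4500:udpencap: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: d1e8c1dbc1ab5671->0094e39cbfc1d5b9 msgid: e97767ec len: 300
"""

# Constructed sample of a tcpdump run on the concentrator itself (assumed
# format). It deliberately lacks the two QUICK_MODE packets the firewall saw.
HOST_LOG = """\
Jul 01 18:25:16.487101 172.16.2.3.4500 > 187.170.255.239.4500: udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
Jul 01 18:25:23.488950 172.16.2.3.4500 > 187.170.255.239.4500: udpencap: isakmp v1.0 exchange ID_PROT encrypted
        cookie: fb37c5ad53a6f375->d3ecb71c7c9a309f msgid: 00000000 len: 76
"""


def parse_isakmp(text):
    """Return one dict per ISAKMP packet (header line plus its cookie line)."""
    records, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            pending = m.groupdict()
            continue
        c = COOKIE_RE.search(line)
        if c and pending is not None:
            pending.update(c.groupdict())
            pending["len"] = int(pending["len"])
            records.append(pending)
            pending = None
    return records


def packet_key(rec):
    """Identity of a packet independent of the capturing box; timestamps are
    left out because the two hosts' clocks and capture points differ."""
    return (rec["src"], rec["dst"], rec["exchange"],
            rec["icookie"], rec["rcookie"], rec["msgid"], rec["len"])


def direction_summary(records, local_ip, peer_ip):
    """Who talks first? Count packets in each direction between the two hosts."""
    outbound = sum(1 for r in records if r["src"] == local_ip and r["dst"] == peer_ip)
    inbound = sum(1 for r in records if r["src"] == peer_ip and r["dst"] == local_ip)
    return {"outbound": outbound, "inbound": inbound}


def compare_captures(firewall_records, host_records):
    """Packets one vantage point saw and the other did not. Counter subtraction
    keeps only positive differences, so retransmissions are counted, not merged."""
    fw = Counter(packet_key(r) for r in firewall_records)
    host = Counter(packet_key(r) for r in host_records)
    return fw - host, host - fw


def report(firewall_text, host_text, local_ip, peer_ip):
    """Human-readable summary of direction and of capture discrepancies."""
    fw_recs, host_recs = parse_isakmp(firewall_text), parse_isakmp(host_text)
    d = direction_summary(fw_recs, local_ip, peer_ip)
    lines = [f"firewall view: {d['outbound']} packets {local_ip} -> {peer_ip}, "
             f"{d['inbound']} packets {peer_ip} -> {local_ip}"]
    missing_on_host, missing_on_fw = compare_captures(fw_recs, host_recs)
    for key, n in sorted(missing_on_host.items()):
        lines.append(f"SEEN BY FIREWALL ONLY x{n}: {key[0]} -> {key[1]} {key[2]} msgid {key[5]}")
    for key, n in sorted(missing_on_fw.items()):
        lines.append(f"SEEN BY HOST ONLY x{n}: {key[0]} -> {key[1]} {key[2]} msgid {key[5]}")
    if missing_on_host:
        lines.append("host capture is missing packets the firewall saw: "
                     "examine the host with tools booted from trusted media")
    return lines


if __name__ == "__main__":
    for line in report(FIREWALL_LOG, HOST_LOG, "172.16.2.3", "187.170.255.239"):
        print(line)
```

On real systems the two inputs would come from `tcpdump -netttr /var/log/pflog host 187.170.255.239` on the firewall and from a `tcpdump -nettt` run on the concentrator's outside interface, saved to text and fed to `report()`. A zero inbound count with repeated outbound ID_PROT and QUICK_MODE retransmissions means the concentrator is the initiator, which is the question the reply raises; packets present in the firewall's view but absent from the host's are the discrepancy the reply says should be treated as a sign of compromise, since a host-level tcpdump is only trustworthy if the host is.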