Re: How was my Firewall HACKED???

From: Juha Laiho (Juha.Laiho@iki.fi)
Date: 06/23/02


From: Juha Laiho <Juha.Laiho@iki.fi>
Date: Sun, 23 Jun 2002 11:42:01 GMT


[some chapters reordered from the original]

"chackerd01" <chackerd01@attbi.com> said:
>Finally got a broadband connection, so I setup an old computer with Red Hat
>6.0 (kernel 2.2.5-15) to do firewall and IP masquerading for my local
>network. Everything appeared to be working fine. Port scans from grc.com
>showed all ports as "stealthed".
...
>After a couple weeks of 24/7 connection to the internet I noticed several
>status messages on the console (see below). After evaluating them and the
>system, I realized that someone had gained root access through the internet,

Hmm. That seems quite an odd situation. grc.com showing that everything
is stealthed and still someone getting in... but it seems I have an
explanation. I just ran the grc.com scan against my machine, and checked
what I see from them. It might well be that their scan does check for
everything that needs to be checked on a typical Windows machine. Still,
it's far from a thorough check - it just checks a small subset of ports.
Perhaps they should note the limitations of their scan.

With this fact, I'd guess the hole might be an old version of sshd or
an old print spooler - and having said that, I'm rather certain these
are not the only possibilities. But at least those ports weren't checked
by grc.

>I have ipchains setup to DENY access on the following ports: ftp,
>telnet, www, imap, smtp, finger, pop-3, auth, 135, https, 445, 512, and
>5000. I also have all of the daemons in inetd.conf disabled.

As someone else said, deny all, then accept selectively.

F.ex. here are some of my ipchains rules as dumped by ipchains-save,
but with comments inserted. The generic setup is that my home LAN
is attached to eth0 and eth1 is connected to my ISP. In addition I have
some forward rules (to allow connections from other machines in my home
LAN), but when it comes to security, this is the most critical set.

:input ACCEPT
:forward DENY
:output ACCEPT
# Allow my ISP's DHCP server (actually I got bitten by this when the
# DHCP server address changed..)
-A input -s a.a.a.a/255.255.255.255 67:67 -d 255.255.255.255/255.255.255.255 68:68 -i eth1 -p 17 -j ACCEPT -l
# Reject ident protocol queries from some machines
# (this is just to prevent logging of ident queries that come from
# "expected" locations such as my ISP's mail server). Reject instead
# of drop to provide an active negative response to the other party;
# dropping would cause the other party to time out waiting for the
# response, thus causing a longish (30-60s typical) delay on outgoing
# mail.
-A input -s b.b.b.b/255.255.255.255 -d 0.0.0.0/0.0.0.0 113:113 -p 6 -j REJECT
-A input -s c.c.c.c/255.255.255.255 -d 0.0.0.0/0.0.0.0 113:113 -p 6 -j REJECT
# Reject and log all other ident queries
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 113:113 -p 6 -j REJECT -l
# Just drop and log all other TCP SYN packets (TCP SYN is the packet that
# initiates a TCP connection)
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j DENY -l -y
# Accept ntp traffic to my chosen time providers
-A input -s d.d.d.d/255.255.255.255 123:123 -d 0.0.0.0/0.0.0.0 -i eth1 -p 17 -j ACCEPT
-A input -s e.e.e.e/255.255.255.255 123:123 -d 0.0.0.0/0.0.0.0 -i eth1 -p 17 -j ACCEPT
# Accept TCP response packets (I have /proc/sys/net/ipv4/ip_local_port_range
# set to these values)
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 32768:61000 -i eth1 -p 6 -j ACCEPT
# Accept DNS query responses from my ISP's name servers
-A input -s f.f.f.f/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 32768:61000 -i eth1 -p 17 -j ACCEPT
-A input -s g.g.g.g/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 32768:61000 -i eth1 -p 17 -j ACCEPT
-A input -s h.h.h.h/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 32768:65535 -i eth1 -p 17 -j ACCEPT
# Accept select ICMP protocol subtypes (destination unreachable,
# ping responses, things like that)
-A input -s 0.0.0.0/0.0.0.0 18:18 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 14:14 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 12:12 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 5:5 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 11:11 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 3:3 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 0:0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
# Drop and log everything that made it up to here
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY -l

So, all in all I allow very few connections initiated from the outside.
However, the first step is to prune your system of all unneeded listening
processes. See "netstat -tupln" for a listing of the listening sockets
(more reliable than running a scanner!) and the processes attached to them.
Then start going through every process to determine whether or not
you need to have that running (and how to prevent it from starting, if
you find it unnecessary). After weeding out the unnecessary services
tighten up the ipchains settings.

However, at this moment you cannot rely on the integrity of your
system. Various parts may now be replaced with parts of the rootkit,
possibly making system commands return false responses, like hiding
other parts of the rootkit (such as "ls" that wouldn't list some
file names, and "netstat" that wouldn't list some connections).
The canonical advice in that situation is that you take your system
offline, back up the data you had there and do a complete reinstall.

I'd suggest going to RedHat 7.2 or later. They're already set up better
wrt security -- but still the base install isn't necessarily secure, so
you'll need to at least apply the released updates for those servers
you expose to the outside world. With 7.2, there is another choice
for ipchains called iptables, which can be set up for tighter access
control than that provided by ipchains. Also, when you get the hang of
iptables, it's somewhat easier to maintain.

Of course there are distributions other than RH, some even being more
secure out-of-the-box than RH is, so RH72/RH73 isn't the only choice.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
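As an added example (not part of the post or the thread): a small Python audit of an ipchains-save dump in the format shown above. It checks that the input and forward policies are DENY and, because ipchains is stateless, that any rule accepting TCP from anywhere on the external interface comes after a "-y" (SYN) DENY, without which an "accept responses" rule would also admit new inbound connections. The sample dump, the interface name eth1 and the port range are constructed placeholders.

```python
import re
ANY = "0.0.0.0/0.0.0.0"                 # ipchains-save spelling of "any address"
PORT = re.compile(r"^\d+:\d+$")         # optional port range after an -s/-d address
FLAG = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}

def parse_rule(line: str) -> dict:
    """Parse one '-A ...' line of ipchains-save output; -l (log) is ignored."""
    r = {"chain": None, "src": ANY, "dst": ANY, "src_port": None, "dst_port": None,
         "iface": None, "proto": None, "target": None, "syn": False}
    toks, i = line.split(), 0
    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("-s", "-d"):
            key = "src" if t == "-s" else "dst"
            r[key] = toks[i]; i += 1
            if i < len(toks) and PORT.match(toks[i]):
                r[key + "_port"] = toks[i]; i += 1
        elif t in FLAG:
            r[FLAG[t]] = toks[i]; i += 1
        elif t == "-y":
            r["syn"] = True                # rule matches TCP SYN (new connection) only
    return r

def audit(dump: str, ext: str = "eth1") -> list:
    """Findings: non-DENY policies, and TCP ACCEPTs on ext not shielded by a SYN drop."""
    findings, syn_dropped = [], False
    for line in dump.splitlines():
        if line.startswith(":"):                       # ':chain POLICY'
            chain, policy = line[1:].split()
            if chain in ("input", "forward") and policy != "DENY":
                findings.append(f"{chain}: policy {policy}, expected DENY")
        elif line.startswith("-A input"):
            r = parse_rule(line)
            tcp_any = r["proto"] == "6" and r["src"] == ANY and r["iface"] in (None, ext)
            if tcp_any and r["syn"] and r["target"] in ("DENY", "REJECT"):
                syn_dropped = True                     # later TCP ACCEPTs never see a SYN
            elif tcp_any and r["target"] == "ACCEPT" and not syn_dropped:
                findings.append(f"input: ACCEPT tcp dport {r['dst_port']} admits new connections (no earlier -y DENY)")
    return findings

# Constructed dump in the post's ipchains-save shape (placeholder rules, not the post's):
# the SYN drop precedes the 'accept responses' rule, as in the post.
SAFE = """\
:input ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j DENY -l -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 32768:61000 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY -l
"""
# Same rules with the two TCP rules swapped: the ACCEPT now admits new connections.
UNSAFE = "\n".join(SAFE.splitlines()[i] for i in (0, 2, 1, 3)) + "\n"
```

Note that the post's own dump also has ":input ACCEPT" and relies on the final catch-all DENY on eth1 instead, which this check reports so that the catch-all rule is confirmed rather than assumed.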


