Re: Iptables - attack - please help
From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: 07/17/05
- Previous message: Chris Cox: "Re: Dictionary sshd attacks"
- In reply to: xixi2244_at_yahoo.com: "Iptables - attack - please help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 17 Jul 2005 08:23:55 -0000
Hi,
On 2005-07-16, xixi2244@yahoo.com <xixi2244@yahoo.com> wrote:
> Hi,
>
> I have a linux firewall(iptables) protecting a Windows network. My
> network was slow so I tried to look at the netstats of my firewall
>
> unix 3 [ ] STREAM CONNECTED 4580
> .
> .
> .
> unix 4 [ ] STREAM CONNECTED 3778
> /tmp/.X11-unix/X0
>
These are connections your firewall is making to itself but in a manner
that is far more efficient than TCP/UDP. Ignore them, it's harmless...
> these connections keep increasing the longer my firewall is up. Last
> time i checked the amount of data going out of my network was more
> than coming in.
>
Could be a trojan/worm scanning which is then killing your network due to
your bizarre firewall rules...
> These are some of the rules I am using.
>
'Some'? Why not _all_, really makes our lives easier to look for the problem
if we have all the information :(
> echo 'specific rule set'
> iptables -N specific-rule-set
>
> #Syn-flood protection. RETURN returns control to previous rule chain
> iptables -N syn-flood
> iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
> iptables -A syn-flood -j DROP
>
erm....you know the moment your network is infected with a trojan/worm your
firewall will not protect you and it wipes out the Internet connection for
everyone else. It's easy to come across port scanning algorithms that go at
400 hosts per second; if you are limiting to one a second, the trojan will
soak up all the available 'syn's and no-one gets any service.
You need to dump/scrap/burn your firewall ruleset I am afraid. Two reasons:
one, you are one of those ghastly evil people who insist on using the 'DROP'
action rather than the 'REJECT' one[1]; you might think it makes you more
secure but it does not, and when it comes to diagnostics[2] it makes your life
difficult.
You need to flip the rules on their head and start off with a firewall (this
is after all the first golden rule of firewall administration) on a 100% blocked
network, nothing is to go through. Then as people complain that things do
not work you poke holes in your firewall for them. If you want to make use
of a 'limit' rule you _only_ apply it to the *valid* traffic; otherwise if
some malicious software fires up you want it contained without affecting
anyone else.
When it comes to whitelisting be brutal and unforgiving. If someone needs SMTP
permission do *not* whitelist port 25, whitelist port 25 to a particular IP
and nowhere else. A lot of trojans/viruses will mail directly to the
destination without using the local SMTP server; this is a way to stop them
dead in their tracks and also a vector to get your firewall to email you to
tell you someone is infected on your network.
I have uploaded to my website[3] a copy of the firewall ruleset I configured
for my family's Internet connection back at home which has to be
gaming/younger brother safe, so it should be a good starting point for you.
Hopefully it's good; when my friends have used it as a template they have
found themselves poking more holes in it rather than closing them up, so it
should be safe, but if anyone finds a problem I would like to hear :
Today would be a good day to start learning how to use ethereal/tcpdump[4] to
munch on packets directly so you can see what is going through your Internet
connection and also what a random application does to try to use the Internet
if you are forced to unblock an app with no information available online
about it.
Cheers
Alex
[1] http://support.metronet.co.uk/security/dubious-firewall-techniques.xhtml1
[2] even in your example, all the client machines are seeing probably is
a stalled Internet connection with no error messages other than
'timed out'. If you used REJECT then the machines would be saying
connection refused which, if it occurred when trying to access, say,
google.com, then you know it's your firewall at fault.
[3] http://www.digriz.org.uk/active to be used with iptables-restore
[4] http://www.ethereal.com/
> #Furtive port scanner
> iptables -N port-scan
> iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
> iptables -A port-scan -j DROP
> #attach timeouts above to rule-set
> iptables -A specific-rule-set -p tcp --syn -j syn-flood
> iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
>
> #AUTH Server Reject ident probes with a tcp reset. Some mail-servers
> #won't accept mail if an ident probe is dropped instead of rejected
> iptables -A specific-rule-set -i $external -p tcp --dport 113 -j REJECT --reject-with tcp-reset
> iptables -A specific-rule-set -i $external -p tcp --dport smtp -j DROP
> iptables -A specific-rule-set -i $external -p udp --dport smtp -j DROP
> iptables -A specific-rule-set -i $external -p tcp --dport ssh -j ACCEPT
> iptables -A specific-rule-set -i $external -p udp --dport ssh -j ACCEPT
> iptables -A specific-rule-set -i $external -p tcp --dport www -j DROP
> iptables -A specific-rule-set -i $external -p udp --dport www -j DROP
> iptables -A specific-rule-set -i $external -p tcp --dport imap -j DROP
> iptables -A specific-rule-set -i $external -p udp --dport imap -j DROP
> iptables -A specific-rule-set -i $external -p tcp --dport pop3 -j DROP
> iptables -A specific-rule-set -i $external -p udp --dport pop3 -j DROP
> #iptables -A specific-rule-set -i $external -p tcp --dport imaps -j ACCEPT
> iptables -A specific-rule-set -i $internal -p udp --dport 4396 -j DROP
> iptables -A specific-rule-set -i $internal -p tcp --dport 4396 -j DROP
> iptables -A specific-rule-set -o $external -p udp --dport 4396 -j DROP
> iptables -A specific-rule-set -o $external -p tcp --dport 4396 -j DROP
>
> iptables -A specific-rule-set -i $internal -p udp --dport 1024:65535 -j DROP
> iptables -A specific-rule-set -i $internal -p tcp --dport 1024:65535 -j DROP
> iptables -A specific-rule-set -o $external -p udp --dport 1024:65535 -j DROP
> iptables -A specific-rule-set -o $external -p tcp --dport 1024:65535 -j DROP
>
> I am scanning my computer with f-prot virus scan. I am a newbie. Please
> help.
>
> Thanks,
> Yuon.
>
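A default-deny ruleset along the lines Alex describes (start 100% blocked, poke holes only for valid traffic, whitelist SMTP to one relay, log direct SMTP attempts as an infection indicator, REJECT rather than DROP), written here as an added example and not the ruleset published at [3]; the interface names, LAN range and mail relay address are assumed placeholders.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset following the advice in the reply.
# Assumed values (not from the original post): eth0 = Internet side, eth1 = LAN side,
# 192.168.1.0/24 = LAN, 192.168.1.10 = the only host allowed to talk SMTP outbound.
IPT="${IPT:-/sbin/iptables}"      # set IPT=echo to preview the commands without applying them
EXT="${EXT:-eth0}"
INT="${INT:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
MAILRELAY="${MAILRELAY:-192.168.1.10}"

apply_rules() {
    # 1. Start from a 100% blocked network: flush everything and default-deny every chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback and reply traffic for flows we already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Holes for valid LAN-originated traffic only; the limit sits on accepted services,
    #    so a scanning worm cannot soak up the budget of something it was never allowed to do.
    $IPT -N lan-out
    $IPT -A lan-out -p udp --dport 53 -j ACCEPT
    $IPT -A lan-out -p tcp --dport 80 --syn -m limit --limit 50/s --limit-burst 100 -j ACCEPT
    $IPT -A lan-out -p tcp --dport 443 --syn -m limit --limit 50/s --limit-burst 100 -j ACCEPT
    # 3. SMTP is whitelisted to the one relay. Any other host mailing directly to port 25
    #    is a trojan/virus indicator: log it (rate limited) so the firewall can tell you.
    $IPT -A lan-out -p tcp --dport 25 -d "$MAILRELAY" -j ACCEPT
    $IPT -A lan-out -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "DIRECT-SMTP: "
    # 4. REJECT, not DROP: clients get 'connection refused' instead of a silent time-out.
    $IPT -A lan-out -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A lan-out -j REJECT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m state --state NEW -j lan-out
    # Ident probes from outside get a reset so remote mail servers do not stall on them.
    $IPT -A INPUT -i "$EXT" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT
}

# Usage: "sh firewall.sh preview" prints the commands; "sh firewall.sh apply" needs root.
case "${1:-}" in
    preview) IPT=echo; apply_rules ;;
    apply)   apply_rules ;;
esac
```

The preview mode is there so the ruleset can be read through before it is applied; the LOG line gives you the infected-host alert by grepping the kernel log for "DIRECT-SMTP:".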