Re: Router Hacked?



Randy Yates <yates@xxxxxxxx> writes:

Hi Todd et al.,

After reading the Re: Urgent!!! My computer seems to be hacked, pls HELP!!!
I was feeling smug that I was safe since I locked up ssh.

HOWEVER, I'm now much more nervous. I don't understand why I'm able to
ssh to an outside host on the standard port 22 when my router is
configured to block port 22.

Outbound or inbound?

Typically consumer routers (Linksys, et al) block the establishment of
incoming connections from the internet, but allow TCP flows that
originate from inside (LAN) to the outside (WAN/Internet). That'd be
a simple explanation of a stateful packet inspection (SPI) firewall,
which understands and tracks TCP connections as a whole.

A packet filtering firewall doesn't have a notion of "connections" per
se, but just individual packets. The older packet filtering firewalls
would block inbound TCP SYN requests, but wouldn't block inbound TCP
ACKs or FINs.

Could it be that my router has been hacked?

Always possible, but the symptoms you describe are normal near as I
can tell. Egress filtering (i.e. filtering of what's outbound)
isn't common in consumer routers.

By the way, is there a way to configure the router so that only
outgoing connections on port 22 should be allowed?

Sure, a router of sufficient flexibility could allow you to
construct such a tightly defined filtering policy. "Block connections
from the LAN destined for any external host, with protocol TCP,
destination port 22" would be the complete thought of such a block.

But if that's your only rule, you'd break all other internet traffic
to/from your LAN (i.e. web surfing, IM, updates, etc). tcp/80 and
tcp/443 outbound requests would be blocked, so you wouldn't get any
web requests out, for instance.

That is, can I configure the router so that only SSH connections
FROM my internal machine TO an outside machine are allowed through,
while any INCOMING connections on port 22 remain blocked?

Your router is likely already configured as such, with the exception
that in addition to allowing outbound connections with a destination
port of tcp/22, it's allowing arbitrary outbound connections.

Best Regards,
--
Todd H.
http://www.toddh.net/
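
Added example, not part of the original message: a toy Python model of the behaviours described in the reply above (per-packet filtering, stateful tracking of flows opened from the LAN, and an optional egress port allow-list). All names, addresses and the `egress_ports` parameter are constructed for illustration and do not describe any particular router.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = LAN to WAN, "in" = WAN to LAN
    src: tuple            # (ip, port)
    dst: tuple            # (ip, port)
    flags: frozenset      # TCP flags set on this segment

def is_new_syn(pkt):
    return "SYN" in pkt.flags and "ACK" not in pkt.flags

def stateless_allows(pkt):
    """Per-packet filter: drops only inbound connection openers."""
    return not (pkt.direction == "in" and is_new_syn(pkt))

class StatefulFirewall:
    """Tracks flows opened from the LAN; inbound must match one of them."""
    def __init__(self, egress_ports=None):
        self.egress_ports = egress_ports   # None = allow any outbound port
        self.flows = set()                 # {(lan_endpoint, wan_endpoint)}

    def allows(self, pkt):
        if pkt.direction == "out":
            if is_new_syn(pkt):
                if self.egress_ports is not None and pkt.dst[1] not in self.egress_ports:
                    return False           # egress filtering
                self.flows.add((pkt.src, pkt.dst))
                return True
            return (pkt.src, pkt.dst) in self.flows
        return not is_new_syn(pkt) and (pkt.dst, pkt.src) in self.flows

# Constructed sample traffic (documentation address ranges).
LAN = ("192.168.1.10", 40000)
SSH_HOST = ("203.0.113.5", 22)
WEB_HOST = ("203.0.113.9", 443)
STRANGER = ("198.51.100.7", 51000)
F = frozenset

def demo(egress_ports=None):
    fw = StatefulFirewall(egress_ports)
    stray_ack = Packet("in", STRANGER, ("192.168.1.10", 22), F({"ACK"}))
    return {
        "ssh_out": fw.allows(Packet("out", LAN, SSH_HOST, F({"SYN"}))),
        "ssh_reply": fw.allows(Packet("in", SSH_HOST, LAN, F({"SYN", "ACK"}))),
        "web_out": fw.allows(Packet("out", LAN, WEB_HOST, F({"SYN"}))),
        "ssh_in": fw.allows(Packet("in", STRANGER, ("192.168.1.10", 22), F({"SYN"}))),
        "stray_ack_stateful": fw.allows(stray_ack),
        "stray_ack_stateless": stateless_allows(stray_ack),
    }
```

`demo()` models the usual consumer default (any outbound port allowed); `demo({22})` models an egress policy that permits only outbound tcp/22, which also stops outbound web traffic.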