iptables rc.firewall file
I've been getting hammered by an MS-SQL Worm propagation attempt, UDP port 1434.
I'm trying to block it like this:

/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -s 0/0 -j DROP

My question is, do I need the source (-s 0/0) or could I just leave it out and append the INPUT argument like this:

/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -j DROP
You shouldn't need the source - by default it will block everything (are you sure it runs over UDP though?).
My IDS gives me a port # and possible cause. It does not give me a protocol. I looked up (google) "port 1434".
My IDS says, "MS-SQL Worm propagation attempt"... So does google, but I got conflicting stories. So I blocked 1434 TCP & UDP. I tried this today & cleared my logs (still awaiting the outcome):

# block MS-SQL Worm propagation attempt
/sbin/iptables -A INPUT -p UDP -i $RED_DEV --dport 1434 -s 0/0 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1434 -s 0/0 -j DROP

# Logging TCP ports 1024 - 65535, but 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j LOG
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j LOG

# STEALTHING TCP ports 1024 - 65535, but 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j DROP

I'm also trying to stealth TCP 1024 - 65535. I read that I couldn't have 2 rules addressing the same port, so I excluded it from my Log & drop/stealth between 1024 - 65535. I hope that works...
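As an added example (not code from this thread), a small Python model of how an iptables INPUT chain is walked: rules are tried in the order they were appended with -A, LOG is non-terminating and falls through, DROP ends evaluation. It encodes the poster's chain and, going one step further, a chain with plain 1024:65535 ranges, to show that the 1434 DROP rules appended first already shadow the later range rules, so no hole at 1434 is needed. Rule, Packet, evaluate and same_verdicts are the example's own names and only model the matches used in the posts (-p, --dport, --syn), not the full iptables match set.

```python
from dataclasses import dataclass
@dataclass
class Rule:
    proto: str              # -p tcp / udp
    dports: tuple           # (low, high) inclusive, as in --dport 1024:1433
    target: str             # -j LOG or DROP
    syn_only: bool = False  # --syn: only TCP packets with SYN set
@dataclass
class Packet:
    proto: str
    dport: int
    syn: bool = False
def matches(rule, pkt):
    return (rule.proto == pkt.proto
            and rule.dports[0] <= pkt.dport <= rule.dports[1]
            and (pkt.syn or not rule.syn_only))
def evaluate(chain, pkt, policy="ACCEPT"):
    """Top-down walk: LOG logs and falls through, DROP ends it. Returns (verdict, logged)."""
    logged = False
    for rule in chain:
        if matches(rule, pkt):
            if rule.target == "LOG":
                logged = True
                continue
            return rule.target, logged
    return policy, logged

# The poster's chain in -A order. "-s 0/0" is left out: it means any source, the default.
THREAD_CHAIN = [
    Rule("udp", (1434, 1434), "DROP"),
    Rule("tcp", (1434, 1434), "DROP"),
    Rule("tcp", (1024, 1433), "LOG", syn_only=True),
    Rule("tcp", (1435, 65535), "LOG", syn_only=True),
    Rule("tcp", (1024, 1433), "DROP", syn_only=True),
    Rule("tcp", (1435, 65535), "DROP", syn_only=True),
]

# Same intent without the hole at 1434: the DROP rules appended first already
# end evaluation for that port, so the later range rules never see it.
SIMPLER_CHAIN = [
    Rule("udp", (1434, 1434), "DROP"),
    Rule("tcp", (1434, 1434), "DROP"),
    Rule("tcp", (1024, 65535), "LOG", syn_only=True),
    Rule("tcp", (1024, 65535), "DROP", syn_only=True),
]

def same_verdicts(ports=range(1, 65536)):
    """True if both chains agree on (verdict, logged) for TCP SYN, TCP non-SYN and UDP to every port."""
    return all(evaluate(THREAD_CHAIN, k) == evaluate(SIMPLER_CHAIN, k) for p in ports
               for k in (Packet("tcp", p, True), Packet("tcp", p), Packet("udp", p)))
```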