Old 07-21-2006, 12:36 AM   #1
tgo
Member
 
Registered: Dec 2004
Posts: 125

Rep: Reputation: 15
prevent connect back with iptables


The title pretty much explains my question. I have a 3-NIC gateway running Linux/iptables and I am wondering how I could prevent reverse connect attacks on inside hosts.

SYNs are blocked, and all other incoming connections on the public interface, so I am ok in that direction, but I cannot necessarily do that in the other direction as it would make the network pretty useless.

Since the outgoing connections, whether they're TCP/UDP, will look like normal traffic making connections, I am having a hard time thinking of a solution. I had thought about only allowing connections to certain ports, but then the attacker could modify his code to also use those ports, which ruins the idea.

From googling and searching these forums it seems that not many people have discussed this before (unless I totally missed something or there is another widely used term for 'reverse connect'). I know some people will read this and say 'THIS IS WHAT AN IDS IS FOR', but I was hoping there would be a different way to do it.
 
Old 07-21-2006, 01:22 AM   #2
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
That's true, it's a big threat.

But what can you do about it? A client connects to a webserver, reads a page containing a command and executes it. Then it requests a (nonexistent) page containing the answer.

That's 1 way of doing it. There are something like 10 ways that I know, some are really hard to track (combining Artificial Intelligence and a lot of imagination..)

Well, first you should be sure that nobody manages to get in your network. I know it's a stupid answer but still.. the core problem is here. If you ask yourself this question in your post then it means that you believe that your network is already very secure.

If you are scared of an internal user installing this, you can block traffic by time (after 8 in the evening, no more traffic). It's easy to implement but does not solve all.

How can you characterize a reverse backdoor.. that's the question and the answer is not easy.


A few studies exist in this way, search for this:

moltunnel
tcpstatflow
NetEntropy

They're used to detect tunnels.

The thing is that these tools can be fooled. But then you are fighting against skilled crackers. You can't do anything against somebody who is very skilled and determined... face it.

Last edited by nx5000; 07-21-2006 at 01:24 AM.
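As an added example (not code from this thread or from either poster), here is an egress policy for a gateway like the one tgo describes: it combines the port whitelist from post #1 with the after-hours cutoff nx5000 suggests, and logs every rejected new outbound flow so the firewall at least hands the IDS a signal for the cases the whitelist cannot stop. The interface names eth0/eth1 and the port lists are assumed placeholders, and IPT defaults to echo so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Egress policy for a Linux/iptables gateway (constructed example).
# Assumed placeholders: eth0 = public interface, eth1 = LAN interface.
# IPT defaults to "echo iptables" (dry run); run with IPT=iptables as root to apply.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
IPT=${IPT:-"echo iptables"}
ALLOWED_TCP=${ALLOWED_TCP:-"80 443 25 22"}   # assumed whitelist, adjust per site
ALLOWED_UDP=${ALLOWED_UDP:-"53 123"}

egress_rules() {
    # Dedicated chain for LAN -> WAN traffic so the policy can be reloaded on its own.
    $IPT -N LAN_EGRESS 2>/dev/null
    $IPT -F LAN_EGRESS
    # Replies to flows the gateway already tracks are always fine.
    $IPT -A LAN_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # After-hours cutoff (xt_time spans midnight when start > stop): log, then drop
    # any new flow between 20:00 and 07:00.
    $IPT -A LAN_EGRESS -m conntrack --ctstate NEW -m time --timestart 20:00 --timestop 07:00 \
        -m limit --limit 10/min -j LOG --log-prefix "EGRESS-AFTERHOURS: "
    $IPT -A LAN_EGRESS -m conntrack --ctstate NEW -m time --timestart 20:00 --timestop 07:00 -j DROP
    # Port whitelist for new outbound flows.
    for p in $ALLOWED_TCP; do
        $IPT -A LAN_EGRESS -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP; do
        $IPT -A LAN_EGRESS -p udp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else is logged (rate limited) and rejected; the log line is the
    # detection signal for anything that tries a non-whitelisted port.
    $IPT -A LAN_EGRESS -m conntrack --ctstate NEW -m limit --limit 10/min \
        -j LOG --log-prefix "EGRESS-DENY: "
    $IPT -A LAN_EGRESS -j REJECT --reject-with icmp-admin-prohibited
    # Hook the chain into FORWARD for LAN -> WAN only.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j LAN_EGRESS
}

egress_rules
```

A reverse shell on TCP 443 still passes this whitelist, which is the limitation tgo points out; the logged rejects and the after-hours drops are what you then feed to the IDS.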
 
Old 07-21-2006, 07:02 PM   #3
tgo
Member
 
Registered: Dec 2004
Posts: 125

Original Poster
Rep: Reputation: 15
Talking it over with more people in IRC, it seems as if there is no way to really block it unless you whitelist some ports, but then you have the problem of them using those same ports. I think only an IDS can handle this.
 
Old 02-06-2007, 12:39 PM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
For 2 months now, tcpstatflow can be integrated into snort.
More info on their website.
The original patch is here:
http://geocities.com/fryxar/snort_co..._detection.txt