LinuxQuestions.org
Old 09-14-2007, 03:12 AM   #1
iSlinky
LQ Newbie
 
Registered: Sep 2007
Posts: 3

Rep: Reputation: Disabled
Audit laptop for IRC


I'm taking my machine onto a network later today, but this is a very secure network. I need to ensure that there is no form of IRC connection leaving my machine, as if anything leaves, it will be detected and my machine will become useless on the network. Can somebody advise me on the best way to audit the whole machine and remove any form of IRC which might pop out of my interface?

I've checked netstat... nothing
I've removed all irc references from /etc/services

What else should I check?
 
Old 09-14-2007, 05:27 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by iSlinky
I've removed all irc references from /etc/services
This file only serves documentation purposes for you and for programs such as netstat, etc. You've actually made it a bit harder for you to detect an IRC connection by doing this. Your changes have no effect on the box's security, revert them if possible.

In the situation you describe, I would suggest you simply tighten-up your host's firewall regarding outgoing traffic, to make sure no IRC traffic sneaks out. Granted, there really shouldn't be any IRC traffic sneaking out in the first place if you aren't using IRC, but well it's additional peace of mind.

First, ask yourself what is the traffic you *need* to be able to leave your box. Then, set your firewall to only allow those types of packets. For example, let's say you only needed to be able to surf the Web. This would mean you want to allow outgoing DNS, HTTP, and HTTPS packets. Your setup could look like:
Code:
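# Default policy: drop anything leaving the box that is not explicitly allowed
iptables -P OUTPUT DROP
# Allow packets belonging to connections that are already established
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow loopback traffic
iptables -A OUTPUT -o lo -j ACCEPT
# Allow new outgoing DNS, HTTP and HTTPS
iptables -A OUTPUT -p UDP --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
# Log whatever is about to be dropped by the policy
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "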
The last line will give you a heads-up if any unwanted packets were filtered while trying to leave the box (you'll need to monitor syslog in order to see). I don't know how familiar you are with iptables, so if you have any questions please let us know. If you could post your current iptables setup when you reply it would be great:
Code:
iptables -nvL
Also, what distro are you using?

Last edited by win32sux; 09-14-2007 at 06:05 AM. Reason: Spelling fixes.
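An added example, not part of the thread: one way to do the syslog monitoring mentioned above is to summarise the lines written by the "OUTPUT DROP: " LOG rule per protocol, destination and port. The function names, the sample log lines (constructed) and the list of ports treated as IRC are assumptions of this example.

```shell
#!/bin/sh
# Summarise packets logged by:
#   iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
# Reads syslog lines on stdin, prints "count proto dst dport [IRC-PORT]".

# Ports conventionally associated with IRC (assumption, not from the thread).
IRC_PORTS="6665 6666 6667 6668 6669 6697"

summarise_drops() {
    awk -v irc="$IRC_PORTS" '
    BEGIN { n = split(irc, p, " "); for (i = 1; i <= n; i++) is_irc[p[i]] = 1 }
    /OUTPUT DROP: / {
        # Pull the KEY=value fields the kernel LOG target writes.
        proto = dst = dpt = "-"          # "-" when a field is absent (e.g. ICMP has no DPT)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)    proto = substr($i, 7)
            else if ($i ~ /^DST=/) dst   = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt   = substr($i, 5)
        }
        count[proto " " dst " " dpt]++
    }
    END {
        for (k in count) {
            split(k, f, " ")
            tag = (f[3] in is_irc) ? " IRC-PORT" : ""
            printf "%d %s%s\n", count[k], k, tag
        }
    }' | sort -k1,1nr -k2
}

# Constructed sample input in the kernel's LOG format (documentation addresses).
sample_log() {
cat <<'EOF'
Sep 14 06:10:01 laptop kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40112 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 14 06:10:04 laptop kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40112 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 14 06:11:30 laptop sshd[812]: Server listening on 0.0.0.0 port 22.
Sep 14 06:12:15 laptop kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
EOF
}

# Demo on the constructed sample; on a real box, feed the kernel log instead.
sample_log | summarise_drops
```

Repeated drops to the same destination and port usually mean some program on the box keeps retrying, which is the thing to track down before joining the network.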
 
Old 09-14-2007, 05:50 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
Quote:
What else should I check?
A book on Linux?
 
  

