Linux - Security
This is in direct relation to my recent trojan attack by some script kiddie. I know Linux has a built-in firewall through ipchains, but what is your complete firewall/logging solution? I'm not running a server, so I don't want any inbound connections coming in without me starting them. I thought something like Firestarter would do this nicely. I was wrong. It looks like I am now going to have to reinstall in order to completely rid myself of this; it's disabled my system quite thoroughly.
IIRC, Firestarter is just a tool for making and loading rules; it's not a firewall implementation in itself, and I don't know if it does checking, or relies on netfilter/ipchains to come up with error msgs. For accepting incoming TCP traffic you initiated you would specify "! -y" in a rule; the outgoing doesn't need "-y" IIRC, because you'll be initiating the connection anyway. Note that due to protocols this only works with TCP type connections.
In the end I don't think there's a "total firewall solution"; carefully crafted rules are the best you can have. The essence is, though, if you've got no servers running (or startable) that people can connect to, you should be safe on that part.
If you weren't running any servers, the only way I can think of you getting infected by a trojan is downloading "goodies" through http/ftp, or through DCC or IM type communications, and executing those incoming files, which is considered a Bad Thing. If that wasn't it, and you re-checked your logs/xinetd.conf/runlevel/netstat and you weren't running any unnecessary stuff, I'm curious what it was; please run chkrootkit (checkrootkit.org) to find out if you don't know, else share if you can.
I would reinstall completely, or these things have a habit of coming back when you least expect them.
The only safe network is an unplugged one. "That's how you get the C2 Cert for NT boxes." Anyway, as unSpawn has pointed out, there are several methods to improve the current security level.
Patch the box for every known security bug.
Then only run the services you need to run, disabling all the others at start-up.
On the firewall side you need to do this:
Then set rules that don't allow any access from outside IP addresses to ports below 1024.
Then set rules that only allow source IP addresses that are trusted to connect to particular ports, "like trusted DNS servers".
Then set rules to not trust your own internal IP addresses on ports that it should only connect to internally. "Spoof protection: include 127.0.0.1 and broadcast addresses."
Then set rules to deny ICMP types that shouldn't talk to your IP address.
Then set rules to deny all UDP except from your DNS from source port 53.
Then set flood protection by switching on SYN cookies and SYN timeouts; also set IP defrag so packets are reassembled before the firewall; also switch off redirects and stop your system from allowing them.
Then also disallow any system that requests a SYN flag to your IP address without you making the handshake in the first place.
Then create a network architecture that shields each system from its co-systems on the network for damage control, like a multi-DMZ with multiple tri-homed firewalls.
Oh yes, then use stateful inspection to check that protocols that are FTP or HTTP are just that.
This is just some of the stuff you need to do, but if you stick to these rules it will make it much harder to break into.
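As an added example (not from the thread or any poster), the workstation-relevant steps above written out as an ipchains rule set plus the matching /proc/sys settings: no new inbound TCP, UDP only as DNS replies from one trusted resolver, spoofed loopback/broadcast sources dropped and logged, a short ICMP allow list, SYN cookies, defragmentation before filtering and redirects refused. The interface name eth0, the resolver address 192.0.2.53 and the function name gen_rules are assumptions; the script prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an ipchains rule set for a
# workstation that runs no services; review it, then pipe it to sh as root.
IFACE="${IFACE:-eth0}"        # assumed external interface
DNS="${DNS:-192.0.2.53}"      # constructed placeholder for your trusted resolver

gen_rules() {
    iface="$1"; dns="$2"
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
# spoof protection: loopback and broadcast addresses must never arrive on $iface (logged)
ipchains -A input -i $iface -s 127.0.0.0/8 -l -j DENY
ipchains -A input -i $iface -s 255.255.255.255 -l -j DENY
ipchains -A input -i $iface -d 255.255.255.255 -l -j DENY
# no inbound connection attempts at all (SYN without ACK), logged; this also
# covers "nothing from outside to ports below 1024" for TCP
ipchains -A input -i $iface -p tcp -y -l -j DENY
# replies to connections this host started ("! -y" = not a SYN-only packet)
ipchains -A input -i $iface -p tcp ! -y -j ACCEPT
# UDP: only DNS answers from the trusted resolver's source port 53, deny the rest
ipchains -A input -i $iface -p udp -s $dns 53 -j ACCEPT
ipchains -A input -i $iface -p udp -l -j DENY
# ICMP: keep the types outbound traffic depends on, deny everything else
ipchains -A input -i $iface -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -i $iface -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -i $iface -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A input -i $iface -p icmp -l -j DENY
# kernel side: SYN cookies, reassemble fragments before filtering, no redirects,
# reverse-path check as extra spoof protection (2.2-era /proc/sys paths)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
EOF
}

gen_rules "$IFACE" "$DNS"
```

Run as `IFACE=eth1 DNS=10.0.0.2 sh rules.sh | sudo sh` once the printed rules look right; the `-l` flags send every denied packet to the kernel log so you can see what is being dropped.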
Yes, I reinstalled. I'm really patiently awaiting Red Hat 7.2 and maybe the firewall implementation will be a little easier to understand. Until then, I just printed out a bunch of rules tutorials, so, I'm going to try to learn a bit.