Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I found out that a user who has an account on my network was running an ftp server from his home directory.
I was having VERY HIGH uploads and there was no room for downloads.
How can I stop this from happening again?
Restrict bg processes? Filter traffic to your shell boxes to only allow incoming ssh traffic on port 22 (or whatever port you use)? Shoot the user in question?
The filters will not help me very much. If he knows how to start an ftp server in the background on a high port on my server, I think he knows how to bypass my filters...
And quotas are not a solution because the binaries of the ftp server were under 1MB...
How can I restrict the background processes?
Run a daemon for that. Search Freshmeat.net
Originally posted by cristi1979 The filters will not help me very much.
What phoeniXflame means is you should block anyone from trying to set up a connection with any port except TCP/22. Incoming requests for a TCP connection have the SYN flag set, so that should be easy using a restrictive default policy of "DROP" and only allowing SYN's and related traffic for TCP/22.
Originally posted by cristi1979 If he knows how to start an ftp server in the background on a high port on my server, I think he knows how to bypass my filters.
Patch your server with the kernel patches from grsecurity.net, then you can deny any user setting up server and/or client sockets.
Originally posted by cristi1979 And quotas are not a solution because the binaries of the ftp server were under 1MB.
Using user quotas should work; it doesn't look at transfer size but at used disk space and files.
What I meant with quota was that the guy was copying files from my server and not saving them here. We have a large amount of movies here, so I believe he was copying movies. So, because of his uploads we ran out of bandwidth.
Move the movies to another location and lock the user in one directory. And if you don't need the ftp service, take it down and only allow ssh. Also, why does a normal user have the privileges to start services and stuff??
Also, why does a normal user have the privileges to start services and stuff??
I really don't know. I am new to the administration of a Linux server. He only had access to a normal ftp account. He WAS locked in the home directory. This is why he started a new ftp server.
Is there a way to stop users from having access to start programs?
Where I worked we had hubs before we went to switches, and uploads (Kazaa, Morpheus... etc.) killed the network connections in certain buildings, so we just physically unplugged a user until we could contact 'em and tell 'em to stop or else their connection would not be restored.
Originally posted by cristi1979 The filters will not help me very much. If he knows how to start an ftp server in the background on a high port on my server, I think he knows how to bypass my filters...
A monkey with half a brain could start an ftp server on a high port in the background. If this particular box is only used for shell access for customers etc. etc., then all you have to do is drop all incoming connections APART from those which are aimed at port 22 and which are either NEW or RELATED,ESTABLISHED. That way, even if he does manage to run a server, no-one else will be able to connect to it. Here's a little script that would do it....
Code:
#!/bin/sh
IPTABLES=/usr/sbin/iptables
# Flush tables and setup default rules
$IPTABLES -F
$IPTABLES --delete-chain
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Loopback never leaves the box; without these, local services break
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# INPUT
# Accept established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming SSH connections (change 22 if sshd listens elsewhere)
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Log and drop everything else (rate-limited so the log cannot be flooded)
$IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "Incoming packet dropped: "
$IPTABLES -A INPUT -j DROP
# OUTPUT
# Accept established connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log and drop everything else (note: this also blocks outbound DNS, NTP, package updates)
$IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "Outgoing packet dropped: "
$IPTABLES -A OUTPUT -j DROP
That should do it. If you need to allow any other incoming connections (if you run an httpd or something), just add a rule similar to the SSH one detailed above. Hope that helped.
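Added example, not posted by anyone in this thread: the firewall rules above keep outsiders from reaching a user-run server, but an admin also wants to notice that one is listening in the first place. This POSIX shell/awk check reads /proc/net/tcp-format text and reports listening sockets owned by regular-user uids; the function name, the uid threshold of 1000, and the embedded sample (constructed, not a real capture) are my own assumptions.

```shell
#!/bin/sh
# Report listening TCP sockets owned by non-system accounts, from
# /proc/net/tcp-format input. Function name and sample are constructed.

# Constructed sample in /proc/net/tcp layout: sshd on 22 and an MTA on
# 127.0.0.1:25 owned by root (uid 0), a user-run daemon on port 30000 (0x7530)
# owned by uid 1001, and one established connection to it (state 01).
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:7530 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 12347 1 0000000000000000 100 0 0 10 0
   3: C0A80105:7530 0A0B0C0D:C3A2 01 00000000:00000000 00:00000000 00000000  1001        0 12348 1 0000000000000000 100 0 0 10 0'

# unprivileged_listeners [MIN_UID]
# Reads /proc/net/tcp-format text on stdin and prints "PORT UID" for each
# socket in state 0A (LISTEN) whose owner uid is >= MIN_UID (default 1000,
# the first regular-user uid on most distributions, an assumption here).
# Portable awk: no gawk strtonum(), so the hex port is converted by hand.
unprivileged_listeners() {
  awk -v min_uid="${1:-1000}" '
    function hex2dec(h,   i, v) {
      v = 0
      h = toupper(h)
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return v
    }
    # $2 = local addr "HEXIP:HEXPORT", $4 = socket state, $8 = owner uid
    NR > 1 && $4 == "0A" && $8 + 0 >= min_uid + 0 {
      split($2, addr, ":")
      print hex2dec(addr[2]), $8
    }'
}

# Stand-alone demo on the constructed sample; on a live box run
#   unprivileged_listeners < /proc/net/tcp   (and again for /proc/net/tcp6)
printf '%s\n' "$SAMPLE_TCP" | unprivileged_listeners
```

Run it from cron and compare against the list of services you expect; a new line such as "30000 1001" is the high-port daemon this thread is about.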