Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I don't mean to come across as a "Pedantic Troll". I think you are correct in terms of the application, of letting others pay X for the appearance of using the public IP space and in this content, the problem and solution would make sense. This is NOT how I interpreted or even envisioned the problem from the stated definition, which was decidedly lacking in details. I envisioned a form of corporate network with remote users connecting via VPN to access shared resources. In this regard, the choice of words does matter and except for this fact, I don't care what we call it.
Note the inversion on the address, meaning if NOT 127.0.0.1, then drop it with log.
None of these rules will cover the case of a "VPN user" from spamming root or the OP.
I still assert, however, that if this type of activity is a problem that using a firewall is alone is not a safe approach but that they really need to address this issue in Sendmail too. This is a matter of proper network security practice. Unfortunately, when confronted with things that they don't want to hear, the novice user often times ignores the advice. Often times this is followed with return posts of "help my system has been compromised".
I don't mean to come across as a "Pedantic Troll".
My apologies, that was not aimed at you - it was a generalisation of how 'religious' some people are about such matters.
Quote:
Originally Posted by Noway2
I still assert, however, that if this type of activity is a problem that using a firewall is alone is not a safe approach but that they really need to address this issue in Sendmail too.
Indeed, but having some fire-walling is a good starting point and it's better to have it, than not to have it IMHO. It certainly will drop the SMTP packets the OP wants dropped, but as you indicate more savvy users may be able to 'break in' if they are so inclined.
As for Sendmail, personally I've not used it for some time so I cannot speak of it as an MTA or it's place in the security of things - other than to mention that I believe it is considered insecure by people with a much better systems level knowledge than I posses.
Perhaps some ideas on how to better secure the OP's box would be more useful than to wave fingers and tut? I'm sure you have a great deal of experience and can positively contribute to tightening it up for the OP.
Unless it's a trick question, just dropping traffic on the VPN where the destination port = 25 should suffice for the majority of spam.
However, there are other submission ports you may want to add like 465 & 587. There are probably others that are non standard. One of my clients has MTA's listening on 2525 for example.
I'd probably log - then drop - offending packets btw.
yep, and its why simple L4 filters are kinda useless these days. we need to use tools that "know" what the stream looks like 4-7. palo alto seems to be doing a ok job of that.
why would this "VPN" be able to send anything outbound? whats the purpose of this "VPN"? i will assume that "all of my outbound ports are open" is meant to mean "i do not filter any outbound destination udp or tcp ports".
Quote:
Originally Posted by Noway2
Just drop the output for port 25:
Code:
iptables -A OUTPUT -p tcp --dport 25 -j DROP
What do you mean by log and detect? If you have no SMTP servers, nothing will be sending out. If you keep port 25, and other submission ports, on your gateway output closed, then any zombie applications won't be able to spam out on those ports.
If you want to look to see if any applications are running that are listening on port 25 you can use netsat (as root: netstat -pane | grep 25)
i think OP means he does not filter any outbound connectivity, hence a wide open outbound pipe from any of those "VPN" segments. so if someone has a IP from one of those segments they could connect tcp-25 (or any port) to a external server. i think thats what he means, a tad confused when he mentions sendmail.
if the "server" is used as a gateway then i guess the allowed ports it provides needs to be defined. block all, allow few might be an ok approach. allow just src=VPN dst=tcp-443, tcp-80, udp-53. do the "VPN" clients need anything more than that (this says "no smtp for you")? if the server itself has sendmail then obviously it needs dst=tcp-25 and sendmail should be configured correctly to keep vpn'ers from using it.
Last edited by Linux_Kidd; 10-25-2011 at 12:28 PM.
In this instance I understand the OP as meaning he/she provides a service for customers where for X $£ they effectively 'appear' to come from his IP. Typically used for a number of reasons - sometimes grey/nefarious, sometimes to avoid geographical restrictions, sometimes just for privacy of a kind. If my understanding of the OP's instance is incorrect then I sincerely apologise.
Correct.
Quote:
Originally Posted by Linux_Kidd
why would this "VPN" be able to send anything outbound? whats the purpose of this "VPN"? i will assume that "all of my outbound ports are open" is meant to mean "i do not filter any outbound destination udp or tcp ports".
Correct, not at the moment.
That was the issue, I was trying to block port 25 but only for the VPN network.
Then there were a few posts about just blocking outgoing port 25.
I have sendmail on the server sending emails out as necessary but I don't want a VPN user to be able to use the tunnel to send anything out form their client on port 25, 2525, or other.
So, I need to allow my legitimate emails out but drop any email spam by the client (this however blocks all their email clients too).
So, would it be best to block as follows:
iptables -A OUTPUT -p tcp --dport 25 -s 10.8.0.0/24 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -s 172.16.0.0/24 -j DROP
plus add other ports
I guess I cannot use 127.0.0.1 because when a user is connected via VPN, they will be in the network?
I guess I cannot use 127.0.0.1 because when a user is connected via VPN, they will be in the network?
127.0.0.1 is a non route-able address that designates the loopback address on the NIC card itself. As long as you are not giving your users the IP address of the server, you should be able to allow this address without problem. Ideally, you should be giving them a designated block of addresses in their own subnet.
In actuality, the more I think about your situation, the more I wonder if you wouldn't be best served by using a filtering proxy on the gateway for your users. This would restrict them to use of http and https traffic, as well as any others you chose to allow, such as ftp. As I said, ideally you will be giving them a designated block of addresses that is reserved for this purpose. You should then separate YOUR personal and business systems from this block, at least logically.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.