Linux - Security forum, LinuxQuestions.org
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I RECENTLY RAN NETSTAT -PANTU ON A FRIEND OF MINE'S PC AT HOME. IT SHOWED AN ESTABLISHED CONNECTION ON A PORT THAT LOOKED SUSPICIOUS. IT TURNS OUT THAT IT WAS A BACK DOOR PROGRAM. IN LINUX, HOW WOULD I MANUALLY DISCONNECT AN ALREADY ESTABLISHED CONNECTION?
You could kill the listening process using the PID number you got from the netstat output. If your friend has a backdoor installed on his system, then he'll need to do a lot more than kill the individual connection if he wants his system to be considered even remotely secure. A full wipe and re-installation from trusted media is the only solution for a security breach of that magnitude. Also, if you/he plan on doing any forensic analysis of the system, then killing the connection is going to be an immediate tip-off that the compromise has been detected. You're better off either immediately pulling the network cable or trying to sniff/intercept the connection.
Btw, please don't post in all caps as it is annoying to read.
Last edited by Capt_Caveman; 08-29-2005 at 10:17 PM.
I guess if I keep annoying Captain Caveman then I will never get a response from you ever. I will be more diligent and pay a lot more attention to my grammatical etiquette. Now back to the question. Can you please give me an example of killing the PID (syntax)?
Matir, you are the man, and thanks to Mr. Caveman for his input as well. This is a stupid question, but I am going to throw this out there. My question is as such:
1 - A good set of standard security measures would be iptables rules, snort (IDS), tripwire, syslogger, etc. to keep most wannabe hackers out of your system. Would this be feasible? I would like to create a script that would run every couple of minutes (3 min) and check for established connections to your system using netstat, and I would set up a criterion saying that if you're not this certain IP (allowing only certain IPs from the outside world), it disconnects you by sending the output of the script to kill the PID using the netstat command. The reason I would use this would be that if all of the other security items failed, then my script would definitely kick them off, and/or I could just modify my script to put any IP that is not valid or allowed from the outside in into my iptables block rule or put it in my host/deny.
Give me some feedback. Thanks.
Last edited by metallica1973; 08-30-2005 at 04:28 PM.
If all else failed (firewall, IDS, etc.) I could use netstat to see the established connection. Basically it works like such:
Every 3 min my script checks for established connections. If there is a connection that is established while I am on the system, then boom, it disconnects that intruder and adds them to my block rule in IPTABLES. Like you were saying, under IPTABLES I would only allow a certain IP address (from work) to my system at home. My system should only have one connection coming from the outside in, and that is just me at work looking at my system. If I am at home and my script sees another established connection other than the one I specify, then it would flag and add the rogue IP to the IPTABLES block rule, and this would be an extra added step of security. Thanks
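A script of the kind described in the last two posts (which also shows the `kill` syntax asked for earlier), as an added example that is not part of the thread: it parses `netstat -pantu` output for ESTABLISHED TCP connections, compares the remote address with an allowlist, and for anything else inserts an iptables DROP rule and kills the process holding the socket. The allowed work IP, the sample netstat output and the process names in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the ESTABLISHED TCP
# connections in `netstat -pantu` output against an allowlist and, for
# every other peer, inserts an iptables DROP rule and kills the owning
# process. Dry-run (prints the commands) unless DRY_RUN=0.
ALLOWED_IPS="203.0.113.10"    # constructed: the one remote (work) IP allowed in
DRY_RUN=${DRY_RUN:-1}

# Constructed sample of `netstat -pantu` output, used when testing offline.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN      812/sshd
tcp        0      0 192.168.1.5:22    203.0.113.10:51234  ESTABLISHED 1400/sshd: bob
tcp        0      0 192.168.1.5:6000  198.51.100.7:40000  ESTABLISHED 2201/unknown
udp        0      0 0.0.0.0:68        0.0.0.0:*                       733/dhclient'

# stdin: netstat output; stdout: "remote_ip pid" for each ESTABLISHED TCP line
established_peers() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        split($5, addr, ":"); split($7, proc, "/"); print addr[1], proc[1] }'
}

# stdin: "remote_ip pid" lines; stdout: only the peers not on the allowlist
rogue_peers() {
    allowed=" $ALLOWED_IPS "
    while read -r ip pid; do
        case "$ip" in 127.*) continue ;; esac            # ignore loopback
        case "$allowed" in *" $ip "*) continue ;; esac   # ignore allowed IPs
        echo "$ip $pid"
    done
}

# Block the peer's source address and kill the process holding the socket.
block_peer() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I INPUT -s $1 -j DROP; kill $2"
    else
        iptables -I INPUT -s "$1" -j DROP
        if [ "$2" != "-" ]; then kill "$2"; fi   # netstat prints "-" if PID unknown
    fi
}

# One check over a string of netstat output.
check_netstat() {
    printf '%s\n' "$1" | established_peers | rogue_peers | while read -r ip pid; do
        block_peer "$ip" "$pid"
    done
}

# Live use from cron every 3 minutes, as root: sh thisscript.sh --run
if [ "${1:-}" = "--run" ]; then check_netstat "$(netstat -pantu 2>/dev/null)"; fi
```

As written it also flags connections this machine opened itself (an outgoing ssh or web session), so before setting DRY_RUN=0 restrict it to the local ports your own services listen on. It also cannot tell a legitimate work login from someone else connecting through that same allowed address.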
In this case... if he (somehow) gets around the firewall, the only way would require a source IP being one of the ones allowed by the firewall... and thus the connection would show as coming from there.