LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-29-2005, 04:37 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Rep: Reputation: 58
Disconnect An Established Connection


I RECENTLY RAN NETSTAT -PANTU AT A FRIEND OF MINES PC AT HOME. IT SHOW A ESTABLISHED CONNECTIONS ON A PORT THAT LOOKED SUSPICIOUS. IT TURNS OUT THAT IT WAS A BACK DOOR PROGRAM. IN LINUX, HOW WOULD I MANUALLY DISCONNECT AN ALREADY ESTABLISHED CONNECTIONS?
 
Old 08-29-2005, 10:16 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You could kill the listening process using the PID number you got from the netstat output. If your friend has a backdoor installed on his system, then he'll need to do alot more than kill the individual connection if he wants his system to be considered even remotely secure. A full wipe and re-installation from trusted media is the only solution for a security breach of that magnitude. Also if you/he plan on doing any forensic analysis of the system, then killing the connection is going to be an immediate tipoff that the compromise has been detected. You're better off either immediately pulling the network cable or trying to sniff/intercept the connection.

Btw, please don't post in all caps as it is annoying to read.

Last edited by Capt_Caveman; 08-29-2005 at 10:17 PM.
 
Old 08-30-2005, 12:05 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
I guess if I keep annoying Captain Caveman then I will never get a response from you ever. I will be more diligent and pay alot more attention to my grammitical edicate. Now back to the question. Can you please give me an example of killing the pid (syntax)
 
Old 08-30-2005, 12:58 PM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Using this sample line from netstat -pantu on my machine:
Code:
tcp        0      0 131.XX.155.XX:41786     64.233.187.99:80        ESTABLISHED 9650/firefox-bin
At the end where you see 9650/firefox-bin, 9650 is the PID. So you can kill the process from the console with 'kill 9650'.
 
Old 08-30-2005, 04:26 PM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
Matir you are the man and thanks to mr caveman for his input as well. This is a stupid question but I am going to throw this out there. My question is as such:

1 - A good set of standard security measures would be iptables rules, snort (IDS), tripwire, syslogger and etc.. to prevent most want to be hackers out of your system. Would this be feasable. I would like to create a script that would run every couple of minutes (3 min)and check for establish connections to your system using netstat and I would set up a criteria saying that if your not this certain IP (allowing only certain IP from the outside world) to disconnect you by sending the output of the script to kill the pid using the netstat command. The reason I would use this would be if all of the other security items failed then my script would definately kick them off and or just modify my script to put any IP that is not valid or allowed from the oustide in to add that to my iptables block rule or put it in my host/deny.

give me some feedback thanks.

Last edited by metallica1973; 08-30-2005 at 04:28 PM.
 
Old 08-30-2005, 09:33 PM   #6
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Why don't you just use a firewall to only allow certain connections?
 
Old 08-31-2005, 04:49 PM   #7
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
If all else failed(firewall, ids and etc..)I could use netstat to see the established connection. Basically it works like such:

every 3 min my script checks for established connections, if there is a connection that is established while I am on the system then boom disconnects that intruder and adds them to my block rule in IPTABLES. Like you were saying under IPTABLES I would only allow a certain IP address (from work)to my system at home. My system should one have one connection comming from the outside in and that is just me at work looking at my system. If I am at home and I my scripts sees another established connection other then the one I specify them it would flag and add the rogue IP to the IPTABLES - Block rule and this would be an extra added step of security. thanks
 
Old 08-31-2005, 05:00 PM   #8
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
And a simple:
Code:
iptables -A INPUT -j ACCEPT -p tcp --dport 22 -s IP.AT.WO.RK
iptables -A INPUT -j DROP -p tcp --dport 22
Would not achieve the same?
 
Old 08-31-2005, 05:53 PM   #9
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
Matir,

you are the man. true but what happens if a cracker gets past the firewall?
 
Old 08-31-2005, 07:50 PM   #10
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
In this case... if he (somehow) gets around the firewall, the only way would require a source IP being one of the ones allowed by the firewall... and thus the connection would show as coming from there.
 
Old 08-31-2005, 08:13 PM   #11
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
Matir,

Many thanks to all of your responses. I have much respect!
 
Old 08-31-2005, 09:15 PM   #12
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
No problem. Just trying to help where I can.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Time out in Connection established state if no Data flows on that connection asurya Linux - Networking 2 04-10-2005 03:54 PM
Time out in Connection established state asurya Linux - Newbie 1 04-10-2005 03:48 PM
How to reset established connection? G-Fox Linux - Networking 4 10-02-2003 02:53 PM
Will select fail if connection couldn't be established? ruchika Linux - Software 0 09-10-2003 11:39 AM
problems with established connection nbc Linux - Newbie 1 08-16-2001 01:11 AM


All times are GMT -5. The time now is 11:30 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration