Linux - General: This Linux forum is for general Linux questions and discussion. If it is Linux related and doesn't seem to fit in any other forum, then this is the place.
Distribution: RPM Distros,Mostly Mandrake Forks;Drake Tools/Utilities all the way!GO MAGEIA!!!
Posts: 986
How does a FireWall determine the type of attack?
I would like to see the code of the packets that my firewall blocks and wondered how FireStarter, or the like, determines what type of service the attack was. Is it just based on what ports they target, or is there more?
Thanks for your expertise!
So it's just the port they are using? If they target port 22, it HAS to be a SSH attack?
Possible, or more likely a random port scan looking for a system with a vulnerable port. Random port scans are a fact of life on the internet and have been for years. Bad guys are always looking for easy marks.
If you are getting lots of them, you could install Fail2Ban.
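An added example, not from the thread, of what the reply above means by "random port scan": Firestarter is a front-end for iptables, and the iptables LOG target records only packet headers (SRC, DST, PROTO, SPT, DPT, TCP flags), never the payload. The script below parses constructed lines in that LOG format, labels each destination port with a service name from an assumed subset of /etc/services, and then tells a scanner (one source hitting many ports) apart from repeated attempts on one service. The log prefix "fw-drop:", the IP addresses and the 5-port scan threshold are all assumptions.

```python
"""Classify packets a host firewall dropped, using only what the firewall sees.

Added example for this thread, not part of any post.  A firewall LOG line
carries headers only, so the "service" label a front-end attaches to a
blocked packet is nothing more than a lookup of the destination port.
"""
import re
from collections import defaultdict

# Assumed subset of /etc/services (proto, port) -> name; a real tool reads that file.
SERVICES = {
    ("tcp", 21): "ftp",
    ("tcp", 22): "ssh",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("tcp", 445): "microsoft-ds",
    ("tcp", 3389): "ms-wbt-server",
    ("udp", 53): "domain",
}

# Constructed sample lines in iptables LOG format (abbreviated; not real traffic).
SAMPLE_LOG = """\
Oct 16 10:41:02 gw kernel: fw-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=4242 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 16 10:41:06 gw kernel: fw-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=4243 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 16 10:41:12 gw kernel: fw-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=4244 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 16 10:43:00 gw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=44 ID=1 PROTO=TCP SPT=55000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 10:43:00 gw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=44 ID=2 PROTO=TCP SPT=55000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 10:43:00 gw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=44 ID=3 PROTO=TCP SPT=55000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 10:43:01 gw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=44 ID=4 PROTO=TCP SPT=55000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 10:43:01 gw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=44 ID=5 PROTO=TCP SPT=55000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 10:43:01 gw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=44 ID=6 PROTO=TCP SPT=55000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 10:43:02 gw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=44 ID=7 PROTO=TCP SPT=55000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 10:45:10 gw kernel: fw-drop: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 TTL=60 ID=777 DF PROTO=TCP SPT=40001 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 16 10:45:11 gw kernel: fw-drop: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TTL=60 ID=778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# KEY=value pairs as iptables LOG writes them; flags like SYN/DF are bare tokens.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return {src, dst, proto, dport, syn} for an iptables LOG line, else None."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # not a firewall log line
    dport = int(fields["DPT"]) if fields.get("DPT") else None  # ICMP has no port
    return {
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields["PROTO"].lower(),
        "dport": dport,
        "syn": bool(re.search(r"\bSYN\b", line)),  # a SYN is a connection attempt
    }


def service_name(proto, port):
    """The 'service' label is only a port lookup; unknown ports stay numeric."""
    return SERVICES.get((proto, port), f"{proto}/{port}")


def classify_sources(log_text, scan_threshold=5):
    """Group dropped packets per source and call it a scan above scan_threshold ports."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None or pkt["dport"] is None:
            continue
        entry = per_src[pkt["src"]]
        entry["hits"] += 1
        entry["ports"].add((pkt["proto"], pkt["dport"]))
    report = {}
    for src, entry in per_src.items():
        ports = sorted(entry["ports"])
        if len(ports) >= scan_threshold:
            verdict = f"port scan across {len(ports)} ports"
        else:
            names = ", ".join(service_name(p, d) for p, d in ports)
            verdict = f"{entry['hits']} attempt(s) on {names}"
        report[src] = {"hits": entry["hits"], "ports": ports, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['verdict']}")
```

The sample run labels 203.0.113.7 as three attempts on ssh, 198.51.100.23 as a port scan across 7 ports, and 192.0.2.99 as one attempt on tcp/8080, which is all a firewall log can support: the label "ssh" says nothing about what the sender intended to send once connected.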
Original Poster
I tried to get information on a phishing attack and investigated a few other attacks that FireStarter had blocked. They were from a French server, the equivalent of 'Go Daddy' or something. I could not get an IP address on them, just a domain name, and I could notify the administrator (the hacker) of malicious acts by their server, LOL. I suspect that France has weak hacking laws, so the hackers tend to have proxy servers in that country.
Thank you for the link on Fail2ban. I will have some fun with it.
Last edited by theKbStockpiler; 10-16-2017 at 10:41 AM.
Reason: learning to spell
So it's just the port they are using? If they target port 22, it HAS to be a SSH attack?
Not necessarily. I see all kinds of HTTP-based attacks on ports running SSH. Some crackers just throw everything at the wall and then see what sticks. Check your logs, to see the failed attempts. Depending on your distro you may find the relevant data in /var/log/auth if you have an SSH server running.
My guess is that they build inventory lists so they know where to hit when a vulnerability becomes known.
As for automated blocking, fail2ban has the name recognition but I would say to also check sshguard. Despite the name it covers about the same use-cases as fail2ban but has several advantages over it including IPv6 support. Compare the two and then make a choice as to which one is the best fit for your case, if automated blocking is your thing.
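An added example, not from the thread, of the log check and the automated blocking the reply above recommends: it reads constructed sshd lines in the syslog format found in auth.log, counts per source address the events that fail2ban's sshd filter also counts ("Failed password", "Invalid user"; the "Bad protocol version identification" line is OpenSSH's record of someone sending HTTP to the SSH port, counted here by my own choice), and applies fail2ban's maxretry/findtime idea as a sliding window. The year is assumed because traditional syslog timestamps carry none; host name, addresses and the thresholds are assumptions too.

```python
"""Count sshd authentication failures per source with a findtime window.

Added example for this thread, not fail2ban's or sshguard's code.  It shows
what the logs hold once you look past the firewall, and why a slow scanner
that spaces its attempts wider than findtime never gets banned.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2017  # syslog timestamps carry no year; assumed for the sample

# sshd messages that count as a failed attempt (a subset of fail2ban's sshd filter;
# the last one is OpenSSH's message when an HTTP request arrives on the SSH port).
FAIL_PATTERNS = [
    re.compile(r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"Invalid user (?:\S+ )?from (?P<ip>\S+) port \d+"),
    re.compile(r"Bad protocol version identification .* from (?P<ip>\S+) port \d+"),
]
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample auth.log lines (not real traffic).
SAMPLE_AUTH_LOG = """\
Oct 16 10:00:00 gw sshd[1101]: Invalid user oracle from 198.51.100.23 port 40000
Oct 16 10:15:00 gw sshd[1110]: Invalid user postgres from 198.51.100.23 port 40001
Oct 16 10:30:00 gw sshd[1120]: Invalid user admin from 198.51.100.23 port 40002
Oct 16 10:41:02 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 16 10:41:09 gw sshd[1236]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct 16 10:41:09 gw sshd[1240]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2: ED25519 SHA256:constructed
Oct 16 10:41:15 gw sshd[1238]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 16 10:41:22 gw sshd[1241]: Failed password for invalid user pi from 203.0.113.7 port 51237 ssh2
Oct 16 10:41:30 gw sshd[1243]: Failed password for root from 203.0.113.7 port 51238 ssh2
Oct 16 10:42:00 gw sshd[1250]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.50 port 44444
Oct 16 10:42:03 gw sshd[1251]: Bad protocol version identification 'GET /cgi-bin/ HTTP/1.1' from 203.0.113.50 port 44445
Oct 16 10:45:00 gw sshd[1260]: Invalid user test from 198.51.100.23 port 40003
Oct 16 10:50:00 gw sshd[1301]: Failed password for root from 2001:db8::1 port 4000 ssh2
Oct 16 10:50:05 gw sshd[1302]: Failed password for root from 2001:db8::1 port 4001 ssh2
Oct 16 10:50:10 gw sshd[1303]: Failed password for root from 2001:db8::1 port 4002 ssh2
Oct 16 10:50:15 gw sshd[1304]: Failed password for root from 2001:db8::1 port 4003 ssh2
Oct 16 10:50:20 gw sshd[1305]: Failed password for root from 2001:db8::1 port 4004 ssh2
Oct 16 11:00:00 gw sshd[1400]: Invalid user git from 198.51.100.23 port 40004
"""


def parse_event(line):
    """Return (timestamp, source_ip) for a line that counts as a failure, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    for pat in FAIL_PATTERNS:
        f = pat.search(m.group("msg"))
        if f:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, f.group("ip")
    return None  # successful logins and unrelated messages are not counted


def find_bans(log_text, maxretry=5, findtime=600):
    """Sliding-window counting like fail2ban's maxretry within findtime seconds.

    Returns {ip: time_of_ban}.  Events after a ban are ignored, as they would
    be once the firewall rule is in place.  IPv6 sources are handled the same
    way as IPv4, since the address is just the token between 'from' and 'port'.
    """
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip = ev
        if ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # older than findtime: no longer counts
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults, 203.0.113.7 and 2001:db8::1 reach five failures inside the window and get banned; 198.51.100.23 also fails five times but spaced fifteen minutes apart, so its window never holds more than one event, which is the standard way a patient scanner slips past this kind of counter. Lowering maxretry catches the two HTTP-on-port-22 probes from 203.0.113.50 as well.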
A firewall is stupid. It sees an incoming packet and decides what to do with it. That's it. It does not look at the content of the packets.
Requests to connect to a TCP/IP service will always reference a "well-known port." So, if it's port #22, you know what the outsider must be trying to connect to.
If you want to actually protect your system, use OpenVPN with the tls-auth feature and one-of-a-kind digital certificates. Cause all other services to "listen" only to the virtual network adapter that represents an OpenVPN-connected client, and use firewalls to prevent direct access to-or-from the outside world.
When you do this, you create a secret(!) door that can only be discovered, let alone entered, by someone bearing the proper non-revoked credentials. All of the traffic passing in or out is securely encrypted, even though the users do not perceive the presence of encryption at all and need take no further special precautions. (The remote system simply appears to be "part of the local network.") The server and each client can securely identify each other, so you are certain who it is you're talking to.
There are no "open ports" to be scanned, and the presence of the OpenVPN server cannot be detected. (Some routers are capable of supporting OpenVPN "in the box.")
So if you like the sound of "number of unauthorized access attempts: Zero", this is the technology for you.
Last edited by sundialsvcs; 10-18-2017 at 09:06 AM.
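The layout sundialsvcs describes, as an added configuration example that is not from the thread: an OpenVPN server fragment using tls-auth, per-client certificates and a revocation list; sshd bound to the tunnel address only; and an iptables ruleset (iptables-save format) that accepts nothing on the public interface except the OpenVPN port. Interface names eth0 and tun0, the 10.8.0.0/24 subnet, file paths and the Debian-style nobody/nogroup account are assumptions.

```conf
# --- /etc/openvpn/server.conf (fragment; paths and subnet assumed) ---
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# Static HMAC key shared with every client: a packet that fails the HMAC check
# is dropped before any TLS handshake, so a port scanner gets no reply at all.
tls-auth /etc/openvpn/ta.key 0
# Require the client certificate to carry the TLS client extended key usage.
remote-cert-tls client
# Revocation list: a lost laptop's certificate is cut off without re-keying everyone.
crl-verify /etc/openvpn/crl.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# --- /etc/ssh/sshd_config (fragment) ---
# Listen only on the VPN side of the server; nothing answers on the public address.
ListenAddress 10.8.0.1
PasswordAuthentication no

# --- iptables-save format, e.g. /etc/iptables/rules.v4 (path assumed) ---
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only hole on the public interface is the OpenVPN port.
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
# Services are reachable solely through the tunnel.
-A INPUT -i tun0 -p tcp --dport 22 -j ACCEPT
# Log what gets dropped; these are the lines a front-end like Firestarter displays.
-A INPUT -i eth0 -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
```

Two caveats a practitioner will hit: sshd cannot bind 10.8.0.1 until tun0 exists, so start it after OpenVPN or set net.ipv4.ip_nonlocal_bind=1; and the "no open ports" property depends on proto udp plus tls-auth, since an OpenVPN server in TCP mode still completes the TCP handshake and is therefore visible to a scan. OpenVPN 2.4 and later also offer tls-crypt, which encrypts the control channel in addition to authenticating it.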
Original Poster
Thanks for all of the great advice. I'm working on Fail2ban right now just for the experience and plan on moving to OpenVPN as well.
I tried doing a web search on "How data gets back to a hacker with a spoofed address" and, besides a go-between, it does not seem possible, but then some suggest that it is possible.
Are the attacks a 'One Shot thing' with the hackers IP in the packet if my O.S gets infected?
Thanks for your expertise!
Last edited by theKbStockpiler; 10-18-2017 at 04:07 PM.
Are the attacks a 'One Shot thing' with the hackers IP in the packet if my O.S gets infected?
Remember: "a digital computer is a machine, not a biological organism." Therefore, it cannot "get infected." (In spite of the advertising campaigns that refer to malicious software as "viruses.")
You can "catch a cold" if you walk into an elevator in which someone else with a cold just sneezed, and if your immune system does not successfully fight it off. But a digital computer is just not like that. It runs programming, that's it, that's all. Unfortunately, it might "run programming" that you didn't know had been introduced to it, and this "programming" might have malicious intent. But there are relatively simple and effective ways to prevent that.
Remember also that most computer exploits are simply "crimes of opportunity." Robots throw attempts at tens-of-thousands of IP addresses. They don't "know you," nor do they care about you, nor have they singled you out. They're basically looking for "doors that are unlocked," owned by users who aren't paying the slightest bit of attention.