LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-01-2004, 08:08 PM   #1
scorbett (Member; Registered: May 2002; Location: Canada; Distribution: Slackware, Mandriva, RedHat; Posts: 46)
Egress filtering


I do egress filtering on my server to minimize the damage that could occur if somebody somehow manages to root the box. I guess my thinking is like this: say somebody gets in with user-level access... with egress filtering in place, they wouldn't be able to use my box to DoS any other box. The only allowed outbound port is SMTP.

Every now and then I see a bunch of log messages relating to some traffic that got blocked trying to go out a high numbered port. Something like this:

Quote:
From (my server's IP) - 21 packets
To xxx.xxx.xxx.xxx - 9 packets
Service: 17101 (tcp/17101) (IPT OUT_FIREWALL:,none,eth0) - 9 packets
To xxx.xxx.xxx.xxx - 1 packet
Service: 1710 (tcp/1710) (IPT OUT_FIREWALL:,none,eth0) - 1 packet
To xxx.xxx.xxx.xxx - 10 packets
Service: 33404 (tcp/33404) (IPT OUT_FIREWALL:,none,eth0) - 5 packets
Service: 33406 (tcp/33406) (IPT OUT_FIREWALL:,none,eth0) - 5 packets
To xxx.xxx.xxx.xxx - 1 packet
Service: 18851 (tcp/18851) (IPT OUT_FIREWALL:,none,eth0) - 1 packet
This makes me nervous! Why is my server trying to send outbound packets on these high-numbered ports? The only server software I'm running is Postfix for mail and Apache for http traffic. IPTables is good enough to tell me that the outgoing traffic was blocked, but doesn't tell me what piece of software was trying to send the data. Some days it doesn't happen at all, other days hundreds of packets will be blocked. Should I be worried? What could be causing this?

My other question is more general... is egress filtering worth the effort? Does anybody else out there do it? Does it increase my security tangibly? I mean, if somebody roots the box, the first thing they'd do is disable iptables so is my egress filtering scheme really doing any good?
 
Old 11-01-2004, 08:57 PM   #2
macburton (LQ Newbie; Registered: Oct 2004; Posts: 14)
Once your box is infected with a rootkit it is owned by the devil. What if the trojaned iptables/netfilter software logs messages about traffic being blocked but still passes the traffic along? The hacker becomes the master of your box after installing the rootkit. He does not become god though; you still own the power switch. Try to look at intrusion detection systems if you really want to be sure.
 
Old 11-03-2004, 11:15 AM   #3
chort (Senior Member; Registered: Jul 2003; Location: Silicon Valley, USA; Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5; Posts: 3,660)
Well, it's sort of difficult to tell without having both the source and destination port. I do use egress filtering myself, just in case one of my boxen ever gets compromised it won't be able to send spoofed packets for a DDoS, to conceal scanning, etc. Also, in the unlikely case where someone did manage to associate with my W/LAN, they wouldn't be able to send out spoofed traffic either.

Oh, I suppose I could point out that you could have even more strict egress filtering, such as restricting outbound connections to only use the ports and destination addresses that are valid for your usage. You could restrict outbound SMTP connections to only go to your ISP's SMTP server, for instance. That would almost completely prevent a spambot from ever being able to use your box if it compromised any account other than root. I'm sure you could think of other interesting scenarios.

Last edited by chort; 11-03-2004 at 11:17 AM.
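The ruleset scorbett describes in post #1 (outbound SMTP only, everything else logged and dropped) and the tighter version chort suggests in post #3 (SMTP only to the ISP's relay, and only from the mail software) fit in a few iptables rules. The script below is an added example written for this page, not a ruleset posted by either of them. It emits the rules as text so they can be read before being loaded, and adds a small helper for the log lines, because the LOG target's --log-uid option records the UID of the process that generated the packet, which is the closest iptables gets to answering "what piece of software was trying to send the data". Everything specific in it is assumed, not taken from the thread: the relay 192.0.2.25, the resolver 192.0.2.53, Postfix running as user "postfix", DNS being needed to reach the relay, and a kernel/iptables new enough for -m conntrack and --log-uid (the 2004-era spelling was -m state --state). The sample log line is constructed in the format the LOG target writes.

```shell
#!/bin/sh
# Added example, not the poster's or chort's actual ruleset: a strict IPv4
# egress policy of the kind discussed in this thread, emitted as iptables
# commands so it can be reviewed before it is loaded, plus a helper that pulls
# the useful fields out of the resulting kernel log lines.
# Assumptions (not from the thread): ISP relay 192.0.2.25, resolver 192.0.2.53,
# Postfix runs as user "postfix", and iptables supports -m conntrack and
# LOG --log-uid. Run with no arguments to print the rules; run "apply" as root
# to load them.

egress_rules() {
    relay="$1"      # the only host new SMTP connections may go to
    resolver="$2"   # the only host DNS queries may go to
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
# Replies belonging to connections already accepted inbound (Apache, SMTP, ssh).
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New outbound SMTP: only from the postfix user, only to the relay.
iptables -A OUTPUT -p tcp --dport 25 -d $relay -m owner --uid-owner postfix -m conntrack --ctstate NEW -j ACCEPT
# DNS so Postfix can resolve the relay (assumed to be required).
iptables -A OUTPUT -p udp --dport 53 -d $resolver -j ACCEPT
# Everything else: log it with the UID of the sending process, then drop it.
iptables -A OUTPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "OUT_FIREWALL: " --log-uid
iptables -A OUTPUT -j DROP
EOF
}

# Pull destination, destination port and UID out of one kernel log line written
# by the LOG rule above; the UID is what "ps -u <uid>" needs to find the program.
log_fields() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^(DST|DPT|UID)=' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample line in the format the LOG target writes (not a real log).
SAMPLE='Nov  1 20:08:00 host kernel: OUT_FIREWALL: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40123 DPT=17101 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1001 GID=1001'

case "${1:-}" in
    apply) egress_rules "${RELAY:-192.0.2.25}" "${RESOLVER:-192.0.2.53}" | sh -e ;;
    *)     egress_rules "${RELAY:-192.0.2.25}" "${RESOLVER:-192.0.2.53}"
           echo "# fields from sample log line: $(log_fields "$SAMPLE")" ;;
esac
```

The -m owner match only works in the OUTPUT chain, which is exactly where it is wanted here: a process running as the web server's user cannot open a port 25 connection even to the permitted relay, so the chort-style "spambot that got a non-root account" case is covered as well as the DDoS case. The ESTABLISHED,RELATED rule is what keeps an existing ssh session alive when the policy is applied remotely. Once the rules are in place, a blocked attempt shows up as a kernel line carrying a UID, and `ps -u <uid>` at the time of the log entry narrows it to a program; that is a UID, not a PID, so it identifies the account rather than the exact process. None of this helps after a root compromise, for the reason macburton gives, but it raises the bar for everything short of one.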