LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-21-2004, 03:12 AM   #1
knutove1728
Member
 
Registered: Oct 2004
Location: Norway
Distribution: Redhat FC2
Posts: 44

Rep: Reputation: 15
Hacked or not?


3 weeks after fresh install of Redhat Fedora core 2 things started to happened. First I couldn't get into the setup of my broadband router connected to the internet using http://<ip-address of the router> in the browser address field. I had to replace the router with a new one. Then after a while I should for some reason restart the iptables service I got an error in line 26 in the iptables script. The COMMIT line. I had to comment out the COMMIT line and the error disappeared. I cant quote the file because somehow I lost it. I was after applying a new firewall script called iptables and thought I saved the original. I'm afraid I'm not quite familiar with iptables since in my old RH7.2 distro used ipchains and never had any problems or suspect being hacked. Anyway here is my new iptables script.

#!/bin/bash
IPTABLES="/sbin/iptables"
# Load required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE

# Then flush all rules
/sbin/iptables -F
/sbin/iptables -t nat -F

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE





/sbin/iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s ! 192.168.0.0/24 -j DROP

# Disallow NEW and INVALID incoming or forwarded packets from eth0.
/sbin/iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

# port 113 is evil
/sbin/iptables -A INPUT --protocol udp --source-port 113 -j DROP
/sbin/iptables -A INPUT --protocol udp --destination-port 113 -j DROP

/sbin/iptables -A INPUT --protocol tcp --source-port 25 -j ACCEPT
/sbin/iptables -A INPUT --protocol tcp --source-port 80 -j ACCEPT
#/sbin/iptables -A INPUT --protocol udp --destination-port 25 -j ACCEPT
/sbin/iptables -A INPUT --protocol tcp --source-port 111 -j DROP
/sbin/iptables -A INPUT --protocol tcp --source-port 139 -j DROP
/sbin/iptables -A INPUT --protocol udp --source-port 138 -j DROP
/sbin/iptables -A INPUT --protocol udp --source-port 137 -j DROP


$IPTABLES -A INPUT -i lo -j ACCEPT

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A badflags -j DROP
#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall


$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -j dropwall
#Accept my 2 lan windozes
$IPTABLES -A INPUT -s 192.168.0.4 -d 0/0 -p all -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.3 -d 0/0 -p all -j ACCEPT


/etc/rc.d/init.d/iptables restart

/sbin/iptables-save > /etc/sysconfig/iptables
#********************END OF SCRIPT***********
I found the script on google and edited a little. As I said I'm a newbie to this.
Ok. First trouble. The last line save command doesn't save this roules in /etc/sysconfig/iptables
I pico it and get nothing in the file.

But when I ran the script I get no errors and iptables use the rules. It prints out OK to this. It put rules to ACCEPT: filter,nat [OK]
I cant quote these outputs because it's printed in norwegian.

Second trouble:
When I type /sbin/iptables -nvL filer I get this:

[root@ove root]# /sbin/iptables -nvL filter
iptables: Table does not exist (do you need to insmod?)
[root@ove root]#

And I don't understand this because the nessessary modules for iptables is loaded. And it says table does not exist meaning in my opinion I don't have no protection at all. Or I'm I wrong?
I get the same answer with -nvL nat
Before all the trouble I could check both filter status ant nat typing this commands. So I'm really worried if I've been hacked or is it only a bug in FC2.

In my old rh7.2 I could type rpm -V kernel to see if the kernel was changed (MD5 as an answer)
but here the same command shows nothing. No dots as in rh7.2 which tells me it's all ok.
I'm really worried about what happened to my system and need help to solve this.
 
Old 11-21-2004, 03:32 AM   #2
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475Reputation: 475Reputation: 475Reputation: 475Reputation: 475
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 11-21-2004, 10:46 AM   #3
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,334

Rep: Reputation: 547Reputation: 547Reputation: 547Reputation: 547Reputation: 547Reputation: 547
"I'm really worried about what happened to my system and need help to solve this."

Here are two links which might help you:

http://www.devx.com/security/Article/22442

http://wiki.linuxquestions.org/wiki/Security


--------------------------------------
Steve Stites
 
Old 11-21-2004, 09:04 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try specifying the table using the -t option, like this:

iptables -t filter -nVL
-and-
iptables -t nat -nvL

------
With the rpm verify command (rpm -V package), if the package doesn't fail any verifications then there will be no output, it will just return a fresh command line (no dots).

---
With regards to the iptables script, move the iptables-save before the iptables restart. I believe that they way your doing it flushes the rules you just loaded, restarts iptables and then loads the old rules. Also might help to add a debugging message in the script to make sure that it doesn't fail out somewhere.

------
In general though, it doesn't sound like you've been hacked. Just sounds like you're adjusting to the quirks of a new system.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Have I been hacked? Please help linuxboy69 Linux - Security 11 09-07-2005 07:20 AM
Hacked? mikeshn Linux - Security 2 03-12-2004 01:57 PM
Help! Have I been hacked? Tenover Linux - Security 1 11-19-2003 03:24 PM
Did we just get hacked? vous Linux - Security 4 11-17-2003 08:11 AM
am i being hacked? tearinox Linux - Security 5 11-13-2003 06:00 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:31 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration