Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-20-2007, 10:33 PM, #1
Member
Registered: Dec 2006
Posts: 606
Iptables Problem
Hello all expert Linux security administrators,
I have a noob question about iptables rules.
How do I track the three-way handshake and drop any new connection?
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
What do these two rules mean?
I also want to block any unset SYN and ACK TCP flags.
I am totally a newbie in networking and Linux.
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
DROP 0 -- anywhere anywhere state NEW ctstate NEW
DROP 0 -- anywhere anywhere state NEW
DROP 0 -f anywhere anywhere
DROP 0 -- anywhere anywhere ctstate INVALID
ACCEPT 0 -- anywhere anywhere ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere
RH-Firewall-1-INPUT 0 -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:31337
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP 0 -- anywhere anywhere ctstate INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh recent: SET name: SSH side: source
DROP tcp -- anywhere anywhere tcp dpt:ssh recent: UPDATE seconds: 180 hit_count: 2 name: SSH side: source
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
These are all my rules. Are all these rules safe enough?
Thanks for your help.
Your help is greatly appreciated by me and others.
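What the two DROP rules in the listing match, as an added example that is not part of the thread: a Python model of the iptables --tcp-flags MASK COMP test, covering both the symbolic form shown above and the 0x17/0x02 hex form that appears in post #12. The SYN,ACK/NONE rule at the end is an assumed reading of "block unset SYN and ACK flags", not a rule from the thread.

```python
# Added example, not from the thread: a model of the iptables --tcp-flags
# MASK COMP test. A packet matches when (packet_flags & MASK) == COMP: of the
# flags in MASK exactly those in COMP are set, flags outside MASK are ignored.
# `iptables -L` shows the rule as FIN,SYN,RST,ACK/SYN, `iptables -L -n` as 0x17/0x02.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALIASES = {"ALL": 0x3F, "NONE": 0x00}       # keywords iptables also accepts

def flags_to_bits(spec):
    """'FIN,SYN,RST,ACK' -> 0x17, '0x17' -> 0x17, 'NONE' -> 0."""
    spec = spec.strip()
    if spec.lower().startswith("0x"):
        return int(spec, 16)
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name in ALIASES:
            bits |= ALIASES[name]
        elif name in TCP_FLAGS:
            bits |= TCP_FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag {name!r}")
    return bits

def parse_rule(rule):
    """'FIN,SYN,RST,ACK/SYN' or '0x17/0x02' -> (mask, comp)."""
    mask, comp = rule.split("/")
    return flags_to_bits(mask), flags_to_bits(comp)

def matches(rule, packet_flags):
    """True when a packet carrying `packet_flags` is matched by `rule`."""
    mask, comp = parse_rule(rule)
    return (flags_to_bits(packet_flags) & mask) == comp

def bits_to_names(bits):
    return ",".join(n for n, v in TCP_FLAGS.items() if bits & v) or "NONE"

if __name__ == "__main__":
    # Inbound packets as the INPUT chain sees them: the SYN that opens a
    # connection (handshake step 1), the ACK that completes it (step 3), etc.
    probes = ["SYN", "SYN,PSH", "SYN,ACK", "ACK", "RST", "RST,ACK", "FIN"]
    # SYN,ACK/NONE is an assumed reading of "block unset SYN and ACK flags".
    for rule in ("FIN,SYN,RST,ACK/SYN", "0x17/0x02", "0x17/0x04", "SYN,ACK/NONE"):
        mask, comp = parse_rule(rule)
        print(f"{rule}: of {bits_to_names(mask)}, exactly {bits_to_names(comp)} set")
        for flags in probes:
            print(f"    flags={flags:<8} match={matches(rule, flags)}")
```

The first rule therefore matches only packets that open a connection (SYN set, FIN/RST/ACK clear), the second only bare resets; because in the post #1 ruleset both sit above the ACCEPT ESTABLISHED rules, every inbound TCP connection attempt is dropped before the later dpt:ssh rules are reached.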
07-22-2007, 09:29 AM, #2
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
Nothing beats really understanding the fundamentals of iptables. I found this to be about the best there is for learning the basics:
http://iptables-tutorial.frozentux.n...-tutorial.html
You'll be able to answer your own questions, with a little effort, which when it comes to iptables is well worth it.
07-26-2007, 03:34 AM, #3
Member
Registered: Dec 2006
Posts: 606
Original Poster
Hello all, latest news from Peter_APIIT.
My system has been compromised. How I know the system has been compromised:
The iptables firewall rules have changed. My /etc/sysconfig/iptables-config has been deleted.
Moreover, my state shared object (state library) has also been deleted.
How can I block my ISP from hacking during network initialization? I realised my ISP always hacks during the initialization of the connection.
I just don't understand how he can remove the files and gain root access to my PC.
I have afick, Bastille, File Integrity Checker and AIDE installed.
I think I should beg for any help.
Please help me. No internet no life.
07-26-2007, 03:35 AM, #4
Member
Registered: Dec 2006
Posts: 606
Original Poster
I think I should format the PC, but how can I prevent this from happening next time?
Please help.
A serious issue.
07-26-2007, 05:00 AM, #5
Member
Registered: Dec 2006
Posts: 606
Original Poster
How can I restore to a previous stage without a fresh reinstall?
I have downloaded mkCDrec_v0.9.7.tar.gz
but I haven't backed up my system.
I will go crazy if this happens once again.
Please don't come to MaLay*. The Internet ISP (Tm***) pretty much sucks here.
07-26-2007, 08:24 AM, #6
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
Wow. I definitely would do a fresh install, with the computer NOT connected to the internet.
And afterward I would boot the machine fully also disconnected, then connect the line and start network services. I suspect there's more than just iptables at play here. To my knowledge iptables rules are initialized before the interface. In any event get yourself a solid set of rules in place before connecting.
This recent thread (below) has a good, simple rule set. You can comment out (or delete) the rules that deal with services you do not use:
http://www.linuxquestions.org/questi...d.php?t=569202
(the last post has a well refined rule set)
BTW, how do you connect? Dial-up? DSL? And what distribution are you using? Most distributions allow you to select which partitions will be formatted during install; you can leave the /home directory intact and not lose much of your personalizations (and all your documents should be in /home).
That tutorial I posted above really nailed the concepts for me. It's a lot of work, but well worth the peace of mind.
I have to admit I'm rather spoiled here; my home was one of the first on the planet to have residential broadband. We were randomly selected as a test market many years ago. But I do sympathize with your plight; no doubt government has their hands in this business where you are at. (They pretty much do everywhere, but in different ways.) Governments, for those who haven't been paying attention, are getting increasingly paranoid these days. They probably want to know what everybody is up to. I'd be interested in seeing the forensics of your "hacked" machine; deleting things from your machine is pretty extreme, a crime in my neck of the woods.
Anyway, best of luck, and be well,
cat
07-26-2007, 09:27 PM, #7
Member
Registered: Dec 2006
Posts: 606
Original Poster
This is the output of tcpdump: 06:23:41.294388 IP ns1.tm.net.my.domain > 192.168.1.34.32784: 13838- 0/13/0 (266)
where my ISP has already entered my PC.
07-26-2007, 09:30 PM, #8
Member
Registered: Dec 2006
Posts: 606
Original Poster
My connection type is DSL. I am using Fedora 7.
What is the difference between the conntrack and state modules? I have both rules but still cannot block them.
Thanks for your help.
07-27-2007, 12:37 AM, #9
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally Posted by Peter_APIIT
This is the output of tcpdump: 06:23:41.294388 IP ns1.tm.net.my.domain > 192.168.1.34.32784: 13838- 0/13/0 (266)
where my ISP has already entered my PC.
Given the hostname of that server (ns1.tm...) that's very likely to be a nameserver for DNS resolution (you can check using nslookup or dig). In the future, if you see strange traffic like that, you can see what application/PID is involved using netstat -pantu and look for that corresponding port.
Could you explain further why you think your system has been hacked? I haven't seen anything you've posted so far that is conclusive evidence. It is normal for there to be traffic between your network and your ISP. Things like DNS resolution and DHCP are fairly commonly seen packets. Regarding the iptables-config modification, I believe Mandriva still uses msec which (depending on your security level) does a regular system check that will make modifications to various system files, in particular it will rollback modifications it believes are insecure and it will reload the iptables ruleset from a preset config file.
Last edited by Capt_Caveman; 07-27-2007 at 12:38 AM.
07-27-2007, 12:47 AM, #10
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally Posted by Peter_APIIT
My connection type is DSL. I am using Fedora 7.
What is the difference between the conntrack and state modules? I have both rules but still cannot block them.
Thanks for your help.
Could you explain how you are trying to block them? If the traffic is indeed DNS hostname resolution, then it's likely going to be in the RELATED state. You're requesting a webpage or whatever and the system needs to resolve the hostname, hence it makes a DNS request and the reply from your ISP would be RELATED.
07-27-2007, 04:26 AM, #11
Member
Registered: Dec 2006
Posts: 606
Original Poster
The rules are in post 1.
This website only accepts ESTABLISHED, whereas I accept both RELATED,ESTABLISHED.
http://www.sns.ias.edu/~jns/wp/2006/...-it-work/?p=17
Which one is true?
My ISP always hacks during the initial connection.
Thanks for your help.
A billion thanks again.
07-27-2007, 04:53 AM, #12
Member
Registered: Dec 2006
Posts: 606
Original Poster
These are my latest iptables rules, but I am still hacked by the ISP. Do I need to remove the RELATED?
As far as I know, stateful firewalling only applies to the TCP protocol.
Quote:
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP 0 -f 0.0.0.0/0 0.0.0.0/0
2 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
4 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW state INVALID,NEW
5 DROP udp -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW state INVALID,NEW
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
7 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 ctstate ESTABLISHED state ESTABLISHED
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
10 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
11 DROP icmp -- 0.0.0.0/0 0.0.0.0/0
12 RH-Firewall-1-INPUT 0 -- 0.0.0.0/0 0.0.0.0/0
13 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
14 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
15 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:31337 dpt:31337
16 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain FORWARD (policy DROP)
num target prot opt source destination
1 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,ESTABLISHED state NEW,ESTABLISHED
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain RH-Firewall-1-INPUT (1 references)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
2 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
7 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
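As an added illustration, not from the thread, of Capt_Caveman's point in post #10 and of the RELATED/UDP question above: a Python model of conntrack's NEW/ESTABLISHED classification run over a constructed DNS query and its reply (modelled on the tcpdump line in post #7), evaluated against the UDP rules of the ruleset just listed. In conntrack terms the reply is ESTABLISHED because the flow has been seen in both directions; RELATED covers helper-expected flows and ICMP errors, which the model leaves out, and either way the reply is accepted by the RELATED,ESTABLISHED rule while an unsolicited inbound datagram is NEW and dropped. The packets, the resolver name and the ports are constructed sample data.

```python
# Added example, not from the thread: a toy model of how netfilter conntrack
# classifies the DNS exchange behind the tcpdump line, and how the UDP rules
# of the post #12 ruleset then treat each packet.
from collections import namedtuple

Packet = namedtuple("Packet", "chain proto src sport dst dport")

class ConnTracker:
    """Toy nf_conntrack: entries are keyed by the 4-tuple of the first packet;
    a packet is ESTABLISHED once the flow has been seen both ways, else NEW."""
    def __init__(self):
        self.entries = {}              # original 4-tuple -> reply seen (bool)
    @staticmethod
    def tuples(p):
        orig = (p.proto, p.src, p.sport, p.dst, p.dport)
        return orig, (p.proto, p.dst, p.dport, p.src, p.sport)
    def classify(self, p):
        orig, rev = self.tuples(p)
        if rev in self.entries:        # reply direction of a known flow
            self.entries[rev] = True
            return "ESTABLISHED"
        if self.entries.get(orig):     # original direction, reply already seen
            return "ESTABLISHED"
        return "NEW"                   # first packet, or no reply yet
    def confirm(self, p):
        """Create the entry only for an accepted packet (as the kernel does)."""
        orig, rev = self.tuples(p)
        if orig not in self.entries and rev not in self.entries:
            self.entries[orig] = False

# UDP rules from post #12 in chain order as (state set, verdict), plus chain policy.
RULES = {"INPUT": [({"INVALID", "NEW"}, "DROP"), ({"RELATED", "ESTABLISHED"}, "ACCEPT")],
         "OUTPUT": [({"NEW", "RELATED", "ESTABLISHED"}, "ACCEPT")]}
POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}

def run(packets):
    """Return (ctstate, verdict) for each packet, in order."""
    ct, results = ConnTracker(), []
    for p in packets:
        state = ct.classify(p)
        verdict = next((a for s, a in RULES[p.chain] if state in s), POLICY[p.chain])
        if verdict == "ACCEPT":
            ct.confirm(p)
        results.append((state, verdict))
    return results

# Constructed packets modelled on the tcpdump line (resolver port 53, client port 32784).
SAMPLE = [Packet("OUTPUT", "udp", "192.168.1.34", 32784, "ns1.tm.net.my", 53),  # query
          Packet("INPUT", "udp", "ns1.tm.net.my", 53, "192.168.1.34", 32784),   # reply
          Packet("INPUT", "udp", "ns1.tm.net.my", 53, "192.168.1.34", 5000)]    # unsolicited
```

Running `run(SAMPLE)` gives NEW/ACCEPT for the outbound query, ESTABLISHED/ACCEPT for the reply and NEW/DROP for the unsolicited datagram, which is the behaviour the listed rules already give for UDP; removing RELATED would not change the reply's verdict.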
07-27-2007, 07:03 PM, #13
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally Posted by Peter_APIIT
The rules are in post 1.
My ISP always hacks during the initial connection.
Please explain what you mean by this. It is very unlikely that your ISP is trying to break into your system.
07-27-2007, 07:49 PM, #14
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
message deleted
Last edited by catworld; 07-29-2007 at 01:01 AM.
07-28-2007, 01:23 AM, #15
Member
Registered: Dec 2006
Posts: 606
Original Poster
They have deleted all my rules before. That's why I posted this thread for help. I won't simply say that my ISP has hacked me.
All of /etc/sysconfig/iptables is deleted.
Do I need to remove the RELATED?
A billion thanks to you all.