LinuxQuestions.org > Linux - Security > is there such thing as a lockdown command?
https://www.linuxquestions.org/questions/linux-security-4/is-there-such-thing-as-a-lockdown-command-313328/

poiuytrewq 04-14-2005 06:09 PM

is there such thing as a lockdown command?
 
I wasn't sure whether to post this in networking or in here; it applies equally to both. But I'm just wondering if there is such a thing as a lockdown command or something.
For instance, you know someone is trying to hack into your system, but you are out of the house/office for the day. So you ssh into your computer and run lock-down-now-!-panic!!!
The idea is that your computer will keep running, but lock itself out of the outside world (turn off http, ftp, ssh, vnc, samba, email etc.) until you can get to the physical computer and look over everything (security settings etc.), make sure everything is safe, and then put the machine back online.

chbin 04-14-2005 06:40 PM

Yeah, you could bring down the ethernet. Depending on your setup it may be different, but on slack...

# Slackware's rc.inet1 takes "<interface>_stop" / "<interface>_start"; eth0 is an example interface name
sh /etc/rc.d/rc.inet1 eth0_stop

You could also remove the ethernet module from the kernel to guarantee that nothing is ever going to get in or out.

# replace the placeholder with the driver module your NIC uses (see lsmod)
modprobe -r <name of eth module>

Of course, once you run the first one, you'll be locked out and won't be able to run the second. You could put both lines in a script and then just run the script.

You could also use iptables to block all traffic on eth1 or whatever. BLOCK_ALL rule, but if someone already hacked your box, it may not work. So the first method is better. It pretty much guarantees your net is down.
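A script that chains chbin's steps in a safe order, added here as an example that is not from this thread: the firewall drops everything first (so a half-finished run still cuts traffic, with loopback kept open for local daemons), then the link goes down, then the driver is unloaded. It assumes Linux with iptables, ip(8) and modprobe; IFACE, DRIVER and the log path are placeholders you set for your own box, and the destructive part only runs with --run, so launch it as `nohup sh lockdown.sh --run >/dev/null 2>&1 &` so the SIGHUP from your dying SSH session does not kill it mid-way.

```shell
#!/bin/sh
# lockdown.sh -- added example, not from the thread. Assumes Linux with
# iptables, ip(8) and modprobe; IFACE and DRIVER are placeholders.
set -u

# Emit the ordered step list, one command per line. Firewall first, loopback
# kept open so local daemons keep working, link down, then driver unloaded.
lockdown_steps() {
  iface=$1 driver=$2
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip link set $iface down
modprobe -r $driver
EOF
}

# Number of steps; a cheap dry-run sanity check before trusting the script.
lockdown_step_count() {
  lockdown_steps "$1" "$2" | wc -l | tr -d ' '
}

# Execute the steps, logging each one with a timestamp. A failing step is
# logged but later steps still run (a module that will not unload is no
# reason to leave the firewall open).
run_lockdown() {
  iface=$1 driver=$2 log=$3
  lockdown_steps "$iface" "$driver" | while read -r cmd; do
    printf '%s %s\n' "$(date '+%F %T')" "$cmd" >>"$log"
    sh -c "$cmd" >>"$log" 2>&1 || printf '  ^ failed (rc=%s), continuing\n' "$?" >>"$log"
  done
}

# Only act when explicitly asked, so sourcing or testing this file is harmless.
if [ "${1:-}" = "--run" ]; then
  # Placeholder defaults; the real driver for an interface is readable from
  # /sys/class/net/<iface>/device/driver on 2.6+ kernels.
  run_lockdown "${IFACE:-eth0}" "${DRIVER:-e1000}" "${LOG:-/var/log/lockdown.log}"
fi
```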

zhangmaike 04-14-2005 06:54 PM

ifconfig INTERFACE down

will turn off the network interface INTERFACE. So, if your network device is called eth0 (as is quite common)

ifconfig eth0 down

will effectively kill the internet on your computer. (Note: if you run this remotely, your connection will obviously be terminated... and you usually need root privileges to run this.)

poiuytrewq 04-15-2005 03:54 PM

thanks guys

unSpawn 04-16-2005 06:53 AM

First thing you want to do is to harden the box (please see the security references, top of the page), then decide which services you need open to the public or for only a few IPs (or ranges), then set those IP ACLs in their daemon config, /etc/hosts.{allow,deny} or xinetd config. Next install Snort and a 3rd party app called Guardian. Snort will detect all sorts of network probing and other anomalies. Tune Snort so it doesn't react to everything (say, disable telnetd rules if you don't run telnetd (which you shouldn't)). Set up Guardian to block incoming traffic using Snort log output. It will add temporary rules that will block traffic from offending IP addresses for a period.

While I did run some boobytraps on some boxen, I *never* did run them for network traffic as it would be too easy to DoS a box (another easy way to DoS yourself would be using something like Portsentry with blocking caps enabled). I did run checks on binary tampering, so if say your procutils or ls goes wonkers, yeah, that'll be a good time to go 'telinit 1'.
