Old 01-27-2004, 08:39 PM   #1
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Rep: Reputation: 32
need iptables command for...


A couple days ago I had my box compromised in such a way that the attacker used FTP to download something to my filesystem. I'd like to use iptables to shut off FTP out of my box. Also would like to block the possibility of IRC outbound. Basically anything outbound that isn't necessary for my webserver to deliver pages.

Any recommendations for what the iptables command would look like? I have shorewall installed, I just don't know how to craft the filter for what I want to do.

BTW- I've already got a stand-alone router blocking access to all ports except SSH (22) and http (80). I think I just need to block outbound connections from my computer, which the router doesn't really support.

Appreciatively,

di11rod
 
Old 01-27-2004, 08:57 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
If all you want is http and ssh, then drop everything and just allow those:

iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT


However, in addition, you should shut down all the services that you aren't using. If you aren't using FTP, shut down the daemon. It's a whole lot harder to attack what ain't there.

Quote:
A couple days ago I had my box compromised in such a way that the attacker used FTP to download something to my filesystem.
Do you know what they did to your machine? If you haven't investigated, they may very well still have access. Unplug it from the net, and don't plug it back in until you are sure you have a clean, uncompromised box.
 
Old 01-28-2004, 12:40 AM   #3
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Original Poster
Rep: Reputation: 32
are you sure?

Hangdog,

Hey, thanks for the recommendation.

Let me double-check with you your suggestion before I try it...

When I said they 'used FTP to download something' I mean that they performed some operation that launched an ftp client on my box to download something from a computer in Brazil. They were not connecting to my own ftp service.

So could I still use your syntax to block ftp connections sourcing from my server?

Appreciatively,

di11rod
 
Old 01-28-2004, 07:39 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
The rules I posted should block everything outbound except ports 80 and 22. Basically the iptables -P OUTPUT DROP sets the OUTPUT default to DROP and prevents anything from getting out of your box and the two ACCEPT rules allow only traffic originating from ports 80 and 22 to go out. With iptables, packets are compared to the rules and handled according to the first rule they match. If they don't match any rule, they are handled according to the table default.

Quote:
When I said they 'used FTP to download something' I mean that they performed some operation that launched an ftp client on my box to download something from a computer in Brazil. They were not connecting to my own ftp service.
But were they authorized users in the first place? If you had created accounts for them and gave them normal user privileges, then OK. In this case they were just using normal programs to download files you didn't like. It's your box and you get to set the rules. However, if you didn't create accounts for them, then they gained access somehow; your box is seriously compromised and you've got a real problem on your hands. In this case it doesn't matter what rules are in your firewall because they may completely own your box and can change the rules at will.
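The following script is an added example, not code from this thread. It builds on the OUTPUT rules in post #2 and the first-match / default-policy explanation above: default-deny egress for a web server that only serves 80 and 22, with loopback and DNS kept open, stateful matching instead of source-port matching, and explicit logging of outbound FTP (21) and IRC (6667) attempts so a repeat of the incident shows up in the local kernel log and not only on the router. It assumes raw iptables with the `state` match (newer kernels use `-m conntrack --ctstate`); shorewall would express the same policy in its own config. It prints the commands by default and only applies them when run as root with APPLY=1.

```shell
#!/bin/sh
# Egress filter for a web server that should only answer on ports 80/22.
# Added example, not from the thread. Dry-run by default: prints the iptables
# commands it would run. Set APPLY=1 and run as root to actually load them.
# Assumes the iptables 'state' match; 'conntrack --ctstate' replaces it on newer kernels.

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

egress_rules() {
    # Flush OUTPUT, then default-deny: anything not explicitly allowed is dropped.
    ipt -F OUTPUT
    ipt -P OUTPUT DROP

    # Local processes talking to each other over 127.0.0.1 must keep working.
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections that arrived on 80/22 are ESTABLISHED. This covers
    # what the --sport 80 / --sport 22 rules allowed, without letting a local
    # process that binds source port 80 or 22 itself slip past the filter.
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only NEW outbound traffic a static web server normally needs: DNS.
    # Remove this line if the box never has to resolve names.
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT

    # Log FTP (21) and IRC (6667) attempts before dropping them, so the
    # originating box records the attempt itself (check the kernel log).
    for port in 21 6667; do
        ipt -A OUTPUT -p tcp --dport "$port" -j LOG --log-prefix "EGRESS-BLOCK-$port:"
        ipt -A OUTPUT -p tcp --dport "$port" -j DROP
    done

    # Rate-limited log of everything else that falls through to the DROP policy.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP:"
}

egress_rules
```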
 
Old 01-28-2004, 03:52 PM   #5
di11rod
Member
 
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211

Original Poster
Rep: Reputation: 32
Hangdog,

thanks for the additional clarification.

I couldn't tell for sure what happened. I was monitoring the 'intrusion' from my Linksys router's outbound log. It showed a connection from my box to the Brazilian computer's ftp port (21). I'm not sure, but it could be that they were hitting my ftp server and it was responding to failed login attempts. I don't have any user accounts on this server other than my own. I disconnected the box within a couple of minutes of that log entry. I then saw the Brazilian computer on the inbound log hitting ports 21 and 113. 113 is closed by the router. So if they were installing an app that listens to another port, I am pretty certain they would not be able to connect, anyway.

I've got snort and tripwire installed and running (after this 'attack') and am watching the box very closely. I have also copied everything of importance off this box. I don't have the time or patience to reformat and build from scratch without more evidence of an intrusion.

thanks for your advice,

di11rod
 
Old 01-28-2004, 04:34 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
I've got snort and tripwire installed and running (after this 'attack') and am watching the box very closely. I have also copied everything of importance off this box. I don't have the time or patience to reformat and build from scratch without more evidence of an intrusion.
I'll let this drop, but before I do, I just want to point out one final time that you may have a very hacked box. From your descriptions, your router was forwarding only ports 22 and 80. If you were seeing outbound ftp traffic from your box, that suggests very strongly that someone gained access. And if they did gain access, it is likely they still have it. At this point, tripwire may be useless since it could be monitoring altered files and if someone does have access they may also alter Snort's logs. Even the files you copied are suspect.


Good luck and if you do notice anything funny, pull the plug and ask for help in the Security forum.