Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
A couple days ago I had my box compromised in such a way that the attacker used FTP to download something to my filesystem. I'd like to use iptables to shut off FTP out of my box. Also would like to block possibility of IRC outbound. Basically anything outbound that isn't necessary for my webserver to deliver pages.
Any recommendations for what the iptables command would look like? I have shorewall installed, I just don't know how to craft the filter for what I want to do.
BTW- I've already got a stand-alone router blocking access to all ports except SSH (22) and http (80). I think I just need to block outbound connections from my computer, which the router doesn't really support.
If all you want is http and ssh, then drop everything and just allow those:
iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
However, in addition, you should shut down all the services that you aren't using. If you aren't using FTP, shut down the daemon. It's a whole lot harder to attack what ain't there.
Quote:
A couple days ago I had my box compromised in such a way that the attacker used FTP to download something to my filesystem.
Do you know what they did to your machine? If you haven't investigated, they may very well still have access. Unplug it from the net, and don't plug it back in until you are sure you have a clean, uncompromised box.
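A fuller version of the outbound lockdown sketched in the reply above, added here as an example rather than code from the thread. It keeps the same default-deny idea but matches reply traffic by connection state instead of source port, leaves loopback open so local services keep working, allows DNS to a single resolver (the 192.0.2.53 address is an assumed placeholder), and logs attempts to reach FTP or IRC ports so the kind of outbound connection the original poster saw on the router log shows up in syslog. The `--dry-run` flag and the `render_rules` helper are conveniences of this example; run it with `--apply` as root on a host with iptables installed.

```shell
#!/bin/sh
# Added example, not from the thread: outbound lockdown for a box that only
# serves HTTP (80) and SSH (22) through a router that forwards those two ports.
# Usage:  sh outbound-lockdown.sh --apply      (as root, applies the rules)
#         sh outbound-lockdown.sh --dry-run    (prints the rules, touches nothing)
IPT="${IPT:-iptables}"

# Assumed placeholder resolver address; replace with the resolver this host uses.
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

apply_outbound_policy() {
    # Start from an empty OUTPUT chain; the DROP policy is set last so an
    # active SSH session is not cut while the ACCEPT rules are being added.
    $IPT -F OUTPUT

    # Loopback must stay open or local services (a database behind the web
    # app, local mail, resolver caches) stop working.
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies belonging to connections that came in through the router are
    # matched by conntrack state rather than by source port, so a local
    # process cannot get out simply by binding source port 80 or 22.
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only NEW outbound connections a static web server needs: DNS to
    # one known resolver (UDP first, TCP for large answers).
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Log new outbound attempts to FTP (21) and IRC (6667) before the policy
    # drops them. A line prefixed OUTBOUND-BLOCKED in syslog is the signal
    # that something on this box is trying to phone out. Rate-limited so a
    # looping process cannot fill the log.
    $IPT -A OUTPUT -p tcp -m multiport --dports 21,6667 -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-BLOCKED: "

    # Everything not accepted above falls through to the chain policy.
    $IPT -P OUTPUT DROP
}

# Dry-run helper: runs the same function with IPT=echo inside a subshell and
# returns the command list as text instead of applying it.
render_rules() {
    ( IPT=echo; apply_outbound_policy )
}

case "${1:-}" in
    --apply)   apply_outbound_policy ;;
    --dry-run) render_rules ;;
esac
```

Check the dry-run output before applying it, and keep a console or out-of-band way back in: with `-P OUTPUT DROP` in place, any service you forgot (NTP, package updates, outbound mail) will silently fail until you add a rule for it.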
Let me doublecheck with you your suggestion before I try it...
When I said they 'used FTP to download something' I mean that they performed some operation that launched an ftp client on my box to download something from a computer in Brazil. They were not connecting to my own ftp service.
So could I still use your syntax to block ftp connections sourcing from my server?
The rules I posted should block everything outbound except ports 80 and 22. Basically the iptables -P OUTPUT DROP sets the OUTPUT default to DROP and prevents anything from getting out of your box and the two ACCEPT rules allow only traffic originating from ports 80 and 22 to go out. With iptables, packets are compared to the rules and handled according to the first rule they match. If they don't match any rule, they are handled according to the table default.
Quote:
When I said they 'used FTP to download something' I mean that they performed some operation that launched an ftp client on my box to download something from a computer in Brazil. They were not connecting to my own ftp service.
But were they authorized users in the first place? If you had created accounts for them and gave them normal user privileges, then OK. In this case they were just using normal programs to download files you didn't like. It's your box and you get to set the rules. However, if you didn't create accounts for them, then they gained access somehow; your box is seriously compromised and you've got a real problem on your hands. In this case it doesn't matter what rules are in your firewall because they may completely own your box and can change the rules at will.
I couldn't tell for sure what happened. I was monitoring the 'intrusion' from my linksys router's outbound log. It showed a connection from my box to the Brazilian computer's ftp port (21). I'm not sure, but it could be that they were hitting my ftp server and it was responding to failed login attempts. I don't have any user accounts on this server other than my own. I disconnected the box within a couple of minutes of that log entry. I then saw the Brazilian computer on the inbound log hitting ports 21 and 113. 113 is closed by the router. So if they were installing an app that listens to another port, I am pretty certain they would not be able to connect, anyway.
I've got snort and tripwire installed and running (after this 'attack') and am watching the box very closely. I have also copied everything of importance off this box. I don't have the time or patience to reformat and build from scratch without more evidence of an intrusion.
I'll let this drop, but before I do, I just want to point out one final time that you may have a very hacked box. From your descriptions, your router was forwarding only ports 22 and 80. If you were seeing outbound ftp traffic from your box, that suggests very strongly that someone gained access. And if they did gain access, it is likely they still have it. At this point, tripwire may be useless since it could be monitoring altered files and if someone does have access they may also alter Snort's logs. Even the files you copied are suspect.
Good luck and if you do notice anything funny, pull the plug and ask for help in the Security forum.