LinuxQuestions.org

Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
request to help with setting up IP TABLES // (tcpdump and Maltrail involved) (https://www.linuxquestions.org/questions/linux-security-4/request-to-help-with-setting-up-ip-tables-tcpdump-and-maltrail-involved-4175692335/)

hkjz 03-19-2021 02:15 PM

request to help with setting up IP TABLES // (tcpdump and Maltrail involved)
 
Hello,
I had an eventual problem with a breach into Linux, but I am not a network professional.

The start of the story was that my network meter showed a big upload while I was downloading.

So I ran tcpdump (1) to confirm external network activity.
Afterwards I used chkrootkit (2) and rkhunter (3), which said that it is POSSIBLE to have malicious software.
I ran clamscan (ClamAV) (4) on every directory from '/' separately (I had to exclude /home): no infections, but 32485 total errors in /sys.
However, running Maltrail (5) simultaneously showed two strange actions (ID1 and ID2).


Code:

field        ID 1                     ID 2
threat       ee881995                 ae3a2c5e
sensor       eve                      eve
events       2                        1
severity     medium                   medium
first_seen   19th 15:14:52            19th 11:35:49
last_seen    19th 15:14:53            19th 11:35:49
sparkline
src_ip       10.8.8.50 [LAN]          10.0.2.51 [LAN]
src_port     42099 and 53949          46857
dst_ip       103.86.99.99 [SG]        103.86.96.100 [AU]
dst_port     53 (dns)                 53 (dns)
proto        UDP                      UDP
type         (tiny).cc                (w569ut7zbkiqf5b).xyz
trail        domain (suspicious)      domain (suspicious)
info         (static)                 (static)

Before I would consider rebuilding my system, I suppose I should first tame the hole, but I have little idea about IP TABLES or properly grounded knowledge about networking at that level.

I use the default settings of ufw and the firewall on the router.
My network looks like: modem (router) >> proper Asus router with up-to-date firmware, firewall, VPN and wifi >> devices

May I ask for recommendations, if there is something I should do better in the Linux settings?

Code:

$ sudo iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  5.180.62.159        anywhere           
ACCEPT    all  --  5.180.62.159        anywhere           
ufw-before-logging-input  all  --  anywhere            anywhere           
ufw-before-input  all  --  anywhere            anywhere           
ufw-after-input  all  --  anywhere            anywhere           
ufw-after-logging-input  all  --  anywhere            anywhere           
ufw-reject-input  all  --  anywhere            anywhere           
ufw-track-input  all  --  anywhere            anywhere           

Chain FORWARD (policy DROP)
target    prot opt source              destination       
ufw-before-logging-forward  all  --  anywhere            anywhere           
ufw-before-forward  all  --  anywhere            anywhere           
ufw-after-forward  all  --  anywhere            anywhere           
ufw-after-logging-forward  all  --  anywhere            anywhere           
ufw-reject-forward  all  --  anywhere            anywhere           
ufw-track-forward  all  --  anywhere            anywhere           

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            5.180.62.159       
ACCEPT    all  --  anywhere            5.180.62.159       
ufw-before-logging-output  all  --  anywhere            anywhere           
ufw-before-output  all  --  anywhere            anywhere           
ufw-after-output  all  --  anywhere            anywhere           
ufw-after-logging-output  all  --  anywhere            anywhere           
ufw-reject-output  all  --  anywhere            anywhere           
ufw-track-output  all  --  anywhere            anywhere           

Chain ufw-before-logging-input (1 references)
target    prot opt source              destination       

Chain ufw-before-logging-output (1 references)
target    prot opt source              destination       

Chain ufw-before-logging-forward (1 references)
target    prot opt source              destination       

Chain ufw-before-input (1 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere            ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere            anywhere            ctstate INVALID
DROP      all  --  anywhere            anywhere            ctstate INVALID
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere            anywhere           
ACCEPT    udp  --  anywhere            224.0.0.251          udp dpt:mdns
ACCEPT    udp  --  anywhere            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere            anywhere           

Chain ufw-before-output (1 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere            ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere            anywhere           

Chain ufw-before-forward (1 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            ctstate RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request
ufw-user-forward  all  --  anywhere            anywhere           

Chain ufw-after-input (1 references)
target    prot opt source              destination       
ufw-skip-to-policy-input  udp  --  anywhere            anywhere            udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere            anywhere            udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere            anywhere            tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere            anywhere            tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere            anywhere            udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere            anywhere            udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere            anywhere            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
target    prot opt source              destination       

Chain ufw-after-forward (1 references)
target    prot opt source              destination       

Chain ufw-after-logging-input (1 references)
target    prot opt source              destination       
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target    prot opt source              destination       

Chain ufw-after-logging-forward (1 references)
target    prot opt source              destination       
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
target    prot opt source              destination       

Chain ufw-reject-output (1 references)
target    prot opt source              destination       

Chain ufw-reject-forward (1 references)
target    prot opt source              destination       

Chain ufw-track-input (1 references)
target    prot opt source              destination       

Chain ufw-track-output (1 references)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere            ctstate NEW
ACCEPT    udp  --  anywhere            anywhere            ctstate NEW

Chain ufw-track-forward (1 references)
target    prot opt source              destination       

Chain ufw-logging-deny (2 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere            ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
target    prot opt source              destination       
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
target    prot opt source              destination       
DROP      all  --  anywhere            anywhere           

Chain ufw-skip-to-policy-output (0 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           

Chain ufw-skip-to-policy-forward (0 references)
target    prot opt source              destination       
DROP      all  --  anywhere            anywhere           

Chain ufw-not-local (1 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere            ADDRTYPE match dst-type LOCAL
RETURN    all  --  anywhere            anywhere            ADDRTYPE match dst-type MULTICAST
RETURN    all  --  anywhere            anywhere            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere            anywhere            limit: avg 3/min burst 10
DROP      all  --  anywhere            anywhere           

Chain ufw-user-input (1 references)
target    prot opt source              destination       

Chain ufw-user-output (1 references)
target    prot opt source              destination       

Chain ufw-user-forward (1 references)
target    prot opt source              destination       

Chain ufw-user-logging-input (0 references)
target    prot opt source              destination       

Chain ufw-user-logging-output (0 references)
target    prot opt source              destination       

Chain ufw-user-logging-forward (0 references)
target    prot opt source              destination       

Chain ufw-user-limit (0 references)
target    prot opt source              destination       
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere


Gad 03-20-2021 12:29 PM

Block inbound DNS on both TCP / UDP port 53; it is possible you may be experiencing a DDOS. DNS queries should not be coming into your private network unless I have misinterpreted your logs.

Just a rule of thumb for firewalls: block everything and only open what is needed. That is just my suggestion and preference.

hkjz 03-22-2021 02:03 PM

Quote:

Originally Posted by Gad (Post 6232444)
Block inbound DNS on both TCP / UDP port 53; it is possible you may be experiencing a DDOS. DNS queries should not be coming into your private network unless I have misinterpreted your logs.

Just a rule of thumb for firewalls: block everything and only open what is needed. That is just my suggestion and preference.

Hey, thanks for reaching out. I read what I could about IP tables:
https://www.suse.com/c/basic-iptables-tutorial/
https://www.digitalocean.com/communi...e-your-servers
https://www.digitalocean.com/communi...s-and-commands
https://www.rosehosting.com/blog/blo...-debianubuntu/

and now they look like this -

Code:

$ sudo iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere            multiport dports http,https
ACCEPT    udp  --  anywhere            anywhere            multiport dports 80,443

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    udp  --  anywhere            anywhere            multiport dports 80,443
ACCEPT    tcp  --  anywhere            anywhere            multiport dports http,https

The nordvpn configuration file is for sure UDP type https://nordvpn.com/ovpn/, that is why I added udp (properly?)
Anyway, with such a setup I CANNOT LOAD ANY SITES; however my upload and download are active because of two IPs, which I further add to the drop rules

Code:

# drop packets coming from the two addresses (INPUT matches the source, -s) ...
sudo iptables -I INPUT -s 149.154.0.0 -j DROP
sudo iptables -I INPUT -s 91.108.0.0 -j DROP
# ... and packets going to them (OUTPUT must match the destination, -d; with -s these rules never match)
sudo iptables -I OUTPUT -d 149.154.0.0 -j DROP
sudo iptables -I OUTPUT -d 91.108.0.0 -j DROP

Definitely there is something going on, and after I figure out how to block it properly, I will flush the system and set up proper rules again.

Would you have any hints on how you set up your rules?

Turbocapitalist 03-22-2021 02:07 PM

Rather than the -L option for iptables the utilities iptables-save and iptables-restore will produce output that is both easier to read and easier to modify.

hkjz 03-22-2021 03:02 PM

Quote:

Originally Posted by Turbocapitalist (Post 6233041)
Rather than the -L option for iptables the utilities iptables-save and iptables-restore will produce output that is both easier to read and easier to modify.

Doesn't seem to really work.
Save probably saves stuff, because there is no output.
Restore seems to load and load and load, so I kill the process after some time.


Besides, I have this solution below
Code:

#!/bin/bash
#
# iptables firewall script
# https://www.rosehosting.com
#

IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips
# one file for both the save at the end and the if-pre-up restore hook
RULES=/etc/iptables.rules

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

# a new TCP connection must start with SYN; replies to this host's own traffic are accepted
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

# inbound 53/80/443 is only needed when this host itself serves DNS or web;
# a client receives its DNS answers and web replies through the ESTABLISHED,RELATED rule above
echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

#
# Block abusing IPs
# from ${BLACKLIST}: one address per line, blank lines and # comments ignored
#
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read -r IP; do
        case "${IP}" in ''|\#*) continue ;; esac
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < "${BLACKLIST}"
fi

#
# Save settings
#
echo " * SAVING RULES"

# the hook must restore the same file this script saves to (the original used two different paths)
if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo "test -e ${RULES} && iptables-restore -c < ${RULES}" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi

# save with counters (-c) so that the restore here and in the hook can use -c as well
iptables-save -c > "${RULES}"
iptables-restore -c < "${RULES}"

I modified it from the original by deleting these ports from the original solution
Code:

echo " * allowing ssh on port 5622"
echo " * allowing ftp on port 21"
echo " * allowing smtp on port 25"
echo " * allowing submission on port 587"
echo " * allowing imaps on port 993"
echo " * allowing pop3s on port 995"
echo " * allowing imap on port 143"
echo " * allowing pop3 on port 110"

Should I keep this part of the code?
Code:

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

Now the outcome is
Code:

$ sudo iptables -nvL
Chain INPUT (policy DROP 81009 packets, 118M bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
  221  107K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW
    0    0 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0            icmptype 8
  19  2123 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
  19  2123 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 121K packets, 8993K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    all  --  *      lo      0.0.0.0/0            0.0.0.0/0

and it is much better. Today I was under strong bombarding. It is not over though; I still notice noise with

Code:

sudo tcpdump

I am nevertheless happy to find a first milestone solution to close this event.


What next steps should I take? My operating system most likely has to be exchanged.
What would you say about the other devices in the network? Sometimes I see a phone or another laptop from the network pinging me on tcpdump,
but mostly the connections come from CloudFront and Amazon servers.

What are the rules in this part of the digital universe?

I found this great article
https://www.linuxquestions.org/quest...or-4175582819/
which was mentioned by the author here
https://www.linuxquestions.org/quest...ed-4175610682/

Quote:

Originally Posted by sundialsvcs (Post 5564644)
Dwarvish door

sundialsvcs are you still out there?


And here is part of the log, which was made accessible with the code above:

Code:

Mar 22 21:15:00 mx kernel: [33763.801904] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:03:08:9d:5c:36:08:00 SRC=192.168.50.17 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=8791 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:03 mx kernel: [33766.771748] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=224 TOS=0x00 PREC=0x00 TTL=64 ID=49413 DF PROTO=UDP SPT=138 DPT=138 LEN=204
Mar 22 21:15:05 mx kernel: [33768.819760] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=224 TOS=0x00 PREC=0x00 TTL=64 ID=51315 DF PROTO=UDP SPT=138 DPT=138 LEN=204
Mar 22 21:15:07 mx kernel: [33770.868173] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=224 TOS=0x00 PREC=0x00 TTL=64 ID=53235 DF PROTO=UDP SPT=138 DPT=138 LEN=204
Mar 22 21:15:07 mx kernel: [33770.868205] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=53236 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:09 mx kernel: [33772.813505] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55153 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:09 mx kernel: [33772.813547] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55154 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:11 mx kernel: [33774.861489] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55532 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:11 mx kernel: [33774.861512] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55533 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:11 mx kernel: [33775.211097] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=4980 DF PROTO=2
Mar 22 21:15:13 mx kernel: [33776.807526] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55985 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:13 mx kernel: [33776.807546] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55986 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:15 mx kernel: [33778.856434] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=57533 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:15 mx kernel: [33778.856470] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=212 TOS=0x00 PREC=0x00 TTL=64 ID=57534 DF PROTO=UDP SPT=138 DPT=138 LEN=192
Mar 22 21:15:15 mx kernel: [33778.856494] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=57535 DF PROTO=UDP SPT=138 DPT=138 LEN=217
Mar 22 21:15:15 mx kernel: [33778.856514] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=242 TOS=0x00 PREC=0x00 TTL=64 ID=57536 DF PROTO=UDP SPT=138 DPT=138 LEN=222
Mar 22 21:15:31 mx kernel: [33795.207969] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=13570 DF PROTO=2
Mar 22 21:15:51 mx kernel: [33815.208944] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=17262 DF PROTO=2
Mar 22 21:16:11 mx kernel: [33835.212152] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=35752 DF PROTO=2
Mar 22 21:16:31 mx kernel: [33855.212275] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=49195 DF PROTO=2
Mar 22 21:16:44 mx kernel: [33867.534626] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=140 TOS=0x00 PREC=0x00 TTL=255 ID=25620 PROTO=UDP SPT=5353 DPT=5353 LEN=120
Mar 22 21:16:45 mx kernel: [33868.558579] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=140 TOS=0x00 PREC=0x00 TTL=255 ID=22393 PROTO=UDP SPT=5353 DPT=5353 LEN=120
Mar 22 21:16:51 mx kernel: [33875.214367] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=519 DF PROTO=2
Mar 22 21:17:11 mx kernel: [33895.220049] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=1731 DF PROTO=2
Mar 22 21:17:31 mx kernel: [33915.223127] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=15094 DF PROTO=2
Mar 22 21:17:43 mx kernel: [33927.131950] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=9381 PROTO=UDP SPT=5353 DPT=5353 LEN=78
Mar 22 21:17:44 mx kernel: [33928.157378] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=13509 PROTO=UDP SPT=5353 DPT=5353 LEN=78
Mar 22 21:17:46 mx kernel: [33930.101357] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=116 TOS=0x00 PREC=0x00 TTL=255 ID=51545 PROTO=UDP SPT=5353 DPT=5353 LEN=96
Mar 22 21:17:47 mx kernel: [33931.023223] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=116 TOS=0x00 PREC=0x00 TTL=255 ID=22276 PROTO=UDP SPT=5353 DPT=5353 LEN=96
Mar 22 21:17:47 mx kernel: [33931.125594] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=9601 PROTO=UDP SPT=5353 DPT=5353 LEN=78
Mar 22 21:17:51 mx kernel: [33935.217430] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=25396 DF PROTO=2

Interesting is that everywhere it is the same:
SRC=192.168.50.1
SRC = the source IP address from where the packet originated
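
A way to read such a log as a whole rather than line by line, as an added example (my code, not from the thread): a small shell/awk summary that groups kernel LOG lines by source address, protocol, destination port and destination class. The sample lines are constructed after the log above; the outside address 203.0.113.9 and the host address 192.168.50.20 are documentation values and not from the thread. Broadcast (x.x.x.255, assuming a /24 as the 192.168.50.x addresses suggest), multicast and IGMP entries are normal LAN chatter from the router and other devices; the lines worth attention are the unicast ones aimed at this host.

```shell
#!/bin/sh
# Added example, not part of the thread: summarize kernel netfilter LOG lines
# (the "[UFW BLOCK]" / "-A INPUT -j LOG" output) by source, protocol,
# destination port and destination class (broadcast / multicast / unicast).

# Constructed sample lines modelled on the thread's log. 203.0.113.9 (TEST-NET-3)
# stands in for an outside host and 192.168.50.20 for this laptop's own address.
sample_fwlog() {
    cat <<'EOF'
Mar 22 21:15:00 mx kernel: [33763.801904] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:03:08:9d:5c:36:08:00 SRC=192.168.50.17 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=8791 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:03 mx kernel: [33766.771748] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=224 TOS=0x00 PREC=0x00 TTL=64 ID=49413 DF PROTO=UDP SPT=138 DPT=138 LEN=204
Mar 22 21:15:07 mx kernel: [33770.868205] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=53236 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:09 mx kernel: [33772.813505] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55153 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 22 21:15:11 mx kernel: [33775.211097] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=4980 DF PROTO=2
Mar 22 21:16:44 mx kernel: [33867.534626] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=140 TOS=0x00 PREC=0x00 TTL=255 ID=25620 PROTO=UDP SPT=5353 DPT=5353 LEN=120
Mar 22 21:17:02 mx kernel: [33885.000001] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=203.0.113.9 DST=192.168.50.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Reads log lines on stdin, prints "count src proto dport class", most frequent first.
summarize_fwlog() {
    awk '
    {
        src = ""; dst = ""; proto = ""; dpt = "-"
        # every KEY=VALUE token of the line is split; tokens without "=" are ignored
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (src == "") next
        # PROTO=2 is IGMP (membership reports to 224.0.0.1); it carries no port
        if (proto == "2") proto = "IGMP"
        # destination class: x.x.x.255 is taken as the /24 broadcast, 224-239 is multicast
        split(dst, o, ".")
        if (o[4] == "255") cls = "broadcast"
        else if (o[1] + 0 >= 224 && o[1] + 0 <= 239) cls = "multicast"
        else cls = "unicast"
        count[src " " proto " " dpt " " cls]++
    }
    END {
        for (k in count) printf "%6d %s\n", count[k], k
    }' | sort -rn
}
```

On the real machine feed it the kernel log (e.g. `grep 'IN=' /var/log/kern.log | summarize_fwlog`, or `journalctl -k` on systemd hosts) and append `| grep ' unicast$'` to keep only packets addressed to this host; everything classified as broadcast or multicast in the thread's log is NetBIOS, IGMP and mDNS background from the router and the other devices.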

Turbocapitalist 03-23-2021 01:07 AM

Quote:

Originally Posted by hkjz (Post 6233062)
Doesnt seem to really work.
Save probably saves stuff, becasue there is not output

iptables-save will send to standard output. If there was no output, there were no iptables rules to be saved. The saving would be done via a redirection using > or tee.

hkjz 03-23-2021 05:49 AM

Quote:

Originally Posted by Turbocapitalist (Post 6233171)
iptables-save will send to standard output. If there was no output, there were no iptables rules to be saved. The saving would be done via a redirection using > or tee.

I found this

Code:

sudo sh -c "iptables-save > /etc/iptables.rules"

Code:

$ cat iptables.rules
# Generated by xtables-save v1.8.2 on Tue Mar 23 11:32:49 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [25400:2316886]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Tue Mar 23 11:32:49 2021
# Generated by xtables-save v1.8.2 on Tue Mar 23 11:32:49 2021
*nat
:PREROUTING ACCEPT [133:8348]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [569:39050]
:OUTPUT ACCEPT [569:39050]
COMMIT

However, you could have a different solution in mind.
Anyway, you were right: after a computer reboot the iptables rules were not saved, and I had to run the script mentioned in the previous post again.


That means I should make the iptables configuration load on every reboot.
There are a couple of ways: one is to add the script, for example the one above, to `crontab -e` as an `@reboot` entry to make the rules persistent,
or to install `iptables-persistent`. During installation, the program asked me if I would like to save the current rules. Let's see the outcome after the reboot.
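
One way to produce the file that gets loaded at boot, as an added example (my code, not from the thread or from rosehosting): a shell function that emits a stateful client firewall in the iptables-save format quoted above. The rosehosting script was written for a server, which is why it opens inbound 53, 80 and 443; a laptop that runs no DNS or web server needs none of those open, because DNS answers and web replies come back through the ESTABLISHED,RELATED rule. Any ports passed as arguments (assumed to be TCP services this host really runs) are the only inbound openings; the `conntrack` match is assumed available, as it is on any distribution kernel.

```shell
#!/bin/sh
# Added example, not part of the thread: print a stateful client ruleset in
# iptables-save format. Usage: client_ruleset [tcp_port ...] > rules.v4
client_ruleset() {
    # validate arguments first so that a bad port never produces a half-written file
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "client_ruleset: invalid port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "client_ruleset: port out of range '$p'" >&2; return 1; }
    done
    cat <<'EOF'
# client host firewall (constructed example); '#' lines are ignored by iptables-restore
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS answers, HTTP(S), VPN)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# a new TCP connection must start with a bare SYN
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# ICMP needed for path MTU discovery and diagnostics; echo requests rate-limited
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# DHCP offers/acks for a wifi client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
EOF
    # only the services named on the command line are opened inbound
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# log what is left, rate-limited so LAN broadcasts cannot flood the journal
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FW DROP] " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}
```

Check the file before committing it and keep it where the boot-time loader expects it: `client_ruleset > /tmp/rules.v4 && sudo iptables-restore --test < /tmp/rules.v4`, then `sudo iptables-restore < /tmp/rules.v4`; with iptables-persistent installed, copy it to /etc/iptables/rules.v4 so it is loaded on every reboot without a crontab entry. Dropped packets appear in the kernel log with the `[FW DROP]` prefix, at most 3 per minute after an initial burst of 10.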

Turbocapitalist 03-23-2021 08:13 AM

Quote:

Originally Posted by hkjz (Post 6233215)
I found this

Code:

sudo sh -c "iptables-save > /etc/iptables.rules"

Yes, that's one way. Another would be using tee instead:

Code:

sudo iptables-save | sudo tee /etc/iptables.rules

Either way works though all that was one of the reasons I chose to upgrade to nftables instead.

hkjz 03-23-2021 09:37 AM

Ouch!

I just learned pieces of iptables, only to learn that nftables exists, and
"nftables replaces the legacy iptables portions of Netfilter"
source: https://en.wikipedia.org/wiki/Nftables

here is the manual of nftables:
https://wiki.nftables.org/wiki-nftab....php/Main_Page

Lovely, maybe I could learn to use it.. once the more structurally important issues are solved.
==========================================

There are some mysteries in my network's behaviour, and a firewall can just cut out some of the external movement.

Just a moment ago, all my processors went up to 100% for a short second, while tcpdump showed this

Code:

15:29:02.275120 IP KIED.DomainGi.mdns > 224.0.0.251.mdns: 0 [2q] [1au] PTR (QU)? _companion-link._tcp.local. PTR (QU)? _sleep-proxy._udp.local. (97)
15:29:03.300823 IP KIED.DomainGi.mdns > 224.0.0.251.mdns: 0 [2q] [1au] PTR (QM)? _companion-link._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (97)

while KIED is another device in the network;
why would it want to communicate with me anyway AND make the processors do the computation? Computing what?

==========================================

"Dwarvish Door" solution seems like a multiple step challenge,
https://www.linuxquestions.org/quest...or-4175582819/
but I am only at the first step. It may take some time to make the other steps.

I will post the success story here, and if you have any recommendations about the cases you find important, please don't hesitate to post.

OlgaM 03-24-2021 05:52 PM

I understood that it's impossible to kill all hackers' activities. But these steps help me a lot:

1. Nftables logs.
An excellent book about nftables and security is "Linux Firewalls", Fourth Edition, by Steve Suehring. Check this post:

https://www.linuxquestions.org/quest...ot-4175649319/

Edit /etc/nftables.conf:
Code:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        counter
        log prefix "New Input packets: "
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter
        log prefix "New Output packets: "
    }
}

More info here

2. Audit daemon logs.

3. Check cron jobs.

4. Edit the router's settings and divide the network into small subnets. I use network mask 255.255.255.252 (mask on one host).

5. Edit /etc/network/interfaces and use a static IP. More info here:

https://www.linuxquestions.org/quest...gs-4175677127/

6. Check if a remote terminal exists and close it. More info here.

7. Edit sysctl.conf to prevent SYN-flood attacks etc.

8. When I am not using the laptop I turn off wlan in the BIOS.

9. Turn off Bluetooth in the BIOS.

10. Set up a counter and use the commands
"systemctl stop networking" and "nft list ruleset" to check if packets are still going when the internet is down.

hkjz 04-01-2021 11:06 AM

Quote:

Originally Posted by OlgaM (Post 6233825)
I understood that it's impossible to kill all hackers' activities. But these steps help me a lot:

1. Nftables logs.
An excellent book about nftables and security is "Linux Firewalls", Fourth Edition, by Steve Suehring. Check this post:

https://www.linuxquestions.org/quest...ot-4175649319/

Edit /etc/nftables.conf:
Code:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        counter
        log prefix "New Input packets: "
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter
        log prefix "New Output packets: "
    }
}

More info here

2. Audit daemon logs.

3. Check cron jobs.

4. Edit the router's settings and divide the network into small subnets. I use network mask 255.255.255.252 (mask on one host).

5. Edit /etc/network/interfaces and use a static IP. More info here:

https://www.linuxquestions.org/quest...gs-4175677127/

6. Check if a remote terminal exists and close it. More info here.

7. Edit sysctl.conf to prevent SYN-flood attacks etc.

8. When I am not using the laptop I turn off wlan in the BIOS.

9. Turn off Bluetooth in the BIOS.

10. Set up a counter and use the commands
"systemctl stop networking" and "nft list ruleset" to check if packets are still going when the internet is down.


Sounds like you put a lot of effort into organizing yourself. Sounds terrific; however, now I don't even understand everything you say, no worries though. I examined your links (not the book) and got something for myself.

Turning off Bluetooth can be done with a service. Check: `sudo sysv-rc-conf` and cross it off.
Systemctl won't work for me unfortunately.

hkjz 04-01-2021 11:16 AM

found it

hkjz 04-06-2021 12:59 PM

Quote:

Originally Posted by OlgaM (Post 6233825)

divide network on small subnets. I use network mask 255.255.255.252 ( mask on one host)

Any good hints on that besides using a guest network?

Quote:

Originally Posted by OlgaM (Post 6233825)

Edit sysctl.conf to prevent SYN-flood attack etc.

I came up with such a code:

Code:

#!/bin/sh

echo " "
echo " == START == "
echo " * working out 'sysctl'"

SYSCTL=/usr/sbin/sysctl

echo " "
echo " * 9 saved rules "

# SYN-flood mitigation: SYN cookies plus a larger half-open connection queue
${SYSCTL} -w net.ipv4.tcp_syncookies=1
${SYSCTL} -w net.ipv4.tcp_max_syn_backlog=3072
# retransmissions of SYN-ACKs for half-open connections (0 = none)
${SYSCTL} -w net.ipv4.tcp_synack_retries=0
# retransmissions of this host's own outgoing SYNs; the kernel's minimum is 1,
# so the original value 0 was rejected with "Invalid argument"
${SYSCTL} -w net.ipv4.tcp_syn_retries=1
# neither send nor accept ICMP redirects, and do not route between interfaces
${SYSCTL} -w net.ipv4.conf.all.send_redirects=0
${SYSCTL} -w net.ipv4.conf.all.accept_redirects=0
${SYSCTL} -w net.ipv4.conf.all.forwarding=0
# ignore broadcast pings (smurf) and, with the last line, all echo requests
${SYSCTL} -w net.ipv4.icmp_echo_ignore_broadcasts=1
${SYSCTL} -w net.ipv4.icmp_echo_ignore_all=1

echo " "
echo " == FINISH == "

This way you have to run the file from crontab or another startup source.
The other option is to put these settings straight into /etc/sysctl.conf.

I share this, maybe others would make use of it as well.

