LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-31-2004, 12:15 PM   #1
revenant
LQ Newbie
 
Registered: Mar 2004
Distribution: SuSE 9.0
Posts: 14

Rep: Reputation: 0
What to do during an attack?


Hi,

I'm running Slackware 9.1 which I only installed this week, so I'm not experianced at all. I am up to date in my patches, I run no unnecessary services, and I have a basic firewall up. Here is my firewall script:

# Drop everything

iptables -P INPUT DROP

iptables -P FORWARD DROP

# Allow established connections and programs that use loopback

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Allow ssh to connect

iptables -A INPUT -p tcp --dport 22 -i ppp0 -j ACCEPT

#end script

Now... I'm being attacked, right now, as I type this. I'm not getting much beyond port scans but I have friends (who use the same ISP) who are also being scanned, and taking more serious attacks (All Windows users behind Sygate). The attacks are all coming from the same IP#

So my main question is, can anybody see any serious problems with my security that I should worry about? And, what is the best way to react in a situation like this? Is there any way I can trace them and report them to their ISP?

Any help you can give me would be appreciated. This is a bit much for a newbie such as I.

Last edited by revenant; 03-31-2004 at 12:22 PM.
 
Old 03-31-2004, 12:33 PM   #2
320mb
Senior Member
 
Registered: Nov 2002
Location: pikes peak
Distribution: Slackware, LFS
Posts: 2,577

Rep: Reputation: 48
http://home.earthlink.net/~milk4unme/

d/l and read the 2 pdf files here
 
Old 03-31-2004, 12:53 PM   #3
revenant
LQ Newbie
 
Registered: Mar 2004
Distribution: SuSE 9.0
Posts: 14

Original Poster
Rep: Reputation: 0
I'll do that, thanks.

But for now, I scanned them right back and found masses of open ports. I also found that they are from the French ISP Wanadoo. Tomorrow I'll call my ISP and tell them about it, maybe they can notify these Wanadoo people and some action can be taken. At least since I scanned them, their own attacks seem to have stopped.

What a piss off...

Again, thanks for the help, I'll be sure to read over those.
 
Old 03-31-2004, 02:56 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
I'm not getting much beyond port scans
...which you can ignore if you're not interested. Else install an IDS like Snort. It's reporting will be much more verbose compared to firewall rules, in some cases it'll name the tool, any (possibly) malicious activity in a way you could determine the threat level.

(...)taking more serious attacks (All Windows users behind Sygate). The attacks are all coming from the same IP[/i]
What is serious in your opinion?
Post the IP?


So my main question is, can anybody see any serious problems with my security that I should worry about? And, what is the best way to react in a situation like this? Is there any way I can trace them and report them to their ISP?
No, i see nothing worrying in this picture. If you're not running services and don't harass ppl on the 'net, then the amount of scannage done IMHO largely depends on if you're on a "popular" network range (lotsa innocent sheep with insecure boxen, ranges for worms to scan, etc etc), if the previous user of the IP (ppp, right?) did stuff ranging from waging war on IRC to ghosting P2P connections (which can be mistaken for scans). Of course there are other options, but without a tool like Snort it will be much harder for you to assess what exactly comes across the ocean...

If it persists, notifying their ISP would be SOP, but that usually doesn't get you nowhere. Blocking and not logging is your alternative. Since you scanned them, is it a Wintendo box?

If you want a comprehensive overview of security measures and such, please check out the LQ FAQ: Security references.


//moderator.note:
320mb:
d/l and read the 2 pdf files here
320mb, I want you to stop spamming we should D/L these PDF's. In the first place they're just conversions of the Linux Administrators Guide and the Network Administrators Guide, second offering PDF's doesn't constitute an answer at LQ. If you can't offer an answer to a security question, please have the general netiquette to move on to a question you're willing to put some effort answering in. If you disagree, please take it up with me by email. TIA.
 
Old 03-31-2004, 08:29 PM   #5
tunnelit
LQ Newbie
 
Registered: Mar 2004
Posts: 9

Rep: Reputation: 0
Disabling Services?

Hello,

I hope I'm not intruding in this conversation unwanted. I had a few related questions and after reading about excessive postings I thought I would just try and jump into this one instead of creating a new post.

How can I shutdown this X11 service? What is it exactly? I'm running RH 9 by the way.

(The 65534 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11

Thank you.
 
Old 04-01-2004, 08:19 AM   #6
revenant
LQ Newbie
 
Registered: Mar 2004
Distribution: SuSE 9.0
Posts: 14

Original Poster
Rep: Reputation: 0
Hello unSpawn,

The more serious attacks I mentioned are pretty vague. In my friends words, his fire wall "went nuts" and he was disconnected. He dialed back in and the same happened again not long later.

The scans are still happening every few minutes even today, but now most of them come from IP addresses owned by my ISP (in Australia.) Maybe from compromised computers?

I'm just guessing, I really know nothing about security beyond what I have learned in the past week.

A couple of IP's that have come up more than once today are 203.221.244.149 and 203.220.216.53

I'm reading up on snort now, but it looks like I'm just going to have to wait this out. If nothing else it has motivated me to learn more about my systems security.

Thank you for all your help, its very much appreciated.
 
Old 04-01-2004, 11:29 AM   #7
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
Scans happen every hour. The attacker is looking for a misconfiguration of a service. The most famous scan pattern is the proxy service (tcp/1080).

So, if you have to install a new service you must careful at the configuration time because it may be proven fatal!
 
Old 04-01-2004, 12:43 PM   #8
mrcheeks
Senior Member
 
Registered: Mar 2004
Location: far enough
Distribution: OS X 10.6.7
Posts: 1,690

Rep: Reputation: 52
install portsentry(block scan and ip address), installe snort, configure your firewall too well, use a gui if necessary, and add "--no-listen tcp" option to X server startup(port 6000) or your startx command(if you start X from console).

shorewall is easier than "direct iptables rules"

test your firewall at sygate site
nmap your ip adress

Last edited by mrcheeks; 04-01-2004 at 12:47 PM.
 
Old 04-01-2004, 11:50 PM   #9
nick_krym
Member
 
Registered: Sep 2002
Location: The Netherlands
Posts: 38

Rep: Reputation: 15
unSpawn: Don't you think that instead of spoon feeding him the answer, it would be better to point him in the right direction and let him find the answer himself. In doing so, he will also learn alot more about Linux security. Also, what is wrong with posting a few e-books, as I allready said, it will help him get the answer, and in the process he will learn alot of useful info.

Thanks, Nick
 
Old 04-02-2004, 12:18 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
unSpawn: Don't you think that instead of spoon feeding him the answer, it would be better to point him in the right direction and let him find the answer himself.
First of all I usually don't talk much about approaches to solving problems here. Most of the time people do not want an elaborate explanation, background information let alone know about structurising troubleshooting and whatnot, but just want an answer. If that constitutes spoonfeeding ppl info, then I'm as guilty as hell all of my life and everywhere I've been.

Define "better". What is the "best" approach? What's the "best" way to tell a security expert, a forensics expert, a colo admin, a DBA, a manager, a student, a newbie? How do you assess, except by reading between the lines, how much effort ppl want to put in it?


In doing so, he will also learn alot more about Linux security.
I agree, but partially. Solving one problem doesn't make ppl knowledgable, unless you know what and where to look for. This isn't a newbie thing tho. A lot of professionals struggle with it too. Myself, I'm still learning, and there's A LOT I know zilch about.


Also, what is wrong with posting a few e-books,
Well, the deeper significance of this is that it's not even the "official" URI for those. NAG, SAG or whatever they're called have official URI's where they're (sposed to be) updated. My problem with posting these URI's is twofold really: they do not constitute an answer themselves (you could as well say RTM) unless you point to the relevant chapter and secondly 320 has been posting the PDF's URI twice w/o adding anything of himself, which to me means as much as being unhelpful (the NG or mailinglist way). At LQ, we gotta do more than just post URI's. As moderator I operate under the same rules. I do regularly point ppl to the LQ FAQ: Security references, but you'll usually see that in conjunction with an answer or at least me pointing to the relevant part.



*1. Nick, if you're willing, add the answer like I should have given it to him. Don't worry about completeness or failing etc, etc, it's the effort that counts IMHO. Hopefully I can learn something there too.

*2. If you've got more meta questions or want to constructively discuss spreading the nfo, you're invited to take this up with me by email. Hopefully I can learn something from you.


Last edited by unSpawn; 04-02-2004 at 12:59 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What attack could this be??? darrel Linux - Security 10 02-26-2005 10:10 PM
hacker attack? zetsui Linux - General 4 08-04-2003 06:03 AM
Sendmail Attack m0rl0ck Linux - Security 4 07-04-2003 04:08 AM
Help I am UNDER ATTACK... needamiracle Linux - Security 28 04-22-2003 12:06 PM
Any attack? vcheah Linux - Security 1 12-07-2001 01:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration