LinuxQuestions.org
Old 03-19-2021, 02:15 PM   #1
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Rep: Reputation: Disabled
Request for help with setting up iptables // (tcpdump and Maltrail involved)


Hello,
I had an eventual problem with a breach of my Linux box, but I am not a network professional.

The start of the story was that my network meter showed a big upload while I was downloading.

So I ran tcpdump (1) to confirm external network activity.
Afterwards I used chkrootkit (2) and rkhunter (3), which said that it is POSSIBLE to have malicious software.
I ran clamscan (ClamAV) (4) on every directory from '/' separately (I had to exclude /home): no infections, but 32485 total errors in /sys.
However, running Maltrail (5) at the same time showed two strange actions (ID1 and ID2):


Code:
ID          1                       2
threat      ee881995                ae3a2c5e
sensor      eve                     eve
events      2                       1
severity    medium                  medium
first_seen  19th 15:14:52           19th 11:35:49
last_seen   19th 15:14:53           19th 11:35:49
sparkline
src_ip      10.8.8.50 [LAN]         10.0.2.51 [LAN]
src_port    42099 and 53949         46857
dst_ip      103.86.99.99 [SG]       103.86.96.100 [AU]
dst_port    53 (dns)                53 (dns)
proto       UDP                     UDP
type        (tiny).cc               (w569ut7zbkiqf5b).xyz
trail       domain (suspicious)     domain (suspicious)
info        (static)                (static)
Before I would consider rebuilding my system, I suppose I should first tame the hole, but I have little idea about iptables or properly grounded knowledge about networking at that level.

I use the default settings of ufw and the firewall on the router.
My network looks like: modem (router) >> proper Asus router with up-to-date firmware, firewall, VPN and Wi-Fi >> devices

May I ask for recommendations, if there is something I should do better in my Linux settings?

Code:
$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  5.180.62.159         anywhere            
ACCEPT     all  --  5.180.62.159         anywhere            
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             5.180.62.159        
ACCEPT     all  --  anywhere             5.180.62.159        
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-user-input (1 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination         

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere

Last edited by hkjz; 03-19-2021 at 02:25 PM.
 
Old 03-20-2021, 12:29 PM   #2
Gad
Member
 
Registered: May 2013
Distribution: FreeBSD 12.2-RELEASE
Posts: 533

Rep: Reputation: 113
Block inbound DNS on both TCP / UDP port 53; it is possible you may be experiencing a DDoS. DNS queries should not be coming into your private network unless I have misinterpreted your logs.

Just a rule of thumb for firewalls: block everything and only open what is needed. That is just my suggestion and preference.

Last edited by Gad; 03-20-2021 at 12:31 PM.
 
Old 03-22-2021, 02:03 PM   #3
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Gad View Post
Block inbound DNS on both TCP / UDP port 53; it is possible you may be experiencing a DDoS. DNS queries should not be coming into your private network unless I have misinterpreted your logs.

Just a rule of thumb for firewalls: block everything and only open what is needed. That is just my suggestion and preference.
Hey, thanks for reaching out. I read what I could about iptables:
https://www.suse.com/c/basic-iptables-tutorial/
https://www.digitalocean.com/communi...e-your-servers
https://www.digitalocean.com/communi...s-and-commands
https://www.rosehosting.com/blog/blo...-debianubuntu/

and now they look like this -

Code:
$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     udp  --  anywhere             anywhere             multiport dports 80,443

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             multiport dports 80,443
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https
The NordVPN configuration file is for sure of the UDP type (https://nordvpn.com/ovpn/), that is why I added UDP (properly?).
Anyway, with such a setup I CANNOT LOAD ANY SITES; however my upload and download are active because of two IPs, which I further add to the drop rules:

Code:
# without a netmask (e.g. /16) each -s / -d matches only that single host address
sudo iptables -I INPUT  -s 149.154.0.0 -j DROP
sudo iptables -I INPUT  -s 91.108.0.0  -j DROP
# outgoing packets carry our own address as source, so OUTPUT has to match the destination (-d)
sudo iptables -I OUTPUT -d 149.154.0.0 -j DROP
sudo iptables -I OUTPUT -d 91.108.0.0  -j DROP
Definitely there is something going on, and after I figure out how to block it properly, I will flush the system and set up proper rules again.

Would you have any hints on how you set up your rules?
 
Old 03-22-2021, 02:07 PM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,526
Blog Entries: 3

Rep: Reputation: 2787
Rather than the -L option for iptables the utilities iptables-save and iptables-restore will produce output that is both easier to read and easier to modify.
 
Old 03-22-2021, 03:02 PM   #5
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Rather than the -L option for iptables the utilities iptables-save and iptables-restore will produce output that is both easier to read and easier to modify.
Doesn't seem to really work.
Save probably saves stuff, because there is no output.
Restore seems to load and load and load, so I kill the process after some time.


Besides, I have this solution below:
Code:
#!/bin/bash
#
# iptables firewall script
# https://www.rosehosting.com
#

IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips
# rules are saved here and restored from here at boot; the two paths must be the same file
RULES=/etc/iptables.rules

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

# drop "new" TCP connections that do not start with a SYN, then accept replies to our own traffic
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# icmp type 8 is echo-request: this lets other hosts ping us (replies to our own pings are RELATED)
echo " * allowing incoming ping (icmp echo-request)"
${IPTABLES} -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

#
# Block abusing IPs
# from ${BLACKLIST}
#
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read -r IP; do
        [[ -z "${IP}" || "${IP}" == \#* ]] && continue   # skip blank lines and comments
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < "${BLACKLIST}"
fi

#
# Save settings
#
echo " * SAVING RULES"

if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo "test -e ${RULES} && iptables-restore -c ${RULES}" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi

# save with counters (-c) since the boot hook restores with -c
iptables-save -c > "${RULES}"
iptables-restore -c "${RULES}"
I modified it from the original by deleting these ports from the original solution:
Code:
echo " * allowing ssh on port 5622"
echo " * allowing ftp on port 21"
echo " * allowing smtp on port 25"
echo " * allowing submission on port 587"
echo " * allowing imaps on port 993"
echo " * allowing pop3s on port 995"
echo " * allowing imap on port 143"
echo " * allowing pop3 on port 110"
Should I keep this part of the code?
Code:
echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
Now the outcome is:
Code:
$ sudo iptables -nvL
Chain INPUT (policy DROP 81009 packets, 118M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
  221  107K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   19  2123 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
   19  2123 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 121K packets, 8993K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
and it is much better. Today I was under strong bombardment. It is not over though; I still notice noise with

Code:
sudo tcpdump
I am nevertheless happy to have found a first milestone solution to close this event.


What next steps should I take? My operating system most likely has to be exchanged.
What would you say about other devices in the network? Sometimes I see a phone or another laptop from the network pinging me in tcpdump,
but mostly the connections come from CloudFront and Amazon servers.

What are the rules in this part of digital universe?

I found this great article
https://www.linuxquestions.org/quest...or-4175582819/
which was mentioned by the author here:
https://www.linuxquestions.org/quest...ed-4175610682/

Quote:
Originally Posted by sundialsvcs View Post
Dwarvish door
sundialsvcs, are you still out there?


and here is part of the log, which was made accessible with the code above:

Code:
Mar 22 21:15:00 mx kernel: [33763.801904] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:03:08:9d:5c:36:08:00 SRC=192.168.50.17 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=8791 PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:03 mx kernel: [33766.771748] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=224 TOS=0x00 PREC=0x00 TTL=64 ID=49413 DF PROTO=UDP SPT=138 DPT=138 LEN=204 
Mar 22 21:15:05 mx kernel: [33768.819760] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=224 TOS=0x00 PREC=0x00 TTL=64 ID=51315 DF PROTO=UDP SPT=138 DPT=138 LEN=204 
Mar 22 21:15:07 mx kernel: [33770.868173] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=224 TOS=0x00 PREC=0x00 TTL=64 ID=53235 DF PROTO=UDP SPT=138 DPT=138 LEN=204 
Mar 22 21:15:07 mx kernel: [33770.868205] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=53236 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:09 mx kernel: [33772.813505] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55153 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:09 mx kernel: [33772.813547] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55154 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:11 mx kernel: [33774.861489] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55532 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:11 mx kernel: [33774.861512] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55533 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:11 mx kernel: [33775.211097] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=4980 DF PROTO=2 
Mar 22 21:15:13 mx kernel: [33776.807526] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55985 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:13 mx kernel: [33776.807546] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=55986 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:15 mx kernel: [33778.856434] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=57533 DF PROTO=UDP SPT=137 DPT=137 LEN=76 
Mar 22 21:15:15 mx kernel: [33778.856470] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=212 TOS=0x00 PREC=0x00 TTL=64 ID=57534 DF PROTO=UDP SPT=138 DPT=138 LEN=192 
Mar 22 21:15:15 mx kernel: [33778.856494] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=57535 DF PROTO=UDP SPT=138 DPT=138 LEN=217 
Mar 22 21:15:15 mx kernel: [33778.856514] IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=192.168.50.255 LEN=242 TOS=0x00 PREC=0x00 TTL=64 ID=57536 DF PROTO=UDP SPT=138 DPT=138 LEN=222 
Mar 22 21:15:31 mx kernel: [33795.207969] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=13570 DF PROTO=2 
Mar 22 21:15:51 mx kernel: [33815.208944] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=17262 DF PROTO=2 
Mar 22 21:16:11 mx kernel: [33835.212152] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=35752 DF PROTO=2 
Mar 22 21:16:31 mx kernel: [33855.212275] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=49195 DF PROTO=2 
Mar 22 21:16:44 mx kernel: [33867.534626] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=140 TOS=0x00 PREC=0x00 TTL=255 ID=25620 PROTO=UDP SPT=5353 DPT=5353 LEN=120 
Mar 22 21:16:45 mx kernel: [33868.558579] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=140 TOS=0x00 PREC=0x00 TTL=255 ID=22393 PROTO=UDP SPT=5353 DPT=5353 LEN=120 
Mar 22 21:16:51 mx kernel: [33875.214367] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=519 DF PROTO=2 
Mar 22 21:17:11 mx kernel: [33895.220049] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=1731 DF PROTO=2 
Mar 22 21:17:31 mx kernel: [33915.223127] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=15094 DF PROTO=2 
Mar 22 21:17:43 mx kernel: [33927.131950] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=9381 PROTO=UDP SPT=5353 DPT=5353 LEN=78 
Mar 22 21:17:44 mx kernel: [33928.157378] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=13509 PROTO=UDP SPT=5353 DPT=5353 LEN=78 
Mar 22 21:17:46 mx kernel: [33930.101357] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=116 TOS=0x00 PREC=0x00 TTL=255 ID=51545 PROTO=UDP SPT=5353 DPT=5353 LEN=96 
Mar 22 21:17:47 mx kernel: [33931.023223] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=116 TOS=0x00 PREC=0x00 TTL=255 ID=22276 PROTO=UDP SPT=5353 DPT=5353 LEN=96 
Mar 22 21:17:47 mx kernel: [33931.125594] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:48:43:7c:88:86:61:08:00 SRC=192.168.50.237 DST=224.0.0.251 LEN=98 TOS=0x00 PREC=0x00 TTL=255 ID=9601 PROTO=UDP SPT=5353 DPT=5353 LEN=78 
Mar 22 21:17:51 mx kernel: [33935.217430] IN=wlan0 OUT= MAC=f8:59:71:af:ad:cf:0c:9d:92:01:d0:58:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=25396 DF PROTO=2
Interesting is that everywhere it is the same:
SRC=192.168.50.1
SRC = the source IP address from where the packet originated

Last edited by hkjz; 03-22-2021 at 03:44 PM.
 
Old 03-23-2021, 01:07 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,526
Blog Entries: 3

Rep: Reputation: 2787
Quote:
Originally Posted by hkjz View Post
Doesn't seem to really work.
Save probably saves stuff, because there is no output.
iptables-save will send to standard output. If there was no output, there were no iptables rules to be saved. The saving would be done via a redirection using > or tee.
 
Old 03-23-2021, 05:49 AM   #7
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
iptables-save will send to standard output. If there was no output, there were no iptables rules to be saved. The saving would be done via a redirection using > or tee.
I found this

Code:
sudo sh -c "iptables-save > /etc/iptables.rules"

Code:
$ cat iptables.rules 
# Generated by xtables-save v1.8.2 on Tue Mar 23 11:32:49 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [25400:2316886]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Tue Mar 23 11:32:49 2021
# Generated by xtables-save v1.8.2 on Tue Mar 23 11:32:49 2021
*nat
:PREROUTING ACCEPT [133:8348]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [569:39050]
:OUTPUT ACCEPT [569:39050]
COMMIT
However, you could have a different solution in mind;
anyway, you were right: after a computer reboot the iptables rules were not saved, and I had to run the script mentioned in the previous post again.


That means I should make the iptables configuration load on every reboot.
There are a couple of ways: one is to add the script, for example the one above, to `crontab -e` as an `@reboot` entry to make the rules persistent,
or to install `iptables-persistent`. During installation, the program asked me if I would like to save the current rules. Let's see the outcome after reboot.
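A mechanical check for the two rulesets in this thread: the one in post #3 (OUTPUT policy DROP with only 80/443 open, which is why no site loaded: DNS and the loopback/established rules were missing) and the iptables-save dump just above (which, as Gad pointed out, still accepts inbound port 53, and opens 80/443 and echo-request on a laptop that serves nothing). The Python below is an added example, not code from the thread or from iptables; it reads iptables-save syntax, POST3_RULES is a constructed iptables-save rendering of the post #3 listing, and POST7_RULES copies the filter table of the dump above.

```python
"""Lint the *filter table of an iptables-save dump for the mistakes seen in this thread."""
import shlex

# Constructed: post #3's `iptables -L` listing rewritten in iptables-save syntax.
POST3_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""

# Copied from the dump in this post (nat table, counters and the final LOG/DROP pair omitted).
POST7_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [token lists]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(shlex.split(line)[1:])   # drop the "-A"
    return tables


def _opt(tokens, *names):
    # value following the first of the given option names, else None
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def _ports(tokens):
    # destination ports as a set of strings; covers both --dport and multiport --dports
    val = _opt(tokens, "--dport", "--dports")
    return set(val.split(",")) if val else set()


def _accepts(rules, chain):
    return [r for r in rules if r[0] == chain and _opt(r, "-j") == "ACCEPT"]


def _established_ok(rules, chain):
    return any("ESTABLISHED" in (_opt(r, "--state", "--ctstate") or "") for r in _accepts(rules, chain))


def lint(text, serves_web=False):
    """Return a list of findings; empty means none of the checked mistakes is present."""
    tab = parse_iptables_save(text).get("filter")
    if tab is None:
        return ["no *filter table found"]
    pol, rules = tab["policies"], tab["rules"]
    in_acc, out_acc = _accepts(rules, "INPUT"), _accepts(rules, "OUTPUT")
    findings = []
    if not any(_opt(r, "-i") == "lo" for r in in_acc):
        findings.append("INPUT: no '-i lo' ACCEPT; local daemons talking to 127.0.0.1 break")
    if not _established_ok(rules, "INPUT"):
        findings.append("INPUT: no RELATED,ESTABLISHED ACCEPT; replies to your own connections are dropped")
    if pol.get("OUTPUT") == "DROP":
        if not _established_ok(rules, "OUTPUT"):
            findings.append("OUTPUT: policy DROP without an ESTABLISHED ACCEPT")
        if not any("53" in _ports(r) for r in out_acc):
            findings.append("OUTPUT: policy DROP and port 53 not allowed out; DNS fails, so no site loads")
    if any("53" in _ports(r) for r in in_acc):
        findings.append("INPUT: accepts inbound port 53; a client serves no DNS to others, drop it")
    if not serves_web and any(_ports(r) & {"80", "443", "http", "https"} for r in in_acc):
        findings.append("INPUT: opens 80/443 inbound; only needed if this host serves web pages")
    if any(_opt(r, "--icmp-type") in ("8", "echo-request") for r in in_acc):
        findings.append("INPUT: accepts ICMP echo-request; the host answers pings (optional, not a hole)")
    return findings


if __name__ == "__main__":
    for name, rules in (("post #3", POST3_RULES), ("post #7", POST7_RULES)):
        print(name, *lint(rules), sep="\n  - ")
```

Run it on `sudo iptables-save` output after each change; the checks only know numeric ports and the state/conntrack matches, so a rule written with service names such as `domain` would need the port table added.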
 
Old 03-23-2021, 08:13 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,526
Blog Entries: 3

Rep: Reputation: 2787
Quote:
Originally Posted by hkjz View Post
I found this

Code:
sudo sh -c "iptables-save > /etc/iptables.rules"
Yes, that's one way. Another would be using tee instead:

Code:
sudo iptables-save | sudo tee /etc/iptables.rules
Either way works, though all that was one of the reasons I chose to upgrade to nftables instead.
 
Old 03-23-2021, 09:37 AM   #9
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Original Poster
Rep: Reputation: Disabled
Ouch!

I just learned pieces of iptables, only to learn that nftables exists, and
"nftables replaces the legacy iptables portions of Netfilter"
source: https://en.wikipedia.org/wiki/Nftables

here is the manual of nftables:
https://wiki.nftables.org/wiki-nftab....php/Main_Page

Lovely, maybe I could learn to use it... when more structurally important issues are solved.
==========================================

There are some mysteries in my network behaviour, and the firewall can only cut out some of the external movement.

Just a moment ago, all my processors went up to 100% for a short second, while tcpdump showed this:

Code:
15:29:02.275120 IP KIED.DomainGi.mdns > 224.0.0.251.mdns: 0 [2q] [1au] PTR (QU)? _companion-link._tcp.local. PTR (QU)? _sleep-proxy._udp.local. (97)
15:29:03.300823 IP KIED.DomainGi.mdns > 224.0.0.251.mdns: 0 [2q] [1au] PTR (QM)? _companion-link._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (97)
while KIED is another device in the network,
why would it want to communicate with me anyway AND make the processors do the computation? Computing what?

==========================================

The "Dwarvish Door" solution seems like a multi-step challenge,
https://www.linuxquestions.org/quest...or-4175582819/
but I am only at the first step. It may take some time to make the other steps.

I will post a success story here, and if you have any recommendations about the cases you find important, please don't hesitate to post.
 
Old 03-24-2021, 05:52 PM   #10
OlgaM
Member
 
Registered: Mar 2019
Distribution: Debian Buster
Posts: 50

Rep: Reputation: Disabled
I understood that it's impossible to kill all hackers' activities. But these steps help me a lot:

1. Nftables logs.
An excellent book about nftables and security is "Linux Firewalls", Fourth Edition, by Steve Suehring. Check this post:

https://www.linuxquestions.org/quest...ot-4175649319/

Edit /etc/nftables.conf:
Code:
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        counter
        log prefix "New Input packets: "
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter
        log prefix "New Output packets: "
    }
}
More info here

2. Audit daemon logs

3. Check cron jobs.

4. Edit the router's settings and divide the network into small subnets. I use network mask 255.255.255.252 (a mask for one host).

5. Edit /etc/network/interfaces and use a static IP. More info here:

https://www.linuxquestions.org/quest...gs-4175677127/

6. Check if a remote terminal exists and close it. More info here.

7. Edit sysctl.conf to prevent SYN-flood attacks etc.

8. When I am not using the laptop I turn off WLAN in the BIOS.

9. Turn off Bluetooth in the BIOS.

10. Set up a counter and use the commands
"systemctl stop networking" and "nft list ruleset" to check if packets are still going when the internet is down.

Last edited by OlgaM; 03-24-2021 at 06:56 PM.
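Once the logging rules from step 1 are in place, the kernel log fills quickly and the question becomes what to look for in it. The script below is an added example written for this page, not code from OlgaM or from the thread: two small shell functions that read the nf_log lines that `log prefix` writes to the kernel log and answer the two questions a home network owner actually has, which destinations this host talks to most, and which hosts send DNS queries anywhere other than the resolver they were given. The sample log lines, the host name `mx`, the LAN addresses and the resolver address 10.0.2.1 are all constructed for the example; on a real machine you feed `dmesg` or `journalctl -k` into the functions instead.

```shell
#!/bin/sh
# Added example (not from the thread): triage the kernel log lines that the
# nftables "log prefix" rules produce. Needs only POSIX sh, awk and sort.
# Everything in sample_log is constructed; the resolver 10.0.2.1 is an assumption.

sample_log() {
    # Constructed lines in the nf_log format that "log prefix" writes to the
    # kernel log (what dmesg or journalctl -k shows).
    cat <<'EOF'
Mar 24 18:01:02 mx kernel: [  812.104311] New Output packets: IN= OUT=wlan0 SRC=10.0.2.51 DST=10.0.2.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=41025 DF PROTO=UDP SPT=51233 DPT=53 LEN=41
Mar 24 18:01:02 mx kernel: [  812.200415] New Output packets: IN= OUT=wlan0 SRC=10.0.2.51 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41026 DF PROTO=TCP SPT=44120 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 24 18:01:03 mx kernel: [  813.004012] New Output packets: IN= OUT=wlan0 SRC=10.0.2.51 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41027 DF PROTO=TCP SPT=44120 DPT=443 WINDOW=502 RES=0x00 ACK URGP=0
Mar 24 18:01:05 mx kernel: [  815.330907] New Output packets: IN= OUT=wlan0 SRC=10.0.2.51 DST=203.0.113.9 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=41030 DF PROTO=UDP SPT=46857 DPT=53 LEN=53
Mar 24 18:01:06 mx kernel: [  816.771233] New Input packets: IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:a4:5e:60:12:34:56:08:00 SRC=10.0.2.17 DST=224.0.0.251 LEN=125 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=105
Mar 24 18:01:07 mx kernel: [  817.002931] New Output packets: IN= OUT=wlan0 SRC=10.0.2.51 DST=203.0.113.9 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=41031 DF PROTO=UDP SPT=46858 DPT=53 LEN=53
EOF
}

summarize_nft_log() {
    # stdin: kernel log lines.  stdout: "count direction proto dst:dport",
    # busiest flows first, so an unexpected destination stands out.
    awk '
    /New (Input|Output) packets: / {
        dir = (index($0, "New Input") > 0) ? "in" : "out"
        proto = "?"; dst = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)    proto = substr($i, 7)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        count[dir " " proto " " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

dns_off_resolver() {
    # $1: the resolver this LAN is expected to use.  Prints "src -> dst" for
    # every outbound DNS query that went anywhere else; a host talking to a
    # resolver you never configured deserves a closer look.
    awk -v resolver="$1" '
    /New Output packets: / {
        src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt == "53" && dst != resolver) print src " -> " dst
    }
    ' | sort -u
}

# Stand-alone run over the constructed sample.
sample_log | summarize_nft_log
echo "--- DNS queries not sent to 10.0.2.1 ---"
sample_log | dns_off_resolver 10.0.2.1
```

On the real box, `journalctl -k | summarize_nft_log` and `journalctl -k | dns_off_resolver <your router or resolver IP>` do the same job. One caveat on the ruleset in the post above: with `policy accept` and no state match, every packet is logged, including every packet of a long download, so the log grows very fast; putting `ct state new` in front of the `log` statement keeps it to one line per connection, and `nft list ruleset` still shows the per-chain counters for step 10.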
 
Old 04-01-2021, 11:06 AM   #11
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by OlgaM View Post
I understand that it's impossible to kill all of a hacker's activities, but these steps help me a lot:

1. Nftables logs.
An excellent book about nftables and security is "Linux Firewalls", Fourth Edition, by Steve Suehring. Check this post:

https://www.linuxquestions.org/quest...ot-4175649319/

Edit /etc/nftables.conf:
Code:
#!/usr/sbin/nft -f
# start from an empty ruleset so reloading this file does not duplicate rules
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter
		log prefix "New Input packets: "
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
		counter
	}

	chain output {
		type filter hook output priority 0; policy accept;
		counter
		log prefix "New Output packets: "
	}
}
More info here

2. Audit daemon logs

3. Check cron jobs.

4. Edit the router's settings and divide the network into small subnets. I use network mask 255.255.255.252 (a mask for one host).

5. Edit /etc/network/interfaces and use a static IP. More info here:

https://www.linuxquestions.org/quest...gs-4175677127/

6. Check if a remote terminal exists and close it. More info here.

7. Edit sysctl.conf to prevent SYN-flood attacks etc.

8. When I am not using the laptop I turn off WLAN in the BIOS.

9. Turn off Bluetooth in the BIOS.

10. Set up a counter and use the commands
"systemctl stop networking" and "nft list ruleset" to check if packets are still going when the internet is down.

Sounds like you put a lot of effort into organizing yourself. Sounds terrific; however, right now I don't even understand everything you say, no worries though. I examined your links (not the book) and got something out of them for myself.

Turning off Bluetooth can be done via the service. Check `sudo sysv-rc-conf` and cross it off.
systemctl won't work for me, unfortunately.
 
Old 04-01-2021, 11:16 AM   #12
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Original Poster
Rep: Reputation: Disabled
found it

Last edited by hkjz; 04-01-2021 at 11:57 AM.
 
Old 04-06-2021, 12:59 PM   #13
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 165

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by OlgaM View Post

divide network on small subnets. I use network mask 255.255.255.252 ( mask on one host)
Any good hints on that, besides using a guest network?

Quote:
Originally Posted by OlgaM View Post

Edit sysctl.conf to prevent SYN-flood attack etc.
I came up with this script:

Code:
#!/bin/sh
# Apply a handful of kernel network settings: SYN cookies, no ICMP
# redirects, no forwarding, no answers to ICMP echo.

echo " "
echo " == START == "
echo " * working out 'sysctl'"

# /sbin/sysctl on systems without a merged /usr
SYSCTL=/usr/sbin/sysctl

echo " "
echo " * 9 saved rules "

${SYSCTL} -w net.ipv4.tcp_syncookies=1              # answer SYN floods with SYN cookies
${SYSCTL} -w net.ipv4.tcp_max_syn_backlog=3072      # larger queue of half-open connections
${SYSCTL} -w net.ipv4.tcp_synack_retries=0          # do not retransmit SYN-ACK to half-open peers
${SYSCTL} -w net.ipv4.tcp_syn_retries=1             # kernel minimum is 1; a value of 0 is rejected
${SYSCTL} -w net.ipv4.conf.all.send_redirects=0     # never emit ICMP redirects
${SYSCTL} -w net.ipv4.conf.all.accept_redirects=0   # ignore incoming ICMP redirects
${SYSCTL} -w net.ipv4.conf.all.forwarding=0         # this host is not a router
${SYSCTL} -w net.ipv4.icmp_echo_ignore_broadcasts=1 # ignore broadcast pings (smurf)
${SYSCTL} -w net.ipv4.icmp_echo_ignore_all=1        # host stops answering ping at all

echo " "
echo " == FINISH == "
This way you have to run the file from crontab or another startup source.
The other option is to put these commands straight into /etc/sysctl.conf.

I'm sharing this in case others can make use of it as well.
 
  

