[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

Dave Anselmi anselmi at americanisp.net
Mon Jan 28 20:39:54 MST 2002


Sean LeBlanc wrote:

> Well, I've been noticing weird things on my firewall box since Friday.  I
> wasn't able to SSH in several times, had to turn it on from the console,
> only to discover hours later or next day it's not working again. So this
> morning I'm eating my bagel and coffee before work and I decide to try SSH
> again.  It's not on. So I start getting suspicious (finally) and decide to
> snoop about for any foul play - sure enough, I've been cracked.

That's cool!  Well, not for you, but that I now know someone who has been and
mostly that you were able to find hard evidence of it.  (Not the "I keep getting
this blue screen, could I have a virus?" whining.)

[...]


> I also scribbled down the IP numbers from where some of the logins took
> place. Is there anything I can do in retaliation?

Retaliation is pointless IMHO.  Most likely you'd blast some site that's a
victim like you.  Now a honeypot is a different story.  Take a look at that, and
the deception toolkit (sorry, no URLs handy at the moment).

[...]


> Prior to attack, I was running some services which I know I shouldn't have
> been, at least not without denying packets from outside - bind, smbd, nmbd,
> identd. I still have no idea what he did to crack the machine, and that really
> bothers me. What I'd like to do is get ipchains rules together that block
> all incoming packets except for ssh and except for stuff returning from
> machines behind firewall. Getting cut off from home machine while at work is
> a real PITA w/o the added worry of what this induhvidual's intentions are...

Running NAT (source only, no destination) is a good way to protect machines
behind your router (wherever you do the NAT).  You can use DNAT to let in SSH,
but it would be good to limit the source addresses you allow (there are several
places you can do that).  Linux firewalling is good enough and easy enough that
you can run iptables on every machine.  But running a bunch of services isn't a
good idea on a firewall, as you see.

Here's a link to what Rusty has to say.  It gets you most of what you want as
far as only letting outbound connections through:

http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-5.html

HTH.  Good luck with the cleanup.

Dave
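The ruleset Sean asks for and Dave sketches (drop everything inbound except
SSH and replies to connections started from inside, source NAT for the LAN) as
a worked example. This is an added script, not something posted in the thread
and not taken from Rusty's HOWTO. It assumes a 2.4-era Linux router with
iptables and the `state` match, eth0 facing the Internet, eth1 facing a
192.168.1.0/24 LAN, and a single trusted admin address (a placeholder from
TEST-NET-3) allowed to reach sshd from outside; all of those are constructed
values and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed layout: WAN_IF is the
# Internet side, LAN_IF the inside, LAN_NET the private network behind the box,
# ADMIN_SRC the one outside address allowed to open SSH. All values constructed.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
ADMIN_SRC=${ADMIN_SRC:-203.0.113.10}   # placeholder trusted source (TEST-NET-3)
IPTABLES=${IPTABLES:-iptables}

# firewall_rules prints one iptables command per line instead of running it,
# so the policy can be read and checked without root; apply_rules executes it.
firewall_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -t nat -F
# Default deny for traffic to the box and through the box; its own outbound stays open.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Loopback, plus replies to connections the firewall itself started.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# A packet on the WAN side carrying a LAN source address is spoofed: drop it.
$IPTABLES -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
# New SSH sessions: from outside only from the admin address, from the LAN freely.
$IPTABLES -A INPUT -i $WAN_IF -p tcp -s $ADMIN_SRC --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Record (rate-limited) whatever else knocks on the WAN side before the policy drops it.
$IPTABLES -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
# LAN -> Internet may start connections; Internet -> LAN only as replies.
$IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Source NAT only: LAN traffic leaves with the router's address, nothing is mapped back in.
$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Strip the comment lines and hand the commands to a shell that stops on the first error.
apply_rules() {
    firewall_rules | grep -v '^#' | sh -e
}

# Usage: sh fw.sh show   (print the rules)   |   sh fw.sh apply   (needs root)
case "${1:-}" in
    show)  firewall_rules ;;
    apply) apply_rules ;;
esac
```

Note what is deliberately absent: no rule accepts new connections from the WAN
except the single SSH line, so bind, smbd, nmbd and identd stay unreachable from
outside even if they are still running, and the LOG line makes the dropped
knocks visible in syslog, which is where the "SSH is off again" symptom would
have shown up as something else much earlier.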




