[olug] Building a Hellacious Firewall

Jon thechunk at thechunk.dhs.org
Wed Jun 27 12:10:01 UTC 2001

Thanks for expanding on Telnet and ftp.  An insecure connection on a public cable is what I was referring to.  I am fairly positive that is how someone gained root access to my gateway at one point in time.  Both telnet and ftp are useful if you're not authenticating with them on a public network like the internet.  I have just started using sftp with ssh version 2.  It is pretty neat stuff.  They even have windows clients that can connect using them and will give you an explorer view.  I don't know if there are many security risks to anonymous ftp, but if you just want to make files available to anyone it isn't hard to set up.  On the windows note, cygwin ships with openssl and openssh now.  It is quite impressive.  scp works pretty well, but I end up tarring everything into one file to make the transfer easier.

When my gateway got hacked I noticed my network going down.  My wife's computer with its own internet ip (not behind my gateway that got hacked) was affected as well.  I had noticed that the default output format for ps had changed.  I ran top and a process that wasn't showing in ps was taking 100% of my cpu.  I believe someone gained root access and installed a root kit.  I have no idea what it was doing, but it really made me feel stupid for allowing it to happen and not figuring it out sooner (I noticed the ps changes several months beforehand).  Just thought I would share my experiences of being hacked and what I had to work with.  I believe some of the newer root kits will overwrite top as well.  This means it might be pretty hard to find offending processes.  Anyone else have any experience cleaning up behind a script kiddie?

-Jon W

On Wed, Jun 27, 2001 at 06:30:12AM -0500, Jason Ferguson wrote:
> Jon,
> For once, I think someone needs to point out... telnet and ftp are not 
> inherently evil. They are simply tools. I once made a point to my class 
> about programs like NMAP using chainsaws as an example. They can be used 
> to make firewood, or in one old 70s horror movie, they can be used to 
> make chili.  It's just a tool; it's the owner that has the ultimate 
> decision on its use (and consequences of its use).
> Now, I do happen to agree: allowing telnet access into your network from 
> the outside is asking for trouble: passwords and any data coming across 
> the connection are fair game for anyone with a sniffer along the route. 
> But I have used telnet on my internal network before (blocking it from 
> the outside, some spoofing protection) for communications with Windows 
> machines that I didn't want to go through the trouble of setting up SSH 
> clients on.
> FTP: well, it's still one of two standards for creating a file dump, the 
> other being HTTP.  But this time I fully agree, if someone is crazy 
> enough to set up a FTP server, make sure it's not you. I find web servers 
> are actually easier to configure than FTP servers (more people working 
> on Apache than on WU-FTP?). And on my internal network, I'll use Samba 
> to set up shares accessible by my network.
> But my original question remains: WHAT do we 
> block/allow/reject/mark/mangle/mutilate to have my so-called 
> "Hellacious" firewall?  Another problem area I came up with: ports 
> 666X-6670 are often used for irc communication. This is why you don't IRC 
> as root... if someone comes in through those systems with an exploit, 
> they'll have root access. Again, DROP/REJECT any traffic not coming from 
> a known irc server.
> Any other ideas? Remember, the idea of firewalls: stop the kiddies, and 
> delay the pros long enough for them to find a less protected computer.
> Jason
> Jon wrote:
> >This was really a good read for me.  I agree with what you are saying.  I don't know if there are many inexperienced linux users on this list but thought I would share my minor insights into running a secure server.
> >1. no telnet / ftp
> >2. see number 1
> >3. openssh with certificates so I can get connections without prompts.
> >4. edit my /etc/inetd.conf and remove all services I don't use.
> >
> >I have only read one issue of 2600 but found the information to be invaluable.  It is really good to see how many mistakes people make.  There was an article describing how to take someone's email and search the net for any uses of it.  At first thought this seems futile, but they point out that if someone is active in usenet then with the awesome cataloging of message lists you can possibly get some hits.  It then pointed out that if someone ever posted live information to a usenet list you could get system info such as os and maybe even a config file or two if the admin got frustrated.  Anyway, just some thoughts.
> >
> >-Jon W
> >
> >On Tue, Jun 26, 2001 at 04:33:23PM -0500, Jason Ferguson wrote:
> >
> >>Okay, iptables isn't tough:
> >>
> >>iptables -A INPUT --source (addy-of-bad-guy) -j LOG
> >>iptables -A INPUT --source (same-addy) -j DROP
> >>
> >>Or something like that.
> >>
> >>However, we talk so much about the HOW to firewall, with ipchains or 
> >>iptables, that we miss what I feel is even more important... WHAT to 
> >>firewall.
> >>
> >>Now, for example... I've heard it said that AUTH (usually port 113, check 
> >>your /etc/services) is a security risk to run: it lets people gather 
> >>info about your computer. However, try connecting to IRC without it... 
> >>you won't get far. Solution: deny AUTH requests from anyone besides the 
> >>IRC servers. Just LOG all of your requests for awhile to get the IP 
> >>address of the servers, then modify your rules. Same goes for any one of 
> >>the other services; firewalls can block access to your services except 
> >>for select IP addresses. This could allow something as bad as TELNET on 
> >>your internal network without being dangerous to the outside (gotta be 
> >>careful of spoofing, of course).
> >>
> >>I prefer to build my firewall script myself, rather than use some 
> >>generator program. This is because if you just use a generator, do you 
> >>REALLY know what you're blocking and/or allowing? Probably not.
> >>
> >>
> >>IPTABLES brings new stuff to the table. I personally don't know how to 
> >>use things like MARK. So, to get to the point of this email (finally), 
> >>can some of the old pros here share some of their experience in the art 
> >>of building firewalls rather than the science?
> >>
> >>Jason
> >>
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> >>For additional commands, e-mail: olug-help at bstc.net
> >>
> >

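An added example, not part of the thread and not code from any of its posters: a POSIX shell script that prints the iptables commands for the two patterns discussed above (log-then-drop a single address, and allow a service such as AUTH on TCP 113 only from a known set of servers). The addresses are constructed placeholders from the RFC 5737 documentation ranges, not real IRC servers, and the script prints rules rather than applying them so it can be reviewed first and run without root.

```shell
#!/bin/sh
# Added example (not from the thread). Generates iptables rules; pipe the
# output to `sh` as root to apply, or read it to see exactly what is blocked.

# block_host ADDR -> the two-rule pattern from the thread: log, then drop
block_host() {
    addr=$1
    echo "iptables -A INPUT -s $addr -j LOG --log-prefix \"blocked-host: \""
    echo "iptables -A INPUT -s $addr -j DROP"
}

# allowlist_rules PORT "ADDR ADDR ..." -> accept a TCP service only from
# the listed sources, log everything else at a bounded rate, then drop it.
allowlist_rules() {
    port=$1
    allow=$2
    # Order matters: iptables stops at the first terminating target, so the
    # ACCEPT rules must be appended before the LOG/DROP catch-alls.
    for addr in $allow; do
        echo "iptables -A INPUT -p tcp --dport $port -s $addr -j ACCEPT"
    done
    # -m limit keeps a port scan from filling syslog with one line per packet.
    echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"port-$port-denied: \""
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# count_rules PORT "ADDR ..." -> number of rules allowlist_rules would add
count_rules() {
    allowlist_rules "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data (RFC 5737 documentation addresses, assumed values).
IRC_SERVERS="192.0.2.10 198.51.100.7"
BAD_GUY="203.0.113.99"

# Usage: print the rule set for AUTH (TCP 113) and one blocked host.
allowlist_rules 113 "$IRC_SERVERS"
block_host "$BAD_GUY"
```

Two caveats a practitioner would add to the thread's own advice: the LOG rule should sit before the DROP (a rule that drops first never reaches the logger), and because these allowlists match on source address alone they are only as trustworthy as your anti-spoofing rules on the external interface, which the thread rightly flags.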