[olug] Building a Hellacious Firewall

David Walker linux_user at grax.com
Wed Jun 27 21:06:23 UTC 2001

In my friend's case we were lucky.  They came in through the printer daemon
(lpd I think) that Redhat 6.2 installs by default.  Every file that they
overwrote had the ownership as root.lpd so I was able to track down every
file they put on there using the command
  find / -group lpd

Going from memory (this was several months ago).
They changed one of the existing system accounts to user id 0 and put a
password for it in /etc/shadow so they could log in with root privileges
using that account.  They replaced ps.  I don't remember about top.  They
added a command that looked like a game program.  That command harvested
ftp, email, and telnet passwords and emailed them to an email address
@mail.com.  It seemed to be using something like tcpdump to examine all
tcpip traffic.

According to the notes on grc.com there are some programs now, at least on
windows PCs, that connect out to an irc server and wait for commands from
their script kiddie.

We ended up reformatting anyway since the machine was just a firewall and we
could just start over.

I recommend running nmap from a computer outside your network periodically
and investigating any open ports that looks suspicious.

Redhat has a command chkconfig you can use to see what services they've
installed by default.  (on other systems check folders rc.1 through rc.5).
When you first install you should check out what they are starting and turn
off any that shouldn't be on.  On your firewall you'll want to remove
sendmail, lpd, portmap.  Investigate any service that is on that you don't
know what it is.  If you don't need it, turn it off.
If you need it on your firewall but only internally than try to configure it
to listen only on the internal adapter and block it's ports on the external

Block all internal (rfc 1918) IPs on the external ethernet adapter.  No one
outside your network with an internal IP that is trying to connect to you is
a good guy.  I've monitored a scan with a source address of on
the Cox network.  Since the router should drop those addresses I believe it
is coming from someone in my neighborhood.

Block all incoming ports from 1 to 1023
If you must have SSH listening externally put it on a really high numbered
port like 55000 or something.  This way if some blatant bug is discovered in
SSH and someone concocts a script to scan and infect they will skip your

If you log attempts to connect to blocked ports you can learn a lot about
what the script kiddies are scanning for and you can determine if you
inadvertantly blocked yourself.

My goal with my firewall was to let nothing in except SSH and to let
out except for mail sent to servers other than my own.  I'm rethinking that
now in light of the fact that a trojan horse on my PC can make outgoing
connections to give the script kiddie access to my internal network but I
think it's a good start.

-----Original Message-----
From: Jon [mailto:thechunk at thechunk.dhs.org]
Sent: Wednesday, June 27, 2001 7:10 AM
To: olug at bstc.net
Subject: Re: [olug] Building a Hellacious Firewall

Thanks for expanding on Telnet and ftp.  Insecure connection on a public
cable is what i was refering too.  I am fairly positive that is how someone
gained root access to my gateway at one point in time.  Both telnet and ftp
are useful if your not authenticating with them on a public network like the
internet.  I have just started using sftp with ssh version 2.  It is pretty
neat stuff.  They even have windows clients that can connect using them and
will give you an explorer view.  I don't know if there are many security
risks to anonymous ftp but if you just want to make files available to
anyone it isn't hard to setup.  On the windows note cygwin ships swith
openssl and opensssh now.  It is quite impressive.  scp works pretty good
but I end up taring everything into one file to make the transfer easier.

When my gateway got hacked I noticed my network going down.  My wifes
computer with its own internet ip ( not behind my gateway that got hacked )
was affected as well.  I had noticed that the default output format for ps
had changed.  I ran a top and a process that wasn't showing in ps was taking
100% of my cpu.  I beleive someone gained root access and installed a root
kit.  I have no idea what it was doing but it really made me feel stupid for
allowing it to happen and not figuring it out sooner ( I noticed the ps
changes several months beforehand ).  Just thought I would share my
experiences of being hacked and what I had to work with.  I beleive some of
the newer root kits will overwrite top as well.  This means it might be
pretty hard to find offending processes.  Anyone else have any experience
cleaning up behind a script kiddie?

-Jon W

On Wed, Jun 27, 2001 at 06:30:12AM -0500, Jason Ferguson wrote:
> Jon,
> For once, I think someone needs to point out... telnet and ftp are not
> inherently evil. They are simply tools. I once made a point to my class
> about programs like NMAP using chainsaws as an example. They can be used
> to make firewood, or in one old 70s horror movie, they can be used to
> make chili.  Its just a tool, its the owner that has the ultimate
> decision on its use (and consequences of its use).
> Now, I do happen to agree: allowing telnet access into your network from
> the outside is asking for trouble: passwords and any data coming across
> the connection are fair game for anyone with a sniffer along the route.
> But I have used telnet on my internal network before (blocking it from
> the outside, some spoofing protection) for communications with Windows
> machines that I didnt want to go through the trouble of setting up SSH
> clients on.
> FTP: well, its still one of two standards for creating a file dump, the
> other being HTTP.  But this time I fully agree, if someone is crazy
> enough to set up a FTP server, make sure its not you. I find web servers
> are actually easier to configure than FTP servers (more people working
> on Apache than on WU-FTP?). And on my internal network, I'll use Samba
> to set up shares accessible by my network.
> But my original question remains: WHAT do we
> block/allow/reject/mark/mangle/mutilate to have my so-called
> "Hellacious" firewall?  Another problem area I came up with: ports
> 666X-6670 are often used for irc communication. This is why you dont IRC
> as root... if someone comes in through those systems with an exploit,
> they'll have root access. Again, DROP/REJECT any traffic not coming from
> a known irc server.
> Any other ideas? Remember, the idea of firewalls: stop the kiddies, and
> delay the pros long enough for them to find a less protected computer.
> Jason
> Jon wrote:
> >This was really a good read for me.  I agree with what you are saying.  I
don't know if there are many inexperienced linux users on this list but
thought I would share my minor insights into running a secure server.
> >1. no telnet / ftp
> >2. see number 1
> >3. openssh with certificates so I can get connections without prompts.
> >4. edit my /etc/inetd.conf and remove all services I don't use.
> >
> >I have only read one issue of 2600 but found the information to be
invaluable.  It is really good to see how many mistakes people make.  There
was an article describing how to take someones email and searching the net
for any uses of it.  At first thought this seems futile but they point out
that if someone is active in usenet than with the awesome cataloging of
message lists you can get some hits possibly.  It then pointed out that if
someone ever posted live information to a usenet list you could get system
info such as os and maybe even a config file or too if the admin got
frustrated.  Anyway just some thoughts.
> >
> >-Jon W
> >
> >On Tue, Jun 26, 2001 at 04:33:23PM -0500, Jason Ferguson wrote:
> >
> >>Okay, iptables isnt tough:
> >>
> >>iptables -A INPUT --source (addy-of-bad-guy) -J LOG
> >>iptables -A INPUT --source (same-addy) -J DROP
> >>
> >>Or something like that.
> >>
> >>However, we talk so much about the HOW to firewall, with ipchains or
> >>iptables, that we miss what I feel is even more important... WHAT to
> >>firewall.
> >>
> >>Now, for example... Ive heard it said that AUTH (usually port 113, check
> >>your /etc/services) is a security risk to run: it lets people gather
> >>info about your computer. However, try connecting to IRC without it...
> >>you wont get far. Solution: deny AUTH requests from anyone besides the
> >>IRC servers. Just LOG all of your requests for awhile to get the IP
> >>address of the servers, then modify your rules. Same goes for any one
> >>the other services; firewalls can block access to your services except
> >>for select IP addresses. This could allow something as bad as TELNET on
> >>your internal network without being angerous to the outside (gotta be
> >>careful of spoofing, of course).
> >>
> >>I prefer to build my firewall script myself, rather than use some
> >>generator program. This is because if you just use a generator, do you
> >>REALLY know what you're blocking and/or allowing? Probably not.
> >>
> >>
> >>IPTABLES brings new stuff to the table. I personally dont know how to
> >>use things like MARK. So, to get to the point of this email (finally),
> >>can some of the old pros here share some of their experience in the art
> >>of building firewalls rather than the science?
> >>
> >>Jason
> >>
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> >>For additional commands, e-mail: olug-help at bstc.net
> >>
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> >For additional commands, e-mail: olug-help at bstc.net
> >
> >
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> For additional commands, e-mail: olug-help at bstc.net

To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net

To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net

More information about the OLUG mailing list