We run a Linux box with diald and masquerading as our home gateway system. At some point someone got hold of our ISP password and was using it. They either got the password by cracking into the ISP or our Linux box. To be safe we installed a firewall on our Linux box. On average it rejects 2 to 10 packets per day. Most of them are attempted connects to port 31337 (IRC). Below is a copy of the firewall script we use.

Brian Beuning

Wes Morriston wrote:
> On several occasions, somebody has managed to break into my networked
> SuSE Linux box and do some damage. On two occasions, the damage has
> made it impossible for me to log in to my own site.
>
> Yesterday, for example, I found the following entries in /etc/passwd.
>
> slage::0:0::/root:/bin/bash
> Slage::999:999::/tmp:/bin/bash
>
> I certainly didn't put these lines in my /etc/passwd file. In
> /var/log/warn and in /var/log/messages I find a lot of stuff like this.
>
> Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on
> `ttyp1' from `192.117.189.128'
> Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on
> `ttyp0' from `192.117.189.128'
>
> I don't know how this person managed to add lines to my /etc/passwd
> file. By the time s/he was done, I couldn't log into my own system
> under *any* legitimate name and passwd, and had to boot from a floppy
> and reinstall a bunch of stuff. Is that some sort of security device
> kicking in? If so, what is the best way of undoing the damage?
>
> Can anyone advise me about the best method of preventing this sort of
> thing?
>
> Thanks.
>
> Wes
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-ppp" in
> the body of a message to [EMAIL PROTECTED]
#!/bin/sh
# This firewall is for a home gateway system with just a couple
# of clients. We want to allow anything from the clients out to
# the internet but not allow unsolicited internet traffic into
# our network. The protocols we use are:
#   www
#   ftp
#   DNS name resolution (for local caching only)
#   NNTP (net news)
#   NTP (time)
#   POP3 (for incoming e-mail)
#   SMTP (for outgoing e-mail only)
# We have a DNS server running but it is caching only.

echo Start IP Firewall

NET=192.168.0.0/16
ISP=

# Flush any existing rules
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f

# Turn on Masquerading
ipfwadm -F -p deny
ipfwadm -F -a accept -m -P tcp -S $NET -D 0.0.0.0/0
ipfwadm -F -a accept -m -P udp -S $NET -D 0.0.0.0/0

# Extending MASQ Timeouts (tcp, tcp-fin, udp, in seconds)
ipfwadm -M -s 7200 10 120

# The default is to deny all. Below we will open it up again for TCP
# after we have blocked unsolicited packets.
ipfwadm -I -p deny

# Unlimited traffic within the local net.
ipfwadm -I -a accept -W lo
ipfwadm -I -a accept -W eth0

# Reject local LAN addresses not originating on local LAN (anti-spoofing).
# Because the eth0 accept rule above comes first, only packets arriving
# on ppp0 reach these rules.
# This rule suggested by Brian McCauley <[EMAIL PROTECTED]>
ipfwadm -I -a deny -S $NET -o
ipfwadm -I -a deny -S 127.0.0.0/8 -o

# Rules for TCP traffic.

# Allow ftp traffic through the SYN filter below.
# All the sites we need to access support PASSIVE mode,
# so we do not need this. It is a pretty big security
# hole anyway.
# ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 -D 0.0.0.0/0 1024:65535

# Allow Identd requests - mainly to keep messages out of the logs
ipfwadm -I -a accept -P tcp -W ppp0 -D 0.0.0.0/0 113

# Deny packets that originate (SYN=1,ACK=0) out in the internet.
# The -y flag only works for TCP, so make that explicit.
ipfwadm -I -a deny -P tcp -y -W ppp0 -o

# Accept all other TCP traffic.
ipfwadm -I -a accept -P tcp

# Rules for UDP traffic
# The -S arguments on the UDP filters are dubious since someone
# sending bogus packets can set the source to whatever they want.
# Of course, they would not receive a reply, but they may not want one.
# The main reason this might help is if my ISP rejects IP traffic
# coming into the ISP with a source address of the ISP internal
# network.

# Allow DNS responses
# My ISP's name servers are 207.69.188.185, 186, and 187
# The file /etc/named.boot includes the lines
#   forwarders 207.69.188.185 207.69.188.186 207.69.188.187
#   options forward-only
# This keeps my named daemon from talking to any sites except my ISP
# We do not restrict destination to allow nslookup some flexibility.
ipfwadm -I -a accept -P udp -W ppp0 -S 207.69.188.0/24 domain -D 0.0.0.0/0 domain

# Allow Network Time Protocol (NTP) responses
# The file /etc/chrony.conf has the line:
#   server 207.69.200.3
# /32 restricts the source to that one host.
ipfwadm -I -a accept -P udp -W ppp0 -S 207.69.200.3/32 ntp -D 0.0.0.0/0 ntp

# Log rejected UDP packets
ipfwadm -I -a deny -P udp -o

# Limited ICMP traffic.
# The ICMP Message Types:
#    0  Echo Reply
#    3  Destination Unreachable
#    4  Source Quench
#    5  Redirect
#    8  Echo Request
#   11  Time Exceeded for a Datagram
#   12  Parameter Problem on a Datagram
#   13  Timestamp Request
#   14  Timestamp Reply
#   15  Information Request (obsolete)
#   16  Information Reply (obsolete)
#   17  Address Mask Request
#   18  Address Mask Reply
# For -P icmp the "port" list on -S is the list of accepted ICMP types.
ipfwadm -I -a accept -P icmp -S 0.0.0.0/0 0 3 11 12 14 18

# Log rejected ICMP packets
ipfwadm -I -a deny -P icmp -o

# Turn on dynamic address fix-up so diald works better
echo 5 > /proc/sys/net/ipv4/ip_dynaddr

# Load modules
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ppp.o
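A worked example, added here and not part of Brian's or Wes's messages: a small Python audit that looks for the kind of tampering Wes found. It flags /etc/passwd entries that have an empty password field, a second UID 0 besides root, or a home directory under /tmp, counts "invalid password" events per source address in the syslog format quoted above, and correlates the flagged accounts with the addresses that referenced them. The passwd file and the log lines below are constructed from the entries Wes quoted; the interpretation that a "no shadow password" line for an account with an empty passwd field deserves attention is this example's assumption, not something the thread states.

```python
"""Audit /etc/passwd and login(1) log lines for the tampering seen in the thread.

Added example, not part of the original post. The sample data is constructed
from the lines Wes quoted; nothing here touches the real /etc/passwd.
"""
import re
from collections import Counter

# Constructed sample: a plausible passwd file with Wes's two rogue lines appended.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
wes:x:500:100:Wes:/home/wes:/bin/bash
slage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
"""

# Constructed sample log lines in the format quoted in the thread.
SAMPLE_LOG = """\
Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
"""


def audit_passwd(text):
    """Return [(account, reason), ...] for entries that look planted.

    An empty second field means no password is required unless a shadow
    entry supplies one; a second UID 0 is a second root; a home under /tmp
    is a common sign of a throwaway backdoor account.
    """
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if pw == "":
            findings.append((name, "empty password field"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))
    return findings


# Matches the login(1) messages quoted in the thread (assumed format).
LOGIN_RE = re.compile(
    r"login\[\d+\]: (?P<msg>invalid password|no shadow password) for "
    r"`(?P<user>[^']*)' on `(?P<tty>[^']*)' from `(?P<src>[^']*)'"
)


def summarize_logins(text):
    """Return (failures_per_source, passwordless_events).

    failures_per_source counts "invalid password" lines by source address;
    passwordless_events lists (account, source) for "no shadow password" lines.
    """
    failures = Counter()
    passwordless = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m["msg"] == "invalid password":
            failures[m["src"]] += 1
        else:
            passwordless.append((m["user"], m["src"]))
    return failures, passwordless


def correlate(passwd_text, log_text):
    """Map each flagged passwd account to the source addresses that used it."""
    flagged = {name for name, _reason in audit_passwd(passwd_text)}
    hits = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["user"] in flagged:
            hits.setdefault(m["user"], set()).add(m["src"])
    return hits


if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {name}: {reason}")
    failures, passwordless = summarize_logins(SAMPLE_LOG)
    for src, n in failures.most_common():
        print(f"{n} failed logins from {src}")
    for user, src in passwordless:
        print(f"passwordless account {user} used from {src}")
    for user, srcs in correlate(SAMPLE_PASSWD, SAMPLE_LOG).items():
        print(f"flagged account {user} referenced by {', '.join(sorted(srcs))}")
```

To run it against a real system, read /etc/passwd and the relevant log file into the two arguments instead of the constructed samples; the checks are deliberately conservative so that a normal SuSE passwd file of the period produces no findings.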
