[gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Grant Edwards
On 2020-08-15, Sid Spry  wrote:
> On Fri, Aug 14, 2020, at 5:06 PM, Grant Edwards wrote:
>> [...]
>>
>> >   iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP
>> 
>> I can confirm, that did indeed work as desired.
>> 
>> Even with the kernel rebuild it was far less work than getting set up
>> to run a docker container (which also would have required a kernel
>> rebuild) or running the server in a separate network namespace.
>> 
>> [...]
>
> Are you able to see any perf impact from the generated but dropped
> packets?

I haven't tried, but I doubt it's detectable. Plex only sends out a handful
of packets every 5-10 seconds.  It wouldn't really matter except that
the interface I want it to leave alone is attached to an internal
network I use to develop/test IoT and industrial Ethernet devices, and
I want to be able to run tests that are as predictable and repeatable
as possible.

It would probably be better to run Plex on a separate, small, silent,
low-power, headless server but I've already got enough machines to
maintain.

--
Grant








Re: [gentoo-user] Re: iptables wiki page questions

2020-08-14 Thread tastytea
On 2020-08-15 00:22 Grant Edwards wrote:

> On 2020-08-14, tastytea  wrote:
> 
> > rc-service runs the same service scripts that are in /etc/init.d/,
> > so it's the same. However the manpage of rc-service(8) mentions that
> > “Service scripts could be in different places on different
> > systems”, so the most compatible way would be to use rc-service.  
> 
> Oddly, the two usages are both within one example.  It appears that
> the author uses "/etc/init.d/iptables" for the "save" command and
> "rc-service iptables" for the "start" command.

In some places “rc-service iptables save”¹ is used, in some places
“/etc/init.d/iptables save”². I think it was 2 or more authors with
different preferences.

> Also interesting: the openrc wiki page doesn't mention rc-service at
> all and the examples all use "/etc/init.d/ ".
> [That's what I tend to use because it allows tab-completion.]

Gentoo installs completions for rc-service for both Zsh and Bash.

¹ 
² 



Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Sid Spry
On Fri, Aug 14, 2020, at 5:06 PM, Grant Edwards wrote:
> On 2020-08-14, Grant Edwards  wrote:
> 
> > I think this should work, but I need to rebuild my kernel with the
> > iptables "owner" extension enabled:
> >
> >   iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP
> 
> I can confirm, that did indeed work as desired.
> 
> Even with the kernel rebuild it was far less work than getting set up
> to run a docker container (which also would have required a kernel
> rebuild) or running the server in a separate network namespace.
> 

Are you able to see any perf impact from the generated but dropped packets?



[gentoo-user] Re: iptables wiki page questions

2020-08-14 Thread Grant Edwards
On 2020-08-14, tastytea  wrote:

> rc-service runs the same service scripts that are in /etc/init.d/, so
> it's the same. However the manpage of rc-service(8) mentions that
> “Service scripts could be in different places on different systems”, so
> the most compatible way would be to use rc-service.

Oddly, the two usages are both within one example.  It appears that
the author uses "/etc/init.d/iptables" for the "save" command and
"rc-service iptables" for the "start" command.

Also interesting: the openrc wiki page doesn't mention rc-service at
all and the examples all use "/etc/init.d/ ".
[That's what I tend to use because it allows tab-completion.]

--
Grant









Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread Alexey Mishustin
Sat, 15 Aug 2020 at 01:34, tastytea:

> Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the
> dependency “net” is satisfied if only one net.* service is started.

If I remember correctly, it happened sometimes that iptables loaded
after net.eth0 service even with rc_depend_strict="YES" in
/etc/rc.conf (iptables in default runlevel), and I changed one line in
/etc/init.d/net.eth0:
-after net.lo ...
+after net.lo ... iptables
I think it does not harm :)

...The option, important for saving iptables state, is:
SAVE_ON_STOP="yes" in /etc/conf.d/iptables.
It's so by default, AFAIK.

-- 
Best regards,
Alex



Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread tastytea
On 2020-08-14 22:17 Grant Edwards wrote:

> […]
> ### "rc-service iptables" vs. "/etc/init.d/iptables"

rc-service runs the same service scripts that are in /etc/init.d/, so
it's the same. However the manpage of rc-service(8) mentions that
“Service scripts could be in different places on different systems”, so
the most compatible way would be to use rc-service.

> […]
> At the top of the page, rules are loaded by adding 'iptables' to the
> runlevel 'default', while at the bottom of the page, the 'boot'
> runlevel is used instead.
> 
> Is there some significance to these differences?

I would use the same runlevel I use for net.*. iptables will always be
started before net.*, see depend() in /etc/init.d/iptables.
Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the
dependency “net” is satisfied if only one net.* service is started. In
this case you may want to put iptables in ‘boot’ and net.* in ‘default’.

Kind regards, tastytea





[gentoo-user] iptables wiki page questions

2020-08-14 Thread Grant Edwards
I read through the iptables wiki page this afternoon to refresh my
memory on how you save rules so they get loaded on startup.

  https://wiki.gentoo.org/wiki/Iptables

There are some inconsistencies which I'm curious about.

### "rc-service iptables" vs. "/etc/init.d/iptables"

Most of the page's examples use "rc-service iptables " but in a
few spots it is "/etc/init.d/iptables ".

### boot vs. default runlevel

At the top of the page, rules are loaded by adding 'iptables' to the
runlevel 'default', while at the bottom of the page, the 'boot'
runlevel is used instead.

Is there some significance to these differences?

--
Grant








[gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Grant Edwards
On 2020-08-14, Grant Edwards  wrote:

> I think this should work, but I need to rebuild my kernel with the
> iptables "owner" extension enabled:
>
>   iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP

I can confirm, that did indeed work as desired.

Even with the kernel rebuild it was far less work than getting set up
to run a docker container (which also would have required a kernel
rebuild) or running the server in a separate network namespace.

--
Grant





Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Alexey Mishustin
Fri, 14 Aug 2020 at 23:03, Grant Edwards:

> [For posterity's sake, with -A Output it's -o  rather than
> -i ]

Ah, you are right! I am sorry, my iptables rule with 'noinet' doesn't
include an interface; I added it when typing the message and looked at
my rules with an interface from the INPUT section.

> My original post also said I was trying to hide an
> interface, when all I really needed was to prevent sending of packets
> on that interface.

Yes, it seems to be enough. I found out that 'noinet' rule when I got
annoyed by an application (written by Windows programmers as well)
that was continuously checking updates at each launch... No inet - no
check :)

> I think this should work, but I need to rebuild my kernel with the
> iptables "owner" extension enabled:

Clear!

-- 
Best regards,
Alex



[gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Grant Edwards
On 2020-08-14, Alexey Mishustin  wrote:

> Isn't this classic option suitable?
>
> groupadd noinet
> usermod -a -G noinet 
> iptables -A OUTPUT -i  -m owner --gid-owner noinet -j DROP
> and calling not
> Plex
> but
> sg noinet Plex
> (or whatever name the binary has)

Thanks for the suggestion!

[For posterity's sake, with -A Output it's -o  rather than
-i ]

Yes, I think that should work.  I had forgotten (or never knew?) that
iptables rules could trigger on the uid or gid of the process that
sent the packet.  The Plex media server already runs in its own
user/group -- something I should have mentioned in my original post,
since it means that "from a user" instead of "from an application"
would also work. My original post also said I was trying to hide an
interface, when all I really needed was to prevent sending of packets
on that interface.

I think this should work, but I need to rebuild my kernel with the
iptables "owner" extension enabled:

  iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP

I was just about to start experimenting with ipvlan and network
namespaces, but an iptables rule triggering on uid looks much much
easier.

--
Grant
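The per-process egress rule discussed in this thread, as an added shell helper that is not code from any of the posts: it builds the owner-match rule for either a uid (the `plex` user) or a gid (the opt-in `noinet` group used with `sg`), selects `-o` because the owner match only exists for locally generated packets, checks that the running kernel has the owner extension, and applies the rule idempotently. The interface name `eth1`, the user `plex` and the group `noinet` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders: eth1 is the
# lab interface, "plex" the service uid, "noinet" the opt-in group.
set -u

# Print the rule body (without -A/-C) that drops packets generated by a
# given uid or gid and leaving via one interface. The owner match only
# sees locally generated packets, i.e. OUTPUT/POSTROUTING, where the
# interface is the outgoing one and is selected with -o, never -i.
owner_drop_rule() {   # owner_drop_rule CHAIN IFACE uid|gid NAME
    chain=$1; iface=$2; kind=$3; name=$4
    case $chain in
        OUTPUT|POSTROUTING) ifflag=-o ;;
        *) echo "owner match is only valid in OUTPUT/POSTROUTING" >&2; return 1 ;;
    esac
    case $kind in
        uid) match=--uid-owner ;;
        gid) match=--gid-owner ;;
        *)   echo "kind must be uid or gid" >&2; return 1 ;;
    esac
    printf '%s %s %s -m owner %s %s -j DROP\n' \
        "$chain" "$ifflag" "$iface" "$match" "$name"
}

# True when the owner match is available: compiled in (or as a module)
# per the running kernel's config, or loadable as xt_owner.
kernel_has_owner_match() {
    if [ -r /proc/config.gz ] &&
       zcat /proc/config.gz | grep -q '^CONFIG_NETFILTER_XT_MATCH_OWNER=[ym]'; then
        return 0
    fi
    modprobe -n -q xt_owner 2>/dev/null
}

# Apply the rule once: -C checks for an identical rule, so re-running
# this script never appends duplicates.
apply_owner_drop() {  # apply_owner_drop CHAIN IFACE uid|gid NAME
    rule=$(owner_drop_rule "$@") || return 1
    kernel_has_owner_match || {
        echo "kernel lacks the owner match (CONFIG_NETFILTER_XT_MATCH_OWNER)" >&2
        return 1
    }
    iptables -C $rule 2>/dev/null || iptables -A $rule
}

# Usage, as root: ./owner-drop.sh OUTPUT eth1 uid plex
#            or:  ./owner-drop.sh OUTPUT eth1 gid noinet
if [ $# -eq 4 ]; then
    apply_owner_drop "$@"
fi
```

After applying, `iptables -L OUTPUT -v -n` shows the packet counter on the rule climbing each time the service tries the interface, which is the easiest way to confirm the match is firing.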




Re: [gentoo-user] A new Linux back door

2020-08-14 Thread Spackman, Chris
On 2020/08/14 at 07:27am, Dale wrote:

> Peter Humphrey wrote:
> > I saw this today:
> >
> > https://linux.slashdot.org/story/20/08/13/174237/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers?utm_source=slashdot_medium=twitter
> >
> > Has anyone any more info?

> It seems to affect only older kernels, before 3.7.  So if you are
> above that, which I would think most Gentoo users would at least be in
> the 4 range or higher, then you should be OK. I checked and the oldest
> kernel version is 4.4 here.  That's for gentoo-sources.  Of course,
> one could download the original kernel sources I guess. 

I think the 3.7 version is just because that was when kernel module
signing was introduced?

According to Ars:

  The advisory also urged that, at a minimum, servers run Linux kernel
  version 3.7 or later so that organizations can use improved
  code-signing protections, which use cryptographic certificates to
  ensure that an app, driver, or module comes from a known and trusted
  source and hasn’t been tampered with by anyone else.

  Additionally, system owners are advised to configure systems to load
  only modules with a valid digital signature making it more difficult
  for an actor to introduce a malicious kernel module into the system,”
  the advisory stated.

https://arstechnica.com/information-technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-security/

So, it sounds like you are not immune if you have 3.7+, just that you do
have some additional tools you could use to protect yourself. I use
Gentoo just at home for personal use, and it never even occurred to me
to use digital sigs for kernel modules.

I found this: https://wiki.gentoo.org/wiki/Signed_kernel_module_support
but haven't had time to try it yet. Does anyone have experience with
digitally signing kernel modules on Gentoo?

-- 
Chris Spackman (he/him) ch...@osugisakae.com

ESL Coordinator The Graham Family of Schools
ESL Instructor  Columbus State Community College
Japan Exchange and Teaching Program   Wajima, Ishikawa 1995-1998
Linux user since 1998 Linux User #137532
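A read-only audit for the module-signing advice quoted above, added here as an example and not taken from the wiki page, the advisory or the Ars article: it reports whether the running kernel enforces module signatures, whether the kernel's taint flags show that an unsigned module has been loaded since boot, and which loaded modules have no signer. It assumes a Linux host with /proc and /sys mounted and kmod's `modinfo` on the path.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: nothing here changes
# kernel state, it only reads /proc, /sys and module metadata.
set -u

# Bit 13 of /proc/sys/kernel/tainted (flag 'E') is set the first time
# the kernel loads a module without a valid signature and stays set
# until reboot, so it records a past event, not just current state.
TAINT_UNSIGNED_MODULE=8192

taint_has_unsigned_module() {   # taint_has_unsigned_module TAINT_VALUE
    [ $(( $1 & TAINT_UNSIGNED_MODULE )) -ne 0 ]
}

# "Y" when the kernel refuses unsigned modules (CONFIG_MODULE_SIG_FORCE
# or module.sig_enforce=1), "N" when they load but taint the kernel,
# "absent" when the kernel was built without CONFIG_MODULE_SIG at all.
sig_enforce_value() {
    if [ -r /sys/module/module/parameters/sig_enforce ]; then
        cat /sys/module/module/parameters/sig_enforce
    else
        echo absent
    fi
}

# List currently loaded modules whose on-disk .ko carries no signer
# field; these are the ones enforcement would reject at next boot.
unsigned_loaded_modules() {
    cut -d' ' -f1 /proc/modules | while read -r mod; do
        signer=$(modinfo -F signer "$mod" 2>/dev/null)
        [ -n "$signer" ] || echo "$mod"
    done
}

report() {
    taint=$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)
    echo "module signature enforcement: $(sig_enforce_value)"
    if taint_has_unsigned_module "$taint"; then
        echo "WARNING: an unsigned module has been loaded since boot (taint=$taint)"
    fi
    echo "loaded modules without a signer:"
    unsigned_loaded_modules
}

# Usage: ./modsig-audit.sh report
if [ "${1:-}" = report ]; then
    report
fi
```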




Re: [gentoo-user] A new Linux back door

2020-08-14 Thread Dale
Peter Humphrey wrote:
> I saw this today:
>
> https://linux.slashdot.org/story/20/08/13/174237/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers?utm_source=slashdot_medium=twitter
>
> Has anyone any more info?
>


It seems to affect only older kernels, before 3.7.  So if you are above
that, which I would think most Gentoo users would at least be in the 4
range or higher, then you should be OK. I checked and the oldest kernel
version is 4.4 here.  That's for gentoo-sources.  Of course, one could
download the original kernel sources I guess. 

That said, I've read that some old servers that are rarely if ever
shutdown, may be running kernels that old or even older.  I'd think they
would be old systems but if they are servers with fast internet
connections, those would be a good target.  One would hope tho that they
are admin'ed by people who can notice the hack and correct it or have
other means to prevent it in the first place.

How does one know if they are hacked tho?  Is there a tool to run?  I'm
not worried about myself since I'd be a really bad target for it but
others might want to know. 

Dale

:-)  :-) 


[gentoo-user] A new Linux back door

2020-08-14 Thread Peter Humphrey
I saw this today:

https://linux.slashdot.org/story/20/08/13/174237/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers?utm_source=slashdot_medium=twitter

Has anyone any more info?

-- 
Regards,
Peter.