On Wed, Oct 17, 2012, at 09:37, Mr Dash Four wrote:
> 1. Deploy SELinux in Enforcing mode (if you don't use it already) and
> then place a rule with the AUDIT target matching any packet which goes
> to destination port 3333, protocol udp. That way, you will be able to
> trace the process, thread and user credentials used to create that
> packet.

Good advice, thanks.

I've been tempted to set up SELinux over the years.  With Debian it's
just 'bolt-on', as opposed to Fedora where it's built in.  I am not going
to use Fedora because they are going to M$' proprietary boot system, so
I am staying with Debian for the foreseeable future.  

I used to have a daemon set up that monitored for probes, and when one
was detected it automatically sent out a safe-finger.  One time I caught
a guy red-handed, and he had actually set up and filled out ident!  I
got his name, address, phone, email, etc, all nice and neat, so reported
him to his ISP of course.  That was years ago, and I can't remember any
longer how I did that.  Now I would set up nmap, openvas, and armitage
scans of his machines on trigger.  If that doesn't set off alarm bells
for him, he's just a kiddie.

If this was a penetration of my machine, I am shocked and astounded,
with the attention I put in security.


> If you are fairly certain that your Konqueror browser is to blame, or
> you picked up a rogue plug-in, then if you are allowed, try to
> deactivate the various plugins you have in use in this browser - one by
> one - and see whether you get a repeat of the "volley". If not, and you
> are certain what causes it, then just remove the plugin and be done
> with it.

I am in the process right now of converting all my machines over to XFCE
(the new default WM for Debian 7), and so am ditching Konqueror,
KOrganizer, and KMail after 14 years of using them exclusively.  KDE4
has just been busted for too long, and there has been absolutely no
progress, and it is behind the times.  That is enough.

So I am moving to XFCE and Iceweasel, and in the process have just set
up Squid as my proxy (after a 3 year hiatus), in 'anonymizer_paranoid'
mode, so it will spoof my source IPs, and to make me appear as a
Googlebot.  In Iceweasel so far I have these Add-Ons:
- HTTPS Finder - select the https site, whenever possible.
        https://addons.mozilla.org/en-US/firefox/addon/https-finder/
- Session Manager, to restore old sessions.
        http://www.makeuseof.com/tag/firefoxs-session-manager/
- AdBlock Edge - Does not update automatically or phone home
        https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/
- Element Hiding Helper - for those pesky text ads
        https://addons.mozilla.org/en-US/firefox/addon/elemhidehelper/

The only ways he could have possibly penetrated my machine are:
- Vuln in SSH daemon (unlikely)
- Java or Javascript in Konqueror
- Vuln in Flash or PDF
- Email attachment (unlikely, I am careful)

Most likely it was java, javascript, or Flash, so maybe there is some
kind of scanning filter that would chain with Squid. (Kaspersky?)  I'll
be looking around for that maybe soon.

The port 3333 attempts came in repeated waves Sunday and Monday, but
have stopped now.  It's enough though to make me very concerned.  I must
wipe the affected system, and be concerned about the others.  And
seriously consider SELinux.  I need to learn it sooner or later.


> On a personal note, for this kind of thing I always use Tor, combined
> with Privoxy, both installed separately on one of my dmz machines. They
> are accessed over ssh tunnel from my desktop machines to filter out the
> stuff from "rogue" html page elements I do not need.

I tried Tor for a while, but it is terribly slow, at least here in the
Pacific Northwest.  I wanted to set myself up as a Node, but I have vuln
questions that I tried and tried to get answered but was ignored.  It is
just too slow for normal use, not even considering the lightning action
I get now with Squid.

I have Squid set up on my HTPC, listening to localhost only.  Then on my
other machines I set up a reverse SSH tunnel to the HTPC, to make the
daemon show up on them as localhost:3128.  So when my laptop browser
(for example) asks for a webpage, it reaches into its own bellybutton
and comes out with the proxy service on the remote machine, through the
SSH tunnel.  All browser accesses for the LAN are made through
192.168.11.4, which is spoofing its address in headers as 192.168.1.2.
(which has nothing to do with my LAN, for reasons of my own)

I tried setting it up as the system proxy on each, but many things broke
and I don't have time to bit-twiddle.  Just have browser proxies set up
manually.




-- 
http://www.fastmail.fm - mmm... Fastmail...
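The AUDIT-target approach from the quoted advice, as an added example that is not part of this thread or of Shorewall: a small POSIX shell script that emits the iptables rule for outbound UDP to port 3333 and then pulls the matching NETFILTER_PKT records out of audit log text with awk, so the source/destination addresses and ports of each flagged packet can be lined up against the rest of the audit trail. The log lines, timestamps and addresses below are constructed for the demo; the field names (saddr, daddr, proto, dport) follow the record format the xt_AUDIT target writes.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# 1. audit_rule     - prints the iptables command that sends outbound UDP/3333
#                     packets to the AUDIT target (OUTPUT chain, since the
#                     traffic in question leaves the host).
# 2. filter_netfilter_pkt - reads audit log text on stdin and prints
#                     "saddr daddr proto dport" for every NETFILTER_PKT record
#                     whose dport matches the requested port.

AUDIT_PORT="${AUDIT_PORT:-3333}"

# Print (do not run) the rule so it can be reviewed first; apply with:
#   audit_rule 3333 | sh
audit_rule() {
    printf 'iptables -I OUTPUT -p udp --dport %s -j AUDIT --type accept\n' "$1"
}

# Walk every whitespace-separated key=value token of each NETFILTER_PKT line.
filter_netfilter_pkt() {
    awk -v port="$1" '
        /type=NETFILTER_PKT/ {
            saddr = ""; daddr = ""; proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "saddr")      saddr = kv[2]
                else if (kv[1] == "daddr") daddr = kv[2]
                else if (kv[1] == "proto") proto = kv[2]
                else if (kv[1] == "dport") dport = kv[2]
            }
            if (dport == port) print saddr, daddr, proto, dport
        }'
}

# Constructed sample: one UDP/3333 packet (proto=17) and one unrelated
# TCP/443 packet (proto=6). hook=3 is the LOCAL_OUT (OUTPUT) hook.
SAMPLE_LOG='type=NETFILTER_PKT msg=audit(1350486000.123:4501): action=0 hook=3 len=62 inif=? outif=eth0 saddr=192.168.11.4 daddr=203.0.113.9 ipid=0 proto=17 sport=51234 dport=3333
type=NETFILTER_PKT msg=audit(1350486000.456:4502): action=0 hook=3 len=80 inif=? outif=eth0 saddr=192.168.11.4 daddr=198.51.100.7 ipid=0 proto=6 sport=44102 dport=443'

# Number of records in the sample that hit the audited port.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | filter_netfilter_pkt "$1" | wc -l | tr -d ' '
}

# Demo run: show the rule, then the matching packet(s) from the sample.
audit_rule "$AUDIT_PORT"
printf '%s\n' "$SAMPLE_LOG" | filter_netfilter_pkt "$AUDIT_PORT"
```

On a live system the same filter can read `/var/log/audit/audit.log` or the output of `ausearch -m NETFILTER_PKT` instead of the constructed sample. The NETFILTER_PKT record itself identifies the packet (interface, addresses, protocol, ports) and its audit serial number; that serial and timestamp are what you search the surrounding audit records with to see which process and user were active at that moment.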


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users