OK. I plan to wipe/reinstall this weekend and will try and get SELinux
set up.

My main concern though is an unforeseen threat. This time it's port
3333, but next time it might be 2738, or God knows what, so I can't
manually target anything. Tom recommends fwlogwatch, but the 'current'
version in Debian Testing is non-functional, and I haven't had time to
figure out how to set up and troubleshoot the latest source. Point is I
need some kind of IDS or alarm monitor, which can either alert me in
real time or, if there's a high degree of reliability, take automated
measures. I've tried to set up Prelude, but do not have the days to
figure out and troubleshoot all the things that are wrong with it.

I just can't believe there aren't more 'canned' or more refined
solutions by now. We all still have to do everything ad hoc.


On Fri, Oct 19, 2012, at 08:22, Mr Dash Four wrote:

> Of course my intent and my purpose would be to trace these outgoing
> attempts to a process number or name in my machine, at the most basic,
> so I could know whether this is a cron job or daemon, much less how I
> got it. This seems like the very first and most basic step to take in a
> case like this, but it seems I am doing New Science. It seems my only
> option at this point is to wipe and completely reinstall the OS.

As I already pointed out, you can get all this information by:

1. Activating SELinux in "Enforce" mode - you just have to install your
kernel with SELinux-related options activated. If you use a "standard"
kernel (i.e. the one which comes with your distro), at least in Fedora's
case, SELinux hooks are there.

2. Install the auditd daemon package and activate it at startup
(otherwise all of your security-related alerts will be logged in your
syslog and you may not be able to "decipher" them).

3. Create a rule - either in Shorewall's "rules" file (use the "NEW"
section), or do it manually using the raw or mangle tables - which uses
the AUDIT target (Shorewall provides 3 such "macros" - A_ACCEPT,
A_REJECT and A_DROP) that matches the source/destination ports and
protocol you are interested to inspect, like so:

A_DROP $FW net udp 3333

For that to work though, both your kernel and iptables need the AUDIT
target/match present - that comes as "standard" with recent kernels
(3.x+ if I remember correctly).

4. (Optional) Install the selinux tools package to include "ausearch" so
that you would be able to "decipher" your AUDIT logs. If you don't do
that, you will get raw values (still readable and you can understand at
least most of it).

5. Check your syslog (if you don't have the auditd daemon running) or
/var/log/audit/audit.log to see whether there are any matches. The lines
you should be looking for should have "NETFILTER_PKT" as the message
type (if you use ausearch you can specify that as a filter parameter as
I indicated in one of my previous replies to you).

The end!

The above should enable you to see, at the very least, who/what creates
that packet by inspecting the AUDIT log properties - executable path,
uid, pid, tid, ppid etc, *and* drop the said packet (if you used
A_DROP).

If you want to dig a bit deeper and inspect the packet contents (useful
if you are going after that asshole in WA) then you have to use ulogd2
and activate some of its many plugins available so that you can log the
packet contents as well. This is a bit more advanced stuff, so it is not
everyone's cup of tea.

> How I got infected is a mystery, as is how to prevent it from happening
> again, other than learning everything about SELinux.

You don't have to "learn everything about SELinux" - just follow the
steps above and read what I've sent you previously, that's all.

> There has got to be a better way.

If you want to find out what process/thread created the packet and get
the user credentials used, this is the only reliable way I know of.
Netfilter sometimes gives you that information, but this is obscure and
incomplete to say the least.



-----------------------------------------------------------------------
-------

Everyone hates slow websites. So do we.

Make your web apps faster with AppDynamics

Download AppDynamics Lite for free today:

[1]http://p.sf.net/sfu/appdyn_sfd2d_oct

_______________________________________________

Shorewall-users mailing list

[2][email protected]

[3]https://lists.sourceforge.net/lists/listinfo/shorewall-users

References

1. http://p.sf.net/sfu/appdyn_sfd2d_oct
2. mailto:[email protected]
3. https://lists.sourceforge.net/lists/listinfo/shorewall-users

-- 
http://www.fastmail.fm - Access all of your messages and folders
                          wherever you are
