Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Stopping Outbound Connections and DDOS attacts from the server

Posted on 2006-07-24
6
Medium Priority
?
208 Views
Last Modified: 2010-04-20
We have a linux box that seems to have been comprimised. We need time to work on the box and get the thing backed up and reimaged. In the mean time, what is the best way to prevent DDOS attacts from coming from the box. Is their an IPTABLES Command that can help with this?

Thanks
0
Comment
Question by:safepointmedia
  • 4
6 Comments
 
LVL 22

Accepted Solution

by:
pjedmond earned 2000 total points
ID: 17170491
Pull out the network connection?

With iptables:

My /etc/sysconfig/iptables
file - you'll need to create it if it doesn't exist.
-------8X-------------
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
-------8X-------------
Blocks most ports, except fort he obvious lines that allow ports 22 (ssh), 80 (http), 25 (smtp) and POP (110). Customise to taste, then:

/etc/init.d/iptables restart

Assuming you know which ports you need to allow/block - Effectively only allow specifics, and reject everything else.

(   (()
(`-' _\
 ''  ''


0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17170505
Obviously take note of the warning, and use:

redhat-config-securitylevel

if possible!

(   (()
(`-' _\
 ''  ''

0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17170547
Best I read the instructions - stop outbound connections!

http://iptables-tutorial.frozentux.net/iptables-tutorial.html
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html

As an overview, you have an INPUT table, an OUTPUT table and a FORWARD table. You need to discover exactly what type of packets are being sent in order to block them.

tcpdump

may help you with this.

Key commands:

iptables -A   params  - to add a new rule to the chain
iptables -L                - to list the current rules
iptables -F                - to flush the rules so that yo ucan start again with building them.

(   (()
(`-' _\
 ''  ''
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:safepointmedia
ID: 17170706
Okay,

Here is something I don't quite get, I want to allow inbound ports:

22,25,80,443,110 and nothing else.

I don't want the machine to make any outbound connections at all. Is there a reason why a web server would need to make that if all the services we are serving up are internal and nothing is aquired from outside of the box?

With that said and if there is no reason for this box to make outbound connections, is there a blanket statement that says, "no outbound connections, no matter what it is?"

Thanks
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17170923
If your box can't reply to your request, then you have a problem. There may be issues with connections to mysql databases, or the smtp server - These require an outward connection. Also there are many processes that allow sockets to the ip address in ordert to function, that's why I'm being very careful as to what I advise. Ideally, if you stop the inbound connections, nothing external can control the trojan software on your system to control it.

However, some DDOS software will try and connect to somethign remote in order to collect instructions.

If this server is that important that you can't just unplug the cable, then we need to be exceptionally careful as to what we decide to do. I could decide to DROP all TCP connections which would stop you system from being of any use, but the DDOS may be using UDP to communicate and as a result the approach would be pointless.

Have you any idea what the problem is, or any idea of the malware concerned. Any idea what it is doing?

(   (()
(`-' _\
 ''  ''
0
 
LVL 4

Expert Comment

by:avatech
ID: 17171127
"We have a linux box that seems to have been comprimised"

If the box has been compromised, you shouldn't trust any executables on it -- there is nothing stopping the intruder from replacing known utilities with trojanized executables.  Best bet is to take it offline and remove it from the network.  Then sort through your data with a fine tooth comb.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You ever wonder how to backup Linux system files just like Windows System Restore?  Well you can use Timeshift in Linux to perform those similar action.  This tutorial will show you how to backup your system files and keep regular intervals. Note…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses
Course of the Month10 days, 13 hours left to enroll

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question