Stopping Outbound Connections and DDOS attacts from the server

We have a linux box that seems to have been comprimised. We need time to work on the box and get the thing backed up and reimaged. In the mean time, what is the best way to prevent DDOS attacts from coming from the box. Is their an IPTABLES Command that can help with this?

Thanks
safepointmediaAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
pjedmondConnect With a Mentor Commented:
Pull out the network connection?

With iptables:

My /etc/sysconfig/iptables
file - you'll need to create it if it doesn't exist.
-------8X-------------
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
-------8X-------------
Blocks most ports, except fort he obvious lines that allow ports 22 (ssh), 80 (http), 25 (smtp) and POP (110). Customise to taste, then:

/etc/init.d/iptables restart

Assuming you know which ports you need to allow/block - Effectively only allow specifics, and reject everything else.

(   (()
(`-' _\
 ''  ''


0
 
pjedmondCommented:
Obviously take note of the warning, and use:

redhat-config-securitylevel

if possible!

(   (()
(`-' _\
 ''  ''

0
 
pjedmondCommented:
Best I read the instructions - stop outbound connections!

http://iptables-tutorial.frozentux.net/iptables-tutorial.html
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html

As an overview, you have an INPUT table, an OUTPUT table and a FORWARD table. You need to discover exactly what type of packets are being sent in order to block them.

tcpdump

may help you with this.

Key commands:

iptables -A   params  - to add a new rule to the chain
iptables -L                - to list the current rules
iptables -F                - to flush the rules so that yo ucan start again with building them.

(   (()
(`-' _\
 ''  ''
0
A proven path to a career in data science

At Springboard, we know how to get you a job in data science. With Springboard’s Data Science Career Track, you’ll master data science  with a curriculum built by industry experts. You’ll work on real projects, and get 1-on-1 mentorship from a data scientist.

 
safepointmediaAuthor Commented:
Okay,

Here is something I don't quite get, I want to allow inbound ports:

22,25,80,443,110 and nothing else.

I don't want the machine to make any outbound connections at all. Is there a reason why a web server would need to make that if all the services we are serving up are internal and nothing is aquired from outside of the box?

With that said and if there is no reason for this box to make outbound connections, is there a blanket statement that says, "no outbound connections, no matter what it is?"

Thanks
0
 
pjedmondCommented:
If your box can't reply to your request, then you have a problem. There may be issues with connections to mysql databases, or the smtp server - These require an outward connection. Also there are many processes that allow sockets to the ip address in ordert to function, that's why I'm being very careful as to what I advise. Ideally, if you stop the inbound connections, nothing external can control the trojan software on your system to control it.

However, some DDOS software will try and connect to somethign remote in order to collect instructions.

If this server is that important that you can't just unplug the cable, then we need to be exceptionally careful as to what we decide to do. I could decide to DROP all TCP connections which would stop you system from being of any use, but the DDOS may be using UDP to communicate and as a result the approach would be pointless.

Have you any idea what the problem is, or any idea of the malware concerned. Any idea what it is doing?

(   (()
(`-' _\
 ''  ''
0
 
avatechCommented:
"We have a linux box that seems to have been comprimised"

If the box has been compromised, you shouldn't trust any executables on it -- there is nothing stopping the intruder from replacing known utilities with trojanized executables.  Best bet is to take it offline and remove it from the network.  Then sort through your data with a fine tooth comb.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.