safepointmedia asked:
Stopping Outbound Connections and DDOS attacks from the server
We have a Linux box that seems to have been compromised. We need time to work on the box and get the thing backed up and reimaged. In the meantime, what is the best way to prevent DDOS attacks from coming from the box? Is there an IPTABLES command that can help with this?
Thanks
Best I read the instructions - stop outbound connections!
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html
As an overview, you have an INPUT table, an OUTPUT table and a FORWARD table. You need to discover exactly what type of packets are being sent in order to block them. tcpdump may help you with this.
Key commands:
iptables -A params - to add a new rule to the chain
iptables -L - to list the current rules
iptables -F - to flush the rules so that you can start again with building them.
( (()
(`-' _\
'' ''
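The answer above says to find out what the box is actually sending before writing rules. As an added example (not from the original thread or its linked tutorials), the script below takes `tcpdump -nn` output and counts only the flows the server itself starts: TCP SYNs without ACK, and any UDP datagram, while ignoring packets leaving from the ports it legitimately serves on, since those are replies. The server address 203.0.113.10, the service ports 22/25/80/443/110 and the capture lines are constructed placeholders. A real capture would come from something like `tcpdump -nn -i eth0 -c 5000 > /tmp/cap.txt`, run from a known-good tcpdump if you can (the third answer below explains why binaries on the box itself may not be trustworthy).

```shell
#!/bin/sh
# Added example: summarise outbound flows this host initiates, from tcpdump -nn text.
# Assumed placeholders (not from the thread): server IP and service port list.
SERVER_IP="203.0.113.10"
SERVICE_PORTS="22 25 80 443 110"

# Constructed sample of tcpdump -nn output (not a real capture): three SYNs to
# one web server, one inbound request and its reply, one SYN to an IRC port,
# two UDP datagrams to a DNS port, one reply from our SMTP port, one ARP line.
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 203.0.113.10.44321 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 203.0.113.10.44322 > 198.51.100.5.80: Flags [S], seq 2, win 512, length 0
12:00:01.000003 IP 203.0.113.10.44323 > 198.51.100.5.80: Flags [S], seq 3, win 512, length 0
12:00:01.000004 IP 192.0.2.7.51000 > 203.0.113.10.80: Flags [S], seq 9, win 64240, length 0
12:00:01.000005 IP 203.0.113.10.80 > 192.0.2.7.51000: Flags [S.], seq 1, ack 10, win 64240, length 0
12:00:01.000006 IP 203.0.113.10.40000 > 198.51.100.9.6667: Flags [S], seq 5, win 512, length 0
12:00:01.000007 IP 203.0.113.10.53123 > 198.51.100.5.53: UDP, length 512
12:00:01.000008 IP 203.0.113.10.53124 > 198.51.100.5.53: UDP, length 512
12:00:01.000009 IP 203.0.113.10.25 > 192.0.2.20.43000: Flags [P.], seq 1:30, ack 1, win 512, length 29
12:00:01.000010 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28
EOF
}

# Reads tcpdump -nn lines on stdin; prints "<count> <proto> <dst>:<dport>" for
# flows the server started (TCP SYN-only, or any UDP), most frequent first.
# $1 = this host's IP, $2 = space-separated list of ports it serves on.
summarize_outbound() {
  awk -v me="$1" -v svc="$2" '
    BEGIN { n = split(svc, a, " "); for (i = 1; i <= n; i++) service[a[i]] = 1 }
    $2 == "IP" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      split(src, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]; sport = s[5] + 0
      split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5] + 0
      if (sip != me) next                 # inbound packet: not something we sent
      if (sport in service) next          # sent from a service port: a reply
      if ($6 == "Flags" && $7 == "[S],") proto = "tcp"   # new TCP connection attempt
      else if ($6 == "UDP,") proto = "udp"                # any UDP datagram
      else next                           # data/ack on an existing TCP flow
      count[proto " " dip ":" dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Runs the summary over the constructed sample so the result can be checked offline.
demo_summary() {
  sample_capture | summarize_outbound "$SERVER_IP" "$SERVICE_PORTS"
}

demo_summary
```

On the sample this lists the three SYNs to 198.51.100.5:80 first, then the two UDP datagrams to port 53 and the single SYN to 6667. On a real capture the top line is the flood target and the long tail of one-off connections is where a command-and-control channel tends to show up; both are worth knowing before choosing what to block, and a UDP flood is exactly the case a TCP-only rule would miss.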
ASKER
Okay,
Here is something I don't quite get, I want to allow inbound ports:
22,25,80,443,110 and nothing else.
I don't want the machine to make any outbound connections at all. Is there a reason why a web server would need to make that if all the services we are serving up are internal and nothing is acquired from outside of the box?
With that said and if there is no reason for this box to make outbound connections, is there a blanket statement that says, "no outbound connections, no matter what it is?"
Thanks
If your box can't reply to your request, then you have a problem. There may be issues with connections to MySQL databases, or the SMTP server - these require an outward connection. Also there are many processes that open sockets to the IP address in order to function, that's why I'm being very careful as to what I advise. Ideally, if you stop the inbound connections, nothing external can control the trojan software on your system.
However, some DDOS software will try and connect to something remote in order to collect instructions.
If this server is that important that you can't just unplug the cable, then we need to be exceptionally careful as to what we decide to do. I could decide to DROP all TCP connections, which would stop your system from being of any use, but the DDOS may be using UDP to communicate and as a result the approach would be pointless.
Have you any idea what the problem is, or any idea of the malware concerned? Any idea what it is doing?
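The two points in the answer above (the box must still be able to answer the connections you accept, and a TCP-only block misses UDP) are both handled by a stateful ruleset, which is also the "blanket statement" the asker wanted. INPUT, OUTPUT and FORWARD are the built-in chains of the filter table; the script below, an added example and not code from the thread, accepts new inbound TCP connections only on 22, 25, 80, 443 and 110, lets replies to those connections out, and logs and drops every flow the box tries to start itself, whatever the protocol. Interface eth0 and the admin host 192.0.2.50 are assumed placeholders; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: stateful iptables policy for a compromised server that must
# keep serving while it is triaged. Assumed placeholders (not from the thread):
# interface eth0, admin workstation 192.0.2.50 for SSH.
IFACE="eth0"
SERVICE_PORTS="22 25 80 443 110"
ADMIN_HOST="192.0.2.50"

# Print the ruleset instead of running it. Order matters: accept rules are
# added before the default policies flip to DROP, so an SSH session on this
# very box is not cut off half-way through loading.
emit_rules() {
  cat <<EOF
iptables -F
iptables -X
# loopback: local services (a web app talking to a local MySQL) still work
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# packets belonging to connections already accepted, in both directions;
# this is what lets the box answer the requests it receives
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# admin path first, so a mistake further down cannot lock you out
iptables -A INPUT -i $IFACE -p tcp -s $ADMIN_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
  # one rule per service port the asker wants reachable
  for p in $SERVICE_PORTS; do
    echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
# anything the box tries to START itself: log a rate-limited sample, then drop.
# NEW matches the first packet of any flow, so UDP and ICMP floods and a
# C2 call-home are caught as well as TCP SYN floods.
iptables -A OUTPUT -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix "OUTBOUND-NEW-DROP: "
iptables -A OUTPUT -m conntrack --ctstate NEW -j DROP
# if the box turns out to need outbound mail delivery or DNS, insert an
# explicit ACCEPT for that one destination ABOVE the DROP rule, for example:
#   iptables -I OUTPUT 3 -p tcp -d <smarthost> --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# default policies last
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Apply on the box, as root, once the printed rules have been reviewed.
apply_rules() {
  emit_rules | sh -e
}

# Number of per-service-port INPUT accept rules in the generated ruleset.
count_port_rules() {
  emit_rules | grep -c '^iptables -A INPUT -i [a-z0-9]* -p tcp --dport [0-9]* -m conntrack --ctstate NEW -j ACCEPT$'
}

emit_rules
```

Check the result with `iptables -L -v -n` and watch the kernel log for `OUTBOUND-NEW-DROP:` entries: the destinations that show up there are the flood targets and any control server, and they tell you whether some legitimate outbound dependency (a smarthost, a resolver) was missed. Raw-socket floods with spoofed source addresses are still locally generated packets and traverse OUTPUT, so the NEW-state drop catches them too; what it cannot defend against is a kernel-level rootkit, which is the point the next answer makes about not trusting the box at all.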
"We have a linux box that seems to have been compromised"
If the box has been compromised, you shouldn't trust any executables on it -- there is nothing stopping the intruder from replacing known utilities with trojanized executables. Best bet is to take it offline and remove it from the network. Then sort through your data with a fine-tooth comb.
redhat-config-securityleve
if possible!