Solved

Stopping Outbound Connections and DDOS attacts from the server

Posted on 2006-07-24
6
184 Views
Last Modified: 2010-04-20
We have a linux box that seems to have been comprimised. We need time to work on the box and get the thing backed up and reimaged. In the mean time, what is the best way to prevent DDOS attacts from coming from the box. Is their an IPTABLES Command that can help with this?

Thanks
0
Comment
Question by:safepointmedia
  • 4
6 Comments
 
LVL 22

Accepted Solution

by:
pjedmond earned 500 total points
Comment Utility
Pull out the network connection?

With iptables:

My /etc/sysconfig/iptables
file - you'll need to create it if it doesn't exist.
-------8X-------------
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
-------8X-------------
Blocks most ports, except fort he obvious lines that allow ports 22 (ssh), 80 (http), 25 (smtp) and POP (110). Customise to taste, then:

/etc/init.d/iptables restart

Assuming you know which ports you need to allow/block - Effectively only allow specifics, and reject everything else.

(   (()
(`-' _\
 ''  ''


0
 
LVL 22

Expert Comment

by:pjedmond
Comment Utility
Obviously take note of the warning, and use:

redhat-config-securitylevel

if possible!

(   (()
(`-' _\
 ''  ''

0
 
LVL 22

Expert Comment

by:pjedmond
Comment Utility
Best I read the instructions - stop outbound connections!

http://iptables-tutorial.frozentux.net/iptables-tutorial.html
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html

As an overview, you have an INPUT table, an OUTPUT table and a FORWARD table. You need to discover exactly what type of packets are being sent in order to block them.

tcpdump

may help you with this.

Key commands:

iptables -A   params  - to add a new rule to the chain
iptables -L                - to list the current rules
iptables -F                - to flush the rules so that yo ucan start again with building them.

(   (()
(`-' _\
 ''  ''
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:safepointmedia
Comment Utility
Okay,

Here is something I don't quite get, I want to allow inbound ports:

22,25,80,443,110 and nothing else.

I don't want the machine to make any outbound connections at all. Is there a reason why a web server would need to make that if all the services we are serving up are internal and nothing is aquired from outside of the box?

With that said and if there is no reason for this box to make outbound connections, is there a blanket statement that says, "no outbound connections, no matter what it is?"

Thanks
0
 
LVL 22

Expert Comment

by:pjedmond
Comment Utility
If your box can't reply to your request, then you have a problem. There may be issues with connections to mysql databases, or the smtp server - These require an outward connection. Also there are many processes that allow sockets to the ip address in ordert to function, that's why I'm being very careful as to what I advise. Ideally, if you stop the inbound connections, nothing external can control the trojan software on your system to control it.

However, some DDOS software will try and connect to somethign remote in order to collect instructions.

If this server is that important that you can't just unplug the cable, then we need to be exceptionally careful as to what we decide to do. I could decide to DROP all TCP connections which would stop you system from being of any use, but the DDOS may be using UDP to communicate and as a result the approach would be pointless.

Have you any idea what the problem is, or any idea of the malware concerned. Any idea what it is doing?

(   (()
(`-' _\
 ''  ''
0
 
LVL 4

Expert Comment

by:avatech
Comment Utility
"We have a linux box that seems to have been comprimised"

If the box has been compromised, you shouldn't trust any executables on it -- there is nothing stopping the intruder from replacing known utilities with trojanized executables.  Best bet is to take it offline and remove it from the network.  Then sort through your data with a fine tooth comb.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now