Solved

Stopping Outbound Connections and DDOS attacks from the server

Posted on 2006-07-24
193 Views
Last Modified: 2010-04-20
We have a linux box that seems to have been compromised. We need time to work on the box and get the thing backed up and reimaged. In the mean time, what is the best way to prevent DDOS attacks from coming from the box. Is there an IPTABLES command that can help with this?

Thanks
Question by:safepointmedia
6 Comments
 
LVL 22

Accepted Solution

by:
pjedmond earned 500 total points
ID: 17170491
Pull out the network connection?

With iptables:

My /etc/sysconfig/iptables
file - you'll need to create it if it doesn't exist.
-------8X-------------
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
-------8X-------------
Blocks most ports, except for the obvious lines that allow ports 22 (ssh), 80 (http), 25 (smtp) and POP (110). Customise to taste, then:

/etc/init.d/iptables restart

Assuming you know which ports you need to allow/block - Effectively only allow specifics, and reject everything else.

(   (()
(`-' _\
 ''  ''


0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17170505
Obviously take note of the warning, and use:

redhat-config-securitylevel

if possible!

(   (()
(`-' _\
 ''  ''

0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17170547
Best I read the instructions - stop outbound connections!

http://iptables-tutorial.frozentux.net/iptables-tutorial.html
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html

As an overview, you have an INPUT table, an OUTPUT table and a FORWARD table. You need to discover exactly what type of packets are being sent in order to block them.

tcpdump

may help you with this.

Key commands:

iptables -A <params>  - to add a new rule to the chain
iptables -L           - to list the current rules
iptables -F           - to flush the rules so that you can start again with building them.

(   (()
(`-' _\
 ''  ''
0

Author Comment

by:safepointmedia
ID: 17170706
Okay,

Here is something I don't quite get, I want to allow inbound ports:

22,25,80,443,110 and nothing else.

I don't want the machine to make any outbound connections at all. Is there a reason why a web server would need to make that if all the services we are serving up are internal and nothing is acquired from outside of the box?

With that said and if there is no reason for this box to make outbound connections, is there a blanket statement that says, "no outbound connections, no matter what it is?"

Thanks
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17170923
If your box can't reply to your request, then you have a problem. There may be issues with connections to mysql databases, or the smtp server - These require an outward connection. Also there are many processes that allow sockets to the ip address in order to function, that's why I'm being very careful as to what I advise. Ideally, if you stop the inbound connections, nothing external can control the trojan software on your system to control it.

However, some DDOS software will try and connect to something remote in order to collect instructions.

If this server is that important that you can't just unplug the cable, then we need to be exceptionally careful as to what we decide to do. I could decide to DROP all TCP connections which would stop your system from being of any use, but the DDOS may be using UDP to communicate and as a result the approach would be pointless.

Have you any idea what the problem is, or any idea of the malware concerned. Any idea what it is doing?

(   (()
(`-' _\
 ''  ''
0
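The following is an added example, not code posted by pjedmond or anyone else in this thread. It turns the accepted solution's ruleset and the asker's "only 22,25,80,443,110 in, nothing out" wish into one iptables-restore file that keeps the caveat above in mind: the box must still be able to reply to connections it accepted (ESTABLISHED,RELATED on OUTPUT), and anything it genuinely needs to initiate (the SMTP relay or a remote MySQL mentioned above) is allowed explicitly rather than by leaving OUTPUT open. Everything else the box tries to send is logged before being dropped, so the kernel log shows the protocol, port and destination of whatever the malware attempts, which complements the tcpdump suggestion. The port lists, the log prefix and the DNS/SMTP allowances are assumptions to be adjusted for the real box.

```sh
#!/bin/sh
# Added example (not from the thread): default-deny in both directions.
# Inbound: only the listed service ports. Outbound: replies to accepted
# connections plus an explicit short list; all other outbound traffic is
# logged (rate-limited) and dropped. Values below are assumptions.

INBOUND_TCP="22 25 80 443 110"   # services the asker wants reachable
OUTBOUND_TCP="25"                # e.g. SMTP relay; add 3306 for a remote MySQL
OUTBOUND_UDP="53"                # DNS, only if the box needs to resolve names
LOG_PREFIX="OUT-DROP: "          # grep for this in the kernel log / syslog

# Print the ruleset in iptables-restore format. Nothing is applied here,
# so this part runs as an ordinary user and can be reviewed before use.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # loopback: local daemons (mysql over 127.0.0.1, mail queue, ...) need it
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # replies to connections the box accepted; without the OUTPUT line
    # the server cannot answer anybody, which is the caveat raised above
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $INBOUND_TCP; do
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    # connections this box is allowed to initiate, one rule per port
    for p in $OUTBOUND_TCP; do
        printf '%s\n' "-A OUTPUT -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    for p in $OUTBOUND_UDP; do
        printf '%s\n' "-A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # anything else leaving the box: log a sample, then drop it, so the log
    # shows what the malware is trying to reach (dst, proto, dpt)
    printf '%s\n' "-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix \"$LOG_PREFIX\""
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' '-A OUTPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of NEW-inbound ACCEPT rules in the generated set; a quick sanity
# check that every port in INBOUND_TCP produced exactly one rule.
count_inbound_accepts() {
    gen_rules | grep -c -- '-A INPUT -m state --state NEW'
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;   # needs root; try from a console, not over ssh
    *)       gen_rules ;;                      # default: just print the ruleset for review
esac
```

Run it without arguments to see the ruleset; run it with --apply as root only from a console you will not lock yourself out of, since an OUTPUT policy of DROP on a box you reached over ssh is only survivable because of the ESTABLISHED,RELATED line. Once applied, lines prefixed OUT-DROP: in the kernel log list every outbound attempt that was not explicitly allowed, which is exactly the information pjedmond asks for (what the malware is doing and over which protocol).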
 
LVL 4

Expert Comment

by:avatech
ID: 17171127
"We have a linux box that seems to have been compromised"

If the box has been compromised, you shouldn't trust any executables on it -- there is nothing stopping the intruder from replacing known utilities with trojanized executables. Best bet is to take it offline and remove it from the network. Then sort through your data with a fine tooth comb.
0
