* hacking attempts
@ Littlefield, tyler
` Lorenzo Taylor
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Littlefield, tyler @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Hello list,
I just had someone bomb the hell out of my system on a udp port, moving from ip of 22 to 249.
My logwatch was huge.
Is there a way I can block things like this?
I'm not sure how to set up iptables, and don't really have a whole lot of time to go through a huge 300000 page tutorial.
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127
^ permalink raw reply [flat|nested] 12+ messages in thread

* Re: hacking attempts
From: Lorenzo Taylor @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I particularly like a firewall script called FireHOL. By default it
blocks everything and you just open what you want. And the scripting
language that builds the firewall rules is about the easiest to
understand of anything I've ever seen. It's available at
http://firehol.sourceforge.net, and some distros also have packages
prebuilt for it. The homepage gives you lots of examples of usage for
different configurations.

HTH,
Lorenzo
- --
I've always found anomalies to be very relaxing. It's a curse.
- --Jadzia Dax: Star Trek Deep Space Nine (The Assignment)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFzf/EG9IpekrhBfIRAsjQAKCBZ5nORMkpls4pELm6Hf+l3w4QrQCgzLGf
KP9NfwN9y2FshJybEJI2BQc=
=6I27
-----END PGP SIGNATURE-----
* Re: hacking attempts
From: Littlefield, tyler @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

awesome, will grab it.
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127

----- Original Message -----
From: Lorenzo Taylor <lorenzo@taylor.homelinux.net>
To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
Sent: Saturday, February 10, 2007 10:24 AM
Subject: Re: hacking attempts

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I particularly like a firewall script called FireHOL. By default it
> blocks everything and you just open what you want. And the scripting
> language that builds the firewall rules is about the easiest to
> understand of anything I've ever seen. It's available at
>
> http://firehol.sourceforge.net, and some distros also have packages
> prebuilt for it. The homepage gives you lots of examples of usage for
> different configurations.
>
> HTH,
> Lorenzo
> - --
> I've always found anomalies to be very relaxing. It's a curse.
> - --Jadzia Dax: Star Trek Deep Space Nine (The Assignment)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFFzf/EG9IpekrhBfIRAsjQAKCBZ5nORMkpls4pELm6Hf+l3w4QrQCgzLGf
> KP9NfwN9y2FshJybEJI2BQc=
> =6I27
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
* Re: hacking attempts
From: Littlefield, tyler @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

ohkay, here's my firehol script...

version 5
interface eth0 internet src not "$UNROUTABLE_IPS"
router fwd
server ftp accept
server ssh accept
#server telnet not src 192.168.1.1/24 drop
server smtp accept
server http accept user apache
server pop3 accept
client all accept user "tyler root"
client ftp accept
client ssh accept
client telnet accept
client smtp accept
client pop3 accept

everything is getting dropped... any idea?
Also, I was wondering: is there a way to do something like client telnet
src 192.168.1.1/24 accept, and then do client telnet drop?
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127

----- Original Message -----
From: Lorenzo Taylor <lorenzo@taylor.homelinux.net>
To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
Sent: Saturday, February 10, 2007 10:24 AM
Subject: Re: hacking attempts

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I particularly like a firewall script called FireHOL. By default it
> blocks everything and you just open what you want. And the scripting
> language that builds the firewall rules is about the easiest to
> understand of anything I've ever seen. It's available at
>
> http://firehol.sourceforge.net, and some distros also have packages
> prebuilt for it. The homepage gives you lots of examples of usage for
> different configurations.
>
> HTH,
> Lorenzo
> - --
> I've always found anomalies to be very relaxing. It's a curse.
> - --Jadzia Dax: Star Trek Deep Space Nine (The Assignment)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFFzf/EG9IpekrhBfIRAsjQAKCBZ5nORMkpls4pELm6Hf+l3w4QrQCgzLGf
> KP9NfwN9y2FshJybEJI2BQc=
> =6I27
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
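The thread never answers why the posted configuration drops everything, so here is the likely cause and a corrected file, as an added example that is not part of the original message. In FireHOL, every `server`/`client` line attaches to the most recent `interface` or `router` definition. In the posted file, `router fwd` opens a new definition right after the interface line, so all the service rules apply to forwarded traffic and `eth0` is left with no rules at all, only its default `policy drop`. The second question (allow telnet only to the LAN, drop it otherwise) is answered by FireHOL's optional rule parameters: rules inside a definition are evaluated in order, and the action comes before the parameters. Interface name, services and users are taken from the posted file; `192.168.1.0/24` is the posted network written as its network address, and `protection strong` is an optional addition.

```firehol
version 5

# Added example, not from the original thread. The service rules stay under
# the interface: anything written after "router fwd" would belong to the
# router, which is what left eth0 with nothing but "policy drop".
interface eth0 internet src not "${UNROUTABLE_IPS}"
        policy drop
        protection strong

        # Services this host offers to the internet.
        server ftp  accept
        server ssh  accept
        server smtp accept
        server http accept user apache
        server pop3 accept

        # Rules are matched in order. An accept restricted with an optional
        # rule parameter, followed by an unrestricted drop, gives "telnet
        # only to the LAN". For a client rule the remote host is "dst" (for
        # a server rule it would be "src"). These must come before the
        # broad "client all" rule below or that rule wins first.
        client telnet accept dst "192.168.1.0/24"
        client telnet drop

        client all  accept user "tyler root"
        client ftp  accept
        client ssh  accept
        client smtp accept
        client pop3 accept

# Only needed if this box forwards traffic for other hosts. With no rules
# of its own it now just drops forwarded packets; delete it otherwise.
router fwd
        policy drop
```

Apply a change like this with `firehol try` rather than `firehol start`: it activates the new rule set and reverts to the previous one unless `commit` is typed within 30 seconds, so a mistake cannot lock you out of your own ssh session. `firehol debug` prints the generated iptables commands without applying them, which makes it easy to see which definition a rule ended up in.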
* Re: hacking attempts
From: Doug Sutherland @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

Regarding hacking attempts, I suggest reading about iptables and how to
configure this. In a nutshell, you can do these few things to block
attempts.

Set a known state for iptables: set a default rule to drop all input
packets, output packets, and forward packets. Set a rule to allow local
only connections. Set a rule to allow outgoing connections. Set a rule
to permit answers on already established connections.

This way, by default everything is blocked except you connecting
outwards, returned answers from established connections (like ftp using
two ports etc), and local only allow. Everything else is dropped. You
will need to add specific rules if you want to expose certain interfaces
like ftp and ssh etc for outside connection.

There are also some things you can do by writing to /proc/sys to gain
extra protection, like the following:

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn

Check out this useful example from linuxfromscratch
http://www.linuxfromscratch.org/blfs/view/stable/postlfs/firewall.html

And look for the docs for iptables and tutorials on how it works. None
of this is distro specific except how the scripts get fired and where
they reside etc.

Littlefield, tyler wrote:
> I'm not sure how to set up iptables, and don't really have a whole lot
> of time to go through a huge 300000 page tutorial.
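The default-deny baseline described above, written out as a script. This is an added example and not Doug's or the list's code; it assumes the outside interface is named in `WAN_IF` (`eth0` by default), a kernel with the `conntrack` match, and it uses `sysctl -w` for the same `/proc/sys` keys as the message. With `DRY_RUN=1` it prints the commands instead of running them, which is how to review the rule set on a machine where you cannot afford to lock yourself out.

```sh
#!/bin/sh
# Added example, not from the original thread: the default-deny baseline as a
# POSIX sh script. Assumptions: outside interface in WAN_IF (eth0 by default),
# iptables with the conntrack match. DRY_RUN=1 prints instead of executing.
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-}"

# run CMD...: execute CMD, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# baseline_rules: known state first (flush, DROP policies on all three
# chains), then the three allowances from the message: loopback, outbound,
# and replies to connections this host started. Order matters: iptables
# stops at the first matching rule in a chain.
baseline_rules() {
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Local-only traffic.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Packets conntrack cannot tie to any connection are noise; drop early.
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Answers to connections we initiated. RELATED covers helper-tracked
    # secondary connections such as FTP data channels (requires the ftp
    # conntrack helper module) and ICMP errors for our own traffic.
    run iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anything this host starts may leave.
    run iptables -A OUTPUT -o "$WAN_IF" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# expose_tcp PORT: one exception per service meant to be reachable from
# outside (e.g. 22 for ssh). Everything not listed stays dropped.
expose_tcp() {
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

# kernel_hardening: the /proc/sys settings from the message, via sysctl so
# the same key names can go into /etc/sysctl.conf to survive a reboot.
kernel_hardening() {
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    run sysctl -w net.ipv4.conf.all.accept_source_route=0
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.conf.all.accept_redirects=0
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.conf.all.log_martians=1
}

# Apply only when executed as a script named firewall.sh; sourcing the file
# just defines the functions.
if [ "${0##*/}" = "firewall.sh" ]; then
    baseline_rules
    expose_tcp 22
    kernel_hardening
fi
```

Run `DRY_RUN=1 sh firewall.sh` first and read the output top to bottom; the `INVALID` drop must precede the `ESTABLISHED,RELATED` accept, and every `expose_tcp` line must come after the policy lines, or the policy flush would wipe it. When applying for real over ssh, run it from a `screen` session or with a scheduled `iptables -F` fallback so a typo cannot cut you off.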
* Re: hacking attempts
From: Ralph W. Reid @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

If all of the attempts were from the same IP, you can block traffic
from an IP address with something like:

iptables --append INPUT -p udp -s <IP_ADDR> -j DROP

replacing <IP_ADDR> with the offending IP address. This idea might be
overly simple for what you really should do for some firewalling--you
might have to start learning iptables after all. What exactly do you
mean by the IP range of 22 to 249 anyway--was this part of the IP
address from where the scan originated?

If the udp port in question is not to be used from outside your system
in any case, a simple block of that port could look something like:

iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j DROP

where <PORTNUM> is the number of the port you wish to block, and eth0
represents ethernet port 0 (change as your system requires).
Depending on the requirements for your system, this might be too
simple of an approach as well--you will have to decide.

Also, that kind of scan seems to be highly unsophisticated, so it
might have been run by a 'kiddie script'. Since the individual who
ran it does not appear to be very experienced at scanning systems,
contacting the systems administrator of the company where the scan
came from might be in order--samples of your system logs could give
the powers that be at that ISP/company a clue as to the individual or
system which originated the scan, and they can then take appropriate
action as needed.

HTH, and have a great day.

On Sat, Feb 10, 2007 at 10:09:00AM -0700, Littlefield, tyler wrote:
> Hello list,
> I just had someone bomb the hell out of my system on a udp port, moving from ip of 22 to 249.
> My logwatch was huge.
> Is there a way I can block things like this?
> I'm not sure how to set up iptables, and don't really have a whole lot of time to go through a huge 300000 page tutorial.
> Thanks,
> Tyler Littlefield
> Unlimited horizons head coder.
> check out our website:
> tysplace.homelinux.net
> msn: compgeek134@hotmail.com
> aim: st8amnd2005
> skype: st8amnd127

--
Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
rreid@sunset.net http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
COSECANT (x) = COTAN (x) / TAN (x)
* Re: hacking attempts
From: Littlefield, tyler @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

it was spoofed.
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127

----- Original Message -----
From: Ralph W. Reid <rreid@sunset.net>
To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
Sent: Sunday, February 11, 2007 9:10 AM
Subject: Re: hacking attempts

> If all of the attempts were from the same IP, you can block traffic
> from an IP address with something like:
>
> iptables --append INPUT -p udp -s <IP_ADDR> -j DROP
>
> replacing <IP_ADDR> with the offending IP address. This idea might be
> overly simple for what you really should do for some firewalling--you
> might have to start learning iptables after all. What exactly do you
> mean by the IP range of 22 to 249 anyway--was this part of the IP
> address from where the scan originated?
>
> If the udp port in question is not to be used from outside your system
> in any case, a simple block of that port could look something like:
>
> iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j DROP
>
> where <PORTNUM> is the number of the port you wish to block, and eth0
> represents ethernet port 0 (change as your system requires).
> Depending on the requirements for your system, this might be too
> simple of an approach as well--you will have to decide.
>
> Also, that kind of scan seems to be highly unsophisticated, so it
> might have been run by a 'kiddie script'. Since the individual who
> ran it does not appear to be very experienced at scanning systems,
> contacting the systems administrator of the company where the scan
> came from might be in order--samples of your system logs could give
> the powers that be at that ISP/company a clue as to the individual or
> system which originated the scan, and they can then take appropriate
> action as needed.
>
> HTH, and have a great day.
>
> On Sat, Feb 10, 2007 at 10:09:00AM -0700, Littlefield, tyler wrote:
> > Hello list,
> > I just had someone bomb the hell out of my system on a udp port, moving from ip of 22 to 249.
> > My logwatch was huge.
> > Is there a way I can block things like this?
> > I'm not sure how to set up iptables, and don't really have a whole lot of time to go through a huge 300000 page tutorial.
> > Thanks,
> > Tyler Littlefield
> > Unlimited horizons head coder.
> > check out our website:
> > tysplace.homelinux.net
> > msn: compgeek134@hotmail.com
> > aim: st8amnd2005
> > skype: st8amnd127
>
> --
> Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
> rreid@sunset.net http://personalweb.sunset.net/~rreid
> ...passing through The City of Internet at the speed of light...
> COSECANT (x) = COTAN (x) / TAN (x)
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
* Re: hacking attempts
From: Ralph W. Reid @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

Well then, perhaps a limit on the number of connection attempts per
minute may have helped in this particular case. Here is an example of
an iptables command which can limit one type of connection to 30 per
minute:

iptables --append INPUT -p icmp --icmp-type echo-request -j ACCEPT --match limit --limit 30/minute

Others here have provided other useful suggestions (setting kernel
parameters in /proc/sys, shutting down and even removing unused
programs and servers, etc.). Installing a separate system to do nothing
but firewalling between your main system and the outside world can be
helpful, but this is not always very practical. Also, if you are
running any IPv6 stuff, you should take similar steps to protect your
IPv6 operations (ip6tables, /proc/sys/net/ipv6/*, etc.).

I know you mentioned that you do not have time to plow through massive
man pages, but unfortunately system security management can take up
some time--especially when just getting started. The more hardware and
operating systems involved in a network, the more complicated the mess
becomes--complete careers have been built around system security and
system security management. Linux is not the most vulnerable system by
far, but any system which is connected to the outside world in any way
is at some level of risk. A source of information I have sometimes
found useful is www.securityfocus.com--there is a lot of information
on the web site and in their email lists.

HTH a little anyway, and have a great day.

On Sun, Feb 11, 2007 at 09:32:28AM -0700, Littlefield, tyler wrote:
> it was spoofed.
> Thanks,
> Tyler Littlefield
> Unlimited horizons head coder.
> check out our website:
> tysplace.homelinux.net
> msn: compgeek134@hotmail.com
> aim: st8amnd2005
> skype: st8amnd127
> ----- Original Message -----
> From: Ralph W. Reid <rreid@sunset.net>
> To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
> Sent: Sunday, February 11, 2007 9:10 AM
> Subject: Re: hacking attempts
>
>
> > If all of the attempts were from the same IP, you can block traffic
> > from an IP address with something like:
> >
> > iptables --append INPUT -p udp -s <IP_ADDR> -j DROP
> >
> > replacing <IP_ADDR> with the offending IP address. This idea might be
> > overly simple for what you really should do for some firewalling--you
> > might have to start learning iptables after all. What exactly do you
> > mean by the IP range of 22 to 249 anyway--was this part of the IP
> > address from where the scan originated?
> >
> > If the udp port in question is not to be used from outside your system
> > in any case, a simple block of that port could look something like:
> >
> > iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j
> DROP
> >
> > where <PORTNUM> is the number of the port you wish to block, and eth0
> > represents ethernet port 0 (change as your system requires).
> > Depending on the requirements for your system, this might be too
> > simple of an approach as well--you will have to decide.
> >
> > Also, that kind of scan seems to be highly unsophisticated, so it
> > might have been run by a 'kiddie script'. Since the individual who
> > ran it does not appear to be very experienced at scanning systems,
> > contacting the systems administrator of the company where the scan
> > came from might be in order--samples of your system logs could give
> > the powers that be at that ISP/company a clue as to the individual or
> > system which originated the scan, and they can then take appropriate
> > action as needed.
> >
> > HTH, and have a great day.
> >
> > On Sat, Feb 10, 2007 at 10:09:00AM -0700, Littlefield, tyler wrote:
> > > Hello list,
> > > I just had someone bomb the hell out of my system on a udp port, moving
> from ip of 22 to 249.
> > > My logwatch was huge.
> > > Is there a way I can block things like this?
> > > I'm not sure how to set up iptables, and don't really have a whole lot
> of time to go through a huge 300000 page tutorial.
> > > Thanks,
> > > Tyler Littlefield
> > > Unlimited horizons head coder.
> > > check out our website:
> > > tysplace.homelinux.net
> > > msn: compgeek134@hotmail.com
> > > aim: st8amnd2005
> > > skype: st8amnd127

--
Ralph. N6BNO. Wisdom comes from central processing, not from I/O.
rreid@sunset.net http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
COSECANT (x) = COTAN (x) / TAN (x)
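A caveat a practitioner would want on the rate-limit rule above, with the two earlier per-port and per-source ideas folded in, as an added example that is not Ralph's or the list's code. `-m limit` is a match, not a target: a packet over the rate simply fails to match the `ACCEPT` and continues down the chain, so on its own the rule blocks nothing; it needs an explicit `DROP` after it (or a chain policy of `DROP`). The example assumes the outside interface is named in `WAN_IF` (`eth0` by default) and prints instead of executing when `DRY_RUN=1`. Because the source addresses in this thread were spoofed, the UDP limit is applied per port rather than per source; a per-source limiter such as `hashlimit` only helps against real sources.

```sh
#!/bin/sh
# Added example, not from the original thread: rate limiting written so that
# the excess is actually dropped. Assumptions: outside interface in WAN_IF
# (eth0 by default); DRY_RUN=1 prints the commands instead of executing them.
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-}"

# run CMD...: execute CMD, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# limit_pings [RATE]: the echo-request rule from the message, followed by the
# DROP it needs. Packets beyond RATE (plus the burst) do not match the first
# rule and fall through to the second, where they are dropped.
limit_pings() {
    rate="${1:-30/minute}"
    run iptables -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit "$rate" --limit-burst 5 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

# limit_udp_port PORT [RATE]: the same pattern for a UDP service that must stay
# reachable but was being flooded. The limit is per port, not per source,
# because spoofed sources defeat per-source limits. The excess is logged at
# its own, lower rate so a flood cannot fill the logs, then dropped.
limit_udp_port() {
    port="$1"
    rate="${2:-30/minute}"
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$port" \
        -m limit --limit "$rate" --limit-burst 10 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$port" \
        -m limit --limit 6/minute -j LOG --log-prefix "udp-flood: "
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$port" -j DROP
}

# drop_udp_port PORT: for a port nothing outside should reach at all, skip the
# limit and drop outright (the per-port rule from the earlier message).
drop_udp_port() {
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$1" -j DROP
}

# show_input_chain: the packet counters on the LOG and DROP rules tell you
# whether the limit is doing anything. Only meaningful outside DRY_RUN.
show_input_chain() {
    run iptables -L INPUT -n -v --line-numbers
}
```

After applying, `show_input_chain` (or `iptables -L INPUT -n -v`) shows per-rule packet counters: a rising count on the `DROP` line and a much smaller one on the `LOG` line is the expected shape during a flood. If the `ACCEPT` counter grows and the `DROP` counter stays at zero while the flood continues, the rules are in the wrong order or on the wrong interface.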
* Re: hacking attempts
From: Gregory Nowak @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Blocking the IP would not be very useful, since most IPs are dynamic
these days.

Greg

On Sun, Feb 11, 2007 at 08:10:00AM -0800, Ralph W. Reid wrote:
> If all of the attempts were from the same IP, you can block traffic
> from an IP address with something like:
>
> iptables --append INPUT -p udp -s <IP_ADDR> -j DROP
>
> replacing <IP_ADDR> with the offending IP address. This idea might be
> overly simple for what you really should do for some firewalling--you
> might have to start learning iptables after all. What exactly do you
> mean by the IP range of 22 to 249 anyway--was this part of the IP
> address from where the scan originated?
>
> If the udp port in question is not to be used from outside your system
> in any case, a simple block of that port could look something like:
>
> iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j DROP
>
> where <PORTNUM> is the number of the port you wish to block, and eth0
> represents ethernet port 0 (change as your system requires).
> Depending on the requirements for your system, this might be too
> simple of an approach as well--you will have to decide.
>
> Also, that kind of scan seems to be highly unsophisticated, so it
> might have been run by a 'kiddie script'. Since the individual who
> ran it does not appear to be very experienced at scanning systems,
> contacting the systems administrator of the company where the scan
> came from might be in order--samples of your system logs could give
> the powers that be at that ISP/company a clue as to the individual or
> system which originated the scan, and they can then take appropriate
> action as needed.
>
> HTH, and have a great day.
>

- --
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFz1LA7s9z/XlyUyARAjlAAKDAwxb3HzHw/WxAXCkw1sb7b4LEEACghsFC
Ln/fzlfhywzvH99sv8cWSj0=
=cnbD
-----END PGP SIGNATURE-----
* re: hacking attempts
From: Jude DaShiell @ UTC (permalink / raw)
To: speakup

The firewall-piercing-HOWTO is not long but very educational for anyone
who thinks firewalls are all that's needed to slow down hackers. Since I
have no need to log into this machine from the outside, I edited
/etc/ssh/sshd_config and commented out line 5 that starts out with Port
and then saved my work. I also downloaded the lcap package and after
having edited sshd_config I also did a chattr +i /etc/ssh/sshd_config.
That won't stop hackers but may add a few seconds delay for them.
* Re: hacking attempts
From: Doug Sutherland @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

I totally agree that firewalls are not a panacea, and also that it's
more important to not open ports that you don't have to. I don't run
any kind of services like ssh or ftp, I don't even run inetd or
anything like it. There are no ports open! The only open ports are
outgoing and related answers incoming.

One thing that linux distros have traditionally had backwards is
turning everything on by default, including all kinds of port access.
The first thing I do whenever installing is make sure no services are
running that open ports, and that only what I need is running, period.

Having said that, a basic firewall is still important for its drop
packets functionality. You do not want any info that you are even
there, that you exist. You want to drop packets therefore you should
have a simple basic firewall in place. Start by dropping everything,
then allow only what you need.

-- Doug
* Re: hacking attempts
From: Janina Sajka @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.

Doug Sutherland writes:
> One thing that linux distros have traditionally had backwards
> is turning everything on by default, including all kinds of
> port access.

That used to be true for all *nix systems. It has noticeably changed
over the past few years. I believe the only port on by default in
today's Fedora install is port 22.

For attacks on port 22 there is a lovely monitoring application called
denyhosts that will shortly curtail scripted attacks on 22.

Janina
Thread overview: 12+ messages
hacking attempts Littlefield, tyler
` Lorenzo Taylor
` Littlefield, tyler
` Littlefield, tyler
` Doug Sutherland
` Ralph W. Reid
` Littlefield, tyler
` Ralph W. Reid
` Gregory Nowak
Jude DaShiell
` Doug Sutherland
` Janina Sajka