hacking attempts

hacking attempts

[Littlefield, tyler]

Hello list,
I just had someone bomb the hell out of my system on a udp port, moving from ip of 22 to 249.
My logwatch was huge.
Is there a way I can block things like this?
I'm not sure how to set up iptables, and don't really have a whole lot of time to go through a huge 300000 page tutorial.
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127

Re: hacking attempts

[Lorenzo Taylor]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I particularly like a firewall script called FireHOL.  By default it
blocks everything and you just open what you want.  And the scripting
language that builds the firewall rules is about the easiest to
understand of anything I've ever seen.  It's available at

http://firehol.sourceforge.net, and some distros also have packages
prebuilt for it.  The homepage gives you lots of examples of usage for
different configurations.

HTH,
Lorenzo
- -- 
I've always found anomalies to be very relaxing. It's a curse.
- --Jadzia Dax: Star Trek Deep Space Nine (The Assignment)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFzf/EG9IpekrhBfIRAsjQAKCBZ5nORMkpls4pELm6Hf+l3w4QrQCgzLGf
KP9NfwN9y2FshJybEJI2BQc=
=6I27
-----END PGP SIGNATURE-----

Re: hacking attempts

[Littlefield, tyler]

awesome, will grab it.
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127
----- Original Message ----- 
From: Lorenzo Taylor <lorenzo@taylor.homelinux.net>
To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
Sent: Saturday, February 10, 2007 10:24 AM
Subject: Re: hacking attempts


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I particularly like a firewall script called FireHOL.  By default it
> blocks everything and you just open what you want.  And the scripting
> language that builds the firewall rules is about the easiest to
> understand of anything I've ever seen.  It's available at
> 
> http://firehol.sourceforge.net, and some distros also have packages
> prebuilt for it.  The homepage gives you lots of examples of usage for
> different configurations.
> 
> HTH,
> Lorenzo
> - -- 
> I've always found anomalies to be very relaxing. It's a curse.
> - --Jadzia Dax: Star Trek Deep Space Nine (The Assignment)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
> 
> iD8DBQFFzf/EG9IpekrhBfIRAsjQAKCBZ5nORMkpls4pELm6Hf+l3w4QrQCgzLGf
> KP9NfwN9y2FshJybEJI2BQc=
> =6I27
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: hacking attempts

[Littlefield, tyler]

ohkay, here's my firehol script...

version 5
interface eth0 internet src not "$UNROUTABLE_IPS"
router fwd
server ftp accept
server ssh accept
#server telnet not src 192.168.1.1/24 drop
server smtp accept
server http accept user apache
server pop3 accept
client all accept user "tyler root"
client ftp accept
client ssh accept
client telnet accept
client smtp accept
client pop3 accept
everything is getting dropped... any idea?
Also, I was wondering:
is there a way to do soemthing like client telnet src 192.168.1.1/24 accept,
and then do client telnet drop?
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127
----- Original Message -----
From: Lorenzo Taylor <lorenzo@taylor.homelinux.net>
To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
Sent: Saturday, February 10, 2007 10:24 AM
Subject: Re: hacking attempts


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I particularly like a firewall script called FireHOL.  By default it
> blocks everything and you just open what you want.  And the scripting
> language that builds the firewall rules is about the easiest to
> understand of anything I've ever seen.  It's available at
>
> http://firehol.sourceforge.net, and some distros also have packages
> prebuilt for it.  The homepage gives you lots of examples of usage for
> different configurations.
>
> HTH,
> Lorenzo
> - --
> I've always found anomalies to be very relaxing. It's a curse.
> - --Jadzia Dax: Star Trek Deep Space Nine (The Assignment)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFFzf/EG9IpekrhBfIRAsjQAKCBZ5nORMkpls4pELm6Hf+l3w4QrQCgzLGf
> KP9NfwN9y2FshJybEJI2BQc=
> =6I27
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: hacking attempts

[Doug Sutherland]

Regarding hacking attempts, I suggest reading about iptables
and how to configure this. In a nutshell, you can do these few
things to block attempts.

Set a known state for iptables: set a default rule to drop all
input packets, output packets, and forward packets.

Set a rule to allow local only connections.
Set a rule to allow outgoing connections.
Set a rule to permit answers on already established connections.

This way, by default everything is blocked except you connecting
outwards, returned answers from established connections (like
ftp using two ports etc), and local only allow.

Everything else is dropped.
You will need to add specific rules if you want to expose certain
interfaces like ftp and ssh etc for outside connection.

There are also some things you can by writing to /proc/sys
to gain extra protection, like the following:

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don¹t send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn

Check out this useful example from linuxfromscratch
http://www.linuxfromscratch.org/blfs/view/stable/postlfs/firewall.html

And look for the docs for iptables and tutorials on how it work.
None of this is distro specific except how the scripts get fired
and where they reside etc.


Littlefield, tyler wrote:
 > I'm not sure how to set up iptables, and don't really have a whole lot
 > of time to go through a huge 300000 page tutorial.

Re: hacking attempts

[Ralph W. Reid]

If all of the attempts were from the same IP, you can block traffic
from an IP address with something like:

iptables --append INPUT -p udb -s <IP_ADDR> -j DROP

replacing <IP_ADDR> with the offending IP address.  This idea might be
overly simple for what you really should do for some firewalling--you
might have to start learning iptables after all.  What exactly do you
mean by the IP range of 22 to 249 anyway--was this part of the IP
address from where the scan originated?

If the udp port in question is not to be used from outside your system
in any case, a simple block of that port could look something like:

iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j DROP

where <PORTNUM> is the number of the port you wish to block, and eth0
represents ethernet port 0 (change as your system requires).
Depending on the requirements for your system, this might be too
simple of an approach as well--you will have to decide.

Also, that kind of scan seems to be highly unsophisticated, so it
might have been run by a 'kiddie script'.  Since the individual who
ran it does not appear to be very experienced at scanning systems,
contacting the systems administrator of the company where the scan
came from might be in order--samples of your system logs could give
the powers that be at that ISP/company a clue as to the individual or
system which originated the scan, and they can then take appropriate
action as needed.

HTH, and have a great day.

On Sat, Feb 10, 2007 at 10:09:00AM -0700, Littlefield, tyler wrote:
> Hello list,
> I just had someone bomb the hell out of my system on a udp port, moving from ip of 22 to 249.
> My logwatch was huge.
> Is there a way I can block things like this?
> I'm not sure how to set up iptables, and don't really have a whole lot of time to go through a huge 300000 page tutorial.
> Thanks,
> Tyler Littlefield
> Unlimited horizons head coder.
> check out our website:
> tysplace.homelinux.net
> msn: compgeek134@hotmail.com
> aim: st8amnd2005
> skype: st8amnd127

-- 
Ralph.  N6BNO.  Wisdom comes from central processing, not from I/O.
rreid@sunset.net  http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
COSECANT (x) = COTAN (x) / TAN (x)

Re: hacking attempts

[Littlefield, tyler]

it was spoofed.
Thanks,
Tyler Littlefield
Unlimited horizons head coder.
check out our website:
tysplace.homelinux.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127
----- Original Message -----
From: Ralph W. Reid <rreid@sunset.net>
To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
Sent: Sunday, February 11, 2007 9:10 AM
Subject: Re: hacking attempts


> If all of the attempts were from the same IP, you can block traffic
> from an IP address with something like:
>
> iptables --append INPUT -p udb -s <IP_ADDR> -j DROP
>
> replacing <IP_ADDR> with the offending IP address.  This idea might be
> overly simple for what you really should do for some firewalling--you
> might have to start learning iptables after all.  What exactly do you
> mean by the IP range of 22 to 249 anyway--was this part of the IP
> address from where the scan originated?
>
> If the udp port in question is not to be used from outside your system
> in any case, a simple block of that port could look something like:
>
> iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j
DROP
>
> where <PORTNUM> is the number of the port you wish to block, and eth0
> represents ethernet port 0 (change as your system requires).
> Depending on the requirements for your system, this might be too
> simple of an approach as well--you will have to decide.
>
> Also, that kind of scan seems to be highly unsophisticated, so it
> might have been run by a 'kiddie script'.  Since the individual who
> ran it does not appear to be very experienced at scanning systems,
> contacting the systems administrator of the company where the scan
> came from might be in order--samples of your system logs could give
> the powers that be at that ISP/company a clue as to the individual or
> system which originated the scan, and they can then take appropriate
> action as needed.
>
> HTH, and have a great day.
>
> On Sat, Feb 10, 2007 at 10:09:00AM -0700, Littlefield, tyler wrote:
> > Hello list,
> > I just had someone bomb the hell out of my system on a udp port, moving
from ip of 22 to 249.
> > My logwatch was huge.
> > Is there a way I can block things like this?
> > I'm not sure how to set up iptables, and don't really have a whole lot
of time to go through a huge 300000 page tutorial.
> > Thanks,
> > Tyler Littlefield
> > Unlimited horizons head coder.
> > check out our website:
> > tysplace.homelinux.net
> > msn: compgeek134@hotmail.com
> > aim: st8amnd2005
> > skype: st8amnd127
>
> --
> Ralph.  N6BNO.  Wisdom comes from central processing, not from I/O.
> rreid@sunset.net  http://personalweb.sunset.net/~rreid
> ...passing through The City of Internet at the speed of light...
> COSECANT (x) = COTAN (x) / TAN (x)
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: hacking attempts

[Gregory Nowak]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Blocking the ip would not be very useful, since most ips are dynamic
these days.

Greg


On Sun, Feb 11, 2007 at 08:10:00AM -0800, Ralph W. Reid wrote:
> If all of the attempts were from the same IP, you can block traffic
> from an IP address with something like:
> 
> iptables --append INPUT -p udb -s <IP_ADDR> -j DROP
> 
> replacing <IP_ADDR> with the offending IP address.  This idea might be
> overly simple for what you really should do for some firewalling--you
> might have to start learning iptables after all.  What exactly do you
> mean by the IP range of 22 to 249 anyway--was this part of the IP
> address from where the scan originated?
> 
> If the udp port in question is not to be used from outside your system
> in any case, a simple block of that port could look something like:
> 
> iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j DROP
> 
> where <PORTNUM> is the number of the port you wish to block, and eth0
> represents ethernet port 0 (change as your system requires).
> Depending on the requirements for your system, this might be too
> simple of an approach as well--you will have to decide.
> 
> Also, that kind of scan seems to be highly unsophisticated, so it
> might have been run by a 'kiddie script'.  Since the individual who
> ran it does not appear to be very experienced at scanning systems,
> contacting the systems administrator of the company where the scan
> came from might be in order--samples of your system logs could give
> the powers that be at that ISP/company a clue as to the individual or
> system which originated the scan, and they can then take appropriate
> action as needed.
> 
> HTH, and have a great day.
> 

- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFz1LA7s9z/XlyUyARAjlAAKDAwxb3HzHw/WxAXCkw1sb7b4LEEACghsFC
Ln/fzlfhywzvH99sv8cWSj0=
=cnbD
-----END PGP SIGNATURE-----

Re: hacking attempts

[Ralph W. Reid]

Well then, perhaps a limit on the number of connection attempts per
minute may have helped in this particular case.  Here is an example of
an iptables command which can limit one type of connection to 30 per
minute:

iptables --append INPUT -p icmp --icmp-type echo-request -j ACCEPT --match limit --limit 30/minute

Others here have provided other useful suggestions (setting kernel
parameters in /proc/sys, shutting down and even removing unused
programs and servers, etc.).  Installing a separate system to do
nothing but firewalling between your main system and the outside world
can be helpful, but this is not always very practical.  Also, if you
are running any IPv6 stuff, you should take similar steps to protect
your IPv6 operations (ip6tables, /proc/sys/net/ipv6/*, etc.).  I know
you mentioned that you do not have time to plow through massive man
pages, but unfortunately system security management can take up some
time--especially when just getting started.

The more hardware and operating systems involved in a network, the
more complicated the mess becomes--complete careers have been built
around system security and system security management.  Linux is not
the most vulnerable system by far, but any system which is connected
to the outside world in any way is at some level of risk.  A source of
information I have sometimes found useful is
www.securityfocus.com--there is a lot of information on the web site
and in their email lists.

HTH a little anyway, and have a great day.

On Sun, Feb 11, 2007 at 09:32:28AM -0700, Littlefield, tyler wrote:
> it was spoofed.
> Thanks,
> Tyler Littlefield
> Unlimited horizons head coder.
> check out our website:
> tysplace.homelinux.net
> msn: compgeek134@hotmail.com
> aim: st8amnd2005
> skype: st8amnd127
> ----- Original Message -----
> From: Ralph W. Reid <rreid@sunset.net>
> To: Speakup is a screen review system for Linux. <speakup@braille.uwo.ca>
> Sent: Sunday, February 11, 2007 9:10 AM
> Subject: Re: hacking attempts
> 
> 
> > If all of the attempts were from the same IP, you can block traffic
> > from an IP address with something like:
> >
> > iptables --append INPUT -p udb -s <IP_ADDR> -j DROP
> >
> > replacing <IP_ADDR> with the offending IP address.  This idea might be
> > overly simple for what you really should do for some firewalling--you
> > might have to start learning iptables after all.  What exactly do you
> > mean by the IP range of 22 to 249 anyway--was this part of the IP
> > address from where the scan originated?
> >
> > If the udp port in question is not to be used from outside your system
> > in any case, a simple block of that port could look something like:
> >
> > iptables --append INPUT -p udp -i eth0 --destination-port <PORTNUM> -j
> DROP
> >
> > where <PORTNUM> is the number of the port you wish to block, and eth0
> > represents ethernet port 0 (change as your system requires).
> > Depending on the requirements for your system, this might be too
> > simple of an approach as well--you will have to decide.
> >
> > Also, that kind of scan seems to be highly unsophisticated, so it
> > might have been run by a 'kiddie script'.  Since the individual who
> > ran it does not appear to be very experienced at scanning systems,
> > contacting the systems administrator of the company where the scan
> > came from might be in order--samples of your system logs could give
> > the powers that be at that ISP/company a clue as to the individual or
> > system which originated the scan, and they can then take appropriate
> > action as needed.
> >
> > HTH, and have a great day.
> >
> > On Sat, Feb 10, 2007 at 10:09:00AM -0700, Littlefield, tyler wrote:
> > > Hello list,
> > > I just had someone bomb the hell out of my system on a udp port, moving
> from ip of 22 to 249.
> > > My logwatch was huge.
> > > Is there a way I can block things like this?
> > > I'm not sure how to set up iptables, and don't really have a whole lot
> of time to go through a huge 300000 page tutorial.
> > > Thanks,
> > > Tyler Littlefield
> > > Unlimited horizons head coder.
> > > check out our website:
> > > tysplace.homelinux.net
> > > msn: compgeek134@hotmail.com
> > > aim: st8amnd2005
> > > skype: st8amnd127


-- 
Ralph.  N6BNO.  Wisdom comes from central processing, not from I/O.
rreid@sunset.net  http://personalweb.sunset.net/~rreid
...passing through The City of Internet at the speed of light...
COSECANT (x) = COTAN (x) / TAN (x)

Re: hacking attempts

[Janina Sajka]

Doug Sutherland writes:
> One thing that linux distros have traditionally had backwards
> is turning everything on by default, including all kinds of
> port access.


That used to be true for all *nix systems. It has noticably changed over
the past few years. I believe the only port on by default in today's
Fedora install is port 22. For attacks on port 22 there is a lovely
monitoring application called denyhosts that will shortly curtail
scripted attacks on 22.

Janina

Re: hacking attempts

[Doug Sutherland]

I totally agree that firewalls are not a panacea, and also that
its more important to not open ports that you don't have to.
I don't run any kind of services like ssh or ftp, I don't even
run inetd or anything like it. There are no ports open! The
only open ports are outgoing and related answers incoming.

One thing that linux distros have traditionally had backwards
is turning everything on by default, including all kinds of
port access. The first thing I do whenever installing is make
sure no services are running that open ports, and that only
what I need is running, period.

Having said that, a basic firewall is still important for its
drop packets functionality. You do not want any info that
you are even there, that you exist. You want to drop packets
therefore you should have a simple basic firewall in place.
Start by dropping everything, then allow only what you need.

  -- Doug

re: hacking attempts

[Jude DaShiell]

The firewall-piercing-HOWTO is not long but very educational for anyone 
who thinks firewalls are all that's needed to slow down hackers. Since I 
have no need to log into this machine from the outside, I edited 
/etc/ssh/sshd_config and commented out line 5 that starts out with Port 
and then saved my work.  I also downloaded the lcap package nd after 
having edited sshd_config I also did a chattr +i /etc/ssh/sshd_config. 
That won't stop hackers but may add a few seconds delay for them.