Text 6680, 351 lines
Written 2034-08-01 16:03:02 by Paul Rogers (1:105/360.0)
Comment on a text by Wayne Chirnside
Subject: Hijacked
================
WC> Any suggestions?
WC> I figure I'm rooted or have a trojan but am well over
WC> my head here.
Yep. Got Knoppix on a CD? Got a DOS fubar floppy that's always
been write-protected? And best of all, have you got a
diagnostic from the drive mfr that will write 0's to every
sector of the drive--ON guaranteed clean bootable media?
FIRST, PULL THE PLUG! Take that puppy off the net until you
have it all cleaned up, and its chastity belt cinched-up tight!
(See http://www.xprt.net/~pgrogers/Headline.html for
entertaining reading on that subject.)
You've got to sterilize that puppy and start over. If you're
VERY careful you might be able to boot knoppix and copy off any
text files you have to keep, but nothing executable. Presume
everything that CAN be infected HAS BEEN infected. Take no
prisoners!
I'd use the diagnostic to write 0's on every sector. Then I'd
partition/format it for a DOS drive, then forget that, wipe out
those partitions, and repartition for Linux, making sure the
layout isn't the same as the original. Then reinstall your
distro from CD/DVD.
I hope you're running a separate router/firewall. (See
http://www.xprt.net/~pgrogers/Firewall.html for suggestions.)
Even so, run an iptables firewall on your workstation. Enable
netfilter & state tracking (including ftp) in your kernel. Make
sure rc.d saves your iptables on shutdown & restores them on
boot BEFORE bringing up the network interfaces. (My
init.d/iptables slams the doors if it cannot read the file.)
This works for me:
#!/bin/bash
# firewall.sh - Configurable per-host firewall for workstations.
# Parts James Stephens (jns@ias.edu)
# PGR was here
# PGR Attitude: protect us from the big, bad world, and protect our
# LAN from rogue processes.
######################################################################
# Networks and port ranges. These live at top level rather than inside
# "on" so that "stop" can see LOCAL_NET as well.
NAMESERVER_1=000.000.000.000
NAMESERVER_2=000.000.000.000
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
#PGR source our variables, i.e. IP address
# (the sourced files are expected to set IP, BROADCAST and BASEIP)
. /etc/sysconfig/rc
. /etc/sysconfig/network
. $network_devices/ifconfig.eth0/ipv4
LOCAL_NET=$BASEIP.0/24
######################################################################
function on {
    echo "Firewall: enabling filtering"
    # Set up a default DROP policy for the built-in chains. If we modify and
    # re-run the script mid-session then (because we have a default DROP
    # policy), what happens is that there is a small time period when
    # packets are denied until the new rules are back in place. There is no
    # period, however small, when packets we don't want are allowed.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # These lines are here in case rules are already in place and the script
    # is ever rerun on the fly. We want to remove all rules and
    # pre-existing user defined chains and zero the counters before we
    # implement new rules.
    iptables -F
    iptables -X
    iptables -Z
    ## LOOPBACK
    # Allow unlimited traffic on the loopback interface.
    iptables -A INPUT -i lo -s $LOOPBACK -j ACCEPT
    iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT
    # Everything else comes from an external interface. This firewall is
    # for a network workstation, so in the default case that's one ethernet
    # interface, eth0.
    ## PACKET CHECKING
    ##=============================================
    ## SYN-FLOODING PROTECTION
    # This rule maximises the rate of incoming connections. In order to do
    # this we divert tcp packets with the SYN bit set off to a
    # user-defined chain. Up to limit-burst connections can arrive in
    # 1/limit seconds ..... in this case 4 connections in one second.
    # After this, one of the burst is regained every second and
    # connections are allowed again. The default limit is 3/hour. The
    # default limit burst is 5.
    iptables -N syn-flood
    iptables -A INPUT -p tcp --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    iptables -A syn-flood -j DROP
    ## Make sure NEW tcp connections are SYN packets
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    ## FRAGMENTS
    # Sending lots of non-first fragments was what allowed Jolt2 to
    # effectively "drown" Firewall-1. Fragments can be overlapped, and the
    # subsequent interpretation of such fragments is very OS-dependent. Do
    # not trust any fragments. Log fragments just to see if we get any, and
    # deny them too.
    iptables -A INPUT -f -j LOG --log-level notice --log-prefix "firewall (FRAG): "
    iptables -A INPUT -f -j DROP
    ## SPOOFING
    # Most of this anti-spoofing stuff is theoretically not really necessary
    # with the flags we have set in the kernel but you never know there
    # isn't a bug somewhere in your IP stack.
    # Refuse spoofed packets pretending to be from your IP address.
    iptables -A INPUT -s $IP -j DROP
    # Refuse packets claiming to be from a Class A private network.
    iptables -A INPUT -s $CLASS_A -j DROP
    # Refuse packets claiming to be from a Class B private network.
    iptables -A INPUT -s $CLASS_B -j DROP
    # Refuse packets claiming to be from a Class C private network.
    #iptables -A INPUT -s $CLASS_C -j DROP
    #PGR Can't do that, our LAN is a private network
    # Refuse Class D multicast addresses. Multicast is illegal as a source
    # address.
    iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
    # Refuse Class E reserved IP addresses.
    iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
    # Refuse packets claiming to be to the loopback interface. Refusing
    # packets claiming to be to the loopback interface protects against
    # source quench, whereby a machine can be told to slow itself down by an
    # icmp source quench to the loopback.
    iptables -A INPUT -d $LOOPBACK -j DROP
    # Refuse broadcast address packets.
    iptables -A INPUT -d $BROADCAST -j DROP
    ##PGR Limit furtive port scanners
    iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/second -j DROP
    ## ===========================================
    ## Standard services
    ## DNS
    # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512
    # bytes (possible, but unusual), and on certain platforms like AIX (I am
    # told), so you might have to add a copy of this rule for tcp if you
    # need it.
    # Allow UDP packets in for DNS client from nameservers.
    iptables -A INPUT -p udp -s $NAMESERVER_1 --sport domain -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s $NAMESERVER_2 --sport domain -m state --state ESTABLISHED -j ACCEPT
    #PGR allow DNS from local LAN too.
    iptables -A INPUT -p udp -s $LOCAL_NET --sport domain -m state --state ESTABLISHED -j ACCEPT
    # Allow UDP packets to DNS servers from client.
    iptables -A OUTPUT -p udp -d $NAMESERVER_1 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -d $NAMESERVER_2 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    #PGR allow DNS to local LAN too.
    iptables -A OUTPUT -p udp -d $LOCAL_NET --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    ## SSH clients
    # Allow ssh outbound.
    iptables -A INPUT -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
    ## WWW clients
    # Allow www outbound.
    iptables -A INPUT -p tcp --sport www -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport www -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport https -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport https -m state --state NEW,ESTABLISHED -j ACCEPT
    ## TELNET clients
    # Allow telnet outbound.
    iptables -A INPUT -p tcp --sport telnet -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport telnet -m state --state NEW,ESTABLISHED -j ACCEPT
    ## FTP clients
    # Allow ftp outbound.
    iptables -A INPUT -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    # Now for the connection tracking part of ftp.
    # 1) Active ftp.
    # This involves a connection INbound from port 20 on the remote machine,
    # to a local port passed over the ftp channel via a PORT command. The
    # ip_conntrack_ftp module recognizes the connection as RELATED to the
    # original outgoing connection to port 21 so we don't need NEW as a
    # state match.
    iptables -A INPUT -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
    # 2) Passive ftp.
    # This involves a connection outbound from a port >1023 on the local
    # machine, to a port >1023 on the remote machine previously passed over
    # the ftp channel in the server's reply to a PASV command. The
    # ip_conntrack_ftp module recognizes the connection as RELATED to the
    # original outgoing connection to port 21 so we don't need NEW as a
    # state match.
    iptables -A INPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## SMTP clients
    # Allow smtp outbound.
    iptables -A INPUT -p tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
    ## SAMBA/Windows clients to LAN server(s)
    ## SAMBA/Windows host's NETBIOS enquiries
    iptables -A INPUT -p udp --dport netbios-ns -s $LOCAL_NET -j ACCEPT
    iptables -A INPUT -p udp --dport netbios-dgm -s $LOCAL_NET -j ACCEPT
    # Allow SMB outbound. Replies from a LAN server come back FROM the
    # netbios ports (so match on --sport, as in the other client sections),
    # and the outbound side is matched on the LAN as destination.
    iptables -A INPUT -p tcp --sport netbios-ns -s $LOCAL_NET -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport netbios-dgm -s $LOCAL_NET -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport netbios-ssn -s $LOCAL_NET -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport netbios-ns -d $LOCAL_NET -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport netbios-dgm -d $LOCAL_NET -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport netbios-ssn -d $LOCAL_NET -m state --state NEW,ESTABLISHED -j ACCEPT
    ## AUTH server
    iptables -A INPUT -p tcp --sport auth -s $LOCAL_NET -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport auth -d $LOCAL_NET -m state --state NEW,ESTABLISHED -j ACCEPT
    # Reject ident probes with a tcp reset.
    # I need to do this for a broken mailhost that won't accept my mail if I
    # just drop its ident probe.
    iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
    ## TRACEROUTE
    # Outgoing traceroute anywhere.
    # The reply to a traceroute is an icmp time-exceeded which is dealt with
    # by the next rule.
    iptables -A OUTPUT -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT
    # ICMP
    # We accept icmp in if it is "related" to other connections (e.g. a time
    # exceeded (11) from a traceroute) or it is part of an "established"
    # connection (e.g. an echo reply (0) from an echo-request (8)).
    #PGR protect echo-requests against "The Ping of Death"
    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
    iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # We always allow icmp out.
    iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ## =============================================
    ## FALL-THROUGH
    #PGR log/reject the rest
    iptables -A INPUT -m limit --limit 40/minute -j LOG --log-level notice --log-prefix "firewall: "
    #PGR be nice to LAN processes
    iptables -A INPUT -s $LOCAL_NET -j REJECT
    iptables -A OUTPUT -m limit --limit 40/minute -j LOG --log-level notice --log-prefix "firewall: "
    iptables -A OUTPUT -j REJECT
    #PGR default policy is DROP
    # list
    iptables -L -n >/var/log/iptables
}
######################################################################
function off {
    # stop firewall
    echo "Firewall: disabling filtering (allowing all access)"
    echo "Are you sure? Really sure?"
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
######################################################################
function stop {
    # stop all external connections
    echo "Firewall: stopping all external connections"
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # allow anything over loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m limit --limit 40/minute -j LOG --log-level notice --log-prefix "firewall: "
    iptables -A OUTPUT -m limit --limit 40/minute -j LOG --log-level notice --log-prefix "firewall: "
    #PGR be nice to local network processes
    iptables -A INPUT -s $LOCAL_NET -j REJECT
    iptables -A OUTPUT -j REJECT
}
######################################################################
case "$1" in
    start)
        on
        ;;
    stop)
        stop
        ;;
    off)
        off
        ;;
    *)
        echo "$0 {start|stop|off}"
        echo "Start establishes all filtering rules"
        echo "Off disables all filtering!"
        echo "Stop disables all non-loopback connections"
        ;;
esac
echo "$0: Done."
Paul Rogers, paulgrogers@yahoo.com -o)
http://www.angelfire.com/or/paulrogers /\\
Rogers' Second Law: Everything you do communicates. _\_V
... We learn from history that we do not learn from history.
___ MultiMail/MS-DOS v0.35
---
* Origin: The Bare Bones BBS (1:105/360)
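The "copy off any text files you have to keep, but nothing executable" step, as an added example that is not part of the original post or Paul Rogers's script: a salvage routine for a suspect filesystem mounted read-only under a live CD. It refuses any file with an execute bit set and any file containing bytes outside printable 7-bit ASCII and whitespace, so ELF and MZ binaries, archives and anything with NUL bytes stay behind. The source and destination directories are arguments; the conservative text test (which also skips UTF-8 files with accented characters) is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original post): salvage plain-text files only
# from a possibly compromised filesystem. Run from clean boot media with the
# suspect disk mounted read-only; never execute anything found on it.

# is_plain_text FILE: succeed only if FILE is a regular, non-executable file
# whose every byte is printable ASCII or whitespace. Deliberately strict:
# when in doubt the file is left behind.
is_plain_text() {
    f="$1"
    [ -f "$f" ] || return 1
    # As root, -x is true if any execute bit is set: skip such files outright.
    [ -x "$f" ] && return 1
    # Under LC_ALL=C, [:print:] covers 7-bit printable ASCII only, so NUL,
    # ELF/MZ headers and high-bit bytes all count as non-text.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f" 2>/dev/null; then
        return 1
    fi
    return 0
}

# salvage_text SRC_DIR DST_DIR: copy qualifying files, keeping their relative
# paths, with mode 0600 on the copies. Each decision is reported on stderr;
# the number of files copied is printed on stdout as the result.
salvage_text() {
    src="$1"
    dst="$2"
    find "$src" -type f | {
        n=0
        while IFS= read -r f; do
            rel="${f#"$src"/}"
            if is_plain_text "$f"; then
                mkdir -p "$dst/$(dirname "$rel")"
                cp "$f" "$dst/$rel" && chmod 0600 "$dst/$rel"
                echo "copy: $rel" >&2
                n=$((n + 1))
            else
                echo "skip: $rel" >&2
            fi
        done
        echo "$n"
    }
}

# Usage (paths are placeholders): salvage_text /mnt/suspect/home /mnt/usb/rescue
```

Even the files that pass are data from a compromised host: treat them as untrusted input (no shell rc files, no anything a program will execute or source) when they reach the rebuilt machine.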
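The "restores them on boot BEFORE bringing up the network interfaces" and "slams the doors if it cannot read the file" behaviour, as an added example that is not Paul Rogers's init.d/iptables script: a boot-time loader that restores a saved rule set and, when that file is missing, truncated, group- or world-writable, or fails to restore, falls back to DROP policies with only loopback open. The rule file path, the iptables-save format, and the overridable IPTABLES, IPTABLES_RESTORE and IPTABLES_SAVE command names are this example's assumptions; ordering the script before the network service is left to the init system.

```shell
#!/bin/sh
# Added example (not the original poster's script): fail-closed iptables
# restore for boot. Assumes rules are kept in iptables-save format at
# RULES_FILE (an assumed path). IPTABLES* are overridable so the decision
# logic can be exercised without root, e.g. IPTABLES=: IPTABLES_RESTORE=:

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"

# slam_doors: closed-by-default policies with only loopback open, so a host
# whose rule file is unusable is isolated rather than exposed.
slam_doors() {
    "$IPTABLES" -P INPUT DROP &&
    "$IPTABLES" -P FORWARD DROP &&
    "$IPTABLES" -P OUTPUT DROP &&
    "$IPTABLES" -F &&
    "$IPTABLES" -X &&
    "$IPTABLES" -A INPUT -i lo -j ACCEPT &&
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
}

# rules_usable FILE: succeed only if FILE is readable, non-empty, not
# group- or world-writable, and looks like complete iptables-save output
# (a *filter table header and a terminating COMMIT). Anything else is
# treated as "no rules" rather than trusted.
rules_usable() {
    f="$1"
    [ -r "$f" ] && [ -s "$f" ] || return 1
    # Columns 6 and 9 of "ls -l" are the group and other write bits.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    grep -q '^\*filter' "$f" || return 1
    grep -q '^COMMIT$' "$f" || return 1
}

# firewall_start: restore the saved rules or fall back to slam_doors.
# Prints "restored" or "closed" so the caller can see which path was
# taken; both leave the host in a safe state.
firewall_start() {
    if rules_usable "$RULES_FILE" && "$IPTABLES_RESTORE" < "$RULES_FILE"; then
        echo restored
    else
        slam_doors
        echo closed
    fi
}

# firewall_save: write the live rule set to a private temp file and rename
# it into place, so a crash mid-write can never leave a half-written file
# for the next boot (which would then hit slam_doors).
firewall_save() {
    tmp="$RULES_FILE.tmp.$$"
    ( umask 077 && "$IPTABLES_SAVE" > "$tmp" ) && mv "$tmp" "$RULES_FILE"
}

case "${1:-}" in
    start) firewall_start ;;
    save)  firewall_save ;;
    "")    ;;  # run without arguments: define the functions only
    *)     echo "usage: $0 {start|save}" >&2; exit 2 ;;
esac
```

Note that iptables-restore applies a table atomically, so a restore that fails partway leaves the previous (empty, default-policy) state rather than half a rule set; the fallback to slam_doors then makes the default policy DROP explicitly instead of relying on whatever the kernel booted with.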