[SLE] Detecting hacker usage of a modem box?
Greetings!

Out of all the recent articles about DOS attacks on some of the big websites, the one thing that stuck out to me was the fact that a lot of unsuspecting computers on the internet were used to launch the attacks, and the sysad of those computers may never know it. I have a SuSE Linux 6.3 box with ipchains enabled to route network traffic through a PPP connection to the internet that's on between 8:30am and 1:30am. (This is to avoid being charged by my ISP for having a 24/7 connection.) I'm using a rather simple three-line configuration file to make this stuff happen. I don't have a firewall or anything else to make it difficult for hackers. I have a few questions about this configuration...

1. Does my current configuration prevent someone from using me as a launch pad for DOS attacks?

2. How can I tell if my system is being used in this way?

I'm looking into the possibility of setting up a firewall (more for the learning potential rather than a specific security threat) and/or adding some additional rules to ipchains. Any help is greatly appreciated!

Thanks!

Christopher Reimer

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
"Christopher D. Reimer" wrote:
Greetings!
Out of all the recent articles about DOS attacks on some of the big websites, the one thing that stuck out to me was the fact that a lot of unsuspecting computers on the internet were used to launch the attacks, and the sysad of those computers may never know it. I have a SuSE Linux 6.3 box with ipchains enabled to route network traffic through a PPP connection to the internet that's on between 8:30am and 1:30am. (This is to avoid being charged by my ISP for having a 24/7 connection.) I'm using a rather simple three-line configuration file to make this stuff happen. I don't have a firewall or anything else to make it difficult for hackers. I have a few questions about this configuration...
1. Does my current configuration prevent someone from using me as a launch pad for DOS attacks?
No, it doesn't. You'd probably be a prime candidate - almost 24/7, with no firewall. Although I suppose, since it is a modem connection, people may not bother...
2. How can I tell if my system is being used in this way?
You can have a look at the number of packets passing through each of your chains with 'ipchains -v' IIRC. If you have logging enabled for certain packets, they will be logged in /var/log/messages.
I'm looking into the possibility of setting up a firewall (more for the learning potential rather than a specific security threat) and/or adding some additional rules to ipchains. Any help is greatly appreciated!
Well, for a start, get an old computer and install a cut down version of SuSE on it, with only networking and no X. Or you could get an LRP image and use that. Shut off all (most) services on that box, replacing telnet with ssh, if you need to access it over the network. Then you could use the SuSE firewall script from http://www.suse.de/~mha/ or 'roll your own' ipchains rules - this could be the best option if you're in it for the learning experience.

Well, that was just a very brief overview, and I've probably missed out a few security related points, but it is just a rough outline. Now if you have any questions, just ask away.

Have fun,
Chris

--
Chris Reeves
ICQ# 22219005
Hi, On Fri, 11 Feb 2000, Chris Reeves wrote:
Then you could use the SuSE firewall script from http://www.suse.de/~mha/ or 'roll your own' ipchains rules - this could be the best option if you're in it for the learning experience.
A small correction: It's http://www.suse.de/~marc/ :)

"mha" is Michael Hasenstein's Homepage.

Bye,
LenZ

--
Lenz Grimmer                       SuSE GmbH
mailto:grimmer@suse.de             Schanzaeckerstr. 10
http://www.suse.de/~grimmer        90443 Nuernberg, Germany
Lenz Grimmer wrote:
Then you could use the SuSE firewall script from http://www.suse.de/~mha/ or 'roll your own' ipchains rules - this could be the best option if you're in it for the learning experience.
A small correction: It's http://www.suse.de/~marc/ :)
"mha" is Michael Hasenstein's Homepage.
Oops, sorry. Thanks, Lenz, for pointing that out. I suppose I should have checked first...

Chris

--
Chris Reeves
ICQ# 22219005
Christopher D. Reimer said:
Greetings!
Out of all the recent articles about DOS attacks on some of the big websites, the one thing that stuck out to me was the fact that a lot of unsuspecting computers on the internet were used to launch the attacks, and the sysad of those computers may never know it. I have a SuSE Linux 6.3 box with ipchains enabled to route network traffic through a PPP connection to the internet that's on between 8:30am and 1:30am. (This is to avoid being charged by my ISP for having a 24/7 connection.) I'm using a rather simple three-line configuration file to make this stuff happen. I don't have a firewall or anything else to make it difficult for hackers. I have a few questions about this configuration...
1. Does my current configuration prevent someone from using me as a launch pad for DOS attacks?
I don't think so. Apparently the traffic is being generated by a program that has been installed by the vandal(s) to connect to servers and make bogus requests at their command. Obviously, if your PPP connection isn't up then this program wouldn't be able to listen for the control commands or make its requests, but if you're connected then there's nothing stopping it.
2. How can I tell if my system is being used in this way?
I don't know. Is your link slow? If you're using a modem, are the tx/rx lights flashing when you're not doing anything? Maybe check the output of lsof -li for suspicious processes/connections? (also see below)
I'm looking into the possibility of setting up a firewall (more for the learning potential rather than a specific security threat) and/or adding some additional rules to ipchains. Any help is greatly appreciated!
Thanks!
Ipchains is a useful tool. I was messing around with it a couple weeks ago on my box, trying to figure out why my DSL modem light was flashing in the middle of the night when I wasn't doing anything[*]. Since I didn't want to disturb the rest of my setup I added a "logger" chain like so:

    ipchains -N logger
    ipchains -A logger -j RETURN -l

... and then routed everything coming in from my "external" NIC connected to my DSL modem to it:

    ipchains -I input -i eth1 -j logger

This logged _every_ packet that came in so at this point my log began to expand rapidly with all sorts of junk. :) To cut down on the volume I started adding rules at the head of the list to RETURN before hitting the logging rule at the end. A couple good ones to start with are:

    ipchains -I logger -p tcp ! -y -j RETURN
    ipchains -I logger -s 0/0 53 -d 0/0 1024: -p udp -j RETURN

The first one stops logging for any packet using the tcp protocol that isn't trying to create a new connection, and the second stops logging for udp packets coming back with DNS lookups. By adding similar rules for other connections as I recognised them I eventually slowed the flood to a trickle, and learned a few things in the process.

Now, I was more interested in stuff coming in than going out, but you could do the same sort of thing on your "output" chain if you wanted to see what kind of stuff you're sending out.

BTW, a good list of "well known" port numbers is available at: http://www.freesoft.org/CIE/RFC/1700/4.htm

-John

* As it turned out my brother had connected his laptop to the LAN to check usenet, but had forgotten to quit his newsreader when he went to bed. It was checking every so often for new messages, and that traffic was blinking the modem light. It was an interesting exercise trying to track that down. At least now I'll always remember that port 119 is the nntp port.
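Chris's answer above points at the chain counters and at the packets ipchains writes to /var/log/messages when a rule carries -l, and John's "logger" chain shows how to produce those lines; John also notes the same trick works on the "output" chain. The script below is an added example, not code from anyone in this thread: it takes that idea one step further and reads output-chain log lines to look for the three things a DoS agent on the box would produce, a burst of outbound TCP SYNs to one destination, outbound packets whose source address is not the PPP link's own (forged sources), and the destinations receiving the most bytes. The log format follows the ipchains HOWTO; MY_ADDRS, EXT_IF, WINDOW and SYN_THRESHOLD are assumptions to adjust for your own link, and every log line in SAMPLE_LOG is constructed for the demonstration, not a real capture.

```python
"""Spot a box being used as a DoS agent from ipchains packet-log lines.

Added example, not code from the thread.  It assumes the -l (log) flag is set
on rules in the "output" chain for the dial-up interface, so each outbound
packet yields a "Packet log:" line in /var/log/messages in the format the
ipchains HOWTO documents.  MY_ADDRS and EXT_IF are assumptions to adjust;
the log lines below are constructed, not real captures.
"""
import re
from collections import Counter, defaultdict

MY_ADDRS = {"10.0.0.1"}    # assumed address(es) of the PPP link; adjust
EXT_IF = "ppp0"            # assumed name of the dial-up interface; adjust
WINDOW = 10                # seconds; sliding window for the SYN-rate check
SYN_THRESHOLD = 50         # outbound SYNs to one host per WINDOW that count as a flood

# Kernel ipchains log format (ipchains HOWTO, "Logging"):
#   Packet log: <chain> <target> <if> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+"
    r"(?P<syn> SYN)?"
)


def _seconds(hhmmss):
    """Syslog time of day as seconds since midnight (no date handling)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Return a dict for one ipchains log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["ts"] = _seconds(p.pop("time"))
    p["syn"] = p["syn"] is not None
    for key in ("proto", "sport", "dport", "len"):
        p[key] = int(p[key])
    return p


def analyse(lines):
    """Three signs of an agent on the box, from outbound packets only:
    SYN bursts to one destination, forged source addresses, top talkers."""
    spoofed = Counter()               # src -> packets not from one of MY_ADDRS
    bytes_out = Counter()             # dst -> bytes sent
    syn_times = defaultdict(list)     # dst -> timestamps of outbound TCP SYNs
    for line in lines:
        p = parse_line(line)
        if p is None or p["chain"] != "output" or p["iface"] != EXT_IF:
            continue
        if p["src"] not in MY_ADDRS:
            spoofed[p["src"]] += 1
        bytes_out[p["dst"]] += p["len"]
        if p["proto"] == 6 and p["syn"]:
            syn_times[p["dst"]].append(p["ts"])

    floods = {}
    for dst, times in syn_times.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):      # most SYNs in any WINDOW-second span
            while times[j] < t - WINDOW:
                j += 1
            best = max(best, i - j + 1)
        if best >= SYN_THRESHOLD:
            floods[dst] = best
    return {"floods": floods, "spoofed": dict(spoofed), "bytes_out": dict(bytes_out)}


def _mk(time, src, sport, dst, dport, proto=6, syn=True, length=60):
    """Constructed log line in the kernel's format (sample data, not a capture)."""
    flag = " SYN" if proto == 6 and syn else ""
    return (f"Feb 11 {time} gw kernel: Packet log: output ACCEPT {EXT_IF} "
            f"PROTO={proto} {src}:{sport} {dst}:{dport} L={length} S=0x00 "
            f"I=1 F=0x4000 T=64{flag} (#1)")


# Constructed sample: a DNS query, one legitimate HTTP connection, then an
# 80-packet SYN burst to one host in four seconds with forged source addresses.
SAMPLE_LOG = [
    _mk("09:00:01", "10.0.0.1", 1025, "192.0.2.53", 53, proto=17, syn=False, length=45),
    _mk("09:00:01", "10.0.0.1", 1026, "198.51.100.7", 80),
    _mk("09:00:02", "10.0.0.1", 1026, "198.51.100.7", 80, syn=False, length=52),
] + [
    _mk(f"09:05:{i // 20:02d}", f"172.16.{i % 7}.{i % 251 + 1}", 1024 + i, "192.0.2.10", 80)
    for i in range(80)
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for dst, n in report["floods"].items():
        print(f"SYN flood: {n} SYNs to {dst} within {WINDOW}s")
    if report["spoofed"]:
        print(f"{sum(report['spoofed'].values())} outbound packets with forged source")
    for dst, n in sorted(report["bytes_out"].items(), key=lambda kv: -kv[1])[:5]:
        print(f"{n:8d} bytes -> {dst}")
```

To use it on a real box, replace SAMPLE_LOG with the lines of /var/log/messages (grep for "Packet log:") after adding a logging rule to the output chain for the PPP interface, in the same way John added one to his input chain. The forged-source check is the cheapest of the three: a legitimate gateway never sends packets out of its dial-up link with a source address that is not its own, so any hit there deserves a look regardless of rate, and an ipchains rule that rejects such packets on the output chain (egress filtering) stops that class of abuse outright.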
Hi.
At 22:23 on 10 Feb 00, Christopher D. Reimer begun to yabber about "[SLE] Detecting hacker usaged of a "
From: "Christopher D. Reimer"
1. Does my current configuration prevent someone from using me as a launch pad for DOS attacks?
Your system does not look as if it would be a very juicy system to compromise. In the recent DDoS attacks on large web sites, many high capacity hosts were used to launch the attack. Unless an amplifier was being used (which was not the case with the recent attacks) then your link speed would be too small to do significant damage.
2. How can I tell if my system is being used in this way?
There is a great run down of the programs that were used in the recent attacks on http://www.cert.org/ in the section about Denial of Service attacks. I am sorry that I can not remember the exact URL.

Cya
Matthew

Matthew King: Network Engineer, Cable & Wireless Optus.
My ICQ#: 2342475 Message me!
Cellular Phone: +61 415 257 516 / 041 525 7516 (Inside .au)
Home e-mail: nerd@zip.com.au
Work e-mail: Matthew.King@cwo.net.au
Homepage: http://www.zip.com.au/~nerd/
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT d+ s: a--- C++++ UL++++ P+ L+++ E---- W++ N++ o++ K w O- M- V- PS+ PE Y+ PGP- t+ 5++++ X++ R+ tv++ b+++ DI+++++ D++ G+++ e* h* r++ y+
------END GEEK CODE BLOCK------
participants (5)
- chris.reeves@iname.com
- creimer@rahul.net
- grimmer@suse.de
- jmgrant@primenet.com
- nerd@zip.com.au