
Firewall troubles

Status
Not open for further replies.

ilpadrino

MIS
Feb 14, 2001
416
US
Hi. I have a RH 7.0 firewall that does 3 simple things using ipchains and ipmasqadm. It forwards email to our Exchange server on the private LAN, and it acts as a gateway between the private LAN and the internet. It also runs squid for proxy.

I have been notified by a couple companies that we are port-scanning their network. Of course I am not intentionally doing this. But I am a linux newbie and was wondering if the linux server is doing something I don't want it to by default.

I have disabled all incoming ports such as ftp and telnet so that the machine cannot be compromised at all from the internet.

Is there any process that could be running that other companies may mistake for some sort of portscan? Any suggestions?

Thanks, Joe.
 
Hi,

the gateway itself will probably NOT do anything that makes others think they are scanned by you.

It might be that your system has been hacked and someone misuses your box for port-scanning activities. Or there might be someone from the internal LAN practicing..

Check the activities (logfiles) reported to you against your local users' activities. If your box has been hacked it is necessary to bring it offline, reboot from a rescue disk/CD and check your system, e.g. startup scripts, inetd configuration, .rhosts files, unusual files or directories like ".. " (dot-dot-space) and many more things to check. "tripwire" is your friend, if you used it before..;)

good luck,
mbr
 
mbr,

I don't know what you mean by tripwire, but what logfiles for local users' activities are you referring to? Where do I find those?
 
Hi.

I agree with mbr here, I think the machine has probably been rooted.

The tips:

* What are you doing using RH as a firewall :O !!! Get OpenBSD and set that up.

* Tripwire is a daemon that should ideally be run as soon as the box boots up for the first time after a fresh install. What it does is record the "state" of important files and directories such as those used for configs of different programs and user files. It then encrypts this and monitors to see if the said files have been altered and alerts you if they have.

* Before relying on a linux box to fend off your network from attack, wouldn't it be useful to scour the net and read a book or two about the OS? :)

Hope this helps

Someone!

 
A few comments:

RH will work fine as a firewall, assuming you have some security know-how. OpenBSD is famous for its "secure by default" stance, and so it would be easier for a newbie to set up a secure OpenBSD system (you generally have to make it insecure). It takes me several hours to build a rh system so that I feel it is safe to be on the network, and I've had quite a bit of practice at it.

Tripwire isn't a daemon, it's just a normal program. It uses a few key elements to track files such as modification date and time, but more importantly it creates cryptographic hashes of these files and stores the hash for later comparison. If you don't run tripwire on a known-good OS (basically, right after install, before it hits the network) or you don't keep tripwire and its databases off site (it's fairly simple for an attacker to modify tripwire or the database to give a false negative) then it's about worthless.

For an example of what one of these hashes looks like, run the program 'md5sum'. It is very difficult to create a file that will produce the same md5 hash as the original (read: nigh impossible).

If you're going off some of the basic security papers out there, you may be missing a huge part of the picture. Remember, inetd is not the only place that services get started, so if all you did was tweak with inetd.conf, you've got a lot of holes still waiting to be exploited. Always portscan yourself, or at least run netstat to see what ports are open on your system.

Be sure to keep up to date on patches, rpm makes this fairly easy. Just grab all the latest rpms from updates.redhat.com and run 'rpm -Fvh *'. You should compare the md5sum and gpg signature on the file with the one in the rh advisory before you do this, of course... everyone does that, right? Yeah, sure.

At this point, I would consider that system to be compromised. As such, the best thing to do would be to reinstall it, unless you can confirm with absolute certainty that it is still secure. When you do the reinstall, do not bring the system back on to the network until you have confirmed that there are no services running at all, and you have installed the latest patches for those programs you are running. Don't rely on commenting out inetd.conf, also run 'ntsysv' and see what is checked. Most of the items in the list can be turned off without any problems. If you have any questions about what should be running, then feel free to ask here or on any other linux board you feel comfortable on (linuxnewbie.org has been a big help to a lot of people... of course, sensei got fired, or something, so who knows what's going on).
 
On the subject of misconceptions, I'm gonna plug myself here. Here's an article I wrote called "TCP Wrappers Misconceptions" that goes a little into the sort of ideas that new admins have about security, and that are absolutely wrong.
If anyone has comments on the article, please email me (link is on the page). Hopefully this was somewhat on topic (I think it is, or else I wouldn't have thought to post it).
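The post above describes what tripwire does: hash a known-good tree, store the hashes, and compare later. The shell script below is an added example (not from the thread, and not tripwire itself) that implements that idea with the md5sum program the post mentions. It assumes GNU coreutils (md5sum, find, sort, diff) and a POSIX shell; the baseline file must be kept outside the tree it describes, and, as the post says, ideally off the machine entirely.

```shell
#!/bin/sh
# Added example: a minimal tripwire-style integrity baseline using md5sum.
# Assumes GNU coreutils (md5sum, find, sort, diff) on a POSIX shell.

# make_baseline DIR BASELINE_FILE
# Hash every regular file under DIR and write "hash  ./path" lines,
# sorted by path so two baselines of the same tree compare line-for-line.
make_baseline() {
    dir=$1
    out=$2
    # The redirect is applied by the parent shell, so a relative
    # BASELINE_FILE is resolved from the caller's directory, not DIR.
    ( cd "$dir" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k 2 ) > "$out"
}

# check_baseline DIR BASELINE_FILE
# Re-hash DIR and diff against the stored baseline. Prints the differences
# (modified, added and removed files) and returns 0 when the tree matches,
# 1 when anything changed.
check_baseline() {
    dir=$1
    base=$2
    tmp=$(mktemp) || return 2
    make_baseline "$dir" "$tmp"
    if diff "$base" "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# demo: build a scratch tree, take a baseline, tamper with one file and
# add another, then show the check catching both. Constructed data only.
demo() {
    scratch=$(mktemp -d)
    base=$(mktemp)
    mkdir -p "$scratch/etc"
    printf 'root::0:0:root:/root:/bin/sh\n' > "$scratch/etc/passwd"
    printf 'finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd\n' > "$scratch/etc/inetd.conf"
    make_baseline "$scratch" "$base"
    echo "baseline taken, $(wc -l < "$base") files"
    printf 'evil::0:0::/:/bin/sh\n' >> "$scratch/etc/passwd"   # tamper
    printf 'x\n' > "$scratch/etc/.. "                           # dot-dot-space
    check_baseline "$scratch" "$base" && echo "clean" || echo "CHANGED"
    rm -rf "$scratch" "$base"
}
```

Usage: `make_baseline /etc /mnt/floppy/etc.md5` right after install, then `check_baseline /etc /mnt/floppy/etc.md5` from a rescue boot. Running `demo` prints the baseline size and then "CHANGED" together with the diff lines for the tampered and added files. Because the check regenerates the whole listing and diffs it, added and deleted files are reported too, which `md5sum -c` alone would not catch.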
 
Hi,

to repeat the famous words of a famous expert: "Security is not a product, it's a process" (Bruce Schneier)

I mean, it's not a question of just using another Box/OS/tool, it's you who has to care about, learn and act accordingly, not only learning the hard way by reacting to an event like this.

It's not a good idea to put in another box and feel safe because of the builtin-security(TM).

For now, you can't trust your gateway (and the boxes behind), there probably being no time for doing in-depth research on security before reinstalling it. The good news is that there is plenty of information and support on the net, while the bad news is that it takes your time anyway.

Some resources:

There has been a great book "Securing RedHat-Linux (6.2)" for download at but it seems that they don't offer the actual Version 2 which covers RedHat7 for free any more, the $49.50 now will surely be a good investment (I'm not paid for this..;)

ciao, mbr
 
To jump on the bandwagon here, MOST operating systems can be used as a firewall successfully. It is not the OS that is insecure generally, but the way it has been configured.

Using RH and ipchains can be very secure, but only if implemented by someone who knows what they are doing.

To check this, I would suggest Joe goes to (probably) /var/log/httpd and checks out if there are any access_log files in there. (if not, try to find them) Open these and you may be able to tell what is going on.

Hope this is of help.
 
ilpadrino,

A port scan is not the kind of thing a traditionally configured linux box does by default;-)

However it is very possible that someone on your LAN is scanning people. This is not so bad. Much better than having been cracked.

If in the worst case you have been compromised, then you need to find out how. Then reinstall. That's about all you can do, it happens.

There is no secure machine except one without a power supply.

Bye.
 
Hi ilpadrino,

I don't see the arrogance -
if that was for me, I have to say I'm sorry.

eCommunication is great media, but still lacks some important features..

ciao, mbr
 
ilpadrino,

Get onto your firewall and do a

ps a l x w

Look for a ./pscan entry as we had that one. If you have that entry you have been compromised. If in doubt, paste the results in here...

Zel - recently had to become a Linux expert for exactly these reasons...
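Zel's check above looks for one specific name (./pscan) in the process list. The shell function below is an added example (not from the thread) that generalises that check: instead of one name, it flags any process whose command was launched from a relative path ("./something") or from a world-writable directory such as /tmp, /var/tmp or /dev/shm, which are the usual homes of dropped tools. It assumes a procps-style `ps -eo pid,user,args` listing (pid, user, then the command), and the sample listing in `demo` is constructed, not real output from anyone's box.

```shell
#!/bin/sh
# Added example: flag processes started from relative paths or from
# world-writable directories. Assumes `ps -eo pid,user,args` layout
# (three columns: pid, user, command...) on stdin.

# flag_suspicious_procs
# Reads "pid user command args..." lines from stdin and prints the ones
# whose command path is relative ("./x") or under /tmp, /var/tmp or
# /dev/shm. Exits 0 if anything was flagged, 1 if the listing was clean
# (grep-style), so it can drive an alert in a cron job.
flag_suspicious_procs() {
    awk '
        {
            cmd = $3
            if (cmd ~ /^\.\// || cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
                print
                flagged++
            }
        }
        END { exit (flagged > 0) ? 0 : 1 }
    '
}

# check_live_procs
# Runs the check against the real process table. `tail -n +2` drops the
# header line that ps prints.
check_live_procs() {
    ps -eo pid,user,args | tail -n +2 | flag_suspicious_procs
}

# demo: constructed sample listing showing two hits and three normal entries.
demo() {
    sample='  812 root     /usr/sbin/sshd
 1207 squid    (squid) -D
 4410 nobody   ./pscan 10.0.0
 4412 joe      /tmp/.x/bnc
 4420 joe      -bash'
    if printf '%s\n' "$sample" | flag_suspicious_procs; then
        echo "suspicious processes found, treat the box as compromised"
    else
        echo "nothing flagged"
    fi
}
```

Usage: run `check_live_procs` on the firewall; an empty result with exit status 1 means nothing matched. Running `demo` prints the two constructed lines for ./pscan and /tmp/.x/bnc followed by the warning. A clean result is not proof of anything, since a rootkit can replace ps itself, which is why the earlier posts recommend checking from a rescue boot and reinstalling if in doubt.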
 
No mbr, your responses helped me the most. Especially the downloadable book. I was blown away by all the things I can do to secure the install before I even set up the firewall. I'm still reading that book now to learn more.

However, I did do a lot of research before I started this project. I looked for books at the bookstore, but could find none. What I basically learned was how to set up the masquerading and port forwarding, but not how to secure it.

This was supposed to be a temporary machine to protect the network before we made a major transition, at which point we would remove the machine. It's not an excuse, but I was pretty rushed to get a solution on old hardware we had lying around.

Thanks again.
 