User #63124 1549 posts
Whirlpool Enthusiast
This is a bit of a long story.
I've never been someone to proclaim that I know network security. I've even said my home network is fairly wide open. I do run a server at home that has a few websites that I use to teach myself things. I have sshd going so I can log in from anywhere both inside and outside the LAN. And use it for mail.
Other than that, nothing more.
My mother died on the 28th of Jan this year. While I was off organising her funeral, I discovered later that there was a user sitting on my server. Logged in via FTP to be exact.
I never had ftp services running. I'm not sure how they got there. But their IP traces back to Japan. Not even an hour later, after booting them off, sending their ISP an email stating that their customer was taking part in illegal activity, I got an email from my ISP via Paramount Pictures stating that I had downloaded copyright content.
I contacted my ISP first to see if the email was legit. Could have been spam. They confirmed it was true and that I should stop downloading that stuff. If anything, I download Top Gear episodes once a week. I have emailed Paramount Pictures in relation to my issue, but haven't heard back from them yet.
I have been watching my firewall ($ sudo ipfw list) and the same IP from before is constantly "Denied" access. Though it's still trying to hit my server pretty hard.
This morning, my ssh connection dropped off and now I can't connect and my websites aren't loading either. This could just be my ISP being broken. I won't know till I get home, as I cbf calling them and their status on their site is never accurate.
But in the meantime, I wanted to ask anyone here, and I know there are a few savvy people that have helped out immensely in the past that know how to secure a firewall properly. I've read some tutorials and set up my firewall accordingly. But I'm not 100% convinced myself.
If anything, this issue with Paramount has just made me more aware that I should get my arse into gear and make sure my network is as secure as it can possibly get. I've been learning different aspects of networks for a while. Security was something I unfortunately left till last.
Since there was never anything on my connect worth taking, I didn't think it was a big enough risk. Stupid me... in hindsight.
So here I am, in a crash course on protecting my network.
What are some suggestions? Sites that will illustrate security issues as well as give examples of what a firewall configuration should be like. What to block and what to allow?
Any suggestions on what I can do in the current situation? What can I do to stop this "hacking"?
Cheers pipsqeek
posted 2007-Feb-6, 2pm AEST
edited 2007-Feb-6, 3pm AEST
User #19351 2455 posts
Whirlpool Forums Addict
sorry to hear about your mother...
with your server, this sounds extremely similar to whats happening with me...
i currently have a linux gateway doing the same thing, but forward ftp ports to a windows server i have running filezilla server.
at least 5 times a day, there are jap IPs constantly trying to login using admin or administrator (my guess, brute force attacking to get the admin account details - lucky admin and administrator don't exist ;) ) this will keep happening until my gateway auto bans their IP or i see it and ban it myself.
my suggestion is to maybe block FTP ports 20 and 21 if you're not running an FTPd, block them with your firewall or iptables eve.
with regards to getting that e-mail, if you really want to take screens of that jap IP connected, because i once knew someone many years ago who got taken to court over copyright infringements, but the charges against them were dropped after it was uncovered that they had been hacked and were being used to traffic warez (haha - lucky)
posted 2007-Feb-6, 4pm AEST
User #444 2323 posts
Whirlpool Forums Addict
Hmmm...You need to address one issue at a time.
(1) It sounds like this attacker is a persistent SOB. Constantly hitting you.
Personally, I would take the server off line, and look at any logs. (But then again, if they took your machine, the logs would be compromised as well, as they would try to hide themselves).
Which distro are you using?
I guess you have a number of options...Block the usual ports or change port number of FTP, SSH, etc. Use SELinux? (quite tedious to set up properly). Download a distro called "Backtrack", run some penetration tests and reconfigure based on that.
Can be found here. www.remote-exploit.org/backtrack.html
Also consider "Bastille Linux"...This is a script that guides beginners into hardening their boxes.
If your box has been compromised, I would wipe it out, reinstall/re-do from scratch, and test it before I put it back online.
Could you reconfigure your firewall such that it doesn't block, but reject. (as in it doesn't let the other party know that they've been blocked...It just drops them). Technically, that's impolite in terms of "netiquette"...So I don't know how you feel about that.
Maybe set up a tarpit? www.securityfocus.com/infocus/1723
Preventing SSH Dictionary Attacks With DenyHosts www.howtoforge.com/preve...s_with_denyhosts
Chapter 12. Strategies for Keeping a Secure Server tldp.org/LDP/lame/LAME/l...sy/security.html
Secure Your Linux Server www.linuxdevcenter.com/p...your-server.html (old article that mentions ipchains...But we use iptables nowadays.)
Maybe buy a book or two?
Linux Server Security, Second Edition www.oreilly.com/catalog/linuxss2
Linux Security Cookbook www.oreilly.com/catalog/linuxsckbk
Network Security Hacks: 100 Industrial-Strength Tips & Tools www.oreilly.com/catalog/netsechacks
Network Security Assessment www.oreilly.com/catalog/networksa
(2) Regarding that Paramount Pictures issue.
Did you ask what file it was that they're accusing you of?
The only thing I can think of is using MoBlock (which is the Linux equivalent to PeerGuardian)...There's another called LinBlock (Perl script).
The key issue to address is your lack of knowledge...That's what is costing you. Beef that up, and things should improve.
I don't know how you want to do things or how your network is laid out, so I've suggested a bunch of things you can do.
The only thing I can personally add is that there isn't really a crash course in security. You have to read about it yourself. I would lean to a book as my reference point, and then expand on it using Google.com (That's how I would approach the overall issue).
Remember, you have to strike a balance between security and usability/ease of use. Example: SELinux is a great idea. You can limit what anyone can do to your system if it ever gets compromised. (You can even lock out root, if you wish). The problem is, it's a pain in the butt to properly set up and become well experienced with! There are a few good books on it, if you have the time.
My condolences about your mother.
posted 2007-Feb-6, 5pm AEST
User #44690 11005 posts
Whirlpool Forums Addict
All good points, stmok, but...
Example: SELinux is a great idea.
SELinux is really just a defence against bugs in software -- and all software has bugs, of course. It doesn't do squat to help you against badly configured firewalls, dictionary attacks against services, and so on. It can limit the possible damage from subverting software, but attackers generally aim for the easier vulnerabilities, like weak passwords.
I realise you meant this in your post... just making it clear that SELinux is not the final solution to security! :-)
posted 2007-Feb-6, 5pm AEST
edited 2007-Feb-6, 5pm AEST
User #63124 1549 posts
Whirlpool Enthusiast
Thanks for the replies so far. I've got some great starting points thanks to you.
Well, it seems that Paramount aren't too fussed as long as the files are gone. To be honest, I couldn't find the files to begin with. I got the email from them stating that they were warning me to remove the file. Regardless of who put it there, I should be responsible for my computer, network and internet connection and how it's used.
Pity they never got the points about me not being home 99% of the time, better things to do, someone else from my given IP compromising my network.
So if anything, it was just a warning from them. But that hacker IP is still trying to attack me. SOB.
I've done a $ sudo ipfw add drop src-ip xx.xxx.xx.xxx
x being their IP. ;)
pipsqeek
posted 2007-Feb-6, 6pm AEST
User #63202 3744 posts
Whirlpool Forums Addict
pipsqeek writes... So if anything, it was just a warning from them. But that hacker IP is still trying to attack me. SOB.
I have my server tucked away behind an IPcop firewall. The IPcop has snort and guardian on it. Guardian looks at the snort logs and blocks any traffic that causes it to alert. I then wrote a simple snort rule that triggers if it sees an FTP logon failure more than 3 times per 15 minutes from the same IP.
It works a treat for me, and has blocked many hacker attempts. I set this up after noticing my FTP logs were huge in size. They were full of "password failed" messages from a brute-force attack that had been going for about a week. (Funny thing, they were trying to log on as admin too!)
See www.ipcop.org for IPcop
See mh-lantech.css-hamburg.d...oad.php?view.162 for Guardian
Add this line to /etc/snort/local.rules (all on one line):
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 Login or password incorrect"; threshold: type threshold, track by_dst, count 3, seconds 900; priority: 1; classtype:attempted-user; sid:2000001;)
posted 2007-Feb-6, 7pm AEST
edited 2007-Feb-6, 7pm AEST
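An added example, not from the thread and not Snort or Guardian code: the same detection idea in portable shell and awk, run over a constructed FTP log excerpt. The Snort rule above matches the server's own "530" reply on its way back out to the client, which is why it tracks by_dst; the equivalent here is to count 530 replies per client address and flag any client that produces three of them inside a 900-second sliding window. A never-block list is included because an automatic blocker that acts on addresses an attacker can spoof can be turned against your own gateway or DNS server; the log lines and the NEVER_BLOCK entries are constructed values.

```shell
# Added example (not from the thread). Constructed FTP server log: "epoch client_ip ftp_reply_code".
SAMPLE_FTP_LOG='1170720000 203.0.113.10 530
1170720100 203.0.113.10 530
1170720200 198.51.100.7 530
1170720300 203.0.113.10 530
1170721000 198.51.100.7 530
1170722000 198.51.100.7 530
1170722100 192.0.2.44 230
1170722200 192.0.2.1 530
1170722210 192.0.2.1 530
1170722220 192.0.2.1 530'

# Addresses an automatic blocker must never touch (constructed: e.g. your gateway, DNS, NTP peers).
NEVER_BLOCK='192.0.2.1 127.0.0.1'

# Read "epoch ip code" lines on stdin; print each client that produces 3 or more 530 replies
# within any 900-second sliding window (same numbers as the Snort threshold: count 3, seconds 900).
ftp_bruteforce_check() {
  awk -v limit=3 -v window=900 -v skip="$NEVER_BLOCK" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) exempt[s[i]] = 1 }
    $3 != 530 { next }                          # only failed logins count
    {
      ip = $2; t = $1
      cnt[ip]++; ts[ip, cnt[ip]] = t            # remember every failure time per client
      hits = 0
      for (i = 1; i <= cnt[ip]; i++)
        if (t - ts[ip, i] < window) hits++      # failures still inside the window
      if (hits >= limit && !(ip in flagged)) {
        flagged[ip] = 1
        if (ip in exempt)
          print "WARN: exempt address " ip " hit the threshold (possible spoofing)" > "/dev/stderr"
        else
          print ip
      }
    }'
}

# Usage: printf '%s\n' "$SAMPLE_FTP_LOG" | ftp_bruteforce_check
# Each printed address is a candidate for one deny rule on the firewall.
```

With the sample above, 203.0.113.10 is reported (three failures within 300 seconds), 198.51.100.7 is not (its three failures are spread over 1800 seconds), the successful 230 login is ignored, and the exempt 192.0.2.1 produces a warning instead of a block candidate.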
User #19351 2455 posts
Whirlpool Forums Addict
pipsqeek writes... Regardless of who put it there, I should be responsible for my computer, network and internet connection and how it's used.
i hate how companies can say that... how is it your fault if a hacker compromises your pc's with an exploit that hasn't been discovered publicly yet, then takes full control of your system without you knowing?
but that snort script is gonna come in handy for me now :)
posted 2007-Feb-6, 7pm AEST
User #126369 1717 posts
Whirlpool Enthusiast
Hi pipsqeek, Sorry to hear about your Mum - & getting used as a relay.
I'm sure the above posts & links cover lots of it already but some more 2c worth!
If you don't want to serve anything to the outside world (much easier to secure), you should make your network seem like a black hole with an SPI based dedicated firewall device. It should be set to drop rather than deny packets so a visitor doesn't get any response at all.
Many $150 off-the-shelf routers that say SPI firewall, etc will be a good start.
Your server (& firewall especially) should have all unused services stopped & disabled at boot time too. Use a distro build intended to be a server as it's likely to be a much better start. Eg CentOS Server version or ClarkConnect, SME Server, etc.
Build a firewall with an old PC or grab a second-hand Compaq EN P3 or similar from eBay - have it boot from CDROM or read only drive so if you suspect it's hacked, just reboot. Check out pfsense or IPCop - BSD based & tough.
Programs like SSLExplorer seem a much more secure way to access your files from outside.
Auto account locking for 30mins on 3 bad attempts slows them down too.
Use long (min 8 char) non-dictionary upper+lower+numbers+specials passwords too.
Scan yourself (with browser set to direct connection not via ISP's proxy) at www.grc.com > shields up. Make sure you pass! (unless running a server)
posted 2007-Feb-6, 8pm AEST
User #63124 1549 posts
Whirlpool Enthusiast
I have to serve my mail for my business, and my websites for my own business use. I also work, so I ssh into the box almost all day long, which I normally use for monitoring logs, network activity, etc, in between work.
I use the web stuff to host test sites, and my own blog. I will make a site for a client before placing it live on a real host with a real URL, show it to them, they see it working, I make changes if needed and then publish it for them. They pay me, the end. :)
Funny thing is. FTP was working, yet I never had port 21 (or 22) forwarded to my machine, or open at all for that matter. So I really don't know how that happened. Unless they ssh'd in, enabled ftpd and did all their work.
On a good note. I've checked my ipfw.log file and all attacks have stopped completely.
I'm not going to open any ports I need just yet. I'll wait a bit more and test it out next week.
pipsqeek
posted 2007-Feb-6, 8pm AEST
edited 2007-Feb-6, 8pm AEST
User #63202 3744 posts
Whirlpool Forums Addict
Redpacketboy writes... Build a firewall with an old PC or grab a sec hand Compaq EN P3 or similar from eBay
Funny you say this... guess what my IPcop box is and where I got it?! The only catch is the SFF version of the Compaq EN must have a keyboard plugged in to boot. I solved it by pulling one apart, wrapping it in insulation tape, plugging it in and hiding it behind the box.
Picked it up for $60 including freight from Melbourne to Brisbane. Oh, it's the 1GHz P3 version - the good one. It also runs DansGuardian (aka cop-plus) which needs some horsepower.
posted 2007-Feb-6, 9pm AEST
User #444 2323 posts
Whirlpool Forums Addict
Foonly writes... All good points, stmok, but...
SELinux is really just a defence against bugs in software -- and all software has bugs, of course. It doesn't do squat to help you against badly configured firewalls, dictionary attacks against services, and so on. It can limit the possible damage from subverting software, but attackers generally aim for the easier vulnerabilities, like weak passwords.
I realise you meant this in your post... just making it clear that SELinux is not the final solution to security! :-)
That's correct. Security is multi-faceted.
Because he mentioned being compromised, you can use Mandatory Access Controls to limit what an attacker can do, as your very last line of defence. Clearly, it's not the be-all solution. (I never intended to suggest that!)
You could combine it with PaX, Stack Smash Protection, and PIE (position independent executable).
The way I see it.
Defence Layer 1 (Outer layer)
* Firewall
* IDS/IPS
* Proxy
* Mail scanning, etc.
Defence Layer 2
* PaX with PIE
* SSP
* Exec Shield
* W^X (on OpenBSD)
Defence Layer 3 (Last line of defence)
* Mandatory Access Control (eg: SELinux, LIDS, grsecurity, RSBAC)
...Maybe slap in TrueCrypt for sensitive or confidential data?
All this technology still does NOT replace knowledge and experience...ie: Your brain.
There are distros which have some of these technologies implemented.
Such as Trustix, EnGarde Secure Linux, Fedora/Red Hat/CentOS (has Exec Shield and SELinux), Adamantix, Openwall GNU/Linux (or Owl), Devil-Linux, and so on.
More stuff...
Securing Linux with Mandatory Access Controls security.linux.com/artic...05/02/11/2017218
Hardened Gentoo www.gentoo.org/proj/en/hardened
Network Security Toolkit www.networksecuritytoolk...g/nst/index.html
ADIOS Project os.cqu.edu.au/adios (Good for learning?)
Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment www.howtoforge.com/ubunt...firewall_gateway
Bastille Hardening program www.bastille-linux.org
Either way, I suggest you look at your network and see if it's acceptable to just have the basics of security. (keep it simple at the start...Firewall, IDS, Bastille Linux, other security tweaks). If needed, you can add the above mentioned security technologies at a later time.
I suppose you should get a high-powered PC with plenty of RAM and use VMware Server (free) to set up a virtual network to learn and study security practices and techniques. (At least then, its a network you can control without interfering with your business).
Also, be wary of the weaknesses of the various technologies and implementations.
For example: In regards to using a "reactive firewall" (as in using an IDS to adapt the firewall to incoming threats)...Here's a comment from an OpenBSD discussion:
The real problem with technology like this, is the fact that IPv4 makes source spoofing so easy. With so many scanning/DoS tools utilizing decoy source addresses or just flat out spoofed source addresses in the case of DoS tools, a network exposes itself from being the actual _cause_ of a DoS. If, for example, someone uses nmap to scan your host/network and source spoofs the address of say your upstream gateway, a.root-servers.net, your local loopback or any similar hosts, you begin to see the danger here when your firewall or other reactive technology starts blocking hosts automatically. Worse yet, what if they source spoof the address of any one of your anti-spam sendmail databases, large blocks of customer IP addresses or something similarly dangerous?
In this case, we exploit the weakness (false positives) of an IDS solution. I suppose to counter that, we would write a "smarter" behaviour code and improve/lower the false positive issue.
Another example is PaX not being able to protect you in every case of buffer overflow bugs, while Exec Shield has a weakness compared to PaX when a non-NX capable CPU is used.
They're just examples of why you need to be familiar with the security tools you're using. No single security technology is foolproof.
Security is actually about making it difficult for the attacking party. You make it so hard that they won't bother with you and move onto someone else. (Remember, there are PLENTY of Windows boxes run by clueless desktop users...Heck, form your own bot army!)
Security is also a compromise between "how high you want it" vs "convenience". Since you're learning, keep it simple and strengthen your knowledge of the fundamentals. Don't get too elaborate unless you really need those extra features.
I'm only mentioning all these technologies because I believe people should be aware of the options available to them. It's up to them to choose what best fits their requirements.
posted 2007-Feb-7, 7am AEST
User #72915 1669 posts
Whirlpool Enthusiast
pipsqeek writes... Paramount Pictures stating that I had downloaded copyright content. But their IP traces back to Japan.
Sony is going broke... they are in cahoots with the RIAA/MPAA/BSA
Intellectual Property isn't worth the paper it's written on.
They are trying to 0wn everyone.
The behaviour of these large IP cartels is exactly the same behaviour I have seen at the micro economic level when someones business is going broke...
Sorry it doesn't help you with security, but just know that everyone is getting their PC p4wn3d by these arseholes at the moment. There are good things that will come of it: better security!!!! People will notice these attacks, and improve software/networks... hopefully...
pipsqeek writes... I have emailed Paramount Pictures in relation to my issue, but haven't heard back from them yet.
Never communicate directly with these people. Direct all communications through a lawyer. If you don't want to pay a lawyer, then don't talk to these large corporations... these corporations are full of legalese arsehole bitches whose only pleasure in life is making people suffer... DO NOT COMMUNICATE WITH THEM. KEEP YOUR MOUTH SHUT. MAKE NO COMMENT.
I have been watching my firewall ($ sudo ipfw list) and the same IP from before it constantly "Denied" access. Though it's still trying to hit my server pretty hard.
Remote bot/script attack.
Since there was never anything on my connect worth taking, I didn't think it was a big enough risk.
Your CPU/Storage/Bandwidth is worth taking. Botnets are built on, and thrive on, such things. With the rise of linux into the common household we are seeing an increase in these botnets as they lose their easy prey (microsoft). I've been noticing some funny things with my router lately, and I believe (potentially) that the software in it may be compromised... potentially...
en.wikipedia.org/wiki/Botnet
pipsqeek writes... Any suggestions on what I can do in the current situation? What can I do to stop this "hacking"?
Don't have open services to the world and you won't get hacked in the first place. Keep your software/firmware up to date. Currently? Well, it sounds like you are undergoing a mild DOS attack as the botnet tries to take back its host... botnets compete against each other for individual computers and it may simply think that another botnet has beaten it, so it just runs through its scan of your computer again looking for vulnerabilities... eventually it will/may give up and lower the ranking of your IP in its "hackable" IP list.
pipsqeek writes... So here I am, in a crash course on protecting my network.
Your DSL router with NAT and no port forwarding enabled is reasonably good... just keep the firmware up to date.
Disable javascript in your web browser...
Yeah, thats about it as far as securing a network goes... I'd love to hear some more people view on this one.
posted 2007-Feb-7, 7am AEST
User #72915 1669 posts
Whirlpool Enthusiast
SELinux is just process regulation, which is analogous to file system permissions.
posted 2007-Feb-7, 7am AEST
User #72475 2441 posts
Whirlpool Forums Addict
My understanding of SELinux is that it doesn't stop you being hacked but it hopefully stops that hack from escalating to full root access. A classic example is given in Bill McCarty's book on SELinux. From memory, he highlights a case where an apache exploit could be escalated to root access by an exploit for ptrace which was setuid. SELinux would wall apache off from ptrace and halt the escalation of privileges.
To the OP.
Security starts before you even install; in particular, join the right mailing list for your distribution so you know when there are security updates. Also, don't just rely on a firewall; as suggested by others, there are lots of security settings to tweak. After your firewall, look at things such as tcpwrappers as well.
posted 2007-Feb-7, 8am AEST
User #35179 735 posts
Whirlpool Enthusiast
This is a great topic, but one that has no sure 100% safe solution. The only thing you can do is make it so damn difficult to get in that potential hacks look for an easier target.
I myself have a router with a built in firewall which is also running NAT. Behind that is a BSD box running multiple NICs and a PF firewall. So to get to the important parts of my network you must get through two dissimilar firewalls. Of course much better than using two firewalls of the same kind.
Nothing is allowed to come in and all packets are logged so I can watch them with tcpdump. I temporarily open up ports in the morning from home that I will need from a remote site but then close it when not needed. eg sshd, yeah it can be a bit of a pain but it's safer.
I use cron to run a script that reads and dumps all denied connections to a format easily read using a web browser. I also skim through it all just in case they were really good ;)
Maybe you should limit the IP address that sshd will accept connections from? Or use certificate based authentication? And change the port it listens on. Also make sure your firewall cannot be scanned easily so people cannot just look for opened ports but rather have to know where they are.
Do not keep anything valuable on that particular computer, if somehow someone does get in they do not get anything important to you.
Having said all that, security and usability go together; you can make things totally secure but then they become less usable....
posted 2007-Feb-7, 10am AEST
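An added example, not from the thread: the kind of cron-driven report described in the post above, written in portable shell and awk and run over a constructed excerpt of ipfw log lines (the line layout follows what ipfw writes through syslog; the hostname and addresses are constructed). It counts denied packets by source address, destination port and protocol, busiest first, and a second function renders the counts as an HTML table for viewing in a browser.

```shell
# Added example (not from the thread). Constructed ipfw log lines in the layout ipfw uses via syslog.
SAMPLE_IPFW_LOG='Feb  7 09:51:02 mini ipfw: 65000 Deny TCP 203.0.113.10:4001 192.0.2.5:21 in via en0
Feb  7 09:51:03 mini ipfw: 65000 Deny TCP 203.0.113.10:4002 192.0.2.5:21 in via en0
Feb  7 09:51:05 mini ipfw: 65000 Deny TCP 203.0.113.10:4003 192.0.2.5:21 in via en0
Feb  7 09:51:09 mini ipfw: 65000 Deny TCP 203.0.113.10:4004 192.0.2.5:22 in via en0
Feb  7 09:52:40 mini ipfw: 65000 Deny UDP 198.51.100.7:53 192.0.2.5:1026 in via en0
Feb  7 09:52:41 mini ipfw: 65000 Deny UDP 198.51.100.7:53 192.0.2.5:1026 in via en0
Feb  7 09:53:11 mini ipfw: 00100 Accept TCP 192.0.2.9:50022 192.0.2.5:22 in via en0'

# Read ipfw log lines on stdin; print "hits source dstport proto" for denied packets, busiest first.
# Accepted packets and any non-ipfw syslog lines are skipped.
ipfw_denied_summary() {
  awk '
    $5 == "ipfw:" && $7 == "Deny" {
      src = $9;    sub(/:.*/, "", src)         # drop the (random) source port
      dport = $10; sub(/.*:/, "", dport)       # keep only the destination port
      count[src " " dport " " $8]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Wrap summary lines in an HTML table so the report can be read in a browser.
denied_summary_html() {
  printf '<table>\n<tr><th>Hits</th><th>Source</th><th>Dst port</th><th>Proto</th></tr>\n'
  while read -r hits src port proto; do
    printf '<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n' "$hits" "$src" "$port" "$proto"
  done
  printf '</table>\n'
}

# Usage (what the cron job would run, with the real log file in place of the sample):
#   printf '%s\n' "$SAMPLE_IPFW_LOG" | ipfw_denied_summary | denied_summary_html > denied.html
```

On the sample the first summary line is "3 203.0.113.10 21 TCP", i.e. three denied attempts at the FTP port from one source, which is exactly the pattern the earlier posts in this thread were trying to spot.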
User #63124 1549 posts
Whirlpool Enthusiast
From what I've been reading up on so far, I feel it's better for me to "drop" any requests as opposed to deny or reject. As the latter two send acknowledgements back. I'd rather they get nothing in return.
Now, what I'm finding is that my ipfw.log is getting pretty big. I thought I'd move the log file into a directory I can save and look at later. And create a new ipfw.log file. But since I've created it, this morning. The log file is completely empty when I do a $ cat /private/var/log/ipfw.log
Have I broken the log?
Cheers pipsqeek
posted 2007-Feb-7, 1pm AEST
User #72475 2441 posts
Whirlpool Forums Addict
How do the permissions on the log file compare to the other log file?
posted 2007-Feb-7, 2pm AEST
User #63124 1549 posts
Whirlpool Enthusiast
The new file:
$ ls -la /private/var/log/ipfw.log
-rw-r----- 1 root admin 1 Feb 7 09:51 /private/var/log/ipfw.log
The old file that I moved :
$ ls -la ~/log_archive/ipfw.log
-rw-r----- 1 root admin 1429058 Feb 7 09:54 /Users/admin/log_archive/ipfw.log
posted 2007-Feb-7, 2pm AEST
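An added example, not from the thread, that reproduces the situation in the two listings above in a throwaway directory: a process that has a log file open keeps writing to the same inode after the file is renamed, so the moved copy keeps growing (note the 09:54 timestamp on the archived file, three minutes after the move) while the freshly created file stays empty. This is a general property of Unix file descriptors, not anything specific to ipfw or OS X; the log lines and paths below are constructed. The usual remedies are to have the logging daemon reopen its files after the rename (which is what the system's own log rotation does), or to copy the log out and truncate the original in place, as the second function shows.

```shell
# Added example (not from the thread). Simulates a logging daemon that opened ipfw.log once and
# keeps writing to it while the file is moved aside and a new one is created, as described above.
rotation_demo() {
  dir=$(mktemp -d)
  log="$dir/ipfw.log"
  exec 3>>"$log"                       # the "daemon" opens the log once and holds fd 3
  i=0
  while [ "$i" -lt 5 ]; do             # constructed log lines written before the move
    printf 'Feb  7 09:50:0%d mini ipfw: 65000 Deny TCP 203.0.113.10:4000 192.0.2.5:21 in via en0\n' "$i" >&3
    i=$((i+1))
  done
  mv "$log" "$dir/ipfw.log.old"        # what the OP did: move the big log out of the way
  : > "$log"                           # and create a fresh, empty ipfw.log
  i=0
  while [ "$i" -lt 5 ]; do             # the daemon knows nothing of the rename and keeps writing via fd 3
    printf 'Feb  7 09:54:0%d mini ipfw: 65000 Deny TCP 203.0.113.10:4001 192.0.2.5:21 in via en0\n' "$i" >&3
    i=$((i+1))
  done
  exec 3>&-                            # only on reopen (HUP/restart) would the daemon pick up the new file
  new_lines=$(( $(wc -l < "$log") ))
  old_lines=$(( $(wc -l < "$dir/ipfw.log.old") ))
  rm -rf "$dir"
  echo "new=$new_lines old=$old_lines"  # prints: new=0 old=10
}

# Copy-and-truncate alternative: the open descriptor stays valid and, because the daemon opened the
# file in append mode, its next write lands at the start of the now-empty file rather than at the old offset.
copytruncate_demo() {
  dir=$(mktemp -d)
  log="$dir/ipfw.log"
  exec 3>>"$log"
  printf 'line 1\nline 2\nline 3\n' >&3
  cp "$log" "$dir/ipfw.log.old"        # archive a copy instead of renaming
  : > "$log"                           # truncate in place; fd 3 still refers to this inode
  printf 'line 4\n' >&3
  exec 3>&-
  new_lines=$(( $(wc -l < "$log") ))
  old_lines=$(( $(wc -l < "$dir/ipfw.log.old") ))
  rm -rf "$dir"
  echo "new=$new_lines old=$old_lines"  # prints: new=1 old=3
}
```

Run either function to see the two outcomes side by side; the difference is entirely in whether the writer's descriptor still points at the file that now carries the original name.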
User #63202 3744 posts
Whirlpool Forums Addict
pipsqeek writes... From what I've been reading up on so far, I feel it's better for me to "drop" any requests as opposed to deny or reject. As the latter two send acknowledgements back.
Dead right! "Don't even give the nosey parkers the time of day," I say. And, I mean that literally... when Guardian sees something in the Snort log it does not like, it drops all packets from the IP, including NTP requests (I run a server in au.pool.ntp.org). It gets a little trigger happy and occasionally shoots an innocent bystander or three, but I'd sooner that than get hacked. (You find Guardian on the Snort web site.)
I'd also suggest you read up on psad. It seems to work well too. I am building a new server in the next few weeks and am considering taking it for a serious test drive.
posted 2007-Feb-7, 8pm AEST
User #63124 1549 posts
Whirlpool Enthusiast
The current server is a Mac mini PPC running OS X Server. Though I've set up most of it all through the CLI, never touching the GUI.
Though, the license I am using for the install is a spare OS X Server license from a friend of mine that has two X-Serves and only has one running Server, the other runs OS X Client, for his reasons that it's too late in the evening for me to ramble on about.
I want to give his license back, even though he is okay with me using it for longer. So I have installed Ubuntu Server on a nice G4 tower I had laying about. I have installed a 160GB and 320GB HDD in it, and stuck Ubuntu on the 160GBer.
I've yet to start configuring it to replace my server.
I run into small brick walls in setting things up in CLI on linux, but I'm mainly doing it to learn more.
pipsqeek
posted 2007-Feb-7, 9pm AEST