Ricardo Kleemann wrote:
Hi,I run an older version of shorewall (1.4.2) and need some helping setting up some rules. I received an abusenet notification that one of my servers is being used to hack elsewhere. I don't know if anyone here is familiar with Linux.Backdoor.Small.o, any help would be greatly appreciated. The suggestion I received is to block outbound traffic:> outbound traffic either source or destination using ports: 6, 8, 17, > 1025, 1433, 1434, 1435, 2798, 2967, 2968, 5761, & 5900Certainly, first I'd like to determine which application is leaving the open door, I'm guessing it's my apache. But in any case I need to close down the backdoor by blocking at shorewall as well.
The fact that you are still running Shorewall 1.4.2 suggests to me that you don't keep up with security patch releases very closely. It follows that it is no surprised that one of your systems has been compromised.
It is a fact that your internet-exposed servers are the weakest point in your network and the most likely place for a compromise to occur.
It is also a fact that you should isolate your internet-exposed servers in their own LAN and that the firewall policy from that LAN to ANYWHERE should be REJECT. So the problem is not to add 100s (1000s) of rules to block the bad stuff but rather to add a few ACCEPT rules for the traffic that must be allowed. That is the only way to approach this problem.
And *keep up with software releases*. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
