Hello Tom,

I appreciate you pointing out the error of my ways. And you are
absolutely correct.

However, lack of resources prevents me from doing this in a production
environment in a timely manner.

Therefore I need an immediate solution in the meantime, and it would be
great to have someone willing to help me out. As I am not a firewall
expert, I have difficulties in setting up the outbound connections
perfectly. That is also why I'm not comfortable with simply doing a
REJECT all outbound traffic except the few ports. It's something I need
to work towards but again what I'm trying to do here is a quick
temporary solution.

I have set up a REJECT for outbound traffic to those ports as follows:

REJECT          loc             net     tcp     6,8,17,1025,1433,1434,1435
REJECT          loc             net     tcp     2798,2967,2968,5761,5900

However I understand I need to also block outbound for those ports as
being sources as well. How would I go about doing that?

I REALLY appreciate some help with this. I understand I need to do a lot
of other stuff but that will take some time, and I need to immediately
find a temporary solution, even knowing it's not the best (or even a
catch-all).

Thank you
Ricardo
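An added example of what the requested rules could look like; it is not code from Ricardo, Tom or the Shorewall project. It assumes the Shorewall 1.4 rules file column order ACTION, SOURCE, DEST, PROTO, DEST PORT(S), CLIENT PORT(S), with "-" meaning "any" in a column, and uses the zone names loc and net from the message above.

```text
# /etc/shorewall/rules (assumed 1.4 column layout)
#ACTION   SOURCE  DEST   PROTO  DEST PORT(S)                 CLIENT PORT(S)
# Outbound where the listed ports are the DESTINATION (as already posted):
REJECT    loc     net    tcp    6,8,17,1025,1433,1434,1435
REJECT    loc     net    tcp    2798,2967,2968,5761,5900
# Outbound where the listed ports are the SOURCE on the local side:
# DEST PORT(S) is "-" (any), the port list goes in CLIENT PORT(S).
REJECT    loc     net    tcp    -                            6,8,17,1025,1433,1434,1435
REJECT    loc     net    tcp    -                            2798,2967,2968,5761,5900
# The advisory did not name a protocol; if UDP should be covered too,
# repeat the four lines above with udp in the PROTO column.
```

As Tom's reply describes, the durable fix is a `loc net REJECT` (or DROP) line in /etc/shorewall/policy plus explicit ACCEPT rules for the traffic the servers must originate, at which point the REJECT lines above become unnecessary.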

On Mon, 2008-09-08 at 16:31 -0700, Tom Eastep wrote:
> Ricardo Kleemann wrote:
> > Hi,
> >  
> > I run an older version of shorewall (1.4.2) and need some help 
> > setting up some rules.
> >  
> > I received an abusenet notification that one of my servers is being used 
> > to hack elsewhere. I don't know if anyone here is familiar with 
> > Linux.Backdoor.Small.o, any help would be greatly appreciated.
> >  
> > The suggestion I received is to block outbound traffic:
> >  > outbound traffic either source or destination using ports: 6, 8, 17,
> >  > 1025, 1433, 1434, 1435, 2798, 2967, 2968, 5761, & 5900
> >  
> > Certainly, first I'd like to determine which application is leaving the 
> > open door, I'm guessing it's my apache. But in any case I need to close 
> > down the backdoor by blocking at shorewall as well.
> 
> The fact that you are still running Shorewall 1.4.2 suggests to me that you 
> don't keep up with security patch releases very closely. It follows that it 
> is no surprise that one of your systems has been compromised.
> 
> It is a fact that your internet-exposed servers are the weakest point in 
> your network and the most likely place for a compromise to occur.
> 
> It is also a fact that you should isolate your internet-exposed servers in 
> their own LAN and that the firewall policy from that LAN to ANYWHERE should 
> be REJECT. So the problem is not to add 100s (1000s) of rules to block the 
> bad stuff but rather to add a few ACCEPT rules for the traffic that must be 
> allowed. That is the only way to approach this problem.
> 
> And *keep up with software releases*.
> 
> -Tom


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
