Page 1 of 2
  1. #1
    cocchiararo (Just Joined!) | Join Date: Apr 2008 | Posts: 28

    Debian - Iptables (and other server services): my rules "change by the


    Hello guys

    I come to you after failing to find an answer either by googling or by trying "home made workarounds".

    For more than a year I have been using the following hardware as a home server:

    Athlon64 3500+
    2GB DDR400
    HDD 160GB
    HDD 1TB (for my home PCs' backup)
    onboard LAN: internet (right now I have ADSL, with a Huawei MT882 in bridge mode; my server "dials")
    4 gigabit Ethernet cards: bridged, acting as a gigabit switch (right now I only use 2 of them for PCs, one for a WiFi router, the other one is free)

    The server runs Debian 5.0.* with: apache, iptables, dnsmasq (DNS and DHCP), VNC, phpMyAdmin, MySQL, TorrentFlux, JDownloader, Squid, SANE (new addition, problems started way before it), and probably more stuff.

    It also shares an Epson printer/scanner, but I failed to properly share the scanner, so I use it through VNC (phpSANE more or less worked, but not fully).

    My problem is that for some reason, at random times, my iptables rules are changed/flushed and replaced by this:

    Code:
    alpha:~# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  loopback/8           anywhere
    ACCEPT     all  --  anywhere             255.255.255.255
    ACCEPT     all  --  anywhere             255.255.255.255
    ACCEPT     all  --  192.168.1.0/24       anywhere
    ACCEPT     all  --  10.0.0.0/24          anywhere
    ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
    ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
    DROP       all  --  192.168.1.0/24       anywhere
    DROP       all  --  10.0.0.0/24          anywhere
    ACCEPT     all  --  anywhere             255.255.255.255
    ACCEPT     all  --  anywhere             host89.190-139-215.telecom.net.ar
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.1.0/24       192.168.1.0/24
    ACCEPT     all  --  10.0.0.0/24          192.168.1.0/24
    ACCEPT     all  --  192.168.1.0/24       10.0.0.0/24
    ACCEPT     all  --  192.168.1.0/24       anywhere
    ACCEPT     all  --  10.0.0.0/24          anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       all  --  anywhere             192.168.1.0/24
    DROP       all  --  anywhere             10.0.0.0/24
    DROP       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             255.255.255.255
    ACCEPT     all  --  anywhere             255.255.255.255
    ACCEPT     all  --  anywhere             192.168.1.0/24
    ACCEPT     all  --  anywhere             10.0.0.0/24
    ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
    ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
    LOG        all  --  anywhere             192.168.1.0/24      LOG level warning
    DROP       all  --  anywhere             192.168.1.0/24
    LOG        all  --  anywhere             10.0.0.0/24         LOG level warning
    DROP       all  --  anywhere             10.0.0.0/24
    ACCEPT     all  --  anywhere             255.255.255.255
    ACCEPT     all  --  host89.190-139-215.telecom.net.ar  anywhere
    DROP       all  --  anywhere             anywhere
    The server keeps working, and I only notice if I try to ssh/vnc/something from outside to my custom ports for those protocols and fail; then I try on the stock ones, and it works... (I left the default ports in each configuration, but redirected them using iptables).
    Another chance for noticing is when my brother is unable to host a Warcraft 3 game and asks me to reload the iptables rules (he now knows what he has to ask :P ).

    I have no idea what's going on.

    I even added a cron job in crontab (for the root user) to reload the rules every 30 minutes, then 15, then 5 (I also made it log something, so I was sure it was working), but it worked for a while (at each periodicity) and then stopped working too, so now I'm back to manual reloading.

    All my PCs have their own firewall too, just in case.

  2. #2
    Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,672
    Are you sure this system has not been compromised?
    How are your rules defined, with a script or a file that is loaded?
    Can you save the correct rules and the incorrect rules and then compare them?
    Check both passwd and shadow files for unknown users. Pay attention to any user listed that has a login shell set.

    Here is a web site on Securing Debian Services.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
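The passwd/shadow check Lazydog describes above, written out as an added example (it is not part of the thread and not Lazydog's script): a POSIX sh/awk script that lists accounts with a real login shell, flags extra UID 0 accounts, and cross-checks shadow so that only accounts with both a login shell and a usable (or empty) password field are reported. File paths are arguments, so it can run against copies pulled from a suspect host; the list of non-login shells is an assumption and should be extended to whatever the system actually uses.

```shell
#!/bin/sh
# Added example: audit copies of /etc/passwd and /etc/shadow for accounts that
# can actually log in.  Paths are arguments so the check can run against files
# pulled from a suspect host.  NOLOGIN_SHELLS is an assumption; extend as needed.
NOLOGIN_SHELLS='/bin/false|/usr/sbin/nologin|/sbin/nologin|/bin/sync'

# "user uid shell" for every account whose shell field is a real login shell.
login_accounts() {
    awk -F: -v nologin="^(${NOLOGIN_SHELLS})$" '
        $7 != "" && $7 !~ nologin { print $1, $3, $7 }
    ' "$1"
}

# Any account besides root with UID 0 is root under another name.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Cross-check passwd ($1) against shadow ($2): report accounts that have a login
# shell AND a password field that is usable, i.e. a hash (not "!", "*", "!!")
# or completely empty (no password asked at all).
loginable_accounts() {
    awk -F: -v nologin="^(${NOLOGIN_SHELLS})$" '
        FNR == NR { if ($7 != "" && $7 !~ nologin) shell[$1] = $7; next }
        ($1 in shell) && ($2 == "" || $2 !~ /^[!*]/) {
            print $1, shell[$1], ($2 == "" ? "EMPTY-PASSWORD" : "HAS-PASSWORD")
        }
    ' "$1" "$2"
}

# Run directly as: sh audit-accounts.sh /path/to/passwd /path/to/shadow
if [ $# -eq 2 ]; then
    echo "# accounts with a login shell:";        login_accounts "$1"
    echo "# extra UID 0 accounts:";               extra_uid0_accounts "$1"
    echo "# accounts able to log in (shell+pw):"; loginable_accounts "$1" "$2"
fi
```

Read the last list against what you expect: every entry that is not you or a service account you deliberately gave a shell and password is worth a closer look, and an EMPTY-PASSWORD entry with a login shell should not exist at all.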

  3. #3
    cocchiararo (Just Joined!) | Join Date: Apr 2008 | Posts: 28
    Quote Originally Posted by Lazydog View Post
    Are you sure this system has not been compromised?
    How are your rules defined, with a script or a file that is loaded?
    Can you save the correct rules and the incorrect rules and then compare them?
    Check both passwd and shadow files for unknown users. Pay attention to any user listed that has a login shell set.

    Here is a web site on Securing Debian Services.
    if my "non fixed ip" home server is compromised, I'm an unlucky person :P

    My rules are set from a file (iptables-restore < file)

    I will take a look at what you suggested and your link.

    ps: my automatic reload of iptables with crontab was failing because a script called by that needed iptables commands to be called like this:

    /sbin/iptables

    instead of just

    iptables

    so that was my failure :P

    I have now set up a cron job that compares the current rules with the ones after the system has booted, and if they differ, writes a log and restores them. (correctly now)

    I have not seen my rules changed after setting my new script up :/

    ps: I can of course compare the rules; the ones I posted are the ones that get loaded by some unknown entity or something, and I have my own in a file.

  4. #4
    Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,672
    Quote Originally Posted by cocchiararo View Post
    if my "non fixed ip" home server is compromised, I'm an unlucky person :P
    Please don't have a false sense of security just because you don't have a static IP address. 99% of home systems are DHCP and most, if not all, intruders know this. As such the smart ones, after compromising your system, place a script that checks the IP address and, if it changes, phones home the new IP address, thus allowing them access to the system even after an IP change.

    My rules are set from a file (iptables-restore < file)
    In the future post this file, as it is easier to follow.

    I will take a look at what you suggested and your link.
    Great. Because you are saying that the rules are changing on their own, I am suspecting the system has been broken into.

    ps: my automatic reload of iptables with crontab was failing because a script called by that needed iptables commands to be called like this:

    /sbin/iptables

    instead of just

    iptables

    so that was my failure :P

    I have now set up a cron job that compares the current rules with the ones after the system has booted, and if they differ, writes a log and restores them. (correctly now)

    I have not seen my rules changed after setting my new script up :/

    ps: I can of course compare the rules; the ones I posted are the ones that get loaded by some unknown entity or something, and I have my own in a file.
    I don't know what you are doing to see if the rules change, but I would test this out by manually changing the rules to ensure your method of comparing the rules is working.

    It sounds to me that since you have this cron job running you believe everything is fixed, whereas I believe you should not run this cron job and fix what is broken.

    Regards
    Robert


  5. #5
    cocchiararo (Just Joined!) | Join Date: Apr 2008 | Posts: 28
    Quote Originally Posted by Lazydog View Post
    Please don't have a false sense of security just because you don't have a static IP address. 99% of home systems are DHCP and most, if not all, intruders know this. As such the smart ones, after compromising your system, place a script that checks the IP address and, if it changes, phones home the new IP address, thus allowing them access to the system even after an IP change.

    In the future post this file, as it is easier to follow.

    Great. Because you are saying that the rules are changing on their own, I am suspecting the system has been broken into.

    I don't know what you are doing to see if the rules change, but I would test this out by manually changing the rules to ensure your method of comparing the rules is working.

    It sounds to me that since you have this cron job running you believe everything is fixed, whereas I believe you should not run this cron job and fix what is broken.
    I did not mean I was safe, but that I was unlucky, or would have been.

    The changed rules are always the same, the ones I posted. Do you see anything strange with them?

    I do not feel safe or that I solved the problem with the cron job, and as I said, it's for logging, so that I could know when this happens.

    My method is:

    I dump my iptables rules after they are loaded on boot (I checked, and they are correct).
    A cron job that runs every 10 minutes dumps the iptables rules to a different file, compares the original with the current one, and if they are different logs the time and the rules, and reloads mine.
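The detect-and-restore job described above, written out as an added example (this is not the poster's script): it saves a baseline with iptables-save once the known-good rules are loaded, and a cron run compares the live ruleset against it, ignoring only the timestamp comments and packet counters that change on every dump, logs the diff and the full rogue ruleset, and restores the baseline. Tool and file paths are absolute, since the poster's first cron job failed on PATH; the baseline and log locations are assumptions set via environment variables. As Lazydog suggests, verify the comparator by changing one rule by hand and confirming that the log entry appears.

```shell
#!/bin/sh
# Added example (not the poster's script): keep a baseline of the known-good
# ruleset and, from cron, detect any drift from it, log the evidence and restore.
# Absolute paths throughout: a cron job's PATH usually lacks /sbin.
IPTABLES_SAVE=${IPTABLES_SAVE:-/sbin/iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
BASELINE=${BASELINE:-/var/lib/firewall/baseline.rules}   # assumed location
LOGFILE=${LOGFILE:-/var/log/firewall-watch.log}          # assumed location

# iptables-save output changes on every dump even when the rules do not: the
# "# Generated by ..." and "# Completed on ..." lines carry a timestamp and the
# chain headers carry [packets:bytes] counters.  Strip both before comparing so
# that a difference means a real rule change.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^:\([^ ]*\) \([^ ]*\) \[[0-9]*:[0-9]*\]$/:\1 \2/' "$1"
}

# Exit 0 when the two saved rulesets differ in substance, 1 when they match.
rules_changed() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    if cmp -s "$a" "$b"; then rc=1; else rc=0; fi
    rm -f "$a" "$b"
    return $rc
}

# Run once, after the known-good rules have been loaded.
save_baseline() {
    "$IPTABLES_SAVE" > "$BASELINE"
}

# Cron entry point.  On drift: log when, what changed and the whole rogue
# ruleset in iptables-save form (the format Lazydog asked for), then restore.
check_and_restore() {
    current=$(mktemp)
    "$IPTABLES_SAVE" > "$current"
    if rules_changed "$BASELINE" "$current"; then
        {
            echo "== $(date '+%Y-%m-%d %H:%M:%S') live rules differ from baseline =="
            diff "$BASELINE" "$current" || true      # diff exits 1 when files differ
            echo "== rogue ruleset =="
            cat "$current"
        } >> "$LOGFILE"
        cp "$current" "${LOGFILE}.last-rogue.rules"
        "$IPTABLES_RESTORE" < "$BASELINE"
        rm -f "$current"
        return 2
    fi
    rm -f "$current"
    return 0
}

case "${1:-}" in
    save)  save_baseline ;;
    check) check_and_restore ;;
esac
```

Install the baseline once with `firewall-watch.sh save` after the good rules are loaded, then add `*/10 * * * * /usr/local/sbin/firewall-watch.sh check` to root's crontab (script name and path are assumptions). The saved `.last-rogue.rules` copy is what to post for review the next time the rules change.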

  6. #6
    Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,672
    Without knowing what you have set up as original it is hard to tell what is wrong with the above rules.

    While looking at this output is OK, I prefer the file format. Is there any way you can get this output in file form, the one like iptables-save does? Is your firewall based strictly on IP addresses? I don't see any ports listed in what you posted.

    What are these lines:
    Code:
    Chain INPUT (policy DROP)
    ACCEPT     all  --  anywhere             host89.190-139-215.telecom.net.ar
    
    Chain OUTPUT (policy DROP)
    ACCEPT     all  --  host89.190-139-215.telecom.net.ar  anywhere
    And why is it needed? My point being you are asking me to look at your rules and tell you what is wrong but without me knowing what you are trying to do I cannot do as you ask.

    Regards
    Robert


  7. #7
    cocchiararo (Just Joined!) | Join Date: Apr 2008 | Posts: 28
    Quote Originally Posted by Lazydog View Post
    Without knowing what you have set up as original it is hard to tell what is wrong with the above rules.

    While looking at this output is OK, I prefer the file format. Is there any way you can get this output in file form, the one like iptables-save does? Is your firewall based strictly on IP addresses? I don't see any ports listed in what you posted.

    What are these lines:
    Code:
    Chain INPUT (policy DROP)
    ACCEPT     all  --  anywhere             host89.190-139-215.telecom.net.ar
    
    Chain OUTPUT (policy DROP)
    ACCEPT     all  --  host89.190-139-215.telecom.net.ar  anywhere
    And why is it needed? My point being you are asking me to look at your rules and tell you what is wrong, but without me knowing what you are trying to do I cannot do as you ask.
    I'm attaching my rules saved with iptables-save.

    I can't do the same with the "changed ones" because they haven't changed again (is there any known Apache vulnerability that could allow an attacker to do something with iptables/my system? I had a few files hosted with Apache, now password protected. The files were meant to be public, now they are not :P )

    If you look at both rulesets, you'll see that the ones I posted here, in the first post, are way different than mine.

    They more or less look like something that ipmasq might make, but I don't have that running.

    Also, my own rules might be easier to understand with my comments, but they were in Spanish, so you are better off now :P

    I have no idea what those rules you ask me about are; they, along with the rest, are not mine.

    Have in mind though, that my ADSL (modem in modem/PPPoE mode, bridged, not in router mode) is called "Arnet" and belongs to "Telecom Argentina".

    Finally, I didn't want you to tell me if there was something wrong, but to ask if something looked suspicious :P

    ps: feel free to bash me for any idiotic rule I might have :P
    ps2: I renamed the file to .txt to be able to upload it.
    ps3: passwd and shadow files seem ok.
    Attached Files

  8. #8
    Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,672
    OK, if those rules are not yours then I will assume your system has been compromised. Why else would they have been placed there? In that case the best thing to do would be to flush and reload the system. As for your question about Apache, I don't know; you are going to have to search on that.

    Your firewall rules are not set up for connection tracking, so that should be fixed. Also, all the rules with 255.255.255.255/32, are they really necessary?

    I am going to change the way the firewall rules are setup and post them back to you within the next couple of days. Take a look at them and let me know what you think.

    Regards
    Robert

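Lazydog's two remarks above, that the poster's rules are not set up for connection tracking and that the 255.255.255.255 rules may be unnecessary, as an added example (this is not his promised rewrite, which is not on this page): a shell function that emits a small stateful iptables-restore ruleset for this kind of setup, plus a lint function that reports DROP-policy filter chains lacking a RELATED,ESTABLISHED accept. Interface names are assumptions passed in by the caller: ppp0 for the PPPoE link the server dials, br0 for the LAN bridge seen in the poster's own DNS rules; the NAT table is included on the assumption that the server is the LAN's router. Run on the ruleset from the first post, the lint flags INPUT and OUTPUT, since only FORWARD there carries a state match.

```shell
#!/bin/sh
# Added example: a stateful ruleset generator plus a lint that checks a saved
# ruleset for missing connection tracking.  Interface names are assumptions
# passed in by the caller (ppp0 = PPPoE link, br0 = LAN bridge).

# Emit an iptables-restore file.  Every chain with a DROP policy accepts
# RELATED,ESTABLISHED first, so only the first packet of a connection needs a
# rule; replies and ICMP errors ride on the conntrack entry.  The DHCP rule
# matches on interface and ports instead of the 255.255.255.255 destination.
gen_stateful_rules() {
    wan=$1
    lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Services offered to the LAN only: dnsmasq (DNS, DHCP) and SSH.
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
# LAN hosts may open connections to the internet; return traffic is tracked.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Print each filter chain whose policy is DROP but which has no ACCEPT rule
# matching RELATED,ESTABLISHED (via -m state --state or -m conntrack --ctstate).
# Such a chain only passes the reply half of a connection if every reply port is
# opened by hand.
chains_without_conntrack() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table != "filter" { next }
        /^:/ && $2 == "DROP" { drop_policy[substr($1, 2)] = 1 }
        /^-A / && /(--state|--ctstate) [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ { tracked[$2] = 1 }
        END { for (c in drop_policy) if (!(c in tracked)) print c }
    ' "$1" | sort
}

# Usage: sh rules.sh gen [wan] [lan] > rules.v4   or   sh rules.sh lint saved.rules
if [ "${1:-}" = "gen" ]; then
    gen_stateful_rules "${2:-ppp0}" "${3:-br0}"
elif [ "${1:-}" = "lint" ]; then
    chains_without_conntrack "$2"
fi
```

Load the generated file with `iptables-restore < rules.v4` and keep the lint in the review loop: an empty result means every dropping chain tracks state, and any chain it names will need per-port reply rules (or will silently break things like the brother's game hosting) until a RELATED,ESTABLISHED accept is added.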

  9. #9
    cocchiararo (Just Joined!) | Join Date: Apr 2008 | Posts: 28
    Quote Originally Posted by Lazydog View Post
    OK, if those rules are not yours then I will assume your system has been compromised. Why else would they have been placed there? In that case the best thing to do would be to flush and reload the system. As for your question about Apache, I don't know; you are going to have to search on that.

    Your firewall rules are not set up for connection tracking, so that should be fixed. Also, all the rules with 255.255.255.255/32, are they really necessary?

    I am going to change the way the firewall rules are set up and post them back to you within the next couple of days. Take a look at them and let me know what you think.
    Thank you for your help.

    Sorry for not stating clearly that the rules I posted were not a modification of mine, but a completely new set.

    That set allows my home server to remain "home serving", but removes tons of things I need :P

    the following rules were for DNS functionality:

    Code:
    #DNS 
    #-A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
    #-A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -p udp -m udp --dport 53 -j ACCEPT 
    #-A INPUT -i br0 -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
    # dnsmasq DHCP
    -A INPUT -s 0.0.0.0 -d 255.255.255.255 -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    #-A INPUT -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
    The 255.255.255.255 one was a rule dnsmasq had, and I took it from there. In theory, the first 3 commented rules should work for DNS stuff. But unluckily, it did not work on my home server (it does on a server my job has; I did not set that up though).

    The dnsmasq rule was like the commented one; I modified it a little, it was "too allowing" for my taste.

    If my system is/was really compromised, either it was a manual thing a hacker was doing and he got bored, or I am lucky now, or something; my iptables rules have been untouched for a few days now.

    I will accept your knowledge nonetheless XD

    ps: the mangle rules I don't understand; they were recommended to me, my friend said:

    #The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
    #This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.

  10. #10
    cocchiararo (Just Joined!) | Join Date: Apr 2008 | Posts: 28
    Today my rules changed "by themselves" again, between 15:00 and 19:00.

    I'm checking logs (various) to see if there was something weird.

    I think I lost internet connectivity for a while too, but my internet connection goes out way too often; next week I'm changing providers.

