- 03-22-2007 #1
oh$hit. I think my server was pwn3d...
A few days ago, I signed up for a hosted server w/Ubuntu 6.10 on it. Yesterday, ssh stopped working for no obvious reason. Today, I noticed a few things that worry me:
* I theoretically have incoming and outgoing access to port 25 blocked using the "Linux Firewall" panel in Webmin, but I can still do telnet xxxxx 25 from another computer running Windows ('xxxx' is the hostname) and get a connection. In contrast, trying to do the same thing to ports 20-24 returns an immediate message that the connection was refused. Allegedly, neither Qmail nor Sendmail are running.
* the 'auth' log shows a bunch of logins and su's at a point in time when I was asleep. The CRON ones I can rationalize... but the other ones are worrying me quite a bit. Here's a sample:
Code:
Mar 22 06:23:01 SP0421c CRON[3825]: (pam_unix) session opened for user mail by (uid=0)
Mar 22 06:23:01 SP0421c CRON[3825]: (pam_unix) session closed for user mail
Mar 22 06:25:01 SP0421c CRON[3827]: (pam_unix) session opened for user root by (uid=0)
Mar 22 06:25:01 SP0421c su[3885]: Successful su for nobody by root
Mar 22 06:25:01 SP0421c su[3885]: + ??? root:nobody
Mar 22 06:25:01 SP0421c su[3885]: (pam_unix) session opened for user nobody by (uid=0)
Mar 22 06:25:01 SP0421c su[3885]: (pam_unix) session closed for user nobody
Mar 22 06:25:01 SP0421c su[3889]: Successful su for nobody by root
Mar 22 06:25:01 SP0421c su[3889]: + ??? root:nobody
Mar 22 06:25:01 SP0421c su[3889]: (pam_unix) session opened for user nobody by (uid=0)
Mar 22 06:25:01 SP0421c su[3889]: (pam_unix) session closed for user nobody
Mar 22 06:25:01 SP0421c su[3891]: Successful su for nobody by root
Mar 22 06:25:01 SP0421c su[3891]: + ??? root:nobody
Mar 22 06:25:01 SP0421c su[3891]: (pam_unix) session opened for user nobody by (uid=0)
Mar 22 06:25:07 SP0421c su[3891]: (pam_unix) session closed for user nobody
Mar 22 06:25:12 SP0421c CRON[3827]: (pam_unix) session closed for user root
Mar 22 06:38:01 SP0421c CRON[4033]: (pam_unix) session opened for user mail by (uid=0)
Mar 22 06:38:01 SP0421c CRON[4033]: (pam_unix) session closed for user mail
Mar 22 06:39:01 SP0421c CRON[4035]: (pam_unix) session opened for user root by (uid=0)
Mar 22 06:39:01 SP0421c CRON[4037]: (pam_unix) session opened for user root by (uid=0)
Mar 22 06:39:01 SP0421c CRON[4035]: (pam_unix) session closed for user root

Is it appropriate to panic yet?
- 03-22-2007 #2
Although it seems a bit fishy that could be apache... I wouldn't use ubuntu as a server if I was you. But if I was you then you'd be me and I'd be... ? what?
- 03-22-2007 #3
I don't see that there is necessarily a problem with what you have posted.

> Yesterday, ssh stopped working for no obvious reason.

You should figure out why and get that fixed.

> I theoretically have incoming and outgoing access to port 25 blocked using the "Linux Firewall" panel in Webmin, but I can still do telnet xxxxx 25 from another computer running Windows ('xxxx' is the hostname) and get a connection.

That may be a serious problem. You could post your iptables rules here for someone to review.

Code:# iptables -nvL

(put the results of that in code tags)

> the 'auth' log shows a bunch of logins and su's at a point in time when I was asleep.

Those could be normal administrative tasks cron is doing for you. Check to see what is specified in root's crontab at 6:25 a.m.

> Is it appropriate to panic yet?

Probably not. Lock down your iptables configuration and keep your software up to date. Shut off telnet (why are you running it?). You should also look into regularly scheduling rkhunter checks and use a HIDS like AIDE. That way you won't be guessing -- you'll (probably) know when there is real trouble.
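A way to run the cron check suggested above against the log itself, added here as an example and not part of the thread: it pairs each "Successful su ... by root" entry with the CRON root session that is open at that moment (the way the 06:25 su entries in the first post sit inside CRON[3827]) and flags any su by root with no cron session around it. The sample log is constructed from the post's format, with one extra late-night line added to show a flagged event.

```sh
#!/bin/sh
# Added example (not from the thread): attribute each "Successful su ... by root"
# entry to the CRON root session open when it happened, and flag any su by root
# that happens with no CRON root session open. Sample constructed from the log
# format in the first post, plus one extra line (su[5120]) that has no cron job.

AUTHLOG_SAMPLE='Mar 22 06:25:01 SP0421c CRON[3827]: (pam_unix) session opened for user root by (uid=0)
Mar 22 06:25:01 SP0421c su[3885]: Successful su for nobody by root
Mar 22 06:25:01 SP0421c su[3885]: + ??? root:nobody
Mar 22 06:25:01 SP0421c su[3885]: (pam_unix) session opened for user nobody by (uid=0)
Mar 22 06:25:01 SP0421c su[3885]: (pam_unix) session closed for user nobody
Mar 22 06:25:12 SP0421c CRON[3827]: (pam_unix) session closed for user root
Mar 22 06:39:01 SP0421c CRON[4035]: (pam_unix) session opened for user root by (uid=0)
Mar 22 06:39:01 SP0421c CRON[4035]: (pam_unix) session closed for user root
Mar 22 23:41:17 SP0421c su[5120]: Successful su for nobody by root'

# Reads an auth log on stdin. Prints one line per su-by-root event, prefixed
# "cron-driven:" or "UNEXPLAINED:", and exits 1 if anything was unexplained.
# CRON sessions are tracked by PID so closing one job does not end another.
classify_root_su() {
    awk '
    /CRON\[[0-9]+\]: \(pam_unix\) session opened for user root/ {
        match($0, /CRON\[[0-9]+\]/); open[substr($0, RSTART + 5, RLENGTH - 6)] = 1; next
    }
    /CRON\[[0-9]+\]: \(pam_unix\) session closed for user root/ {
        match($0, /CRON\[[0-9]+\]/); delete open[substr($0, RSTART + 5, RLENGTH - 6)]; next
    }
    /su\[[0-9]+\]: Successful su for [^ ]+ by root/ {
        n = 0; for (p in open) n++
        if (n > 0) print "cron-driven: " $0
        else { print "UNEXPLAINED: " $0; flagged++ }
    }
    END { exit (flagged > 0) }'
}

# Number of unexplained events in the sample, for a quick check.
unexplained_count() {
    printf '%s\n' "$AUTHLOG_SAMPLE" | classify_root_su | grep -c '^UNEXPLAINED:'
}
```

On a real box, feed it the actual file: `classify_root_su < /var/log/auth.log`.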
- 03-22-2007 #4
Assuming I haven't been rootkitted, is there an easy way to block all incoming and outgoing network traffic besides ports 22, 80, 443, and 10000? I'm afraid to blindly experiment because I know how easy it is to accidentally lock myself out of the server (since I don't have physical access to it).
From the authlog, it looks like there have been ongoing dictionary attacks (trying to ssh with alphabetically-sequenced usernames) since almost the moment it went online for the first time.
- 03-22-2007 #5
That brings up many other questions. You need to properly lock down the services you're running, starting with sshd. You might want to search this forum for some tips. For starters, who is admin-ing this box? Just you? If so, port 22 should be open only to you and you should be using only pubkey authentication.
As for blindly experimenting with your fw, never fear. I have addressed this in another post that you can read here: http://www.linuxquestions.org/questi...d.php?t=534443 (alternate forum alert)
- 03-22-2007 #6
The reason I installed Telnet was sheer panic over the possibility of losing my only way of getting a console should webmin fail next.

Code:
> iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2770  346K LOG        all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
 2770  346K ACCEPT     all  --  !eth0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x10/0x10
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
    0     0 LOG        all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:'

Chain OUTPUT (policy ACCEPT 254 packets, 81319 bytes)
 pkts bytes target     prot opt in     out     source               destination
  254 81319 LOG        all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 reject-with icmp-port-unreachable
If it sheds any light on my sudden SSH problems, I did notice that the first few times I logged in via ssh, it forced me to interactively enter the password as a secondary authentication mode (in the past, I just had to permanently save the key, enter the password once, and SecureCRT was happy thereafter).
Would uninstalling SSH using apt via webmin, then reinstalling it, likely help? Or would it likely just make things worse?
- 03-22-2007 #7
Ok.. so you're accepting all incoming traffic except for tcp requests to port 25.
- 03-22-2007 #8
I missed the comments under your iptables output earlier. What happens when you try to ssh in now?
- 03-23-2007 #9
SecureCRT reports that the connection was refused.
^^^ Scratch that. I'm not sure why it happened, but something apparently added or changed the line "GSSAPINoMICAuthentication yes". When I tried starting sshd manually, it reported that it was an invalid option. I commented it out, and now sshd seems to be working.
OK, so since THAT immediate crisis seems to be resolved... how can I achieve the following:
* block all traffic unless a rule further down specifically allows it
* block inbound and outbound connections on port 25 (SMTP) REGARDLESS of what rules further down might say.
* allow incoming data FROM my DSL IP address (let's call it 'a.b.c.d') and TO my DSL IP address on any port
* allow incoming data FROM any of the 255 potential IP addresses in the C-like block 'e.f.g.*', and TO any IP address in that block, on any port (the potential DHCP addresses of a computer at my office)
* allow incoming http and ssl requests (ports 80 and 443) from any computer anywhere in the world, and allow responses to any computer on the world (I can't restrict outgoing ports without breaking NAT, right? Because NAT sends http responses that ask for the response to be sent on arbitrary ports?)
In case you're wondering why I'm so paranoid about port 25, the last time I ran my own server ~2 years ago, I noticed my home router was crashing all the time. The router (D-Link) was a piece of junk, but even a new Linksys router still had massive slowdowns. Why? Spammers realized I had a SMTP server running on port 25, and hammered at it ENDLESSLY trying to send outbound mail. They weren't quite smart enough to realize I was using SASL and give up... they just kept banging on it, over and over, trying to send mail, and at times almost completely saturating my inbound bandwidth. I had to disable SMTP logging, because writing and rolling the SMTP log was actually bogging down the system. At one point, I actually had more than a hundred different IP addresses attempting to send mail over a ONE MINUTE span of time. Admittedly the server was only 500MHz... but it was CRAZY. The bastards beat it down to the point of barely running just by hammering on it constantly.
- 03-23-2007 #10
> * block all traffic unless a rule further down specifically allows it

You may need to change your thinking upside down on this -- iptables/netfilter follows the "top-down, first match wins" approach. So you generally have allow rules, followed by a catch-all deny by default rule.

> * block inbound and outbound connections on port 25 (SMTP) REGARDLESS of what rules further down might say.

You already have a rule in place that blocks inbound tcp traffic to port 25. Also, it's pretty likely that sendmail (or whatever you're using) is only listening on the loopback interface. At least that should be the default for a good distro. You can confirm this with:

Code:netstat -atn | grep ':25\>'

> * allow incoming data FROM my DSL IP address (let's call it 'a.b.c.d') and TO my DSL IP address on any port

In its simplest form:

Code:# iptables -A INPUT -s a.b.c.d -j ACCEPT

> * allow incoming data FROM any of the 255 potential IP addresses in the C-like block 'e.f.g.*', and TO any IP address in that block, on any port (the potential DHCP addresses of a computer at my office)

I don't follow this one. Is this box providing nat to your office?

> * allow incoming http and ssl requests (ports 80 and 443) from any computer anywhere in the world

You're already doing that.

> and allow responses to any computer on the world (I can't restrict outgoing ports without breaking NAT, right? Because NAT sends http responses that ask for the response to be sent on arbitrary ports?)

I don't know the answer.

What's missing is a default deny policy on your INPUT chain. This will do the trick:

Code:# iptables -P INPUT DROP

Warning: Be sure you or someone has physical access to the box (or use the strategy I pointed you to earlier) before setting up your default policy. You don't want to get locked out by mistake.
One more thing - here is a resource where you can help yourself:
http://www.netfilter.org/documentati...entation-howto
Also see the manpages for iptables(8).
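The script below is an added example, not from the thread, that puts the pieces of this reply together in first-match-wins order for the five requirements in post #9: a.b.c.d and e.f.g.0/24 stand in for the DSL address and office block, and the loopback rule, the ESTABLISHED,RELATED rule and the rollback timer are additions the reply does not mention. Setting IPT="echo iptables" prints the commands instead of applying them, which also needs no root.

```sh
#!/bin/sh
# Added example (not from the thread): a default-deny INPUT chain for the
# requirements in post #9. a.b.c.d and e.f.g.0/24 are the thread's placeholders.
# Preview with IPT="echo iptables" before running it for real.
IPT=${IPT:-iptables}
DSL_IP=${DSL_IP:-a.b.c.d}
OFFICE_NET=${OFFICE_NET:-e.f.g.0/24}

apply_firewall() {
    # Keep INPUT at ACCEPT while the chain is rebuilt so a typo halfway
    # through does not drop the session used to load the rules. Flushing
    # also removes Webmin's BANDWIDTH_* LOG rules; re-add them if needed.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -F OUTPUT

    # SMTP is rejected first in both directions: since the first matching
    # rule decides, nothing appended later can re-open port 25.
    $IPT -A INPUT  -p tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
    $IPT -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable

    # Loopback, plus packets belonging to connections already accepted
    # (this is what lets HTTP responses reach NATed clients on any port).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Trusted sources get every port; this is how 22 and 10000 are reached,
    # so they are not opened to the world below.
    $IPT -A INPUT -s "$DSL_IP" -j ACCEPT
    $IPT -A INPUT -s "$OFFICE_NET" -j ACCEPT

    # Public services.
    $IPT -A INPUT -p tcp --dport 80  -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT

    # Catch-all deny goes last. OUTPUT keeps its ACCEPT policy, so outbound
    # traffic to the DSL and office addresses is limited only by the SMTP rule.
    $IPT -P INPUT DROP
}

# Safety net for a box without console access: revert INPUT to ACCEPT after
# N seconds unless the returned job is killed once a fresh SSH login works.
arm_rollback() {
    ( sleep "${1:-300}" && $IPT -P INPUT ACCEPT ) &
    echo $!
}
```

Typical use on the box: `pid=$(arm_rollback 300); apply_firewall`, open a new SSH session, then `kill "$pid"` once the new session works.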