[sf-lug] interlopers continued
John Reilly
jr at inconspicuous.org
Sat Jul 21 13:45:10 PDT 2007
Michael Paoli wrote:
> If the host is *not* root compromised, one may want to investigate
> the connections a bit more, to determine if they're legitimate,
> or case of authorized user exceeding their authority / violating policy
> (but short of root compromise) ... or maybe some (quasi-?)legitimate
> software with perhaps some undesired behavior(s).
>
Good advice. I'm still wondering how anyone jumped to the conclusion
that the box is compromised when the only connections shown in the
netstat originally sent were connections out from the host belmont to 3
irc servers. There was no ident or ssh, both of which were mentioned
somewhere in these threads. To me it just sounds like a user using irc
without your knowledge. Of course it is possible that the box has been
rooted and binaries replaced so that you can't trust the output of
netstat, but I'd definitely make sure it's not a user before worrying.
You could block those irc connections and see who complains :) From
memory I believe this is what you want
iptables -A OUTPUT -p tcp -m tcp --dport 6660:6669 -j DROP
You could make up your own ruleset in iptables, and I definitely
recommend it for learning, but for completeness and ease of use you
could use a number of packages that are available. Personally I like
shorewall (although it's probably not the easiest to use at first).
As Rick said (paraphrasing), firewalls aren't a silver bullet and the
services on your host should really be secured. And sometimes people
become complacent when they have a firewall thinking that it solves all
their security needs. But that doesn't mean it doesn't have value - it's
a good first line of defense.
Good luck,
John
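As an added example (not part of John's post, and not from the sf-lug thread), the following script turns the single DROP rule above into a log-then-drop pair, so that before anything is blocked the kernel log records which user id opened each outbound IRC connection. That is exactly the check the post recommends, finding out whether it is a local user before assuming the box is rooted. It assumes an iptables whose LOG target supports --log-uid and -m limit; the port range 6660:6669 is the one from the post, the hostname belmont is from the thread, and the sample log line is constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Log-then-drop rules for outbound IRC: the LOG rule runs first so each
# attempt is recorded (with --log-uid, the owning user id) before DROP.
# Assumes iptables with the LOG target's --log-uid option and -m limit.

IRC_PORTS="${IRC_PORTS:-6660:6669}"   # port range from John's rule

# Print the iptables commands for the OUTPUT chain, one per line.
irc_rules() {
    cat <<EOF
iptables -A OUTPUT -p tcp -m tcp --dport $IRC_PORTS -m limit --limit 5/min -j LOG --log-prefix "IRC-OUT: " --log-uid
iptables -A OUTPUT -p tcp -m tcp --dport $IRC_PORTS -j DROP
EOF
}

# Apply the rules; with DRY_RUN set, only print them.
apply_irc_rules() {
    if [ -n "$DRY_RUN" ]; then
        irc_rules
    else
        irc_rules | while IFS= read -r cmd; do
            eval "$cmd"
        done
    fi
}

# Given one kernel log line written by the LOG rule, print the UID that
# opened the connection and the destination address. Resolve the UID with
# "getent passwd <uid>" to see which account is running the IRC client.
uid_from_log() {
    printf '%s\n' "$1" | awk '{
        uid = ""; dst = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5);
            if ($i ~ /^DST=/) dst = substr($i, 5);
        }
        if (uid != "") print uid " " dst
    }'
}

# Constructed sample (not real traffic) in the format netfilter's LOG
# target writes when --log-uid is set.
SAMPLE_LOG='Jul 21 13:45:10 belmont kernel: IRC-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1001 GID=1001'

# Show the rules without touching the firewall, then parse the sample line.
DRY_RUN=1 apply_irc_rules
uid_from_log "$SAMPLE_LOG"
```

Run it with DRY_RUN=1 first to see the two rules; run it as root without DRY_RUN to install them. The -m limit match keeps a chatty client from flooding the log, and because the LOG rule sits before DROP, the "IRC-OUT:" lines in the kernel log (dmesg or syslog) give you the UID to look up before anyone has to complain.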