[sf-lug] interlopers continued
jr at inconspicuous.org
Sat Jul 21 13:45:10 PDT 2007
Michael Paoli wrote:
> If the host is *not* root compromised, one may want to investigate
> the connections a bit more, to determine if they're legitimate,
> or case of authorized user exceeding their authority / violating policy
> (but short of root compromise) ... or maybe some (quasi-?)legitimate
> software with perhaps some undesired behavior(s).
Good advice. I'm still wondering how anyone jumped to the conclusion
that the box is compromised when the only connections shown in the
netstat originally sent were connections out from the host belmont to 3
irc servers. There was no ident or ssh, both of which were mentioned
somewhere in these threads. To me it just sounds like a user using irc
without your knowledge. Of course it is possible that the box has been
rooted and binaries replaced so that you can't trust the output of
netstat, but I'd definitely make sure its not a user before worrying.
You could block those irc connections and see who complains :) From
memory I believe this is what you want
iptables -A OUTPUT -p tcp -m tcp --dport 6660:6669 -j DROP
You could make up your own ruleset in iptables, and I definitely
recommend it for learning, but for completeness and ease of use you
could use a number of packages that are available. Personally I like
shorewall ( although its probably not the easiest to use at first).
As Rick said (paraphrasing), firewalls aren't a silver bullet and the
services on your host should really be secured. And sometimes people
become complacent when they have a firewall thinking that it solves all
there security needs. But that doesn't mean it doesn't have value - its
a good first line of defense.
More information about the sf-lug