request to help with setting up IP TABLES // (tcpdump and Maltrail involved)
Hello,
I had a possible breach of my Linux system, but I am not a network professional.
The start of the story was that my network meter showed a big upload while I was downloading,
so I ran tcpdump (1) to confirm external network activity.
Afterwards I used chkrootkit (2) and rkhunter (3), which said that it is POSSIBLE that there is malicious software.
I ran clamscan (ClamAV) (4) on every directory from '/' separately (I had to exclude /home): no infections, but 32485 total errors in /sys.
However, running Maltrail (5) at the same time showed two strange actions (ID1 and ID2):
Code:
field        ID 1                    ID 2
threat       ee881995                ae3a2c5e
sensor       eve                     eve
events       2                       1
severity     medium                  medium
first_seen   19th 15:14:52           19th 11:35:49
last_seen    19th 15:14:53           19th 11:35:49
sparkline    -                       -
src_ip       10.8.8.50 [LAN]         10.0.2.51 [LAN]
src_port     42099 and 53949         46857
dst_ip       103.86.99.99 [SG]       103.86.96.100 [AU]
dst_port     53 (dns)                53 (dns)
proto        UDP                     UDP
type         (tiny).cc               (w569ut7zbkiqf5b).xyz
trail        domain (suspicious)     domain (suspicious)
info         (static)                (static)
Before I consider rebuilding my system, I suppose I should first close the hole, but I have little idea about iptables and no properly grounded knowledge of networking at that level.
I use the default settings of ufw and the firewall on the router.
My network looks like: modem (router) >> proper Asus router with up-to-date firmware, firewall, VPN and wifi >> devices
May I ask for recommendations, if there is something I should do better in my Linux settings?
Block inbound DNS on both TCP / UDP port 53; it is possible you may be experiencing a DDoS. DNS queries should not be coming into your private network unless I have misinterpreted your logs.
Just a rule of thumb for firewalls: block everything and only open what is needed. That is just my suggestion and preference.
The NordVPN configuration file is for sure UDP type (https://nordvpn.com/ovpn/), that is why I added udp (properly?).
Anyway, with such a setup I CANNOT LOAD ANY SITES; however my upload and download are active because of two IPs, which I further add to the drop rules:
Code:
# inbound traffic from the two addresses: match on source
# (without a /mask each rule matches only that single address)
sudo iptables -I INPUT  -s 149.154.0.0 -j DROP
sudo iptables -I INPUT  -s 91.108.0.0  -j DROP
# outbound traffic to the same addresses: match on destination (-d), not source (-s)
sudo iptables -I OUTPUT -d 149.154.0.0 -j DROP
sudo iptables -I OUTPUT -d 91.108.0.0  -j DROP
Definitely there is something going on, and after I figure out how to block it properly, I will flush the system and set up proper rules again.
Would you have any hints on how you set up your rules?
Rather than the -L option for iptables, the utilities iptables-save and iptables-restore will produce output that is both easier to read and easier to modify.
Doesn't seem to really work.
Save probably saves stuff, because there is no output.
Restore seems to load and load and load, so I kill the process after some time.
Besides, I have this solution below:
Code:
#!/bin/bash
#
# iptables firewall script
# https://www.rosehosting.com
#
IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips
RULES=/etc/iptables.rules   # one file, used both for saving and for the boot-time restore

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

# drop packets that claim to start a new TCP connection without a SYN
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# let replies to connections this host opened come back in
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

# NOTE: the rules below open INBOUND service ports (they come from a server
# template); a laptop that runs no DNS or web server does not need them
echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT
echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
echo " * allowing ping responses"
# icmp type 8 is echo-request, i.e. this lets other hosts ping this machine
${IPTABLES} -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# DROP everything else and log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

#
# Block abusing IPs
# from ${BLACKLIST}
#
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read -r IP; do
        [[ -z "${IP}" || "${IP}" == \#* ]] && continue   # skip blank lines and comments
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < "${BLACKLIST}"
fi

#
# Save settings
#
echo " * SAVING RULES"
# this hook only runs on ifupdown systems (/etc/network/interfaces);
# NetworkManager-only setups need another mechanism (e.g. iptables-persistent)
if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo "test -e ${RULES} && iptables-restore < ${RULES}" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi
# the original saved to /etc/fwall.rules while the boot hook restored
# /etc/iptables.rules, so the rules never came back after a reboot
iptables-save > "${RULES}"
# parse the saved file without applying it, to catch a broken save early
iptables-restore --test < "${RULES}"
I modified it from the original by deleting these ports from the original solution:
Code:
echo " * allowing ssh on port 5622"
echo " * allowing ftp on port 21"
echo " * allowing smtp on port 25"
echo " * allowing submission on port 587"
echo " * allowing imaps on port 993"
echo " * allowing pop3s on port 995"
echo " * allowing imap on port 143"
echo " * allowing pop3 on port 110"
$ sudo iptables -nvL
Chain INPUT (policy DROP 81009 packets, 118M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
221 107K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
19 2123 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
19 2123 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 121K packets, 8993K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
and it is much better. Today I was under strong bombardment. It is not over though; I still notice noise with
Code:
sudo tcpdump
I am nevertheless happy to have found a first milestone solution to close this event.
What next steps should I take? My operating system most likely has to be exchanged.
What would you say about other devices in the network? Sometimes I see a phone or another laptop from the network pinging me in tcpdump,
but mostly connections come from cloudfront and amazon servers.
What are the rules in this part of the digital universe?
iptables-save will send to standard output. If there was no output, there were no iptables rules to be saved. The saving would be done via a redirection using > or tee.
I found this:
Code:
sudo sh -c "iptables-save > /etc/iptables.rules"
Code:
$ cat iptables.rules
# Generated by xtables-save v1.8.2 on Tue Mar 23 11:32:49 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [25400:2316886]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Tue Mar 23 11:32:49 2021
# Generated by xtables-save v1.8.2 on Tue Mar 23 11:32:49 2021
*nat
:PREROUTING ACCEPT [133:8348]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [569:39050]
:OUTPUT ACCEPT [569:39050]
COMMIT
However, you could have a different solution in mind.
Anyway, you were right: after a computer reboot the iptables rules were not saved, and I had to run the script mentioned in the previous post again.
That means I should make the iptables configuration load on every reboot.
There are a couple of ways: one is to add the script (for example the one above) to `crontab -e` as an `@reboot` entry, to make the rules persistent,
or to install `iptables-persistent`. During installation, the program asked me if I would like to save the current rules. Let's see the outcome after reboot.
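Following the first reply's advice (block everything, open only what is needed) and the iptables-save dump above, here is an added example, not from the thread and not from the rosehosting script, that audits a dump in that format for INPUT rules opening inbound service ports (the 53/80/443 allows in the posted script) and emits a client-only ruleset without them. The sample dump and the function names are constructed for this example.

```shell
#!/bin/sh
# Audit an iptables-save dump for INPUT rules that ACCEPT traffic on a --dport
# (DNS/HTTP/HTTPS listeners a laptop does not need) and emit a client-only
# ruleset. The dump below is constructed and mirrors the rules in this thread.

SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Print "proto port" for each INPUT ACCEPT rule that matches a --dport.
inbound_accepts() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
      proto = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      if (port != "") print proto, port
    }'
}

# Succeeds (exit 0) only when the dump opens no inbound service port.
client_has_no_listeners() {
  [ -z "$(inbound_accepts "$1")" ]
}

# Client-only ruleset in iptables-restore format: loopback and replies in,
# everything else logged (rate-limited) and dropped by the INPUT policy.
client_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}
```

The audit can be pointed at the live firewall with `inbound_accepts "$(sudo iptables-save)"`; the emitted ruleset is applied with `client_ruleset | sudo iptables-restore` after a dry run through `iptables-restore --test`.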
I am just learning pieces of iptables, only to learn that nftables exists, and
"nftables replaces the legacy iptables portions of Netfilter"
source: https://en.wikipedia.org/wiki/Nftables
While KIED is another device in the network,
why would it want to communicate with me anyway AND make the processors do the computation? Computing what?
6. Check if a remote terminal exists and close it. More info here.
7. Edit sysctl.conf to prevent SYN-flood attacks etc.
8. When I am not using the laptop I turn off WLAN in the BIOS.
9. Turn off Bluetooth in the BIOS.
10. Set up a counter and use the commands
"systemctl stop networking" and "nft list ruleset" to check if packets are still going when the internet is down.
Sounds like you put a lot of effort into organizing yourself. Sounds terrific; however, now I don't even understand everything you say, no worries though. I've examined your links (not a book) and got something for myself.
Turning off Bluetooth can be done with a service. Check: `sudo sysv-rc-conf` and cross it off.
systemctl won't work for me unfortunately.