Koozali.org: home of the SME Server

Blocking an IP with the firewall

paquerette

Blocking an IP with the firewall
« on: June 21, 2005, 02:11:38 PM »
Hi,

I have an SME 6.0b3. I've been hijacked by this machine 82.78.197.42
(this b@stard first took control of an old server and then took control of 4 other machines... )

I've successfully taken back my computer and I'd like to add a rule to the firewall to deny any access from this IP.

But with the template system, I'm quite lost...
Could someone help me? (it's quite urgent)

For information, the man installed a new SSHD, an IRC relay server, and a piece of software that scans IP blocks looking for a Samba security breach. And that's all...
He probably took control of the old computer by exploiting an SSH security breach.

Paquerette

paquerette

Blocking an IP with the firewall
« Reply #1 on: June 21, 2005, 04:36:56 PM »
Heeellllpppppppp  :idea:

raem
Re: Blocking an IP with the firewall
« Reply #2 on: June 22, 2005, 11:43:04 AM »
paquerette

> I've a SME 6.0b3 I've been hijacked...
> ....(this b@stard ........
> He probably took control of the old computer by
> exploiting a SSH security breach.

Silly are you then for using an insecure beta release that has been replaced by a final release with even more security updates released for it and with another OS available as a release candidate!

You don't need to block his IP if you use an up to date OS! e.g. 6.0.x or 6.5
...

paquerette

Blocking an IP with the firewall
« Reply #3 on: June 27, 2005, 11:56:41 AM »
Thanks for not helping me... bastard... (in response to your silly insult)...

I don't have time to upgrade, I'll reinstall soon, but meanwhile, I'd like to secure it a bit with firewall rules...
Also, I've updated every RPM with apt-get (since the e-smith project seems to be dead) and an upgrade may not be possible.

But it seems you've just posted to increase your post count...

I do not thank you for your useless answer.

Paquerette

Note: restricting SSH access to a few IPs is good security policy... if the port is blocked you can't even try to exploit a security hole... but you surely are too silly to understand this point

raem
Blocking an IP with the firewall
« Reply #4 on: June 27, 2005, 12:14:40 PM »
paquerette

I notice I was the only person to respond to you, and my suggestion to upgrade was a valid one. Just because you didn't like the answer doesn't give you the right to abuse the poster.

With an ungrateful and discourteous attitude like yours, I hope you get hacked again!
...

paquerette

Blocking an IP with the firewall
« Reply #5 on: June 27, 2005, 12:37:02 PM »
Quote
Silly are you then for


 :hammer: You start abusing me...!

What should I say... I asked for help, got abused, and if you think for 2 seconds: has your answer helped me? NO, so you can delete it... It will help nobody to customize firewall rules...

What's the use of this board then: being abused and reading useless silly text

And how silly it is to wish someone gets hacked...
So that his machine gets used to DDoS your machine, so that his machine gets used to send more spam into your mailbox, so that it's used for more nasty purposes... You are the heart of silliness

go to hell...

gordonr
http://www.smeserver.com.au/
Blocking an IP with the firewall
« Reply #6 on: June 28, 2005, 01:58:39 AM »
Quote from: "paquerette"

What's the use of this board then : being abused and read useless silly text


I understand your frustration, but running an insecure Beta is a very dangerous thing to do. You may feel you don't have time to upgrade, but similarly people don't have time to spend on known issues with insecure Betas.

If your box has been compromised, you must start afresh. You cannot be certain that you have removed all traces of the attack unless you do.
    - Take a backup
    - Reinstall with a clean version
    - Apply all updates
    - Use the server-manager to restore, which only restores user files
    - rm /root/.ssh/authorized_keys*
    - rm /home/e-smith/files/users/*/.ssh/authorized_keys*


Quote from: "paquerette"

And How silly it is to wish someone get hacked...


I totally agree. That is a completely inappropriate thing to wish on anyone.
............
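The last two steps of Gordon's list delete the authorized_keys files that gave the attacker his way in. On an incident-response rebuild it is worth recording what those files contained before they go, because the key comments and any forced-command options are evidence of how the box was reached. The script below is an added example, not code from the thread or from SME Server: it walks the two locations Gordon names, relative to a root directory you pass in (so it can also be run against a mounted image of the old disk or a test tree), summarizes each key, and then removes the files. The directory layout and the `--dry-run` flag are assumptions for the example.

```python
"""Added example (not from the thread or from SME Server): audit and remove
SSH authorized_keys files on a compromised box, recording what was there
before deleting.

Assumption: the layout mirrors Gordon's two rm targets,
/root/.ssh/authorized_keys* and /home/e-smith/files/users/*/.ssh/authorized_keys*,
relative to a filesystem root passed in by the caller.
"""
import glob
import os

# The two locations Gordon names, relative to the filesystem root.
KEY_GLOBS = (
    "root/.ssh/authorized_keys*",
    "home/e-smith/files/users/*/.ssh/authorized_keys*",
)

# Prefixes that mark the key-type token on an authorized_keys line.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def find_authorized_keys(fs_root):
    """Return sorted paths of every authorized_keys* file under fs_root."""
    found = []
    for pattern in KEY_GLOBS:
        found.extend(glob.glob(os.path.join(fs_root, pattern)))
    return sorted(found)


def summarize_keys(path):
    """Return (key_type, options_and_comment) for each key line.

    An authorized_keys line is: [options] keytype base64 [comment].
    Options such as command="..." are attacker-relevant, so they are kept
    in the summary alongside the comment.
    """
    summary = []
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            idx = next(
                (i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)),
                None,
            )
            if idx is None:
                summary.append(("unknown", line[:60]))
                continue
            options = " ".join(fields[:idx])
            comment = " ".join(fields[idx + 2:]) if len(fields) > idx + 2 else ""
            summary.append((fields[idx], (options + " " + comment).strip()))
    return summary


def audit_and_remove(fs_root, dry_run=False):
    """Record every key found, then delete the files unless dry_run.

    Returns {path: [(key_type, options_and_comment), ...]} so the report
    survives the deletion and can go into the incident notes.
    """
    report = {}
    for path in find_authorized_keys(fs_root):
        report[path] = summarize_keys(path)
        if not dry_run:
            os.remove(path)
    return report


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    root = args[0] if args else "/"
    for path, keys in audit_and_remove(root, dry_run="--dry-run" in sys.argv).items():
        print(path)
        for ktype, comment in keys:
            print("   ", ktype, comment)
```

Run it with `--dry-run` first against the mounted old disk to see what was planted, then for real on the rebuilt box after the server-manager restore (which, as Gordon notes, only brings back user files, so a stray key in a user's home is exactly what this catches).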

gordonr
http://www.smeserver.com.au/
Blocking an IP with the firewall
« Reply #7 on: June 28, 2005, 02:00:05 AM »
Quote from: "RayMitchell"

With an ungrateful and discourteous attitude like yours, I hope you get hacked again!


Sorry Ray - that's totally inappropriate in this forum, or anywhere else.
............

raem
Blocking an IP with the firewall
« Reply #8 on: June 28, 2005, 06:45:43 AM »
gordonr & paquerette

> Sorry Ray - that's totally inappropriate in this
> forum, or anywhere else

Before reading the last two posts I did feel that comment should be clarified, so I will.

My words were an abbreviation of my thoughts; English being what it is, it can be misconstrued when abbreviated.

I believe I meant that seeing paquerette still wished to run a beta version which has publicly announced security issues, then if he continued using that he would likely get hacked again, even if he "added a rule to the firewall to deny any access from this IP".
In that case he hopefully would then realise that it was not wise to run insecure betas and would in fact take the time to upgrade (as suggested by Gordon also).

It was not meant as a wish for him to get hacked with detrimental consequences as such (as I hope he doesn't really mean I'm a bastard and wishes me to go to hell), but more that if he did get hacked again then hopefully he would learn a lesson from it that time, whereas at present he seemed not to be learning the lesson and still wished to persist with the insecure beta.


Re:
> Note : restricting ssh access to a few IP is good security policy...

I believe Gordon has posted a specific answer as to how to do that in another post today, see

http://forums.contribs.org/index.php?topic=27855.msg115824#msg115824
...

paquerette

Blocking an IP with the firewall
« Reply #9 on: June 29, 2005, 09:53:00 PM »
Hi,

My e-smith was up to date thanks to the apt-get upgrade command... (the only RPM I didn't update was quota* as there were 2 RPMs, one from Mitel, one normal)
I didn't wait for updates from Mitel or contribs as the leadership of the project was slowly changing...
 
The security hole was that the original server that was hacked had passwordless SSH root access to my e-smith (with authorized_keys) (I know, this is silly...) so that backups could be sent through SSH.

The hacker was using the same IP to connect to 4 machines, so blocking his IP was a good thing.
Or even better, restricting SSH access to only 3 IPs (3 places where I usually work)

This could have secured my box for a while, as I really need this box to be up for a week or two.

Quote
whereas at present he seemed not be be learning the lesson and still wished to persist with the insecure beta.


I did learn it, but you're not in my position, I've a looootttt of work to do to set up a new production server for my company (and also 3 Linux boxes to reinstall). My personal box is less important.
I enforce security policy where it can save jobs.

Finally, the doom of my e-smith is to run with Gentoo, and the fresh install Gordon was advising will be made in a few weeks.

Quote
(as I hope he doesn't really mean I'm a bastard and wishes me to go to hell)

Sorry... I was a bit angry...


so maybe this

Code:

db configuration set msterminalserver service \
    TCPPort 22 \
    access public \
    status enabled \
    AllowHosts ip1 ip2 ip3


will only let TCP traffic through port 22 for IPs 1, 2, 3?

Paquerette

raem
Blocking an IP with the firewall
« Reply #10 on: June 29, 2005, 10:11:55 PM »
paquerette

> Finally, the doom of my e-smith is to run with
> gentoo and the fresh install Gordon was advising
> will be made in a few weeks.

Gordon is correct to advise you to rebuild the hacked server completely, that's the only safe way.

If you decide to stay with the current box, it will only take 10-15 minutes to upgrade from 6b3 to 6.0.x, assuming no issues with incompatible contribs.


I was referring to:

If you have e-smith-packetfilter-1.15.0-03 or above installed, which you can get from here
ftp://ftp.ibiblio.org/pub/linux/distributions/e-smith/contrib/GordonRowell/RPMS/noarch/
you can do the following:

Code:
/sbin/e-smith/db configuration setprop sshd TCPPort 22
/sbin/e-smith/db configuration setprop sshd AllowHosts <list>
/sbin/e-smith/signal-event remoteaccess-update

where <list> is a comma separated list of IP addresses and/or netmasks (e.g. 16.17.18.19,203.14.64.0/24).

SSH will then only be allowed from those IP addresses. The firewall code will drop ssh connections from any other hosts.
...
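Before committing an AllowHosts value with `db configuration setprop` and `signal-event remoteaccess-update`, it is worth checking the list the way the firewall will read it: every entry parses as an address or CIDR network, the addresses you administer from are inside it (otherwise you lock yourself out of a box that needs to stay up), and the attacker's address is not. The block below is an added example, not code from the thread or from e-smith-packetfilter; it models the policy raem describes ("accept SSH from the listed sources, drop it from everyone else") and prints an illustrative iptables equivalent. The rule text is an illustration of the effect, not the real output of the SME templates, and the sample values in the `main` section are constructed from raem's example list and the IP in the first post.

```python
"""Added example (not from the thread or from e-smith-packetfilter): model
what the sshd AllowHosts setting does at the firewall, so the list can be
checked before it is applied.

Assumptions: AllowHosts is the comma-separated list of IPs and/or CIDR
networks raem describes; the iptables rules produced here illustrate the
resulting policy and are not the SME templates' real output.
"""
import ipaddress


def parse_allowhosts(allowhosts):
    """Turn '16.17.18.19,203.14.64.0/24' into a list of IPv4 networks.

    Raises ValueError on junk or an empty list so a typo cannot silently
    lock everyone out (or let everyone in).
    """
    nets = []
    for item in allowhosts.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False accepts 203.14.64.1/24 and normalizes it to /24.
        nets.append(ipaddress.IPv4Network(item, strict=False))
    if not nets:
        raise ValueError("AllowHosts is empty: nothing would be able to ssh in")
    return nets


def is_allowed(src_ip, nets):
    """Would a connection from src_ip reach sshd under this AllowHosts?"""
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, port=22):
    """Illustrative rule set: one ACCEPT per allowed source, then DROP."""
    rules = []
    for net in nets:
        rules.append(
            "iptables -A INPUT -p tcp --dport %d -s %s -j ACCEPT"
            % (port, net.with_prefixlen)
        )
    rules.append("iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    return rules


def check_policy(allowhosts, must_allow, must_drop):
    """Verify an AllowHosts value against known-good and known-bad sources.

    must_allow: the IPs you administer from (lock-out check).
    must_drop: the attacker's IP(s) (the point of the exercise).
    Returns a list of human-readable problems; empty means the list is OK.
    """
    nets = parse_allowhosts(allowhosts)
    problems = []
    for ip in must_allow:
        if not is_allowed(ip, nets):
            problems.append("%s would be locked out" % ip)
    for ip in must_drop:
        if is_allowed(ip, nets):
            problems.append("%s would still be allowed" % ip)
    return problems


if __name__ == "__main__":
    # Constructed sample: raem's example list, checked against the attacker
    # IP from the first post and two assumed admin locations.
    allow = "16.17.18.19,203.14.64.0/24"
    print("\n".join(iptables_rules(parse_allowhosts(allow))))
    print(check_policy(allow, ["16.17.18.19", "203.14.64.7"], ["82.78.197.42"]))
```

If `check_policy` comes back empty, the value is safe to hand to `db configuration setprop sshd AllowHosts`; a non-empty result tells you which side of the policy is wrong before the firewall is reloaded. As Gordon says later in the thread, this only makes sense on a rebuilt box: on the compromised one the sshd itself is not trustworthy.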

gordonr
http://www.smeserver.com.au/
Blocking an IP with the firewall
« Reply #11 on: June 30, 2005, 12:08:26 AM »
Quote from: "paquerette"

I did learn it, but you're not in my position, I've a looootttt of work to do to set up a new production server for my company (and also 3 Linux boxes to reinstall). My personal box is less important.
I enforce security policy where it can save jobs.


A word of advice - always assume that other people are at least as busy as you are. You are asking for their help - assume that their time is at least as valuable as yours.

Thanks,

Gordon
............

paquerette

Blocking an IP with the firewall
« Reply #12 on: June 30, 2005, 01:21:00 AM »
Quote from: "gordonr"
Quote from: "paquerette"

I did learn it, but you're not in my position, I've a looootttt of work to do to set up a new production server for my company (and also 3 Linux boxes to reinstall). My personal box is less important.
I enforce security policy where it can save jobs.


A word of advice - always assume that other people are at least as busy as you are. You are asking for their help - assume that their time is at least as valuable as yours.

Thanks,

Gordon



Fine... so why not just answer the question (blocking an IP with the firewall) and afterwards make some suggestions...

I would have answered like this... that's why I was a bit frustrated not to have my answer ;)

paquerette

Blocking an IP with the firewall
« Reply #13 on: June 30, 2005, 01:22:19 AM »
Quote from: "RayMitchell"
paquerette

> Finally, the doom of my e-smith is to run with
> gentoo and the fresh install Gordon was advising
> will be made in a few weeks.

Gordon is correct to advise you to rebuild the hacked server completely, that's the only safe way.

If you decide to stay with the current box, it will only take 10-15 minutes to upgrade from 6b3 to 6.0.x, assuming no issues with incompatible contribs.


I was referring to:

If you have e-smith-packetfilter-1.15.0-03 or above installed, which you can get from here
ftp://ftp.ibiblio.org/pub/linux/distributions/e-smith/contrib/GordonRowell/RPMS/noarch/
you can do the following:

Code:
/sbin/e-smith/db configuration setprop sshd TCPPort 22
/sbin/e-smith/db configuration setprop sshd AllowHosts <list>
/sbin/e-smith/signal-event remoteaccess-update

where <list> is a comma separated list of IP addresses and/or netmasks (e.g. 16.17.18.19,203.14.64.0/24).

SSH will then only be allowed from those IP addresses. The firewall code will drop ssh connections from any other hosts.


Thanks a lot for the answer  :-)

gordonr
http://www.smeserver.com.au/
Blocking an IP with the firewall
« Reply #14 on: June 30, 2005, 03:00:04 AM »
Quote from: "paquerette"

Fine... so why not just answering the question (blocking an ip with the firewall) and after make some suggestion...


My initial post told you to backup/reinstall/restore. A hijacked box is a hijacked box and cannot be trusted.

I stand by my advice that there is no safe alternative to a reinstall/restore - blocking specific IPs from SSH access doesn't help when the box has already had SSHD compromised.

My other post told you how to allow SSH for specific hosts. But there is no point in doing that on an already compromised box.
............