Another Hacker Question, sorry sorry sorry , but I need your exp
Robert83
post Mar 23 2004, 10:54 AM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hi ,

it's me again, well today is the BIG day, I got a phone call that the hacker said that I should turn my computer on [ :) :) :) it's always online :) :) ],

the question is, I know your experience in this is 100x better than mine, is a sign of a hacker attack always a portscan? or are there other signs?

I mean when I watch in realtime the messages.log [it's sorta like the matrix :) ], I know by now [thanks to www.grc.com], that when a scan is triggered it runs really fast, same ip address, port numbers changing one by one ...etc..is there another sign of this?

also, do you have experience with Immunix [was just reading about it, seems that it's designed to be really secure out of the box]

Sincerely
Robert B

ps.: sorry for asking again about this thing :) [please forgive :) ]


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
Corey
post Mar 23 2004, 11:19 AM
Post #2


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 1,254
Joined: 21-September 02
From: St John's, Newfoundland, Canada
Member No.: 3



Lol, I never realized it, but your /var/log/messages is like looking at the matrix.

sorry, I have no answer to your question, I just found that funny.


--------------------
Corey Quilliam
(former) Linuxhelp.ca Administrator
cquilliam-AT-gmail-dot-com

Want to help out Linuxhelp.net? Check out our Linuxhelp Wiki and see if there are some articles you would like to submit!!

--
Ubuntu 8.04 64-bit - Work Laptop (HP-Compaq NC6400 Core2)
Kubuntu 8.04 64-bit - Desktop (HP m8120n QuadCore)
Ubuntu 6.04 - Server (I'm not upgrading this baby until support runs out in 2012) (Some old POS dell)
hughesjr
post Mar 23 2004, 09:33 PM
Post #3


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



Well ... the way it works is normally like this...

The person is going to have to find a vulnerability ... He might just try a couple big ones, but normally a port scanner is used to try and find specific ports or services running. So at least the major ports, like 21, 22, 25, 80, 110, 135, 137, 139, 443, 445 will be checked. If they find any of these open (like in your case port 80) then they might see what version your webserver is and try a known exploit for that ... or if they see port 22 open for ssh, they'll try the ssh protocol 1 exploit, etc.

Mostly, they will have their packets dropped with your firewall, except for maybe port 80 to a webserver.

So the only real thing they could try to exploit is the IPTABLES itself with something like a buffer overflow, or the Apache server (if you still have port 80 in forwarded to a web server).

I think you will pass...


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
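Robert's opening question (what a scan looks like in messages.log: same source, port numbers changing one after another) and Johnny's list of the ports a scanner usually walks through can be turned into a concrete detection check. The script below is an added example, not code from this thread or from any project mentioned in it: it parses kernel LOG lines of the shape the thread's `--log-prefix iptables` rules write to /var/log/messages, groups dropped packets by source address, and reports any source that hits a threshold of distinct destination ports within a short time window. The hostname, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of a kernel LOG line in /var/log/messages. The thread's rules use
# "--log-prefix iptables" with no trailing space, so the prefix runs straight
# into "IN="; the lazy ".*?" after "kernel: " absorbs whatever prefix is there.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def _tcp_drop(ts, src, dpt, ident):
    """Build one constructed TCP SYN log line in the kernel's LOG format."""
    return (f"{ts} fw kernel: iptablesIN=eth1 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID={ident} DF PROTO=TCP "
            f"SPT={40000 + ident} DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0")


# Constructed sample: one fast scanner walking the ports Johnny lists within
# three seconds, one host retrying ident (113) normally, one slow source that
# touches three ports over half an hour, and an ICMP echo that carries no port.
SAMPLE_LOG = [
    *[_tcp_drop(f"Mar 23 10:52:0{i // 3 + 1}", "203.0.113.7", port, 100 + i)
      for i, port in enumerate([21, 22, 25, 80, 110, 135, 139, 443, 445])],
    _tcp_drop("Mar 23 10:53:10", "198.51.100.5", 113, 201),
    _tcp_drop("Mar 23 10:53:11", "198.51.100.5", 113, 202),
    _tcp_drop("Mar 23 10:53:13", "198.51.100.5", 113, 203),
    _tcp_drop("Mar 23 10:40:00", "203.0.113.9", 22, 301),
    _tcp_drop("Mar 23 10:55:00", "203.0.113.9", 25, 302),
    _tcp_drop("Mar 23 11:10:00", "203.0.113.9", 80, 303),
    "Mar 23 11:10:05 fw kernel: iptablesIN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=300 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
]


def parse_line(line):
    """Return a dict of the interesting fields, or None if this is not a LOG line.
    The syslog timestamp has no year, so it parses to year 1900; only
    differences between timestamps are used, so that is harmless here."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def find_port_scans(lines, window_seconds=10, min_ports=5):
    """Map each source address that reached at least min_ports distinct
    destination ports inside any window_seconds span to the sorted list of
    every port it touched. Lines without a port (ICMP) are ignored."""
    hits_by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] is not None:
            hits_by_src[rec["src"]].append((rec["ts"], rec["dpt"]))

    scans = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans window_seconds at most.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({port for _, port in hits[start:end + 1]}) >= min_ports:
                scans[src] = sorted({port for _, port in hits})
                break
    return scans


if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

To run it against a real file, replace SAMPLE_LOG with the lines of /var/log/messages; the thresholds are deliberately loose defaults and should be tuned to what the firewall normally drops, since a single host legitimately retrying one port, as 198.51.100.5 does here, must not trigger the check.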
hughesjr
post Mar 26 2004, 06:00 AM
Post #4



How did this turn out?


Robert83
post Mar 26 2004, 06:17 AM
Post #5



Hi,

I think it was a local guy, who works in a computer store here in my city [the client never told me who he is, I mean the hacker], but there is only one "stupid" guy like this in my city, who thinks he's god. The hacker still says that my computer is not turned on, because he can't ping me ... and he also told my client that once he would be able to ping me, he would be able to hack me... well I'm not a pro in linux, but even I need to laugh at that :) :) :), I called my client and told him to tell the hacker that "hahahaha, do you want me to share my / and write readme files in my /home on what to do with the system in order to change things inside it ".

Just a note this guy [which I'm 99.99% sure is him], told me once [when I was about to begin my journey into the world of linux], that even win95 is better than any distro of linux, and that win98 is better than winxp etc...

So you know how it is...they hate me, well actually every guy related to computers [and not selling parts to me], hates me, because I take away clients from them...but I'll try living with it :)

Thanks for your help! :)

Sincerely
Robert B

ps.: I don't say that my firewall is unbeatable, nor do I think that if I know how to set up a firewall, I know everything about linux, but this guy was just "stupid".


hughesjr
post Mar 26 2004, 07:40 AM
Post #6



My external IP address is also not pingable from the outside ... but it is there....I get e-mail and webhits all the time...but pings are blocked. (To fool people {like your hacker} who think ... If I can't ping it, it's not there)!

If your client (and not the hacker) doesn't think your external computer is there ... setup a website with a port 80 open ... tell the client it is there, let him surf to it ... tell the client to have his hacker try to get in .... when the hacker says, hey his computer isn't even on ... tell the client to go back to the website and see that your computer is indeed ON .. and not detectable (much less hackable) by the hacker....should be a sure sell!


Robert83
post Mar 26 2004, 07:43 AM
Post #7



Okay,

I'll do it

I mean I'll start Apache up, with default settings

should be safe if I forward port 80 to my computer 192.168.0.102 right?

Sincerely
Robert B


Robert83
post Mar 26 2004, 09:01 AM
Post #8



Hi,

well I've added a network card to my firewall, eth2, so:
eth0 lan eth1 internet eth2 webserver

eth2 at the firewall is 192.168.100.1
and at the webserver site is 192.168.100.2

my nat server is 192.168.10.2
eth0 is 192.168.10.1

here is my iptables rules

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx


The problem is that I cannot access the webserver from my computer 192.168.0.102 [which is going out through the NAT server], I type my public ip address like this in mozilla http://xxx.xxx.xxx.xxx and then on the firewall computer while watching what is dropped I get 192.168.10.2 trying to connect to 192.168.100.2 port 80 ... what is wrong here in this firewall ruleset?

Sincerely
Robert B


Robert83
post Mar 26 2004, 09:30 AM
Post #9



forgot to add the line :

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT

:)

Sincerely
Robert B


Robert83
post Mar 26 2004, 10:52 AM
Post #10



Hi,

is the above mentioned iptables ruleset a good one with this DMZ , is this the way to do it properly?

Sincerely
Robert B


Robert83
post Mar 26 2004, 02:04 PM
Post #11



Hi,
this is how my iptables looks now :

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -A POSTROUTING -t nat -s 192.168.100.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

the problem is that I can't access my webpage from the internal lan [I type 217.26.69.17], but I can access it from the outside world...

iptables simply drops outgoing packets from 192.168.100.2 to 192.168.10.2

it writes out a line like this
IptablesIN=eth2 OUT=eth0 SRC=192.168.100.2 DST=192.168.10.2 LEN=60 TOS=0x00 ....
IptablesIN=eth0 OUT=eth2 SRC=192.168.10.2 DST=192.168.100.2 ...

what is the problem?

Sincerely
Robert B


Robert83
post Mar 27 2004, 08:11 AM
Post #12



please forgive me that I post this again,
but please help me, what did I do wrong, what was the mistake that I made?
I was trying to figure this out, but I just can't...maybe I'm overlooking something...

Sincerely
Robert B


hughesjr
post Mar 27 2004, 01:47 PM
Post #13



I don't see anything wrong ... try putting the PREROUTING line before the :

iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
------------------------------------------
also ... when you get it working ...... change the:

iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

to

iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

(otherwise if someone breaks into the webserver, they can get into the internal LAN)


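Johnny's two points here, that rule order matters and that the eth2-to-eth0 rule should only pass ESTABLISHED,RELATED traffic, are easiest to see by walking packets through the FORWARD chain the way the kernel does: the first matching rule decides. The Python below is an added example, not code from this thread or from the iptables project. It models Robert's FORWARD chain with the interfaces and ports as posted (eth0 LAN, eth1 internet, eth2 DMZ web server), and evaluates constructed packets against three variants: the chain as first posted with an unrestricted eth2-to-eth0 ACCEPT, the chain with Johnny's stateful rule, and a chain in which the catch-all drop-and-log-it sits above the eth0-to-eth2 ACCEPT. The packet states are what conntrack would assign; the destination ports other than 80 are made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One FORWARD-chain rule; a field left as None means 'not specified'."""
    target: str                         # "ACCEPT" or "drop-and-log-it"
    in_iface: Optional[str] = None      # -i
    out_iface: Optional[str] = None     # -o
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    states: Optional[frozenset] = None  # -m state --state ...

    def matches(self, pkt: dict) -> bool:
        return ((self.in_iface is None or pkt["in"] == self.in_iface)
                and (self.out_iface is None or pkt["out"] == self.out_iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.states is None or pkt["state"] in self.states))


EST = frozenset({"ESTABLISHED", "RELATED"})
NEW_EST = frozenset({"NEW", "ESTABLISHED", "RELATED"})


def forward_chain(dmz_to_lan_stateful: bool = True) -> list:
    """Robert's FORWARD chain, with the eth2->eth0 rule either unrestricted
    (as first posted) or limited to ESTABLISHED,RELATED as Johnny advised."""
    dmz_to_lan = Rule("ACCEPT", "eth2", "eth0",
                      states=EST if dmz_to_lan_stateful else None)
    return [
        Rule("ACCEPT", "eth0", "eth1"),                 # LAN -> internet
        Rule("ACCEPT", "eth2", "eth1"),                 # DMZ -> internet
        Rule("ACCEPT", "eth0", "eth2"),                 # LAN -> DMZ
        dmz_to_lan,                                     # DMZ -> LAN
        Rule("ACCEPT", "eth1", "eth0", states=EST),     # replies into the LAN
        Rule("ACCEPT", "eth1", "eth2", proto="tcp", dport=80, states=NEW_EST),
        Rule("drop-and-log-it"),                        # catch-all, last
    ]


def misordered_chain() -> list:
    """Same rules, but the catch-all drop placed ahead of the eth0->eth2 ACCEPT."""
    chain = forward_chain()
    catch_all = chain.pop()
    chain.insert(2, catch_all)
    return chain


def evaluate(chain: list, pkt: dict, policy: str = "ACCEPT"):
    """First match wins, as when the kernel walks a chain. The user-defined
    drop-and-log-it chain (LOG then DROP) is modelled as a DROP verdict.
    Returns (verdict, index of the matching rule, or None for the chain policy)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            verdict = "DROP" if rule.target == "drop-and-log-it" else rule.target
            return verdict, i
    return policy, None


# Constructed packets. The LAN client reaches the web server after PREROUTING
# DNAT, so the forwarded packet already carries the DMZ address as destination.
LAN_TO_DMZ_NEW = {"in": "eth0", "out": "eth2", "proto": "tcp", "dport": 80, "state": "NEW"}
DMZ_TO_LAN_REPLY = {"in": "eth2", "out": "eth0", "proto": "tcp", "dport": 35000, "state": "ESTABLISHED"}
DMZ_TO_LAN_NEW = {"in": "eth2", "out": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
INET_TO_DMZ_HTTP = {"in": "eth1", "out": "eth2", "proto": "tcp", "dport": 80, "state": "NEW"}
INET_TO_DMZ_SSH = {"in": "eth1", "out": "eth2", "proto": "tcp", "dport": 22, "state": "NEW"}
INET_TO_LAN_NEW = {"in": "eth1", "out": "eth0", "proto": "tcp", "dport": 139, "state": "NEW"}

if __name__ == "__main__":
    cases = {"LAN->DMZ new": LAN_TO_DMZ_NEW, "DMZ->LAN reply": DMZ_TO_LAN_REPLY,
             "DMZ->LAN new": DMZ_TO_LAN_NEW, "inet->DMZ :80": INET_TO_DMZ_HTTP,
             "inet->DMZ :22": INET_TO_DMZ_SSH, "inet->LAN new": INET_TO_LAN_NEW}
    for name, pkt in cases.items():
        print(f"{name:15} unrestricted={evaluate(forward_chain(False), pkt)[0]:6} "
              f"stateful={evaluate(forward_chain(True), pkt)[0]:6} "
              f"misordered={evaluate(misordered_chain(), pkt)[0]}")
```

The "DMZ->LAN new" row is the one Johnny's advice is about: with the unrestricted rule a connection the web server initiates into the LAN is accepted, with the stateful rule only replies to connections the LAN opened get through. The evaluator models exactly the rules listed; a real chain that was not flushed before the script re-ran would also still contain whatever earlier runs appended ahead of these, which is one common way an ACCEPT ends up shadowed by a catch-all drop.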
Robert83
post Mar 27 2004, 02:09 PM
Post #14



Thank you for the info
and THANK you for your advice!

thanx smile.gif

Sincerely
Robert B


Robert83
post Mar 27 2004, 02:29 PM
Post #15



Hi I did what you told me to do,

and I get the following drop-and-log it now...

iptables IN=eth0 OUT=eth2 SRC=192.168.10.2[nat/proxy/dns-->I'm behind this[192.168.0.102]] DST=192.168.100.2 [webserver]
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -A POSTROUTING -t nat -s 192.168.100.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx


Sincerely
Robert B


hughesjr
post Mar 27 2004, 03:16 PM
Post #16



Try moving the

iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it

to the bottom of the script...


Robert83
post Mar 27 2004, 06:57 PM
Post #17



Hi,
it works now, thank you for your help very-very much! :)


Guess what, as you know Fedora Core 1 [the mythtv test thingie], I just set it up to work as a webserver [using default, no iptables or any security], well I just sat by it to check something out, the monitor was blank so I moved the mouse, and I saw at the login the following: Fedora Core Eliminated. Now this is either a hacker attack or my friend [he is going to get it tomorrow], I've checked the system with ./chkrootkit, found nothing, also checked the log files for apache, no one from the world logged into it, only me from my other cable modem [which has a private ip address].

So I don't know whether to panic or not...I guess a hacker would normally not do such a thing since this would reveal him to me, and that's something a hacker would normally not want, right...?


Thanks for your iptables help again, thank you thank you thank you :)

Sincerely
Robert B

