Thursday, February 02, 2006

APF, Iptables, hackers and some random thoughts

So I logged in yesterday to a server recently handed over to me. Upon login, I found the following report of hackers trying to break in using brute force attacks.

Username   Failures  Maximum  Latest
root          16640        0  Thu Feb 2 -0600 on 209.160.64.
bin              24        0  Thu Feb 2 -0600 on 83-103-110-
daemon           68        0  Thu Feb 2 -0600 on 206.40.148.
adm              94        0  Thu Feb 2 -0600 2006 on ssl.ctssg.c
lp               58        0  Thu Feb 2 -0600 2006 on 83-103-110-
sync             20        0  Thu Feb 2 -0600 2006 on 83-103-110-
shutdown         20        0  Thu Feb 2 -0600 2006 on 83-103-110-
halt             20        0  Thu Feb 2 -0600 2006 on 83-103-110-
mail             68        0  Thu Feb 2 -0600 2006 on 59.3.116.92
news             87        0  Thu Feb 2 -0600 2006 on 125.251.123
uucp             18        0  Thu Feb 2 -0600 2006 on 83-103-110-
operator         23        0  Thu Feb 2 -0600 2006 on 83-103-110-
games            73        0  Thu Feb 2 -0600 2006 on 125.251.123
gopher           12        0  Thu Feb 2 -0600 2006 on 192.38.8.20
ftp             334        0  Thu Feb 2 -0600 2006 on 211.154.205
squid            55        0  Thu Feb 2 -0600 2006 on 219.84.168.
named            99        0  Thu Feb 2 -0600 2006 on 125.251.123
mysql           470        0  Thu Feb 2 -0600 2006 on 211.154.205
rpcuser          15        0  Thu Feb 2 -0600 2006 on 220.80.132.
rpc              12        0  Thu Feb 2 -0600 2006 on 192.38.8.20
apache          260        0  Thu Feb 2 -0600 2006 on 83.228.113.
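
The report above is a per-account summary; to act on it you need the per-source view, because one attacking address cycles through many account names. The shell script below is added here as an example and is not part of the original post: it aggregates constructed sshd log lines (RFC 5737 documentation addresses, not a capture from any real server) by source address and prints the `apf -d` commands an operator would review before running them. The threshold, the allow-list argument and the log lines are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sshd log lines for the example (documentation addresses only).
SAMPLE_LOG='Feb  2 03:14:07 host sshd[2234]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb  2 03:14:09 host sshd[2236]: Failed password for invalid user bin from 203.0.113.7 port 40130 ssh2
Feb  2 03:14:11 host sshd[2238]: Failed password for invalid user daemon from 203.0.113.7 port 40138 ssh2
Feb  2 03:14:13 host sshd[2240]: Failed password for invalid user adm from 203.0.113.7 port 40144 ssh2
Feb  2 03:14:15 host sshd[2242]: Failed password for root from 203.0.113.7 port 40150 ssh2
Feb  2 03:16:40 host sshd[2260]: Failed password for invalid user mysql from 192.0.2.44 port 3921 ssh2
Feb  2 03:16:42 host sshd[2262]: Failed password for invalid user ftp from 192.0.2.44 port 3925 ssh2
Feb  2 03:20:01 host sshd[2300]: Accepted publickey for frank from 198.51.100.5 port 51000 ssh2
Feb  2 03:21:11 host sshd[2310]: Failed password for frank from 198.51.100.5 port 51010 ssh2'

# Count failed logins per source address from sshd lines on stdin.
# Output: "<failures> <source-ip>", highest count first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Sources with at least $1 failures: candidates for an APF deny rule.
# Addresses in $2 (space separated, e.g. your own servers) are never reported,
# so a typo in your own password cannot lock out a legitimate host.
deny_candidates() {
    failed_by_source | awk -v threshold="$1" -v allow=" $2 " \
        '$1 >= threshold && index(allow, " " $2 " ") == 0 { print $2 }'
}

# Print the apf commands an operator would review before running them
# (the post uses apf -d to block an address). Nothing is executed here.
apf_deny_commands() {
    deny_candidates "$1" "$2" | sed 's|^|/etc/apf/apf -d |'
}

# Usage: three or more failures, with our own management host allow-listed.
printf '%s\n' "$SAMPLE_LOG" | apf_deny_commands 3 "198.51.100.5"
```

Run against a real server, replace the embedded sample with `tail -n 5000 /var/log/secure` (or wherever sshd logs on the distribution) and keep the allow-list populated with every address you administer from.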



As if these idiotic hackers (and spammers) aren't enough to "boil your blood", as Ronald puts it, the firewall on my server won't let me connect to another server of mine.

Since yesterday, I have been trying to troubleshoot a faulty APF/iptables configuration on one of my servers. The configuration was set up by a colleague of mine and nonetheless, it brought more headaches than anything I could've imagined (Sorry man, but you gotta pay more attention to rules when adding them).

The problem was that though I could ping my server A from server B, I couldn't connect to it using SSH nor using MySQL. I had explicitly allowed connections from server B and had added server A to the hosts.allow file, to no avail.

After more than 16 hours of pulling my hair out with the old firewall configuration (with more than 2000 rules), I finally decided that it was time to try upgrading APF to the most recent version.

Here are some of the helpful commands for reference:

List iptables rules

iptables --list


List IP addresses and port numbers in numeric format:

iptables --list -n


iptables help reference

iptables -h


View current iptables rules

less /etc/sysconfig/iptables


View current APF rules (I hate that the output is shown in pico instead of vi/vim)

apf --list


To fix, I upgraded apf and edited hosts.allow

sshd, imapd, mysqld:XXX.XX.XXX.XXX.86


Once again added the server to /etc/apf/allow_hosts.rules by allowing it explicitly

apf -a XXX.XX.XXX.XXX.86


and using IPTables (if you have no firewall)

iptables -A INPUT -p all -s XXX.XXX.XXX.XXX.86 -j ACCEPT


then reloaded APF and iptables.

To block an IP explicitly using APF, you can use (hacker's address):

/etc/apf/apf -d XX.141.48.33



The lesson I learned is that it's much better to let go of your old firewall and use a new one if the current configuration (set up by someone else) is not working.

If you use Firefox and still don't have Jennifer Madden's visual extension installed, do so now as I highly recommend it.

Jay is talking about holding a regional meeting of MySQL users in Columbus, OH. I wish they would come near Atlanta, GA or Greenville, SC soon so I could get to meet all the cool folks.

I really liked Stewart's comments on having an integrated place for comments and documentation with a nice interface. Maybe if I get time, I will jump on the idea.

Mike has made available Sakila Schema 0.3 which can be downloaded here. Mike, your hard work on the documentation and guiding the community is greatly appreciated.

What a day indeed!

Frank
P.S. If anyone wants to brainstorm on setting up a next-generation spam and hacker blocking and reporting system, I am all ears.

Resources: hosts.allow, SSH for TCP wrappers, RHCE Security Guide, IPTables tutorial

2 comments:

James said...

Hello, I have trouble connecting to mysql from a different machine.
I can connect to mysql after I stop my iptables, but could not connect when I start iptables.
My iptables looks like the following:

Chain INPUT (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target               prot opt source      destination
ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source      destination
ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT               icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 255
ACCEPT               esp  --  0.0.0.0/0   0.0.0.0/0
ACCEPT               ah   --  0.0.0.0/0   0.0.0.0/0
ACCEPT               udp  --  0.0.0.0/0   224.0.0.251 udp dpt:5353
ACCEPT               udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:631
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:631
ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:21
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:8080
REJECT               all  --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited

Could you tell what is wrong?

Thanks!
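
One thing to watch with the `iptables -A INPUT ... -j ACCEPT` step in the post, and with the INPUT chain in the listing above: `-A` appends, so the new ACCEPT lands after the jump into RH-Firewall-1-INPUT, and that chain's final REJECT has already decided the packet's fate; iptables evaluates rules in order, and `-I INPUT` inserts at the top instead. The script below is an added example, not code from the post or from the commenter: it walks two constructed `iptables -L -n` listings (shaped like the one above, not a capture of it) and reports the verdict a new TCP connection would receive, following jumps into user chains. The chain/port/source arguments and the sample listings are assumptions; interface matches that plain `-L -n` hides (visible with `-v`) are not modelled.

```shell
#!/bin/sh
# Constructed listings for the example, not captured from any real server.
# "Before": the MySQL ACCEPT was appended with `iptables -A INPUT`, so it sits after the jump.
RULES_APPENDED='Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# "After": the same rule inserted at the top with `iptables -I INPUT`, limited to one client
# address (198.51.100.5 is a documentation address standing in for server B).
RULES_INSERTED='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 198.51.100.5 0.0.0.0/0 tcp dpt:3306
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# port_verdict CHAIN PORT SRC   (listing from `iptables -L -n` on stdin)
# Walks CHAIN in order, following jumps into user chains, and prints the first
# verdict (ACCEPT/REJECT/DROP) that a NEW TCP connection from SRC to PORT hits,
# or "POLICY:<chain policy>" if it falls off the end of the chain.
# Assumption: only protocol, source, dpt: and state are modelled.
port_verdict() {
    awk -v start="$1" -v port="$2" -v src="$3" '
    function applies(line,   f, dport) {
        split(line, f, " ")
        if (f[4] != "0.0.0.0/0" && f[4] != src) return 0   # limited to another source
        if (line ~ /state / && line !~ /NEW/) return 0       # conntrack-only rule, not for NEW
        if (match(line, /dpt:[0-9]+/)) {
            dport = substr(line, RSTART + 4, RLENGTH - 4)
            return (f[2] == "tcp" || f[2] == "all") && dport == port
        }
        return f[2] == "all" || f[2] == "tcp"                 # icmp/udp/esp/ah never match
    }
    function walk(c,   i, f, v) {
        for (i = 1; i <= n[c]; i++) {
            split(rule[c, i], f, " ")
            if (f[1] in n) {                                  # target is a user chain: jump
                v = walk(f[1])
                if (v != "") return v                         # verdict reached inside it
            } else if (applies(rule[c, i])) {
                return f[1]
            }
        }
        return ""                                             # fell off the end (RETURN)
    }
    /^Chain / {
        chain = $2; n[chain] = 0; policy[chain] = ""
        if ($0 ~ /policy/) { policy[chain] = $4; sub(/\)/, "", policy[chain]) }
        next
    }
    /^target / || /^$/ { next }
    { rule[chain, ++n[chain]] = $0 }
    END {
        v = walk(start)
        if (v == "") v = "POLICY:" policy[start]
        print v
    }'
}

# Usage: the appended rule is never reached; the inserted one is.
printf '%s\n' "$RULES_APPENDED" | port_verdict INPUT 3306 198.51.100.5   # REJECT
printf '%s\n' "$RULES_INSERTED" | port_verdict INPUT 3306 198.51.100.5   # ACCEPT
```

On a live box, feed it `iptables -L -n` directly; if a rule you expect to win comes back with a REJECT from a chain above it, the fix is to re-add it with `-I` (or through APF's allow_hosts.rules, which places its rules ahead of the deny rules) rather than `-A`.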

Frankly Speaking! said...

James: what do the log files say?

Do the following when connecting:

tail -f /path/to/apf/log

Frank