In my setup there is an access control list that uses nat and forward
rules to allow specific computers to access specified ports. Where
the M$ computer employs effective software to prevent infection, that
computer is allowed to use port 25, otherwise it either is not allowed
any internet access at all or the port list does not include port 25.
What I'd like to do is to allow even unprotected machines but drop
when iptables sees abuse. I prefer to use iptables only.
The main problem is in distinguishing between normal versus infected
activity. Can anyone give examples, perhaps using "recent" matches,
that drop malware but allow normal activity? Can it even be done? Is
there A Better Way?
--
buck
I think you should look for overviews of currently running botnets.
*If* such overviews have detailed (to some degree) descriptions of this
particular botnet conduct then you have something to build your rules.
If there's no such description -- then trial-and-error.
> Can it even be done?
I guess -- positive. I'm not sure if it's possible to implement such
logic within 'iptables' itself. However, I have had success
implementing beeps on my router (when the fw rejects a packet the
router beeps specially).
* configure iptables to log (look for 'LOG' target) packets of
interest
* configure syslogd (or whatever) to write to a named pipe
* implement a logic-script that will issue appropriate commands
(those commands could be: reconfiguring fw, remote reboots,
DDoS, sending SMSes, whatever)
* run the logic-script reading from the named pipe (beware IO
issues -- if there hasn't been a reader, then the first one
will get everything amassed in the pipe; if there's no reader the
writer could eventually block; 'syslogd' needs 'klogd' to run,
etc)
> Is there A Better Way?
Yes. Windows Must Die!
--
Torvalds' goal for Linux is very simple: World Domination
Stallman's goal for GNU is even simpler: Freedom
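The LOG → syslogd → named pipe → logic-script chain sketched in the post above, written out as an added example (this is not code from the thread). It is a small POSIX shell watcher that parses the kernel's iptables LOG lines, counts new outbound SMTP connections per LAN host, and names the hosts that exceed a threshold; the reaction (inserting a DROP rule) only runs when DRY_RUN is unset, so the script is safe to run as-is. The log prefix "SMTP-OUT: ", the addresses and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a "logic script" that reads iptables
# LOG output and flags LAN hosts opening too many SMTP connections.
# The "SMTP-OUT: " prefix is assumed to come from a rule such as
#   iptables -A FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: "
# and syslogd is assumed to write kern.* to a fifo, e.g. in syslog.conf:
#   kern.warning   |/var/run/fwlog        (created beforehand with mkfifo)

# Constructed sample lines in the kernel's iptables LOG format.
SAMPLE_LOG='Nov 21 22:10:01 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=49152 DPT=25 SYN
Nov 21 22:10:01 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=49153 DPT=25 SYN
Nov 21 22:10:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=49154 DPT=25 SYN
Nov 21 22:10:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.2 LEN=52 PROTO=TCP SPT=3001 DPT=25 SYN
Nov 21 22:10:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.44 LEN=52 PROTO=TCP SPT=49155 DPT=25 SYN
Nov 21 22:10:03 gw kernel: OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.44 LEN=52 PROTO=TCP SPT=49156 DPT=80 SYN'

# find_abusers THRESHOLD -- reads log lines on stdin and prints, one per
# line, every SRC that appears in THRESHOLD or more "SMTP-OUT" lines with
# DPT=25. Lines with another prefix or destination port are ignored.
find_abusers() {
    awk -v thr="$1" '
        /SMTP-OUT:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)   # strip "SRC="
                if ($i ~ /^DPT=/) dpt = substr($i, 5)   # strip "DPT="
            }
            if (src != "" && dpt == "25") count[src]++
        }
        END { for (s in count) if (count[s] >= thr) print s }
    ' | sort
}

# react SRC -- the action the logic script takes for an offending host.
# With DRY_RUN set it only prints the command; otherwise it runs iptables
# (which needs root on the gateway).
react() {
    cmd="iptables -I FORWARD -s $1 -p tcp --dport 25 -j DROP"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would run: $cmd"
    else
        $cmd
    fi
}

# watch_pipe FIFO THRESHOLD BATCH -- live use: take BATCH lines at a time
# from the named pipe syslogd writes to and react to every host over the
# threshold in that batch. Not called here; shown for the real deployment.
watch_pipe() {
    while :; do
        head -n "$3" "$1" | find_abusers "$2" | while read -r ip; do
            react "$ip"
        done
    done
}

# demo_abusers -- runs the detector over the constructed sample with a
# threshold of 3 SMTP SYNs; only 192.168.1.23 (4 lines) qualifies.
demo_abusers() {
    printf '%s\n' "$SAMPLE_LOG" | find_abusers 3
}

demo_abusers
```

The counting is deliberately per batch rather than per line: a single LOG line says nothing about abuse, it is the rate per host that does, which is also why the post above warns about pipe I/O (an idle reader lets the backlog pile up and skews the first batch).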
> On 2009-11-21, buck <bu...@private.mil> wrote:
> *SKIP*
>> The main problem is in distinguishing between normal versus infected
>> activity. Can anyone give examples, perhaps using "recent" matches,
>> that drop malware but allow normal activity?
>
> I think you should look for overviews of currently running botnets.
> *If* such overviews have detailed (to some degree) descriptions of
> this particular botnet conduct then you have something to build your
> rules.
Good advice. Having read up some, I realized there was a serious hole
in the firewall on the gateway. There is much more to learn, but I'd
never have found the hole without having done that research, so
THANKS!
I may also experiment with connlimit and tarpit rules, but further
research is needed first.
>> Is there A Better Way?
>
> Yes. Windows Must Die!
Devoutly desired, but not gonna happen in my lifetime.
Yes - don't use NAT/masquerading - use proper application proxies. It's
a no-brainer to set up Sendmail or Postfix, Squid, leafnode et al.
most of which already have hooks for policy management, automatically
detecting abuse and dynamically blocking access.
C.
> On Nov 21, 10:25 pm, buck <b...@private.mil> wrote:
>> Does anyone have experience with using iptables to control infected M$
>> OS machines that get internet access by setting gateway to a Linux
>> box?
>>
>> In my setup there is an access control list that uses nat and forward
>> rules to allow specific computers to access specified ports. Where
>> the M$ computer employs effective software to prevent infection, that
>> computer is allowed to use port 25, otherwise it either is not allowed
>> any internet access at all or the port list does not include port 25.
>>
>> What I'd like to do is to allow even unprotected machines but drop
>> when iptables sees abuse. I prefer to use iptables only.
>>
>> The main problem is in distinguishing between normal versus infected
>> activity. Can anyone give examples, perhaps using "recent" matches,
>> that drop malware but allow normal activity? Can it even be done? Is
>> there A Better Way?
>> --
>> buck
>
> Yes - don't use NAT/masquerading - use proper application proxies. It's
> a no-brainer to set up Sendmail or Postfix, Squid, leafnode et al.
> most of which already have hooks for policy management, automatically
> detecting abuse and dynamically blocking access.
>
> C.
I fail to see how a proxy is going to protect against a user who
blindly clicks OK for everything sent. Perhaps you could point me to a
mailing list, forum or newsgroup where I could get some pointers on
setting up Squid so it protects the network against malware?
--
buck
>
> I fail to see how a proxy is going to protect against a user who
> blindly clicks OK for everything sent. Perhaps you could point me to a
> mailing list, forum or newsgroup where I could get some pointers on
> setting up Squid so it protects the network against malware?
> --
> buck
Squidblock (not sure if Squidblock is still going) or Dansguardian?
Since you mentioned port 25, I think your real IP addresses are
blacklisted and you want them not to be, so you can send emails without
being blocked because of RPL. If so, you can solve the problem by more
than 1 method, and you should choose to use 1 or all of them; this is
the best: use updated antivirus on the Windows boxes, block port 25 for
all machines except for the mail server of course, and use port 587
"MSA" as the SMTP port for Outlook, as this is the best way to do it.
I advise you to install any good monitoring software on your Linux
gateway like ntop. It will monitor the traffic per host and per
protocol, and so you can check what host is flooding your network with
bad traffic and fix it or clean it from viruses. Only 1 infected host
can halt your gateway or mail server. I saw that happen many times
before; I remember when only 1 infected host sent my mail server about
32,000 SPAM messages at once (it was a worm of course). Also too much
traffic can cause a DoS attack on your router and it will hang because
it will not be able to handle the heavy traffic.
Regards,
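The rules suggested across this thread (the "recent" matches from the original question, the connlimit idea, LOG for the pipe watcher, and this last post's port 25 / 587 policy) combined into one FORWARD-chain policy, as an added example that is not taken from any post. Interface names, the LAN range, the mail server address and the burst limit are assumptions for illustration; the rules themselves use only standard iptables matches (state, recent, connlimit, LOG).

```shell
#!/bin/sh
# Added example, not from the thread: outbound SMTP policy for a Linux
# gateway. Run as root to apply; run DRY_RUN=1 (or call preview) to print
# the iptables commands instead. All values below are assumptions.
LAN_IF=eth1               # assumed: interface facing the Windows boxes
WAN_IF=eth0               # assumed: interface facing the internet
LAN_NET=192.168.1.0/24    # assumed: LAN range
MAIL_SERVER=192.168.1.5   # assumed: the one host allowed to relay on port 25
SMTP_BURST=10             # new submissions per host per 60 s before we drop

# run ARGS... -- execute iptables, or echo the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

smtp_policy() {
    # Replies to connections we already allowed also traverse FORWARD.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 1. Only the mail server may open port 25 (SMTP relay) to the internet.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    # 2. Workstations submit mail on 587 (MSA, authenticated). Every new
    #    connection is recorded per source address in the 'smtp' recent list...
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 587 --syn \
        -m recent --name smtp --set
    #    ...and a host that has opened SMTP_BURST or more new connections in
    #    the last 60 seconds is logged, then dropped. --update refreshes the
    #    entry on every dropped SYN, so the block lasts while the host keeps
    #    trying and lapses 60 s after it stops: a mail client never hits it,
    #    a spam engine does.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 587 --syn \
        -m recent --name smtp --rcheck --seconds 60 --hitcount "$SMTP_BURST" \
        -j LOG --log-prefix "SMTP-FLOOD: "
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 587 --syn \
        -m recent --name smtp --update --seconds 60 --hitcount "$SMTP_BURST" -j DROP
    # 3. connlimit caps how many 587 connections one host may hold open at once.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 587 --syn \
        -m connlimit --connlimit-above 5 -j DROP
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 587 -j ACCEPT
    # 4. Any other LAN host going for port 25 directly is logged (this is the
    #    kind of line a syslog/named-pipe watcher consumes) and dropped.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 25 --syn \
        -j LOG --log-prefix "SMTP-OUT: "
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 25 -j DROP
}

# preview -- print the rule set without touching the kernel (subshell so
# DRY_RUN does not leak into a later real smtp_policy call).
preview() {
    ( DRY_RUN=1; smtp_policy )
}

preview
```

The ordering matters: the --set rule must come before the --rcheck/--update checks so the current SYN is counted, and the connlimit and recent drops must sit above the final 587 ACCEPT. Note that the default recent history (ip_pkt_list_tot) is 20 entries per address, so a --hitcount larger than that never matches unless the module is loaded with a bigger value.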