[Techtalk] How to block Blaster Worm from iptables ?
rasjidw at openminddev.net
Sun Aug 24 17:58:21 EST 2003
On Sunday 24 August 2003 02:22, Brenda Bell wrote:
> A solid firewall should only open the ports that are absolutely required.
Just to second this and to share a recent experience.
A year or so ago I set up our work's firewall. All incoming connections were
denyed except mail and VPN, but I allowed all outgoing connections since it
seemed to easiest thing to do. However, I did make one exception
(thankfully), which is that mail could only be sent out from our internal
mail-server. Our mail-server has virus scanning, and since all our machines
where configured to send out via our local mail-server, I figured that no-one
would complain if I blocked outgoing connections on port 25. I also figured
that if a virus did get in and try to send itself out directly, it would show
up in the firewall logs.
A few weeks ago I was checking the firewall logs and noticed that something
was trying to connect out on port 25 to a hotmail server. Moreover, it was
attempting to do so every 30 seconds. I did not like the look of this at
all. Went down the the machine in question. Ran a full virus scan.
Nothing. Firewall still showing suspect activity. Installed ZoneAlarm, but
ZoneAlarm could not be run. Now I knew there was something strange going on.
Pulled hair out for an hour or two. Eventually found a utility that maps
ports to active processes (can't remember its name at the moment, but it was
the only one I could find that did this for Windows 98) and found the
offending file. pidlex.exe. Turns out it was a trojan called
Backdoor.Niovadoor. It disables various antivirus and firewall programs, and
attempts to send back passwords etc to ... someone. Not happy! But once
found, it was fairly easy to clean up.
The only reason this trojan was spotted was because I had decided to block
outgoing connections to port 25 (except from our mail server - which runs
Linux anyway and so it not going to be affected by Windows viruses).
I now block all outgoing connections that are not required for business
reasons. I allow http, https, ftp, pop, dns and a few other I can't think of
right now, but everything else outgoing is blocked and logged. Amazingly
enough, not a single user (of around 35) has complained. So I guess no-one
was using ICQ etc after all!
Our network is not 100% secure. None is. But now if something does get in, I
am much more likely to notice if it attempts to make any unusual outgoing
connection. And it will be much harder for it to spread itself.
So to anyone out there who thinks that blocking outgoing connections with your
firewall is a bit 'over the top' (as I used to) I would suggest otherwise.
And if playing around with iptables etc is not really your thing, then get a
good 'pre-packaged' system like IPCop, Smoothwall, Astaro etc.
Thanks for listening. :-)
Canberra, Australia UTC + 10
More information about the Techtalk