hosts file gets hacked

john27
Posts: 21
Joined: 2006/10/06 17:08:13

hosts file gets hacked

Post by john27 » 2006/10/06 17:19:50

Can anyone elaborate on how this is done and how network functionality keeps dying? Also, what can be done to eliminate this problem in the future? This machine runs CentOS 4.4 as a Samba server and a masq server. Could someone also show an example of how to log every incoming IP request "dropped, denied or rejected" for iptables? Now off to rebuilding it.

Best Regards,
John

garskoci
Posts: 93
Joined: 2006/07/08 14:50:57
Location: Houston, TX

Re: hosts file gets hacked

Post by garskoci » 2006/10/06 18:12:01

Can you elaborate on "hosts file gets hacked" and "network functionality keeps dying"?

john27
Posts: 21
Joined: 2006/10/06 17:08:13

Re: hosts file gets hacked

Post by john27 » 2006/10/06 18:57:33

OK. The hosts file in /etc/hosts got hacked into. Furthermore, when the machine was compromised they did something to the network stack in the OS, causing all network functions to stop.

Example: the hosts file had...

mine:
[code]
#without the following network functionality will fail
127.0.0.1 localhost
192.0.0.1/24 foobar.host
[/code]

hacked version:
[code]
without the following network functionality will fail
192.0.0.1/24 foobar.host
192.0.0.2/24 foobar.host2
[/code]

Notice the comment character taken out to leave me a lil message...

NedSlider
Forum Moderator
Posts: 2890
Joined: 2005/10/28 13:11:50
Location: UK

hosts file gets hacked

Post by NedSlider » 2006/10/07 06:59:07

[quote]
john27 wrote:
Could someone also show an example of how to log every incoming IP request "dropped, denied or rejected" for iptables.
Best Regards,
John[/quote]

Add a line at the end of your INPUT chain to log any packets that haven't been ACCEPTED by previous rules before they're DROPPED (assuming the default policy for the INPUT chain is DROP). In this example, we limit the number of log entries to 10 per minute so as not to fill our logs if we're the subject of a DDoS (you can adjust this as necessary to suit your needs):

[code]
# Log dropped packets with a limit of 10 entries per minute and log to /var/log/firewall with the prefix "Firewall Packets Dropped: "
iptables -A INPUT -m limit --limit 10/minute -j LOG --log-level 7 --log-prefix "Firewall Packets Dropped: "
[/code]

Then you'll need to add the following to /etc/syslog.conf to reflect the debug level used (--log-level 7) and to log to /var/log/firewall. Don't forget to restart the iptables and syslog services to activate these changes.

[code]
kern.=debug /var/log/firewall
[/code]

The "Firewall Packets Dropped: " prefix is useful when filtering your firewall logs to easily see exactly what's been dropped compared to anything else that gets logged.

Take a look at the LOG target for more info, and see also this article for some basic information:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Checking_The_Firewall_Logs

Hope that helps,

Ned
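Once the LOG rule and the kern.=debug line above are in place, /var/log/firewall fills with kernel lines carrying the "Firewall Packets Dropped: " prefix. The following is an added example (not from Ned's post or the linked article) of a small parser that pulls the SRC, PROTO and DPT fields out of such lines and counts drops per source and per service port; the log lines and host names in it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the shape syslog writes iptables LOG output
# (kern.=debug -> /var/log/firewall, prefix "Firewall Packets Dropped: ").
# The last line is another kernel debug message that lands in the same file.
SAMPLE_LOG = """\
Oct  7 06:59:07 samba kernel: Firewall Packets Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40211 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  7 06:59:09 samba kernel: Firewall Packets Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40212 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  7 06:59:12 samba kernel: Firewall Packets Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1025 DPT=137 LEN=20
Oct  7 06:59:15 samba kernel: eth0: link up, 100Mbps, full-duplex
"""

PREFIX = "Firewall Packets Dropped: "
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop_line(line):
    """Return a dict of the KEY=VALUE fields after the LOG prefix, or None
    when the line is some other kernel message sharing the debug level."""
    if PREFIX not in line:
        return None
    payload = line.split(PREFIX, 1)[1]
    # Bare flags such as DF or SYN carry no '=' and are skipped by the regex.
    return dict(FIELD_RE.findall(payload))


def summarize_drops(log_text):
    """Count dropped packets per source address and per (proto, dport),
    which is what an admin wants to eyeball first when reviewing the file."""
    per_src = Counter()
    per_service = Counter()
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec is None or "SRC" not in rec:
            continue
        per_src[rec["SRC"]] += 1
        per_service[(rec.get("PROTO", "?"), rec.get("DPT", "?"))] += 1
    return per_src, per_service


if __name__ == "__main__":
    srcs, services = summarize_drops(SAMPLE_LOG)
    for src, n in srcs.most_common():
        print(f"{src}: {n} dropped")
    for (proto, dport), n in services.most_common():
        print(f"{proto}/{dport}: {n} dropped")
```

Run it against the real file with `summarize_drops(open("/var/log/firewall").read())`; the prefix check is what keeps unrelated kernel debug output out of the counts.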

john27
Posts: 21
Joined: 2006/10/06 17:08:13

Re: hosts file gets hacked

Post by john27 » 2006/10/07 10:07:34

Ned,

Thank you very much for the insight into my questions. I have also read your tutorial on iptables and took a look at the link you posted.

OK, what's the purpose in using debug? I do not mean to sound stupid, but there are also other issues that arise when using such commands. I have always just used LOG, but it's not giving me what I want in logging dropped or rejected connections, as I am a growing Nix user. I have had a whole life of Windows administration, wishing now it had been only Unix/Linux.

What exactly does this do?

kern.=debug /var/log/firewall

And also --log-level 7?

Are there different logging levels that iptables can run at, and when the debug directive is issued or executed, does it put the firewall in debug mode, thus slowing down its performance?

Thanks a lot,

John

NedSlider
Forum Moderator
Posts: 2890
Joined: 2005/10/28 13:11:50
Location: UK

Re: hosts file gets hacked

Post by NedSlider » 2006/10/07 19:54:22

Hi John,

--log-level 7 is the same as --log-level debug, and by default would be logged to /var/log/messages along with everything else.

Here's a nice little explanation of log-level and syslog:

[quote]This is the option to tell iptables and syslog which log level to use. For a complete list of log levels read the syslog.conf manual. Normally there are the following log levels, or priorities as they are normally referred to: debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. The keyword error is the same as err, warn is the same as warning and panic is the same as emerg. Note that all three of these are deprecated; in other words, do not use error, warn and panic. The priority defines the severity of the message being logged. All messages are logged through the kernel facility. In other words, setting kern.=info /var/log/iptables in your syslog.conf file and then letting all your LOG messages in iptables use log level info would make all messages appear in the /var/log/iptables file. Note that there may be other messages here as well from other parts of the kernel that use the info priority. For more information on logging I recommend you to read the syslog and syslog.conf man-pages as well as other HOWTOs etc.[/quote]

Log levels are defined in the kernel as follows:

[code]
#define KERN_EMERG   "<0>" /* system is unusable */
#define KERN_ALERT   "<1>" /* action must be taken immediately */
#define KERN_CRIT    "<2>" /* critical conditions */
#define KERN_ERR     "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE  "<5>" /* normal but significant condition */
#define KERN_INFO    "<6>" /* informational */
#define KERN_DEBUG   "<7>" /* debug-level messages */
[/code]

Unless you're actually going to check your logs on a regular basis, you may just as well log to /var/log/messages like so:

[code]
iptables -A INPUT -m limit --limit 10/minute -j LOG
[/code]

At least you'll have some logs should you need them :-D

Oops, forgot the last part of your question: no, it shouldn't affect performance (particularly if you limit it as shown above). Your firewall still has to deal with these packets (i.e., DROP them), so logging them won't make a huge difference unless you're being DDoS attacked and are logging without limits (at which point your net performance is going to be severely affected anyway).
