* netfilter against Trojans and worms
From: Saad Faruque @ 2004-07-05 13:59 UTC
To: netfilter

Hello List,

We have a Windows network (our client's network) with private IP addresses and a Linux gateway. The Linux box is doing SNAT for all (Windows network) users, that means it is forwarding all the users' requests to the Internet. But the problem is that the internal Windows network is affected by all different kinds of worms and Trojans, which are causing a huge amount of unwanted uploads/requests to the Internet. Remember these are the workstations we don't have total control over. Securing these Windows workstations is something which we can't very easily do.

So we are currently protecting these stations with simple netfilter rules such as

iptables -A FORWARD -p tcp --dport 135 -j DROP
iptables -A FORWARD -p udp --dport 1025 -j DROP
. . . .
iptables -A FORWARD -p tcp --dport 1214 -j DROP
iptables -A FORWARD -p udp --dport 3127:3198 -j DROP

which are some commonly used virus ports.

My question is whether there is any such project or document which lists all the well-known virus ports, or virus detection signatures which I can use with string search, or from port and TCP flag. I did find a couple of sites, e.g. (http://www.doshelp.com/trojanports.htm), which list some ports, but I really am not sure, if you simply block all these ports, whether it will affect my clients' regular Internet activity. Any alternative suggestions are also welcome :)

Regards,
Saad Faruque.
* Re: netfilter against Trojans and worms
From: Gavin Hamill @ 2004-07-05 14:10 UTC
To: netfilter

On Monday 05 July 2004 14:59, Saad Faruque wrote:
> I did find a couple of sites, e.g.
> (http://www.doshelp.com/trojanports.htm), which list some ports, but I
> really am not sure, if you simply block all these ports, whether it will affect
> my clients' regular Internet activity. Any alternative suggestions are
> also welcome :)

My suggestion would be to stop fire-fighting and instead turn the problem on its head.

Change your default policy from ACCEPT to DROP, and put in rules so that people are allowed to access port 80, 443, etc. and only the ports they actually NEED access to.

Cheers,
Gavin.
* Re: netfilter against Trojans and worms
From: Saad Faruque @ 2004-07-05 14:46 UTC
To: netfilter

I did think of doing it the other way around, but again I have to list all the Internet services that are being used, which is also changing continuously. But again, well-known ports can cause problems as well. Wouldn't it be nice if I were able to detect them from the port, string type, flag, protocol .. with any of them or any combination of them? More like layer 7 filtering. I'm just trying to find a smarter way of doing it, which will be more effective and could be updated easily.

Regards,
Saad

On Mon, 5 Jul 2004 15:10:06 +0100, Gavin Hamill <gdh@acentral.co.uk> wrote:
> On Monday 05 July 2004 14:59, Saad Faruque wrote:
>
> > I did find a couple of sites, e.g.
> > (http://www.doshelp.com/trojanports.htm), which list some ports, but I
> > really am not sure, if you simply block all these ports, whether it will affect
> > my clients' regular Internet activity. Any alternative suggestions are
> > also welcome :)
>
> My suggestion would be to stop fire-fighting and instead turn the problem on its
> head.
>
> Change your default policy from ACCEPT to DROP, and put in rules so that
> people are allowed to access port 80, 443, etc. and only the ports they
> actually NEED access to.
>
> Cheers,
> Gavin.
* Re: netfilter against Trojans and worms
From: Gavin Hamill @ 2004-07-05 14:59 UTC
To: netfilter

On Monday 05 July 2004 15:46, Saad Faruque wrote:
> I did think of doing it the other way around, but again I have to
> list all the Internet services that are being used, which is also
> changing continuously.

Unless you're running a lot of P2P applications, I can't see the 'need' list being very long... 21, 22, 80, 110, 143, 443, 993, 995... maybe a few others for remote desktop apps, etc.

> More like layer 7 filtering. I'm just trying to find a
> smarter way of doing it, which will be more effective and could be
> updated easily.

This is possible :) http://l7-filter.sourceforge.net/

It needs kernel 2.6 to be 'easy'; if you use 2.4 you can only rate-limit and not simply drop packets based on the application type.

gdh
* Re: netfilter against Trojans and worms
From: Antony Stone @ 2004-07-05 15:21 UTC
To: netfilter

On Monday 05 July 2004 3:10 pm, Gavin Hamill wrote:
> On Monday 05 July 2004 14:59, Saad Faruque wrote:
> > I did find a couple of sites, e.g.
> > (http://www.doshelp.com/trojanports.htm), which list some ports, but I
> > really am not sure, if you simply block all these ports, whether it will affect
> > my clients' regular Internet activity. Any alternative suggestions are
> > also welcome :)
>
> My suggestion would be to stop fire-fighting and instead turn the problem on
> its head.
>
> Change your default policy from ACCEPT to DROP, and put in rules so that
> people are allowed to access port 80, 443, etc. and only the ports they
> actually NEED access to.

I agree completely with this. Standard security practice is to "block everything which is not expressly allowed", and to allow only that which is known to be needed.

In a later posting you say you don't know what to allow - one approach which is very effective is to block everything, allow web, email and DNS, then wait until your users say "I can't do X", and then decide whether they should be allowed to do X or not.

If it isn't you who makes the decisions about what they should be allowed to do, then ask the person whose decision it is to give you a list of all the applications they're supposed to be able to access on the Internet.

In another posting you also said that you are not able to ensure the security of the machines in the internal network. A good way to deal with that is to apply the security policy above, but then LOG all blocked packets, and summarise them by source IP address on a daily basis. Anyone whose machine generates enough blocked traffic that it looks like it's infected with something gets a DROP (or REJECT) rule in the firewall until they clean up their machine.

You don't have to say much to justify this - you are insisting that they clean their machines so that they don't spread things to other machines on the network. You can stop them spreading it to the Internet, but you can't stop them spreading to the local LAN.

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

- William Gibson, Neuromancer (1984)

Please reply to the list;
please don't CC me.
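The default-deny policy plus "LOG the rest and summarise by source address" that Gavin and Antony describe, as an added example that is not code from the thread: a FORWARD ruleset with an allow list and a rate-limited LOG rule, a summariser that counts the logged lines per internal source, and a helper that emits the REJECT rule for hosts over a threshold. Interface names, the LAN prefix, the log prefix and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Default-deny FORWARD policy with
# an allow list, a LOG rule for everything else, and a summary of the logged
# lines by source address so noisy (probably infected) hosts stand out.
# Interface names, the LAN prefix and the log prefix are assumptions.
LAN=eth1; WAN=eth0; LAN_NET=192.168.0.0/24
PREFIX="fw-blocked: "

# Prints the ruleset instead of applying it, so it can be reviewed first
# (pipe into sh as root to apply). Replies come back via ESTABLISHED,RELATED.
build_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports 25,80,110,143,443,993,995 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$PREFIX" --log-level 4
iptables -A FORWARD -j DROP
EOF
}

# Reads kernel log lines on stdin and prints "count ip", noisiest host first.
summarise_blocked() {
    grep -F "$PREFIX" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Prints a REJECT rule for every host with at least $1 blocked packets.
quarantine_rules() {
    summarise_blocked | awk -v t="$1" '$1 >= t {printf "iptables -I FORWARD -s %s -j REJECT\n", $2}'
}

# Constructed sample of what the LOG target writes to /var/log/kern.log.
SAMPLE_LOG='Jul  5 14:00:01 gw kernel: fw-blocked: IN=eth1 OUT=eth0 SRC=192.168.0.23 DST=203.0.113.9 PROTO=TCP SPT=1034 DPT=135
Jul  5 14:00:01 gw kernel: fw-blocked: IN=eth1 OUT=eth0 SRC=192.168.0.23 DST=203.0.113.10 PROTO=TCP SPT=1035 DPT=135
Jul  5 14:00:02 gw kernel: fw-blocked: IN=eth1 OUT=eth0 SRC=192.168.0.23 DST=203.0.113.11 PROTO=TCP SPT=1036 DPT=445
Jul  5 14:00:05 gw kernel: fw-blocked: IN=eth1 OUT=eth0 SRC=192.168.0.7 DST=198.51.100.4 PROTO=UDP SPT=1025 DPT=1434
Jul  5 14:00:09 gw kernel: unrelated message without a source field'

# Daily run over the sample: summary first, then quarantine rules for hosts
# with three or more blocked packets (threshold is an assumption).
printf '%s\n' "$SAMPLE_LOG" | summarise_blocked
printf '%s\n' "$SAMPLE_LOG" | quarantine_rules 3
```

In production, feed the summariser from the previous day's kern.log (or a cron job over `dmesg`) instead of the constructed sample, and tune the threshold to the normal background of blocked packets on your LAN.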
* Re: netfilter against Trojans and worms
From: Saad Faruque @ 2004-07-05 21:51 UTC
To: netfilter

I just thought I might be missing out on something. I will give some more thought to it, including all of your suggestions, or maybe try out things the way you suggested to figure out how it goes. Wish me luck, and thanks a lot for all your time and help.

Regards,
Saad

On Mon, 5 Jul 2004 16:21:59 +0100, Antony Stone <antony@soft-solutions.co.uk> wrote:
>
> On Monday 05 July 2004 3:10 pm, Gavin Hamill wrote:
>
> > On Monday 05 July 2004 14:59, Saad Faruque wrote:
> > > I did find a couple of sites, e.g.
> > > (http://www.doshelp.com/trojanports.htm), which list some ports, but I
> > > really am not sure, if you simply block all these ports, whether it will affect
> > > my clients' regular Internet activity. Any alternative suggestions are
> > > also welcome :)
> >
> > My suggestion would be to stop fire-fighting and instead turn the problem on
> > its head.
> >
> > Change your default policy from ACCEPT to DROP, and put in rules so that
> > people are allowed to access port 80, 443, etc. and only the ports they
> > actually NEED access to.
>
> I agree completely with this. Standard security practice is to "block
> everything which is not expressly allowed", and to allow only that which is
> known to be needed.
>
> In a later posting you say you don't know what to allow - one approach which
> is very effective is to block everything, allow web, email and DNS, then wait
> until your users say "I can't do X", and then decide whether they should be
> allowed to do X or not.
>
> If it isn't you who makes the decisions about what they should be allowed to
> do, then ask the person whose decision it is to give you a list of all the
> applications they're supposed to be able to access on the Internet.
>
> In another posting you also said that you are not able to ensure the security
> of the machines in the internal network. A good way to deal with that is to
> apply the security policy above, but then LOG all blocked packets, and
> summarise them by source IP address on a daily basis. Anyone whose machine
> generates enough blocked traffic that it looks like it's infected with
> something gets a DROP (or REJECT) rule in the firewall until they clean up
> their machine.
>
> You don't have to say much to justify this - you are insisting that they clean
> their machines so that they don't spread things to other machines on the
> network. You can stop them spreading it to the Internet, but you can't stop
> them spreading to the local LAN.
>
> Regards,
>
> Antony.
>
> -- 
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
> - William Gibson, Neuromancer (1984)
>
> Please reply to the list;
> please don't CC me.