A little experiment & an iptables script
So in addition to my adding an unprotected, outdated Windows XP system to the internet, and watching as it got slammed with internet nasties within 10 minutes of being on-line, I decided to do the same with a Linux machine.
Linux is great for monitoring the incoming traffic, as a simple iptables rule will show you what is hitting the interface at any time.
So, after one hour of being on-line, nothing of any major concern came the way of the machine. A few SSH login attempts, 10 a penny those; here are some details:
root@feddesk $> lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
43 root
16 test
6 guest
1 btmp
1
root@feddesk $> awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
43 root
8 test
3 guest
root@feddesk $> awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
54 61.155.177.2
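Added example, not from the original post: the same summary the awk pipelines above produce, done in Python over a few constructed /var/log/secure lines. It goes one step further than the gsub trick by also recording which of the failed names were "invalid user" attempts (accounts that do not exist on the box), which the awk version throws away.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/secure (not real log data).
SAMPLE_SECURE = """\
Apr  7 16:01:12 feddesk sshd[2101]: Failed password for root from 61.155.177.2 port 40112 ssh2
Apr  7 16:01:15 feddesk sshd[2101]: Failed password for root from 61.155.177.2 port 40113 ssh2
Apr  7 16:01:20 feddesk sshd[2104]: Failed password for invalid user test from 61.155.177.2 port 40120 ssh2
Apr  7 16:02:03 feddesk sshd[2110]: Failed password for invalid user guest from 203.0.113.9 port 51000 ssh2
Apr  7 16:02:40 feddesk sshd[2112]: Accepted publickey for mike from 192.168.1.20 port 50222 ssh2
Apr  7 16:03:01 feddesk sshd[2115]: Failed password for root from 203.0.113.9 port 51002 ssh2
"""

# Same pattern the awk gsub strips, but capturing the pieces instead of deleting them.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")

def failed_logins(text):
    """Return (per_user, per_ip, invalid_users) Counters for the failed-password lines in text."""
    per_user, per_ip, invalid = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue                    # accepted logins and other sshd noise are not counted
        flag, user, ip = m.groups()
        per_user[user] += 1
        per_ip[ip] += 1
        if flag:
            invalid[user] += 1          # sshd said "invalid user": no such account exists here
    return per_user, per_ip, invalid

def top(counter, n=5):
    """Equivalent of `sort | uniq -c | sort -rn | head -n`."""
    return counter.most_common(n)
```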
That's 54 times 61.155.177.2 tried to log in via SSH. A simple whois from the terminal tells us who this is:
root@feddesk $> whois 61.155.177.2
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 61.155.0.0 - 61.155.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-JS
mnt-routes: maint-chinanet-js
changed: hostmaster@ns.chinanet.cn.net 20020209
changed: hostmaster@ns.chinanet.cn.net 20030306
status: ALLOCATED non-PORTABLE
source: APNIC
route: 61.155.0.0/16
descr: CHINANET jiangsu province network
country: CN
origin: AS23650
mnt-by: MAINT-CHINANET-JS
changed: ip@jsinfo.net 20030414
source: APNIC
role: CHINANET JIANGSU
address: 260 Zhongyang Road,Nanjing 210037
country: CN
phone: +86-25-86588231.+86-25-86588745
fax-no: +86-25-86588104
e-mail: ip@jsinfo.net
trouble: send anti-spam reports to spam@jsinfo.net
trouble: send abuse reports to abuse@jsinfo.net
trouble: times in GMT+8
admin-c: CH360-AP
tech-c: CS306-AP
tech-c: CN142-AP
nic-hdl: CJ186-AP
remarks: http://www.jsinfo.net
notify: ip@jsinfo.net
mnt-by: MAINT-CHINANET-JS
changed: dns@jsinfo.net 20090831
changed: ip@jsinfo.net 20090831
changed: hm-changed@apnic.net 20090901
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
Yup, it's the Chinese. There are literally thousands of pages on the internet detailing how to improve SSH security, but they all boil down to the same thing: don't allow root to log in, move the port from TCP/22, and don't allow password logins, only certificates. If you must use passwords, enforce a secure password scheme.
Loads of other hits from China. I mean LOADS of probes, logins, scans and connect attempts to loads of what seem to be random ports. The sheer amount of attempts from China was surprising; well over 90% of the log was Chinese IP addresses. They seemed very keen on trying port TCP 8080, no doubt looking for insecure proxy servers to use to either hide behind, or evade the "Great Wall".
It turns out that my ISP, like many now, is filtering NetBIOS traffic at the border, so I didn't see any of the various exploits of the Microsoft sharing services. Not even any from my local subnet, so they might be filtering it locally as well as at the borders. I'm not a supporter of the ISP filtering any traffic, never have been. I would rather deal with it than be "protected" by an upstream service.
Well, it confirmed one thing I already knew: Linux is the more secure operating system, by design. But it would be easy to accidentally change it to make it as insecure as a Windows machine if you're not careful in how you set it up.
Here is a simple iptables rule set for a standalone desktop machine:
#A very simple basic firewall.
#To use, type: iptables-restore iptables.txt
#Michael Thompson 2010
# Generated by iptables-save v1.4.5 on Wed Apr  7 16:47:14 2010
*filter
#You could have the default policy set as DROP, and you would not have to have the last INPUT line in the rules.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56348:175502723]
#Drop any invalid packets straight out.
-A INPUT -m state --state INVALID -j DROP
#Accept any connection on the localhost address. Things may break if you don't.
-A INPUT -i lo -j ACCEPT
#Accept local network traffic without any rules, if you trust the network 100%. Else filter that too.
-A INPUT -s 192.168.0.0/16 -j ACCEPT
#Allow ICMP, but control it: echo requests are rate limited to 1/sec, the excess is dropped, everything else is accepted.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
#Allow anything that is already known about (replies to connections this machine opened).
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#SSH probes are VERY common: detect and log them, but not if from inside the network, else we would flood the log.
-A INPUT ! -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH Attempt: "
#I like to log, so log the other external TCP packets that are about to be dropped here.
-A INPUT ! -s 192.168.0.0/16 -p tcp ! --dport 22 -j LOG
#Doesn't fit the rules above? Throw it out.
-A INPUT -j DROP
#Reject forwarding; we're not a router, and will be doing no forwarding here.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr  7 16:47:14 2010
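Added example, not part of the original script: a small first-match evaluator over a copy of the INPUT chain above, so you can check which rule catches a given packet and why both LOG rules fire before the final DROP. It assumes a simplified packet model (a dict with iface, src, proto, dport, state and icmp_type) and treats the -m limit rate limit as not yet exceeded.

```python
import ipaddress
import shlex

# Constructed copy of the script's INPUT chain (same rules, same order as the rule set above).
RULESET = """
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH Attempt: "
-A INPUT ! -s 192.168.0.0/16 -p tcp ! --dport 22 -j LOG
-A INPUT -j DROP
"""
# Per-option matchers: each returns True when the packet dict satisfies the option's value.
MATCHERS = {
    "-i": lambda v, p: p.get("iface") == v,
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v),
    "-p": lambda v, p: p.get("proto") == v,
    "--dport": lambda v, p: p.get("dport") == int(v),
    "--state": lambda v, p: p.get("state") in v.split(","),
    "--icmp-type": lambda v, p: p.get("icmp_type") == int(v),
}  # -m loaders and --limit add no condition here: the rate limit is assumed not yet exceeded

def evaluate(text, pkt, chain="INPUT", policy="ACCEPT"):
    """First-match walk of one chain; LOG is non-terminating (prefixes collected), first other target wins."""
    logs = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", chain]:
            continue
        hit, target, prefix, neg = True, None, "", False
        for i, tok in enumerate(toks):
            if tok == "!":
                neg = True                      # negates the very next match option
            elif tok == "-j":
                target = toks[i + 1]
            elif tok == "--log-prefix":
                prefix = toks[i + 1]
            elif tok in MATCHERS:
                hit = hit and MATCHERS[tok](toks[i + 1], pkt) != neg
                neg = False
        if hit and target == "LOG":
            logs.append(prefix)                 # logged, but the walk continues
        elif hit:
            return target, logs                 # first terminating target wins
    return policy, logs
```

An external SSH probe comes back as ("DROP", ["SSH Attempt: "]), which is exactly the log line the script's SSH rule is there to produce.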