Desperate for good firewall: ARP and DNS attacks
Hello all,
I've been having some serious problems with my systems lately, and
after my ISP checked out some packet captures etc., I was told
essentially someone or something wants me visible on the Internet all
the time, and the packets are saying what my new IP address is
whenever I get a new one over DHCP.
I was wondering if anyone could help me with this problem. I'm a
beginner with firewalls and I don't think I could do this by myself
without a good book on iptables (I have some understanding, but
normally there's only a couple of pages on iptables in a Linux book of
500 pages or more).
I would also like further rules to keep my system really secure and to
alert me in some way with an IDS or if something gets through the
firewall. (Snort?)
I have some malware on my system at the moment, so this is a tricky
one. It will have to take care of incoming and outgoing.
I am not exactly sure how to get the malware off my computer either:
I've tried wiping the discs with LiveCDs but sometimes it works,
sometimes it doesn't.
I don't know who or what is doing this, but I have seen uploads of
traffic to the Internet not from me, I seem to be on multicast (is
that normal?), and I've had the usual spammers and fraudsters trying
to get my machine. Even after I boot them off, it still continues. I
pulled the logs off my modem/router and it happily said how it got in,
flushed the firewall rules and put me on a fake DNS proxy.
I think I might need some professional help. If there's an expert
around here on security which includes firewalls and security
software, please send me an email at linux dot user dot au at gmail.
Also, I'd like to know if there are security issues with the network
or business card installs. I have observed files called passwords.dat,
partman.dat and config.dat with passwords in the clear just before I
stopped it rebooting after the install, and I do know that these
people attacking my systems go through the network and manage to even
flash my modem/router firmware or configure it for themselves.
Is it a serious security issue to have those files in
/var/lib/[cdebconf I think] in the initial RAM disk (not the
"in-target" disk partition) for attackers to see? I would also like to
know what exactly should be in an initrd.gz: if someone could upload a
known good one that hasn't been fiddled with I would appreciate that
so I can compare it to those I have. I use Debian GNU/Linux 5.0.4
Lenny AMD64.
I also wonder about why it won't allow me security or volatile
updates. This makes me think my "updates" are perhaps malicious
software coming from elsewhere.
--
With thanks,
Hamish
Reply to: