Re: Desperate for good firewall: ARP and DNS attacks
> I've been having some serious problems with my systems lately, and
> after my ISP checked out some packet captures etc., I was told
> essentially someone or something wants me visible on the Internet all
> the time, and the packets are saying what my new IP address is
> whenever I get a new one over DHCP.
What sort of Internet connection do you use? What hosts are connected?
> I was wondering if anyone could help me with this problem. I'm a
> beginner with firewalls and I don't think I could do this by myself
> without a good book on iptables (I have some understanding, but
> normally there's only a couple of pages on iptables in a Linux book of
> 500 pages or more).
> I would also like further rules to keep my system really secure and to
> alert me in some way with an IDS or if something gets through the
> firewall. (Snort?)
> I have some malware on my system at the moment, so this is a tricky
> one. It will have to take care of incoming and outgoing.
> I am not exactly sure how to get the malware off my computer either:
> I've tried wiping the discs with LiveCDs but sometimes it works,
> sometimes it doesn't.
What operating system are you using?
How do you detect malware on your system?
> I don't know who or what is doing this, but I have seen uploads of
> traffic to the Internet not from me, I seem to be on multicast (is
> that normal?), and I've had the usual spammers and fraudsters trying
> to get my machine. Even after I boot them off, it still continues. I
> pulled the logs off my modem/router and it happily said how it got in,
> flushed the firewall rules and put me on a fake DNS proxy.
What do you mean by 'on multicast'? From where did you boot whom off how?
Your router got taken over? Did you replace it? What/who is 'it'?
> I think I might need some professional help. If there's an expert
> around here on security which includes firewalls and security
> software, please send me an email at linux dot user dot au at gmail.
Just a warning: I'm no expert.
> Also, I'd like to know if there are security issues with the network
> or business card installs. I have observed files called passwords.dat,
> partman.dat and config.dat with passwords in the clear just before I
> stopped it rebooting after the install, and I do know that these
> people attacking my systems go through the network and manage to even
> flash my modem/router firmware or configure it for themselves.
> Is it a serious security issue to have those files in
> /var/lib/[cdebconf I think] in the initial RAM disk (not the
> "in-target" disk partition) for attackers to see?
As long as these reside on ramdisks, the security issues are slight.
Attackers would have to exploit vulnerabilities in the install system over
the network. This is unlikely.
> I would also like to
> know what exactly should be in an initrd.gz: if someone could upload a
> known good one that hasn't been fiddled with I would appreciate that
> so I can compare it to those I have. I use Debian GNU/Linux 5.0.4
> Lenny AMD64.
You can download official Debian images from http://www.debian.org. An
attacker would have to go to great lengths to provide malicious ones.
So unless you have something of great value (or have annoyed somebody
a great deal) it is exteremely unlikely anybody would do this. You can also
download Debian testing images, those are generated daily and even harder to
If you want to be extra sure, take the SHA1 hash of an image and compare
out-of-band with a trusted person. You would
1. Download an image from debian.org
2. take its SHA1 hash
3. Phone a trusted person to do the same
4. compare SHA1 hashes
If they are different, first verify you both downloaded the same image.
If the images really are different, publish both somewhere for people to
have a look at them. Also in this case you should consider contacting your
friendly law enforcement agency, it is likely that there is a law against
this, though I don't know where you live.