1

My server has been the target from hackers 3 times in the last month, and the attack seem to follow the same pattern. The attack another site from my server using UDP connection. The report from my ISP is the following:

19 Dec 2014 21:45:41:202 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:069 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:135 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:069 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:171 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:226 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:341 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:092 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:254 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP
19 Dec 2014 21:45:41:153 GMT      my.ip.addr.ess:35323     other.ip.addr.ess:30000           40         UDP

I do have iptables installed and configured, but I guess my settings are not strong enough to prevent such attacks:

#! /bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Short-Description: Regles iptables
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start/stop firewall
# Description:       Charge la configuration du pare-feu iptables
### END INIT INFO
#### Merci a Buddy pour l'aide apportee
###
#### adapter selon vos besoins et services actifs sur le serveur
###
case "$1" in
start)

## purge
/sbin/iptables -F
/sbin/iptables -X

# Bloque tout le trafic
     /sbin/iptables -t filter -P INPUT DROP
     /sbin/iptables -t filter -P FORWARD DROP
     /sbin/iptables -t filter -P OUTPUT DROP


# Autorise les connexions deja etablies et localhost
     /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
     /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (Ping)
# on bloque la demande de ping et on autorise ovh pour le monitoring
#/sbin/iptables -t filter -A INPUT -p icmp -j ACCEPT

#on garde la possibilite de faire des ping depuis le serveur
/sbin/iptables -t filter -A OUTPUT -p icmp -j ACCEPT

##RTM et ping OVH
/sbin/iptables -A INPUT -p icmp --source proxy.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source proxy.p19.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source proxy.rbx.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source proxy.gra.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source a2.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source proxy.sbg.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source proxy.bhs.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source ping.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source proxy.ovh.net -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT

#Mettre le debut IP du serveur a la place des xxx
/sbin/iptables -A INPUT -p icmp --source my.ip.addr.250 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --source my.ip.addr.251 -j ACCEPT

# SSH port 22
        # SSH standard
        # si vous n'avez pas d'IP fixe
/sbin/iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# Elasticsearch debugging
/sbin/iptables -t filter -A INPUT -p tcp --dport 9200 -j ACCEPT
        # En cas d'IP fixe, vous pouvez n'autoriser le port 22 que sur vos IP
        # Commentez les lignes standard et decommentez celles-ci apres avoir mis votre/vos IP fixes
#/sbin/iptables -t filter -i eth0 --source VOTRE_IP1 -A INPUT -p TCP --dport 22 -j ACCEPT
#/sbin/iptables -t filter -i eth0 --source VOTRE_IP2 -A INPUT -p TCP --dport 22 -j ACCEPT
#/sbin/iptables -t filter -A OUTPUT -p tcp --dport 22 -j DROP

# DNS
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# HTTP IPv4
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

# mySQL  : mis pour memoire mais il est en general activation inutile
#/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT

# FTP
#/sbin/iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
#/sbin/iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT

##
# Commentez les lignes si pas de service mail sur le serveur
##
# Mail SMTP
/sbin/iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

/sbin/iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT

# /sbin/iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
# /sbin/iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT

# Mail POP3
# /sbin/iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
# /sbin/iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail POP3S
# /sbin/iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
# /sbin/iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT

# Mail IMAP
# /sbin/iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
# /sbin/iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail IMAP SSL
# /sbin/iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
# /sbin/iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT

# Rsync decommenter si besoin
    # /sbin/iptables -t filter -A OUTPUT -p tcp --dport rsync -j ACCEPT
    # /sbin/iptables -t filter -A INPUT -p tcp --dport rsync -j ACCEPT

# Panels sur le port 10000 : Webmin et Virtualmin
# configuration standard (commenter la ligne ci-dessous si vous utilisez la configuration avec IP fixe)
# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT

 # configuration si IP fixe, decommentez les lignes ci-dessous
    # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 --source VOTRE_IP-FIXE1 -j ACCEPT
    # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 --source VOTRE_IP_FIXE2 -j ACCEPT

# NTP (horloge du serveur)
/sbin/iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# on limite le nombre de demandes de connexions
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#munin, si vous utilisez decommentez les lignes
    # /sbin/iptables -A OUTPUT -p tcp --sport 4949 -j ACCEPT
    # /sbin/iptables -A INPUT -p tcp --dport 4949 -s A.B.C.D -j ACCEPT

### Configuration pour IPv6, decommentez si vous utilisez
# ipv6 on bloque
#/sbin/ip6tables -t filter -P INPUT DROP
#/sbin/ip6tables -t filter -P FORWARD DROP
#/sbin/ip6tables -t filter -P OUTPUT DROP

# Autorise les connexions deja etablies et localhost
#/sbin/ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#/sbin/ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#/sbin/ip6tables -t filter -A INPUT -i lo -j ACCEPT
#/sbin/ip6tables -t filter -A OUTPUT -o lo -j ACCEPT

# ping ipv6
#/sbin/ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
#/sbin/ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT

# port 80 en sortie IPv6 ( apt-get entre autre )
#/sbin/ip6tables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT

# NTP ipv6 (horloge du serveur) sortie uniquement
/sbin/ip6tables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# DNS en sortie IPv6
#/sbin/ip6tables -A OUTPUT -p tcp --dport domain -j ACCEPT
#/sbin/ip6tables -A OUTPUT -p udp --dport domain -j ACCEPT

exit 0
;;

stop)
/sbin/iptables -F
/sbin/iptables -X

exit 0
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac

Does anyone have any advice on how to prevent it in the futur?

That would be much appreciated.

Thank you!

jchatard
  • 111
  • 3
  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Deer Hunter Dec 20 '14 at 08:38
  • 1
    Did you find the entry point and re-install the server after each compromise? Otherwise they may have left a backdoor and come back with privilege escalation overriding your iptables rules. – Enos D'Andrea Dec 20 '14 at 09:03
  • Yes I reinstalled every single time!!!! – jchatard Dec 20 '14 at 13:36
  • And no I couldn't find any entry point, couldn't find anything in the logs either... – jchatard Dec 20 '14 at 13:37

1 Answers1

3

Your firewall rules look good to me. In particular, the "default deny" for outbound packets means that it should be blocking the packets in the report from your ISP.

Are you sure your server is the source of the packets? It's easy to forge the source address for UDP packets.

Mark
  • 34,513
  • 9
  • 86
  • 135
  • 1
    +1 for "are you sure..." Ask your ISP how they know the source address in these packets wasn't forged and whether other source addresses were seen in the attack. – Bob Brown Dec 20 '14 at 11:38
  • Thanks for the suggestion, I'll reach my ISP about this. I'm a bit clueless in the meantime because this happens every once in a while and every time I reinstall the whole system. It's a bit annoying :-) – jchatard Dec 20 '14 at 13:36