Hi All. I'm desperate to get my network back working fine. Here is my situation.
I have an FC2 server that has two NICs. The first one is connected to my ADSL router, and the other one is connected to a network that receives IPs from that server through the DHCPD service, and then the FC2 does the firewall/masquerade. All the 30 machines can browse fine until 2 or maybe more machines that have virus/worms get online. I've seen that W32.MsBlast is the cause of most of these link down problems, but now, it looks to be more than just w32.msblast. My question is: IS IT POSSIBLE TO INSTALL A SOFTWARE OR SOMETHING LIKE THAT IN THE FC2 SERVER TO PREVENT OR AT LEAST TO DETECT (by IP number) THE MACHINES THAT HAVE THE VIRUS, SO IT DOESN'T KILL MY CONNECTION. Thanks in advance.
Cristiano
On Sat, 31.07.2004 at 20:08, Cristiano Soares wrote:
Install an anti-virus tool on each of the Windows[tm] machines to disinfect them and protect them in the future. Install all available updates from the MS update site.
If you want to find out the bad hosts from your Linux host you certainly will have to check which ports these worms use and then run a portscan against all of the hosts, using nmap. You can also switch on each Windows[tm] machine one by one and observe the traffic on the NAT machine to see whether the single running Win machine tries to "telephone" with other machines. It would be very helpful too to know the ports the worm uses.
In general configure your NAT server properly with a good firewalling setup! This will not protect against all kinds of worms because many install through Windows[tm] misdesign, security bugs or simply by mail. Let none of the Windows[tm] hosts run with administrator privileges!
Alexander
P.S. Please don't post html formatted mail to the list, just plain text mail. Don't shout out. We all understand your question without the need to cry (capital letter sentences).
Cristiano Soares wrote:
Wouldn't it be better to get rid of those viruses on the Windows machines? Or, since it seems you've figured out which machines have viruses, maybe block them using iptables? I believe you can do MAC Address filtering somehow with iptables, although I'm not familiar with this. But I don't see the point. Getting rid of the viruses is the better solution. Search for McAfee's Stinger on Google, or get virus removal tools from Symantec.
dex
On Sun, 2004-08-01 at 02:30 +0800, Dexter Ang wrote:
Wouldn't it be better to get rid of those viruses on the Windows machines? Or, since it seems you've figured out which machines have
Or just get rid of the Windows machines? :-P
/me runs
viruses, maybe block them using iptables? I believe you can do MAC Address filtering somehow with iptables, although I'm not familiar with this. But I don't see the point. Getting rid of the viruses is the better solution. Search for McAfee's Stinger on Google, or get virus removal tools from Symantec.
dex
On Saturday 31 July 2004 13:08, Cristiano Soares wrote:
One possible solution to investigate is something like an Intrusion Detection System which has the ability to react to an intrusion ("snort" has some capability along this line), e.g. by running a script that logs in to a network switch and shuts off the offending machines' port(s).
A better approach might be to periodically scan your network for vulnerable machines and disconnect them from the rest of the network before they're infected until they can be properly updated. Several free tools are available that detect vulnerable machines; nessus (www.nessus.org) for example.
Assuming that your FC2 box is also acting as a firewall I'm curious as to how your network machines are getting infected. If you're not running a firewall you may strongly want to consider one.
Regards, Mike Klinke
On Sat, 2004-07-31 at 13:48, Mike Klinke wrote:
Assuming that your FC2 box is also acting as a firewall I'm curious as to how your network machines are getting infected. If you're not running a firewall you may strongly want to consider one.
Regards, Mike Klinke
Simple answer --
1) Uneducated users who open everything they get in the mail or by instant messaging.
2) No virus protection software loaded/not updated.
The firewall would not block mail, and clueless users are the most dangerous thing on any network.
On Saturday 31 July 2004 15:56, Jeff Vian wrote:
Assuming that your FC2 box is also acting as a firewall I'm curious as to how your network machines are getting infected. If you're not running a firewall you may strongly want to consider one.
Regards, Mike Klinke
Simple answer --
1) Uneducated users who open everything they get in the mail or by instant messaging.
2) No virus protection software loaded/not updated.
The firewall would not block mail, and clueless users are the most dangerous thing on any network.
If my memory serves me the msblaster worm spread primarily by way of the MS bug addressed by:
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
but you're right that there was an e-mail vector as well. The other person needs to answer my question above before assuming it's only due to "stupid users."
Regards, Mike Klinke
On Sat, 2004-07-31 at 16:14, Mike Klinke wrote:
If my memory serves me the msblaster worm spread primarily by way of the MS bug addressed by:
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
That is the one he said was primary. However, he did say other viruses were in the mix as well. And once it opened the back door from the first machine it could then possibly provide access to outsiders to the entire network.
but you're right that there was an e-mail vector as well. The other person needs to answer my question above before assuming it's only due to "stupid users."
I agree that an answer to how the first infection got thru the firewall (and if he has one) is the real issue here. Once the first one was infected the rest are vulnerable because the source is inside any firewall he had.
Regards, Mike Klinke
On Saturday 31 July 2004 17:01, Jeff Vian wrote:
I agree that an answer to how the first infection got thru the firewall (and if he has one) is the real issue here. Once the first one was infected the rest are vulnerable because the source is inside any firewall he had.
Heh, the only thing I can say for sure is that there have just been too damn many of these incidents in recent years and I'm about to petition for a "Computer Driver's License Program."
Not really, there's too much libertarian blood in my veins, but some days ....
Regards, Mike Klinke
The virus gets into the user machines by e-mail from other ISPs. There's no way I can block e-mail ports. I blocked ports TCP 4444, 135, 445 and UDP 69, known as ports that w32.blaster and other worms use to spread in the network. I really want to be able to scan every packet that passes through the firewall and see which host it's coming from. E.g.: host 192.168.1.175 is sending strange packets that may be a virus attack.
Thanks
Cristiano
----- Original Message ----- From: "Jeff Vian" jvian10@charter.net To: lsomike@futzin.com; "For users of Fedora Core releases" fedora-list@redhat.com Sent: Saturday, July 31, 2004 7:01 PM Subject: Re: virus/worms killing a network...
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
On Sat, 2004-07-31 at 23:09, Cristiano Soares wrote:
Just add the log option to the firewall rules for your internal hosts. Thus everything seen will be logged. You then can scan the logs for those hosts and see what ports they are trying to access, etc.
Yes but you CAN use mimedefang, mailscanner or amavis-new to scan all emails for virii.
Hi,
As somebody already suggested, you should install the snort intrusion detection system on the FC2 box (http://www.snort.org). Then you should search for snort pattern files regarding these worms (some are included in the standard packages, but perhaps not all you need).
It's also possible to configure snort in such a way that it acts as an intrusion prevention system, that is, it will cut a connection if it detects some worm activity.
But be warned: it's not trivial to set up and run a network intrusion detection/prevention system correctly. Depending on your current knowledge you may have to learn a lot.
Especially if you configure it as an intrusion prevention system, chances are that you cut internet access for all machines by, e.g., blocking the name servers.
-volker
On Sat, 31 Jul 2004, Jeff Vian wrote:
That is the one he said was primary. However, he did say other viruses were in the mix as well. And once it opened the back door from the first machine it could then possibly provide access to outsiders to the entire network.
The people who are the biggest risk are sometimes the hardest to train.
I have encountered this many times before.
There are a couple of possible problems/causes here.
You have the users who are unwilling/unable to learn how to use, or discipline themselves enough, to use anti-virus tools and keep them up to date. There are anti-virus tools out there that are pretty heavy handed that deal with these sort of problems. They cost money and admin time. They also require buy-in from management.
There are also people (usually managers and/or sales people) who feel that the rules do not apply to them. Those are the ones that turn off the virus protection because it got in the way or don't want to be bothered by it.
Another problem are people who have laptops that are used at home and at work. They tend to be a vector for all sorts of things that slip past any firewall checking. (Especially since these machines tend to be used for surfing the web and who knows what else at home.)
but you're right that there was an e-mail vector as well. The other person needs to answer my question above before assuming it's only due to "stupid users."
I agree that an answer to how the first infection got thru the firewall (and if he has one) is the real issue here. Once the first one was infected the rest are vulnerable because the source is inside any firewall he had.
Some people just have not figured it out yet. I am still amazed by supposed "computer savvy" people who get bit by spyware because they did not know that Kazaa would infect their system or that e-mail addresses can be forged.
What is worse are the people who refuse to learn. Those I have no sympathy for. (And there are a lot of them...)
On Sun, 2004-08-01 at 01:47, alan wrote:
Man, this just goes on and on.
Notice how so many things can have such a large impact on your daily level of pre-occupation. Uneducated users, types of virus, firewalling, and the never-ending deluge of spam.
Considering all the _money_ invested in the man hours spent doing this kind of work instead of installing intranet web servers to make information available to people on the inside, or just anything _including_ time with your feet up on the desk...
Isn't it time to drop Microsoft? Is there really any reason to run it, that can't be supplanted by running VMWare for those special machines that have remaining legacy applications? Sure, it's $300 per such machine, but look at all the _WORK_ you're going through, just in hopes it won't flood the users on the inside with problems?
I'm about to move to another duty station in a rare 'flash cube in the sky'. I've run some estimations for their site, even though I'm there in only a security capacity. For 160 workstations, the workload alone requires 4 MCSE's. One Linux guy could cover it, and several other buildings all by himself. MCSE's can handle 40 workstations (some say less, but this is an industry standard) and Linux people can handle from 100-1000 depending on configuration.
So for this one bank's building, without discussions of virus software, support contracts so that Microsoft will at least answer your phone call, and all that stuff, would save $50,000 just by changing their OS.
Sometimes it's just best to flush the parts that remain and start over. I just don't understand why people don't see that. I can't see the value of restricting Windows boxes so tightly they're useless, just so they won't have to be re-installed.
You can do it; I've been Microsoft free at home since 1992, at work since 2001. It reminds me of the early days of computing around 1978-85: simply no bullshit. Computing is like a toolkit, not a curse.
Start small; set up a communal server to hold user directories, font servers, and other nice things, then put Fedora on the least-computer-savvy person's desk. Then add five more, then rollout 10-20 at a time until you're set. You _will_ see an end to all of this non-work-related garbage and will be able to get some real work done, finally.
Enjoy!
Cristiano Soares wrote:
Besides removing the virus, the only things you can do are:
1 - installing an AV software on all Windows machines and keep it updated.
2 - install all the updates.
3 - block every unwanted incoming connection on your firewall. Only open the necessary ports.
I do only #3 here (using a linksys cable router) and never had problems with worms like Blaster (which spreads through network shares and a few other ways). If you block all the unnecessary incoming traffic, you'll be almost safe. Just ensure that your users never have unnecessary privileges on the Windows machines (never give poweruser or admin privileges, unless they really need it and revoke them as soon as the need finishes), that they don't close the AV (kinda tricky.. don't know if this can be done) and teach them to use a mail client that isn't vulnerable to all those worms (which means, goodbye Outlook and Outlook Express).
-- Pedro Macedo
On Sat, 2004-07-31 at 12:55, Pedro Fernandes Macedo wrote:
Cristiano Soares wrote:
There are tools to check vulnerable machines, hfnetchk, and you can also use tools from Symantec to scan for already infected machines. McAfee and Symantec have one, as well as Microsoft.
Yes there are a number of tools, either included or available.
You can try iptraf, etherape, tcpdump or ethereal, but there are many others.
When looking for bandwidth hogs I prefer etherape or iptraf.
You can get etherape for Fedora at: http://dag.wieers.com/packages/etherape/
I have noticed a lot of DNS queries and SMTP traffic caused by most virus infected machines lately. You can find them using tcpdump if you filter destination ports 25 and 53, like this:
tcpdump -nvv -i eth1 dst port 25 or dst port 53
You will need to be root to run tcpdump, and press CTRL-C to stop.
If your internal network is not on eth1 then change it to what your internal interface is.
To reduce the impact of the infected machines, set up some firewall rules only allowing SMTP {TCP port 25} connections to your SMTP server from your internal machines. Also block all outgoing traffic on UDP ports 135, 139 and 445. This will reduce your traffic and reduce the chance of your internal machines infecting other machines on the internet.
Good luck.
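An added example, not code from anyone in this thread, that does what Jeff ("add the log option to the firewall rules... scan the logs for those hosts") and Guy (infected hosts stand out by SMTP/DNS volume) describe: it parses iptables LOG lines from the NAT box and ranks internal hosts by packets to the worm ports Cristiano blocked, by SMTP/DNS volume, and by how many distinct destinations they contact. The LOG rule, the FW-FWD: prefix, the 192.168.1.0/24 LAN, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
"""Rank internal hosts by suspicious traffic seen in iptables LOG lines.

Assumed (not from the thread): the NAT box logs forwarded LAN packets with
    iptables -A FORWARD -i eth1 -j LOG --log-prefix "FW-FWD: "
and the LAN is 192.168.1.0/24.  The sample log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# Ports named in the thread: Blaster's RPC/shell/TFTP ports, plus the SMTP and
# DNS traffic that infected machines were seen generating in bulk.
WORM_PORTS = {("TCP", 135), ("TCP", 445), ("TCP", 4444), ("UDP", 69)}
SMTP_DNS = {("TCP", 25), ("UDP", 53), ("TCP", 53)}

# Matches the kernel's "SRC=.. DST=.. ... PROTO=.. SPT=.. DPT=.." fields.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) .*?"
    r"PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (src, dst, proto, dport) for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))

def summarize(lines, lan_prefix="192.168.1."):
    """Per LAN source host: packet count, distinct destinations, dst-port histogram."""
    stats = defaultdict(lambda: {"packets": 0, "dests": set(), "ports": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # dhcpd, sshd, ... lines are skipped
        src, dst, proto, dport = rec
        if not src.startswith(lan_prefix):
            continue                      # only traffic originating inside
        host = stats[src]
        host["packets"] += 1
        host["dests"].add(dst)
        host["ports"][(proto, dport)] += 1
    return stats

def suspects(stats, smtp_dns_threshold=20, fanout_threshold=10):
    """Hosts worth pulling off the network first, with the reason for each."""
    flagged = {}
    for src, host in stats.items():
        reasons = []
        worm = sum(n for p, n in host["ports"].items() if p in WORM_PORTS)
        if worm:
            reasons.append("%d packets to worm ports" % worm)
        mail_dns = sum(n for p, n in host["ports"].items() if p in SMTP_DNS)
        if mail_dns >= smtp_dns_threshold:
            reasons.append("%d SMTP/DNS packets" % mail_dns)
        if len(host["dests"]) >= fanout_threshold:
            reasons.append("%d distinct destinations" % len(host["dests"]))
        if reasons:
            flagged[src] = reasons
    return flagged

def _log(src, dst, proto, sport, dport):
    """Build one constructed line in the kernel's iptables LOG format."""
    return ("Jul 31 23:10:01 fc2 kernel: FW-FWD: IN=eth1 OUT=eth0 SRC=%s DST=%s "
            "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4321 DF PROTO=%s SPT=%d DPT=%d"
            % (src, dst, proto, sport, dport))

# Constructed sample: one clean browser, one host probing port 135 on thirty
# addresses, one host pushing mail to 25 servers, and one non-firewall line.
SAMPLE_LOG = (
    [_log("192.168.1.20", "198.51.100.7", "TCP", 1040 + i, 80) for i in range(5)]
    + [_log("192.168.1.175", "203.0.113.%d" % i, "TCP", 1025 + i, 135) for i in range(1, 31)]
    + [_log("192.168.1.50", "198.51.100.%d" % i, "TCP", 2000 + i, 25) for i in range(1, 26)]
    + ["Jul 31 23:10:02 fc2 dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 via eth1"]
)

if __name__ == "__main__":
    for src, why in sorted(suspects(summarize(SAMPLE_LOG)).items()):
        print(src, "->", "; ".join(why))
```

On a real box feed it the kernel log (e.g. `grep FW-FWD /var/log/messages`) instead of SAMPLE_LOG; a host that shows up for worm ports or high fan-out is the one to unplug and clean first.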
Cristiano Soares wrote:
Guy Fraser wrote:
Yes there are a number of tools, either included or available.
You can try iptraf , etherape , tcpdump or ethereal, but there are many others.
When looking for bandwidth hogs I prefer etherape or iptraf.
You can get etherape for Fedora at : http://dag.wieers.com/packages/etherape/
If you prefer a console app, I can recommend "iftop"
http://www.ex-parrot.com/~pdw/iftop/