Re: Masquerade hacking problem.
- From: Ernest E Vogelsinger <ernest vogelsinger at>
- To: redhat-list redhat com
- Cc: redhat mail list <redhat-list redhat com>
- Subject: Re: Masquerade hacking problem.
- Date: Sat Nov 2 15:28:27 2002
At 20:50 02.11.2002, linux power said:
--------------------[snip]--------------------
>It seems that masquerade uses the netbios-ns port to broadcast to the whole
>world that it's seeking a vacant IP address. That is a major firewall
>problem on my computer because I can't close the netbios ports, and it results
>in hacking attempts all the time.
--------------------[snip]--------------------
I don't think so, this might be a DHCP issue.
You're using iptables? Insert something like that into your firewall script:
# --------------------------------------------
# the SMB table is executed for all NetBios related traffic
# --------------------------------------------
/sbin/iptables -N SMB
# allow traffic to/from the specified IP's
/sbin/iptables -A SMB -s xxx.xxx.xxx.xxx -j ACCEPT # xxx's machine
/sbin/iptables -A SMB -d xxx.xxx.xxx.xxx -j ACCEPT
/sbin/iptables -A SMB -s xxx.xxx.xxx.xx -j ACCEPT # yyy's machine
/sbin/iptables -A SMB -d xxx.xxx.xxx.xx -j ACCEPT
# and kill everything else
/sbin/iptables -A SMB -j DROP
# --------------------------------------------
# the SILENTDROP table filters out all NetBios traffic
# --------------------------------------------
/sbin/iptables -N SILENTDROP
/sbin/iptables -A SILENTDROP -p tcp --dport 137 -j SMB
/sbin/iptables -A SILENTDROP -p tcp --dport 138 -j SMB
/sbin/iptables -A SILENTDROP -p tcp --dport 139 -j SMB
/sbin/iptables -A SILENTDROP -p tcp --dport 445 -j SMB
/sbin/iptables -A SILENTDROP -p udp --dport 137 -j SMB
/sbin/iptables -A SILENTDROP -p udp --dport 138 -j SMB
/sbin/iptables -A SILENTDROP -p udp --dport 139 -j SMB
/sbin/iptables -A SILENTDROP -p udp --dport 445 -j SMB
/sbin/iptables -A SILENTDROP -p tcp --sport 137 -j SMB
/sbin/iptables -A SILENTDROP -p tcp --sport 138 -j SMB
/sbin/iptables -A SILENTDROP -p tcp --sport 139 -j SMB
/sbin/iptables -A SILENTDROP -p tcp --sport 445 -j SMB
/sbin/iptables -A SILENTDROP -p udp --sport 137 -j SMB
/sbin/iptables -A SILENTDROP -p udp --sport 138 -j SMB
/sbin/iptables -A SILENTDROP -p udp --sport 139 -j SMB
/sbin/iptables -A SILENTDROP -p udp --sport 445 -j SMB
# --------------------------------------------
# insert these at the top for the INPUT, OUTPUT, and FORWARD tables
# assuming eth0 is the interface to the internet, and eth1 to internal network
# --------------------------------------------
/sbin/iptables -A INPUT -i eth1 -j SILENTDROP
/sbin/iptables -A INPUT -i eth0 -j SILENTDROP
# OUTPUT has no input interface (iptables rejects -i there), so match on -o
/sbin/iptables -A OUTPUT -o eth1 -j SILENTDROP
/sbin/iptables -A OUTPUT -o eth0 -j SILENTDROP
/sbin/iptables -A FORWARD -i eth1 -j SILENTDROP
/sbin/iptables -A FORWARD -i eth0 -j SILENTDROP
Taken (and shortened) from our firewall script which seems to work
perfectly on this issue...
--
>O Ernest E. Vogelsinger /~\ The ASCII
(\) ICQ #13394035 \ / Ribbon Campaign
^ X Against
/ \ HTML Email
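
The script's comment says the SILENTDROP jumps belong at the top of INPUT, OUTPUT and FORWARD. The following added example (not part of the original message) checks that ordering in a rule listing in the format printed by `iptables -S`. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Audit rule order in `iptables -S` style output read from stdin.
# Prints one finding per built-in chain where traffic can get past SILENTDROP.
check_silentdrop_order() {
    awk '
        $1 == "-A" && ($2 == "INPUT" || $2 == "OUTPUT" || $2 == "FORWARD") {
            chain = $2; n[chain]++; target = ""
            for (i = 3; i < NF; i++)
                if ($i == "-j") target = $(i + 1)
            if (target == "SILENTDROP") last_jump[chain] = n[chain]
            # Conservative: any ACCEPT ahead of the jump is flagged for review
            if (target == "ACCEPT" && !(chain in first_accept))
                first_accept[chain] = n[chain]
        }
        END {
            split("INPUT OUTPUT FORWARD", chains, " ")
            for (c = 1; c <= 3; c++) {
                name = chains[c]
                if (!(name in last_jump))
                    print name ": no jump to SILENTDROP"
                else if ((name in first_accept) && first_accept[name] < last_jump[name])
                    print name ": ACCEPT at rule " first_accept[name] " precedes SILENTDROP jump at rule " last_jump[name]
            }
        }'
}

# Constructed sample ruleset (not taken from a real host)
sample_ruleset() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N SILENTDROP
-N SMB
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j SILENTDROP
-A INPUT -i eth0 -j SILENTDROP
-A FORWARD -i eth1 -j SILENTDROP
-A FORWARD -i eth0 -j SILENTDROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
}

sample_ruleset | check_silentdrop_order
```

On a live firewall the same function can be fed with `iptables -S | check_silentdrop_order`; an empty result means no ACCEPT rule sits ahead of the jumps.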