Full Discussion: Server hacked on known port
Special Forums > Cybersecurity
Post 303029984 by bakunin on Monday 4th of February 2019 06:37:06 AM
If I remember correctly, 1521 is one of the standard ports for the Oracle listener, so I suppose you have an Oracle database running there. That the listener listens is quite as it should be, no?

What makes you think the server "was hacked"?

I mean, iptables is just a packet filter and as such it cannot discern between legitimate content and illegitimate content. It filters packets based on IP address (layer 3) and port (layer 4), nothing more, nothing less. Obviously you need to allow traffic to the configured port of the listener, otherwise the database would not be usable. So either you allow this port or you disable it (eventually restricting it to a certain range of IP addresses), but what content goes over this port (i.e. legitimate database queries vs. malicious content) is something the packet filter is the wrong tool to assess. For that you will need a "stateful inspection" type of firewall, which iptables is not.

Also be aware that the concept of "host based firewalls" is a flawed one per design. A host's role is either providing a service (that is: some application) OR providing firewall services, but not both! The reason is you don't want the host you want to protect to run the firewall itself, because in this scenario the malicious packets have already reached the interface they are trying to attack. You want the firewall in front of (and separated from) the host you try to protect, so that the malicious content doesn't even reach the interface you want to protect.

I hope this helps.

bakunin

Last edited by bakunin; 02-04-2019 at 05:08 PM. Reason: confused "stateful inspection" with "deep state inspection" - oh, the paranoia
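The option the post mentions, allowing the listener's port but only from a certain range of IP addresses, worked through as an added example (not part of the original post or of any project): a small POSIX shell generator for stateful iptables rules. Port 1521 is taken from the post; the source ranges 10.20.0.0/16 and 192.0.2.0/24 are constructed, the helpers `valid_cidr`, `gen_listener_rules` and `run_rules` are hypothetical names, and the validator assumes IPv4 only. Rules are printed by default and executed only when `APPLY=1` is set, so the output can be reviewed on any machine first.

```shell
#!/bin/sh
# Added example, not from the forum post: generate stateful iptables rules that
# admit a listener port (1521 for the Oracle listener, as the post assumes)
# only from given source ranges. Rules are printed by default; they are
# executed only with APPLY=1, so the plan can be reviewed on any machine.

# Accept dotted-quad IPv4 addresses with an optional /0-/32 prefix
# (assumption: IPv4 only; ip6tables would need its own validator).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_listener_rules PORT CIDR [CIDR...]
# Prints one iptables command per line; returns 1 on invalid input.
gen_listener_rules() {
    port=$1; shift
    case $port in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    [ $# -ge 1 ] || { echo "need at least one source range" >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    done
    # Packets belonging to connections that were already accepted.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New connections to the listener, from the allowed ranges only.
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $net -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else aimed at the port: log it (rate limited), then drop it.
    echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"listener-drop: \""
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Print the plan, or run it when APPLY=1 (needs root and iptables installed).
run_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        gen_listener_rules "$@" | sh -e
    else
        gen_listener_rules "$@"
    fi
}

run_rules 1521 10.20.0.0/16 192.0.2.0/24   # constructed example ranges
```

The rules are appended to INPUT, so they assume the chain's policy and earlier rules already cover the other ports. Note that this is exactly the layer 3/4 decision the post describes: the conntrack match tracks connection state, but nothing here can tell a legitimate query from malicious content inside an accepted connection.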
FIREHOL(1)                    General Commands Manual                    FIREHOL(1)

NAME
       firehol - An easy to use but powerful iptables stateful firewall

SYNOPSIS
       firehol start|try|stop|restart|condrestart|status|panic|save|debug|helpme
       firehol configfile [start|debug|try]
       firehol nothing

DESCRIPTION
       firehol is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions).

       firehol is a language to express firewalling rules, not just a script that produces some kind of a firewall.

       The goals of firehol are:

       o Being as easy as possible. Independently of the security skills he/she has, firehol allows one to create and understand complex firewalls in just a few seconds. The configuration files are very easy to type and read.

       o Being as secure as possible. By allowing explicitly only the wanted traffic to flow, firehol secures your system. firehol produces stateful rules for any service or protocol, in both directions of the firewall.

       o Being as open as possible. Although firehol is pre-configured for a large number of services, you can configure any service you like and firehol will turn it into a client, a server, or a router.

       o Being as flexible as possible. firehol can be used by end users and guru administrators requiring extremely complex firewalls. firehol configuration files are BASH scripts; you can write in them anything BASH accepts, including variables, pipes, loops, conditions, calls to external programs, run other BASH scripts with firehol directives in them, etc.

       o Being as simple as possible. firehol is easy to install on any modern Linux system; only one file is required, no compilations involved.

   Options
       start   Activates the firewall configuration. The configuration is expected to be found in /etc/firehol/firehol.conf.

       try     Activates the firewall, but waits until the user types the word commit. If this word is not typed within 30 seconds, the previous firewall is restored.

       stop    Stops a running iptables firewall by running /etc/init.d/iptables stop. This will allow all traffic to pass unchecked.

       restart This is an alias for start and is given for compatibility with /etc/init.d/iptables.

       condrestart
               Starts the firehol firewall only if it is not already active. It does not detect a modified configuration file, only verifies that firehol has been started in the past and not stopped yet.

       status  Shows the running firewall, as in /sbin/iptables -nxvL | less

       panic   It removes all rules from the running firewall and then it DROPs all traffic on all iptables tables (mangle, nat, filter) and predefined chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING), thus blocking all IP communication. DROPing is not done by changing the default policy to DROP, but by adding just one rule per table/chain to drop all traffic, because the default iptables scripts supplied by many systems (including RedHat 8) do not reset all the chains to ACCEPT when starting (firehol resets them correctly).

               When activating panic mode, firehol checks for the existence of the SSH_CLIENT shell environment variable (set by SSH). If it finds this, then panic mode will allow the established SSH connection specified in this variable to operate. Notice that in order for this to work, you should have used su without the minus (-) sign, since su - overwrites the shell variables and therefore the SSH_CLIENT variable is lost.

               Alternatively, after the panic argument you can specify an IP address, in which case all established connections between this IP address and the host in panic will be allowed.

       save    Start the firewall and then save it using /sbin/iptables-save to /etc/sysconfig/iptables. Since v1.64, this is not implemented using /etc/init.d/iptables save because there is a bug in some versions of iptables-save that save invalid commands (! --uid-owner A is saved as --uid-owner !A) which cannot be restored. firehol fixes this problem (by saving it, and then replacing --uid-owner ! with ! --uid-owner).

               Note that not all firehol firewalls will work if restored with /etc/init.d/iptables start, because FireHOL handles kernel modules and might have queried RPC servers (used by the NFS service) before starting the firewall. Also, firehol automatically checks the current kernel configuration for the client ports range. If you restore a firewall using the iptables service your firewall may not work as expected.

       debug   Parses the configuration file but instead of activating it, it shows the generated iptables statements.

       explain Enters an interactive mode where it accepts normal configuration commands and presents the generated iptables commands for each of them, together with some reasoning for its purpose. Additionally, it automatically generates a configuration script based on the successful commands given. When in directive mode, firehol has the following special commands:

               o help   Present some help
               o show   Present the generated firehol configuration
               o quit   Exit interactive mode and quit firehol

       helpme  Tries to guess the firehol configuration needed for the current machine. firehol will not stop or alter the running firewall. The configuration file is given on the standard output of firehol, thus /etc/init.d/firehol helpme >/tmp/firehol.conf will produce the output in /tmp/firehol.conf. The generated firehol configuration should and must be edited before being used on your systems. You are required to take many decisions and the comments of the generated file will instruct you for many of them.

       configfile
               A different configuration file. If no other argument is given, the configuration file will be tried (default = try). Otherwise the argument next to the filename can be one of start, debug, try.

       nothing Presents help about firehol usage.

FILES
       /etc/firehol/firehol.conf

AUTHOR
       firehol written by Costa Tsaousis <costa@tsaousis.gr>. Man page written by Marc Brockschmidt <marc@marcbrockschmidt.de>.

SEE ALSO
       firehol.conf(5), iptables(8), bash(1)

                                   2003-04-30                                FIREHOL(1)
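The panic procedure the man page describes (flush every table, append one DROP rule per predefined chain without touching default policies, and keep the SSH session named by SSH_CLIENT or all established traffic with a given address), emulated as an added example in POSIX shell. This is not FireHOL's own code: the function names `chains_of`, `keep_match` and `gen_panic_rules` are hypothetical, the per-table list of predefined chains is an assumption for current kernels (the man page names all five chains without saying which table has which), and the commands are printed rather than executed so the plan can be inspected anywhere.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: emulate the "panic" procedure the man
# page describes. Every table is flushed, one DROP rule is appended to each
# predefined chain (default policies stay untouched), and the SSH session named
# by SSH_CLIENT ("client_ip client_port server_port"), or all established
# traffic with an address given as argument, is accepted before the DROP.
# Commands are printed, not executed, so this runs on any machine.

# Predefined chains per table on current kernels (assumption; see iptables(8)).
chains_of() {
    case $1 in
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        filter) echo "INPUT FORWARD OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# Match expression that keeps the protected session alive in TABLE/CHAIN, or
# nothing for chains a locally terminated session never traverses: FORWARD,
# and the whole nat table, which only sees the first packet of a connection.
keep_match() {
    [ "$1" != nat ] || return 0
    case $2 in
        PREROUTING|INPUT)   m="-s $KEEP_IP${KEEP_IN:+ $KEEP_IN}" ;;
        OUTPUT|POSTROUTING) m="-d $KEEP_IP${KEEP_OUT:+ $KEEP_OUT}" ;;
        *) return 0 ;;
    esac
    echo "$m -m conntrack --ctstate ESTABLISHED"
}

# gen_panic_rules [ADDRESS]
# Prints the iptables commands; returns 1 if SSH_CLIENT is malformed.
gen_panic_rules() {
    KEEP_IP=""; KEEP_IN=""; KEEP_OUT=""
    if [ -n "$1" ]; then
        KEEP_IP=$1                      # any established traffic with this host
    elif [ -n "$SSH_CLIENT" ]; then
        set -- $SSH_CLIENT              # split into ip, client port, server port
        [ $# -eq 3 ] || { echo "unexpected SSH_CLIENT: $SSH_CLIENT" >&2; return 1; }
        KEEP_IP=$1
        KEEP_IN="-p tcp --sport $2 --dport $3"   # exactly this session, inbound
        KEEP_OUT="-p tcp --dport $2 --sport $3"  # and its replies, outbound
    fi
    # Step 1: remove all rules from every table.
    for table in mangle nat filter; do
        echo "iptables -t $table -F"
    done
    # Step 2: per table/chain, accept the protected session (if any), then
    # append a single DROP rule instead of changing the default policy.
    for table in mangle nat filter; do
        for chain in $(chains_of "$table"); do
            if [ -n "$KEEP_IP" ]; then
                m=$(keep_match "$table" "$chain")
                [ -z "$m" ] || echo "iptables -t $table -A $chain $m -j ACCEPT"
            fi
            echo "iptables -t $table -A $chain -j DROP"
        done
    done
}

# Usage: print the plan for the current shell's SSH session, if there is one.
gen_panic_rules
```

Running it from a shell reached with `su -` prints a plan with no ACCEPT rules at all, which is the SSH_CLIENT loss the man page warns about; passing an address instead reproduces the second form of the command.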