Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Server hacked on known port
Special Forums Cybersecurity Server hacked on known port Post 303029984 by bakunin on Monday 4th of February 2019 06:37:06 AM
Old 02-04-2019
If i remember correctly 1521 is one of the standard ports for the Oracle listener, so i suppose you have an Oracle database running there. That the listener listens is quite as it should be, no?

What makes you think the server "was hacked"?

I mean, iptables is just a packet filter and as such it cannot discern between legitimate content and an illegitimate one. It filters packets based on IP address (layer 3) and port (layer 4), nothing more, nothing less. Obviously you need to allow traffic to the configured port of the listener otherwise the database would not be usable. So either you allow this port or you disable it (eventually restricting to a certain range of IP addresses), but what content goes over this port (i.e. legitimate database queries vs. malicious content) the packet filter is the wrong tool to assess. For that you will need a "stateful inspection" type of firewall which iptables is not.

Also be aware that the concept of "host based firewalls" is a flawed one per design. A hosts role is either providing a service (that is: some application) OR providing firewall services, but not both! The reason is you don't want the host you want to protect run the firewall itself, beause in this scenario the malicious packages already have reached the interface they are trying to attack. You want the firewall in front of (and separated from) the host you try to protect so that the malicious content doesn't even reach the interface you want to protect.

I hope this helps.

bakunin
Last edited by bakunin; 02-04-2019 at 05:08 PM.. Reason: confused "stateful inspection" with "deep state inspection" - oh, the paranoia
 

8 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

which port to write my server application?

I want to write a server application that would accept HTTP requests from client. The server would be on a machine that has no connection to the INTERNET. The clients that would be posting their HTTP requests would be doing so through webbrowser .Thus it would be sort of intranet application.... (0 Replies)
Discussion started by: rraajjiibb
0 Replies

2. Linux

pc hacked

Hi, i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply, i think someone has put an script which generates enables the rules. But after restarting the iptables everything seems to be working... (0 Replies)
Discussion started by: naik_mit
0 Replies

3. UNIX for Dummies Questions & Answers

Old ATT Server Port Question

Just got old ATT server (10 base T)shipped and want to connect to Windows using com port. Got hardware to connect RJ45 from windows box & serial on ATT. I added XP static ip to host file but get no ping return. Do I have to open unix com port? How? (2 Replies)
Discussion started by: kctech
2 Replies

4. UNIX for Advanced & Expert Users

ssh port forward over three server

Hello there, I have a big problem, and I hope somebody can help me. I try to realize a port forward over three server. Here is a picture... Client Server1 | Server2 ------- ------- | ------- |...... | |...... | | |...... ... (2 Replies)
Discussion started by: Art007
2 Replies

5. Cybersecurity

How to know when you've been hacked

One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage. The more sophisticated the hacker, the less likely... (8 Replies)
Discussion started by: binhnx2000
8 Replies

6. UNIX for Dummies Questions & Answers

Plesk Server Hacked - How to Backup

Hello! First of all: I am a newbie. :o :( I have a CentOS 64bit server with Plesk Panel 8.6. And have been hacked. :mad: After many tries and support tickets, I am configuring a new server, with Suse 11 and Plesk 9.2. I know that Plesk 8.6 have a backup utility (Parallels Plesk Control... (3 Replies)
Discussion started by: miguelvidal
3 Replies

7. Cybersecurity

Different ssh fingerprints on server vs the one on port 22

Hi Guys, My certificate in /etc/ssh is different to what is on port 22. username@server:~$ ssh-keyscan -p 22 127.0.0.1 > /tmp/rsa.tmp # 127.0.0.1 SSH-1.99-OpenSSH_33.33 username@server:~$ ssh-keygen -lf /tmp/rsa.tmp 1024 46:something..................... 127.0.0.1... (0 Replies)
Discussion started by: mu100
0 Replies

8. Solaris

How to find port number wwn of particular port on dual port HBA,?

please find the below o/p for your reference bash-3.00# fcinfo hba-port HBA Port WWN: 21000024ff295a34 OS Device Name: /dev/cfg/c2 Manufacturer: QLogic Corp. Model: 375-3356-02 Firmware Version: 05.03.02 FCode/BIOS Version: BIOS: 2.02; fcode: 2.01;... (3 Replies)
Discussion started by: sb200
3 Replies

LEARN ABOUT OPENSOLARIS

ipfilter

ipfilter(5)						Standards, Environments, and Macros					       ipfilter(5)

NAME

       ipfilter - IP packet filtering software

DESCRIPTION

       IP  Filter is software that provides packet filtering capabilities on a Solaris system. On a properly setup system, it can be used to build
       a firewall.

       Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. See  ipf(1M)  for  a
       procedure to enable and activate the IP Filter feature.

HOST-BASED FIREWALL
       To  simplify  IP Filter configuration management, a firewall framework is created to allow users to configure IP Filter by expressing fire-
       wall policy at system and service level. Given the user-defined firewall policy, the framework generates  a  set  of  IP  Filter  rules	to
       enforce	the  desired  system  behavior. Users specify system and service firewall policies that allow or deny network traffic from certain
       hosts, subnets, and interface(s). The policies are translated into a set of active IPF rules to enforce the specified firewall policies.

       Note -

	 Users can still specify their own ipf rule file if they choose not to take advantage of the framework. See ipf(1M) and ipf(4).

   Model
       This section describes the host-based firewall framework. See svc.ipfd(1M) for details on how to configure firewall policies.

       A three-layer approach with different precedence levels helps the user achieve the desired behaviors.

       Global Default

	   Global Default - Default system-wide firewall policy. This policy is automatically inherited by all	services  unless  services  modify
	   their firewall policy.

       Network Services

	   Higher  precedence than Global Default. A service's policy allows/disallows traffic to its specific ports, regardless of Global Default
	   policy.

       Global Override

	   Another system-wide policy that takes precedence over the needs of specific services in Network Services layer.

	 Global Override
	       |
	       |
	 Network Services
	       |
	       |
	 Global Default

       A firewall policy includes a firewall mode and an optional set of network sources. Network sources are IP  addresses,  subnets,	and  local
       network interfaces, from all of which a system can receive incoming traffic. The basic set of firewall modes are:

       None

	   No firewall, allow all incoming traffic.

       Deny

	   Allow all incoming traffic but deny from specified source(s).

       Allow

	   Deny all incoming traffic but allow from specified source(s).

   Layers in Detail
       The  first  system-wide	layer,	Global	Default,  defines a firewall policy that applies to any incoming traffic, for example, allowing or
       blocking all traffic from an IP address. This makes it simple to have a policy that blocks all incoming traffic	or  all  incoming  traffic
       from unwanted source(s).

       The  Network  Services  layer  contains	firewall policies for local programs that provide service to remote clients, for example, telnetd,
       sshd, and httpd. Each of these programs, a network service, has its own firewall policy that controls access to its service.  Initially,  a
       service's  policy is set to inherit Global Default policy, a "Use Global Default" mode. This makes it simple to set a single policy, at the
       Global Default layer, that can be inherited by all services.

       When a service's policy is different from Global Default policy, the service's policy has higher precedence. If Global  Default	policy	is
       set  to	block all traffic from a subnet, the SSH service could be configured to allow access from certain hosts in that subnet. The set of
       all policies for all network services comprises the Network Service layer.

       The second system-wide layer, Global Override, has a firewall policy that also applies to any incoming network  traffic.  This  policy  has
       highest	precedence  and overrides policies in the other layers, specifically overriding the needs of network services. The example is when
       it is desirable to block known malicious source(s) regardless of services' policies.

   User Interaction
       This framework leverages IP Filter functionality and is active only when svc:/network/ipfilter is enabled and inactive when  network/ipfil-
       ter  is	disabled. Similarly, a network service's firewall policy is only active when that service is enabled and inactive when the service
       is disabled. A system with an active firewall has IP Filter rules for each running/enabled network service and system-wide policy(s)  whose
       firewall mode is not None.

       A  user configures a firewall by setting the system-wide policies and policy for each network service. See svc.ipfd(1M) on how to configure
       a firewall policy.

       The firewall framework composes of policy configuration and a mechanism to generate IP Filter rules from  the  policy  and  applying  those
       rules to get the desired IP Filter configuration. A quick summary of the design and user interaction:

	   o	  system-wide policy(s) are stored in network/ipfilter

	   o	  network services' policies are stored in each SMF service

	   o	  a user activates a firewall by enabling network/ipfilter (see ipf(1M))

	   o	  a user activates/deactivate a service's firewall by enabling/disabling that network service

	   o	  changes to system-wide or per-service firewall policy results in an update to the system's firewall rules

ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Committed 		   |
       +-----------------------------+-----------------------------+

SEE ALSO

       svcs(1), ipf(1M), ipnat(1M), svcadm(1M), svc.ipfd(1M), ipf(4), ipnat(4), attributes(5), smf(5)

       System Administration Guide: IP Services

NOTES

       The nfsd service is managed by the service management facility, smf(5), under the service identifier:

	 svc:/network/ipfilter:default

       Administrative  actions	on  this  service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). The ser-
       vice's status can be queried using the svcs(1) command.

       IP Filter startup configuration files are stored in /etc/ipf.

SunOS 5.11							    18 Feb 2009 						       ipfilter(5)
All times are GMT -4. The time now is 06:48 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy