
[cobalt-users] pmfirewall (was worm attack)



> Like adding port 81 to HTTP - or your /admin and /siteadmin thingies won't
> work.
> I've also got another problem with pmfirewall, and I'm struggling to find it -
> HTTPD ceases to work AT ALL when I've installed the thing, but (thank deity)
> that telnet still worked for my to login and remove/reboot.

> Does anyone know what might have gone amiss on this PMFIREWALL installation to
> bash my HTTPD access? - all I did was respond (I thought appropriately) to the
> prompts - then duplicate a bunch of IPCHAINS commands to block IPs generating
> NIMDA worm requests, and reboot.


Did http cease to work before or after you added the nimda rules?
My auto generated scripts are below, followed by the custom ones.
I do have port 443 for SSL.

#DHCP CLIENT BLOCK
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 67:68 -i $OUTERIF -j DENY
#FTP
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 21 -j ACCEPT
#SSH
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 22 -j ACCEPT
#HTTPD
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
#POP
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 110 -j ACCEPT
#SMTP
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 25 -j ACCEPT

#IDENTD
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 113 -j ACCEPT
#NETBIOS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY
#SSL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 443 -j ACCEPT
#RIP
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 520 -i $OUTERIF -j REJECT
#NFS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
#XSERVER
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
#
I added the following custom rules
#CUSTOM   -- for rsync 1.2.3.4/28 is my IP subnet
$IPCHAINS -A input -p tcp -s 1.2.3.4/28 -d $REMOTENET 873 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s 1.2.3.4/28 -d $REMOTENET 873 -i $OUTERIF -j ACCEPT
#CUSTOM  --- for admserv
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 81 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 444 -i $OUTERIF -j ACCEPT

The auto generated scripts:
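Added example, not part of the list post or of pmfirewall: ipchains walks the input chain top to bottom and the first matching rule decides, so a DENY or REJECT that lands before the port 80 ACCEPT silences HTTPD even though the ACCEPT is present. The script below replays that evaluation over rule lines in the pmfirewall style; the rule sets, the chain policy and the "sweeping DENY" in RULES_BAD are constructed for illustration.

```shell
# Simulate ipchains first-match evaluation of the "input" chain for one
# incoming packet. $IPCHAINS, $REMOTENET etc. stay unexpanded on purpose;
# only -p, the port after -d and -j are inspected.
set -f                     # no globbing while rule lines are word-split
POLICY=DENY                # assumed chain policy: drop what no rule accepts

# first_match PROTO PORT < rules: print the target of the first matching
# rule, or $POLICY when none matches (ipchains stops at the first hit).
first_match() {
    proto=$1; port=$2
    while read -r line; do
        case $line in *'-A input'*) ;; *) continue ;; esac
        set -- $line
        rproto=; rport=; target=
        while [ $# -gt 0 ]; do
            case $1 in
                -p) rproto=$2 ;;
                -d) case ${3:-} in [0-9]*) rport=$3 ;; esac ;;
                -j) target=$2 ;;
            esac
            shift
        done
        [ "$rproto" = "$proto" ] && [ -n "$rport" ] || continue
        case $rport in                       # single port or lo:hi range
            *:*) lo=${rport%%:*}; hi=${rport##*:} ;;
            *)   lo=$rport; hi=$rport ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            printf '%s\n' "$target"; return 0
        fi
    done
    printf '%s\n' "$POLICY"
}

# Constructed rule sets. RULES_OK keeps the message's ordering; RULES_BAD
# prepends a sweeping DENY on privileged ports, the kind of rule that
# silently kills HTTPD because it is hit before the port 80 ACCEPT.
RULES_OK='
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 443 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 81 -i $OUTERIF -j ACCEPT
'
RULES_BAD='$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 1:1023 -i $OUTERIF -j DENY -l
'"$RULES_OK"
for p in 80 81 139 443 8080; do        # compare both orderings per port
    printf 'tcp/%-5s ok:%-7s bad:%s\n' "$p" \
        "$(printf '%s\n' "$RULES_OK" | first_match tcp "$p")" \
        "$(printf '%s\n' "$RULES_BAD" | first_match tcp "$p")"
done
```

Feed it the real generated script plus the custom block (in the order the files are sourced) and query tcp/80 and tcp/81 to see which rule actually answers for the web server and admserv ports.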