2012-02-21 - Re: [GRASE-Hotspot] Firewall recommendations

Header Data

From: Tim White <ti***8@gmail.com>
Message Hash: c7bb8fea123ec9557f0f5522094acf1c9a56cd564dd76a6f354f309e14ac9546
Message ID: <4F436F55.8040305@gmail.com>
Reply To: <1329815486.18433.YahooMailNeo@web161403.mail.bf1.yahoo.com>
UTC Datetime: 2012-02-21 03:17:57 UTC
Raw Date: Tue, 21 Feb 2012 20:17:57 +1000

Raw message 

On 21/02/12 19:11, tim storey wrote:
> I have had a worm launch spam attacks from within my network. My ISP 
> is requesting that I do something about it or else I will be 
> blacklisted and shut down.
> Blocking port 445 worked for a few hours, but then the same worm 
> simply used a different port to do the thing again.
> My customer base is made up largely of students who have absolutely no 
> concept of security - their laptops are positively crawling with 
> viruses/malware. I do the best I can to educate them, but it largely 
> falls on deaf ears.
> I want to be able to allow unrestricted web access (I do not have a 
> mail server, nor do I wish to have one), but I realise that I have to 
> make certain restrictions to protect other web users as well as myself.
> Endian firewall (community version) offers web antivirus and web 
> antispam filtering. This makes a lot of sense to my situation, even if 
> I have to sacrifice a little speed, unless you can give me a 
> definitive set of iptables rules which will accomplish the same thing.
> The rules you demonstrate below seem like they would suit me fine, but 
> I need to know whether they would be effective in locking out a 
> determined bit of malware (given the malware soup on my customer laptops).
> Thanks.

Unfortunately, if you give a computer any internet access, then a worm 
can do what it likes. I'd expect most ISP's to know this, and 
essentially what they are asking you is to block the users who's 
computers are infected, not an easy task. This is one of those issues 
faced by anyone who is running an ISP, and yes, if you are running a 
hotspot, you are an ISP. Bigger ISPs use lots of packet matching rules 
to identify malware and can then trace it back to the user who is 
sending it. For a smaller ISP, it's much harder. So unless Endian 
firewall can do some of that matching and blocking, its not going to help.

Probably the only way to totally block it, is to only give port 80 web 
access. So no HTTPS (SSL) web access on port 443, which rules out things 
like internet banking, secure gmail/facebook/twitter which is becoming 
the default now days. That way, all access is logged in Squid, which 
will help identify worms.

I'd be asking the ISP for all information they can provide about the 
worm, and be locking down the firewall with some of the rules I gave. 
(I'd allow HTTPS and secure IMAP and POP3). Then if the worm is still 
tunneling out, hopefully you'll see it in squid logs. I'd also run some 
things like netstat on the hotspot (and a few other tools I can't think 
of off the top of my head) which will show all connections being made 
through the Hotspot. Filter out the common domains (google, facebook, 
akami cdn, twitter, etc etc) and then compile a list of everything else 
being connected to (and where it's being connected from). You should 
hopefully be able to shrink the list down until you only see suspicious 
looking behaviour at which point you should also be able to see what 
computer (and user) it's coming from.

Depending on your country, the ISP really needs to be working with you 
to block it, not just threating to shut you down (as most "end users" 
won't be able to easily find the source of malware). Ideally you need 
from the the ports, destinations, times etc of attacks, and packet 
signatures that identify it.

Tim

Thread