[wplug] Sasser Worm -- protection

Devin Lee Drew dLd at pobox.com
Tue May 4 14:04:59 EDT 2004


On May 3, 2004, at 9:43 PM, Brandon Kuczenski wrote:

> Thanks for the overview... still learning about security... For
> example, I had never considered that it was my obligation as a router
> administrator to block outgoing packets even if "my" machines weren't
> generating them -- but it makes good sense.
>

You are by no means obligated, and if there is only 1 Windows box 
behind your firewall then your effort / potential public benefit ratio 
is going to be high. ;)

> If I am using IP Masquerading, then (True or False:) DROPping port-445
> packets on the FORWARD chain would NOT block them from the outside
> world?

It can be helpful to draw things when you're considering this stuff. I 
don't have the binary answer for you here but someone else may. 
Importantly, you've got to be unambiguous about what "NOT block them 
from the outside world" means. I think that you could drop them on 
either the FORWARD or OUTPUT chain, though the FORWARD chain is 
conventionally where you have your masquerading rules. Either way, test 
it with telnet somehost.com 445 and then look at the packet filter logs 
to make sure that it is dropped. I think that you can use netcat in a 
similar way to test udp packets.

>
> What about requests coming IN from the outside world via mangled
> packets for masqueraded machines?  Would it block those?  Because the
> person in question is trying to connect to her work's VPN and failing.
> Would a FORWARD rule affect that?

If you haven't diverged too much from your distro's rules, then I 
wouldn't worry about it. Look at the manual for your friend's VPN 
software and read about connecting through firewalls. If anything needs 
to be done, then it will tell her what she needs to request of the 
firewall admin -- who is you.

>> Have you considered running snort on your gateway?
>>
>
> Mmm?  Vat ees?

It's an intrusion detection system. Signature-based.

cheers,

Devin
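Added example, not part of the thread and not Devin's or Brandon's code: a small script for the FORWARD-versus-OUTPUT question above and for the "check the packet filter logs" step. It assumes a Linux gateway with iptables, a LAN interface named eth1 and a WAN interface named eth0 (both assumed names), a chain called SMB_EGRESS and a log prefix of "EGRESS-445 " (also assumed). It goes slightly beyond the thread by also covering the NetBIOS ports 139 and 137:138 alongside 445. By default it only prints the rules; nothing touches the kernel unless you run it with --apply as root on the gateway.

```shell
#!/bin/sh
# Egress filter for SMB/CIFS on a masquerading Linux gateway (added example).
# Assumed names: LAN_IF=eth1, WAN_IF=eth0, chain SMB_EGRESS, prefix "EGRESS-445 ".
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the iptables commands as text. Packets from masqueraded LAN hosts
# traverse FORWARD (masquerading itself lives in the nat table's
# POSTROUTING, which does not filter); packets generated by the gateway
# itself never pass FORWARD and must be caught in OUTPUT.
egress_rules() {
    lan_if="$1"
    wan_if="$2"
    cat <<EOF
iptables -N SMB_EGRESS 2>/dev/null || iptables -F SMB_EGRESS
iptables -A SMB_EGRESS -m limit --limit 6/min -j LOG --log-prefix "EGRESS-445 "
iptables -A SMB_EGRESS -j DROP
iptables -I FORWARD -i $lan_if -o $wan_if -p tcp --dport 445 -j SMB_EGRESS
iptables -I FORWARD -i $lan_if -o $wan_if -p tcp --dport 139 -j SMB_EGRESS
iptables -I FORWARD -i $lan_if -o $wan_if -p udp --dport 137:138 -j SMB_EGRESS
iptables -I OUTPUT -o $wan_if -p tcp --dport 445 -j SMB_EGRESS
iptables -I OUTPUT -o $wan_if -p tcp --dport 139 -j SMB_EGRESS
iptables -I OUTPUT -o $wan_if -p udp --dport 137:138 -j SMB_EGRESS
EOF
}

# After applying, test from a LAN host with "telnet somehost 445" (or
# "nc -vz -w 3 somehost 445"; "nc -u" for the UDP ports) and then read the
# kernel log on the gateway. This checks one log line for our prefix and
# a TCP destination port of 445; returns 0 when the drop was logged.
logged_445_drop() {
    line="$1"
    case "$line" in
        *"EGRESS-445 "*" PROTO=TCP "*" DPT=445 "*) return 0 ;;
    esac
    return 1
}

# Constructed sample of what the LOG target writes (not a real capture).
SAMPLE_LOG='May  4 14:10:02 gw kernel: EGRESS-445 IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=1042 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0'

if [ "${1:-}" = "--apply" ]; then
    egress_rules "$LAN_IF" "$WAN_IF" | sh      # run as root on the gateway
else
    egress_rules "$LAN_IF" "$WAN_IF"           # dry run: print the rules only
fi
```

The LOG rule sits in front of the DROP so the test connection shows up in the kernel log; the limit match keeps a worm-infected host from flooding the log. Inserting with -I puts the jumps ahead of any ACCEPT your distro already has in FORWARD, which is usually what you want for a block rule.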
