Server aholed after ASL update?

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Post by aslus maximus (Forum User):

Hi,

I did an ASL update the other day and now clamscan reports 3 viruses in the ASL update gzip? I think my server has been aholed again?

/var/asl/tmp/waf_rules/50_asl_rootkits.conf: Atomicorp.PHP.Mysql.Database.Stealer.20110427183604.UNOFFICIAL FOUND
ERROR: Can't remove file '/var/asl/tmp/waf_rules/50_asl_rootkits.conf'.

/var/asl/updates/modsec-201303041714.tar.gz: Atomicorp.PHP.Mysql.Database.Stealer.20110427183604.UNOFFICIAL FOUND
ERROR: Can't remove file '/var/asl/updates/modsec-201303041714.tar.gz'.

/var/asl/rules/modsec/50_asl_rootkits.conf: Atomicorp.PHP.Mysql.Database.Stealer.20110427183604.UNOFFICIAL FOUND
ERROR: Can't remove file '/var/asl/rules/modsec/50_asl_rootkits.conf'.
Post by mikeshinn (Atomicorp Staff - Site Admin):

You should never scan that directory (/var/asl); it's always going to trigger false positives.
Post by aslus maximus (Forum User):

ohh right. :oops:

With the latest update about a week ago, the kernel doesn't boot. A module for the hard disk is not compiled into the kernel or as a module by the looks of it? I think a module like that needs to be compiled into the kernel from memory, but it's been quite a few years since I compiled a kernel. The server runs SATA disks and it's a few years old, but the ASL kernel should still support it? If not, where can I download the kernel source for the latest ASL kernel so I can compile it into the kernel?
Thanks
Post by scott (Atomicorp Staff - Site Admin):

It's in the kernel-devel package.
Post by hostingguy (Forum Regular):

aholed?
Post by aslus maximus (Forum User):

Hacked :mrgreen: It was last week and they deleted my ads and keywords table from the database server. Jealous competition I guess :twisted:

Anyway, I installed the kernel-dev package a while back and could not find the ASL kernel. I was looking around in /usr/src and found a redhat dir with some standard kernels in it and another one I think was just named kernels. I could not find a config file for the ASL PAE kernel? Is it compiled from the standard redhat one or something? Where would I find the ASL PAE kernel config?

Also I have another problem with the ASL firewall flushing all my rules after WAF updates? I don't have the plesk firewall installed, just ASL, but I can't see any command to save rules I set in ASL, no asl-firewall save either, so I use iptables to save my rules but they don't reload most of the time. Is there any way to save my ASL rules? I looked in /etc/asl/firewall/running.fw and my rules are in there, but ASL doesn't seem to load saved rules from there. Where is it loading them from?

Thanks.
Post by mikeshinn (Atomicorp Staff - Site Admin):

> Also I have another problem with the ASL firewall flushing all my rules after WAF updates?

Do you mean network firewall rules? Or WAF, HIDS, etc. rules?

> I use iptables to save my rules but they don't reload most of the time.

Don't do that. That is guaranteed to break your firewall. Here's what you need to do to fix your system, as using two firewall management tools to manage your firewall is going to bork your firewall completely.

Step 1) Disable iptables

chkconfig --del iptables

Step 2) Flush out whatever ASL has saved, which is going to include all the borked up iptables-save rules as well

rm /etc/asl/firewall/running.fw

Step 3) Make sure ASL is up to date

aum -uf

Step 4) If you are not using Virtuozzo or OpenVZ, make sure you have FW_DROP_INVALID set to yes.

https://www.atomicorp.com/wiki/index.ph ... OP_INVALID

If you are using Virtuozzo or OpenVZ, you generally need to disable that. VZ's support for netfilter is unfortunately very limited (it doesn't support LOG something either, it's a hot mess).

Step 5) Reset the firewall

asl -s -f

Step 6) Add in your custom rules from the ASL firewall management GUI

https://www.atomicorp.com/wiki/index.php/ASL_firewall
> Is there anyway to save my ASL rules?

ASL will do this automatically, but if you use iptables-save that's going to break everything. Don't use it, ever.

> I looked in /etc/asl/firewall/running.fw and my rules are in there but ASL doesn't seem to load saved rules from there. Where is it loading them from?

From the database. Some of the rules absolutely should never be saved to a file, shuns for example. Doing that means they would never expire, as iptables-save has no concept of dynamic rules.
Post by hostingguy (Forum Regular):

Is there an advantage to using the ASL firewall over something like CSF or APF?
Post by mikeshinn (Atomicorp Staff - Site Admin):

Thanks for the question.
> Is there an advantage to using the ASL firewall over something like CSF or APF?
At least three:

1) Third party firewall management tools are not supported with ASL. They will likely break shuns, and CSF is known to cause all kinds of havoc if anything else tries to add in iptables rules (i.e. shuns). So using another tool to manage your firewall is definitely not recommended.

2) The ASL firewall does everything those management tools do, so you don't need them.

3) ASL does more, way more than those tools. Plus, APF and CSF aren't firewalls, they are just scripts that execute iptables. That's not to put them down, but to simply point out that's what they are. ASL includes enhancements to the actual firewalling code in the Linux kernel, netfilter, so ASL is a real firewall, not just a wrapper for iptables. And because we enhance the Linux firewall, we can do all sorts of things CSF and APF can not (because they don't control the kernel).

Here's just a partial list of things the ASL firewall does that APF and CSF do not:

The ASL kernel provides a special dynamic stealth module for the firewall that's always on. It matches packets coming to unserved TCP and UDP ports. On servers where users are allowed to run their own servers, and the administrator doesn't know which ports are going to be used for the servers, the kernel automatically handles hiding closed ports from an attacker. For these systems, using a default target of DROP would not work; you need something dynamic like the stealth module to do it.

ASL uses advanced firewall management tools, including ipset in addition to iptables. These advanced tools allow us to load large IP sets in a fraction of the time it takes iptables, which makes geoblocking and large blacklists also less resource intensive, and of course faster to load.

The ASL kernel includes the advanced xtable addons (these are kernel enhancements) that allow us to do all sorts of things with iptables that simple wrappers can not. For example, we can tarpit a connection, which causes the attacker to waste network resources attacking a box that's just ignoring it (we keep sending fake keep-alives, basically). We're going to be adding in all sorts of new options to use these kernel enhancements, from port knocking to crazy countermeasures for port scans, DOS attacks and other mischief. None of this can be done with iptables alone; it requires kernel enhancements that you will only find in ASL.

The ASL kernel gives you the ability to put users into classes that define what they can do with the network. They can be isolated so they can not act as a server (listening for incoming connections), or so they can not act as a client (sending outbound connections), or they can be prevented from having any network access as that user. See this section of the documentation, including all the SOCKET_* options.

https://www.atomicorp.com/wiki/index.ph ... SOCKET_ALL

The ASL kernel includes advanced countermeasures against resource exhaustion attacks on the stack itself; iptables (and therefore APF and CSF) can not do this, as these are kernel level enhancements.

The ASL firewall will detect the UID and GID of unauthorized outbound connections, to help you identify the source.

The ASL firewall detects real port scans, not just simple connect() scans to a port as CSF does. ASL certainly does that, but it also detects advanced port scans, such as stealth scans, XMAS tree and others; neither CSF nor APF does this, and ASL will shun attackers using these techniques in a more intelligent manner.

ASL itself understands the difference between a real malicious portscan and a non-malicious connection. For example, if you only allow connections to SSL IMAP and POP, you probably don't want to shun a customer accidentally connecting to ports 110 and 143 (as many consumer devices will connect to these first when setting up email accounts, such as Apple's iPhone and iPad). But if an attacker hits those ports, you do want to block them. ASL is smart enough to notice the difference and will forgive legitimate cases, whereas other tools such as CSF (if configured to block "port scans") aren't advanced enough, and will just add an iptables rule to block a legitimate customer.

And of course ASL itself is WAY more than just a firewall. CSF and APF of course can not stop application level attacks, web attacks; they can't detect malicious code, detect suspicious activity, lock down the system, prevent intrusions or anything else but configure iptables rules. CSF and APF are just scripts to set up iptables rules.

There's more, I apologize I can't get to all of them now, as I have to run, but hopefully this helps answer your question.
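As an added example (not code from the thread or from ASL itself), here is a small Python classifier that implements the distinction the post above draws: a consumer mail client that touches plain POP/IMAP ports before the TLS ports the host actually serves is forgiven, while a source hitting many unserved ports, or sending XMAS/NULL probes, is classed as a scan. The served-port set, thresholds, and the log line format are assumptions.

```python
"""Toy port-scan vs. client-probe classifier (added example, assumptions only)."""
from collections import defaultdict

# Ports this hypothetical host actually serves (assumption).
SERVED_PORTS = {22, 25, 80, 443, 993, 995}
# Unserved plaintext ports a legitimate client commonly tries first,
# mapped to the served TLS port it ends up using (POP3->POP3S, IMAP->IMAPS).
FORGIVEN_PORTS = {110: 995, 143: 993}
SCAN_THRESHOLD = 5  # distinct suspicious unserved ports from one source

def is_stealth_flags(flags):
    """XMAS (FIN+PSH+URG) or NULL ('-') packets never open a normal TCP
    session, so they are treated as scan traffic regardless of port."""
    f = set(flags.split("|")) - {"", "-"}
    return f == {"FIN", "PSH", "URG"} or not f

def classify(lines):
    """Return {src_ip: verdict} for log lines '<src_ip> <dst_port> <flags>'
    (flags '|'-separated, '-' for none). Constructed format, not ASL's."""
    hits, stealth = defaultdict(set), set()
    for line in lines:
        src, port, flags = line.split()
        hits[src].add(int(port))
        if is_stealth_flags(flags):
            stealth.add(src)
    verdicts = {}
    for src, ports in hits.items():
        unserved = ports - SERVED_PORTS
        # Forgive 110/143 only if the same source also reached the TLS port.
        forgiven = {p for p in unserved if FORGIVEN_PORTS.get(p) in ports}
        suspicious = unserved - forgiven
        if src in stealth:
            verdicts[src] = "scan:stealth"
        elif len(suspicious) >= SCAN_THRESHOLD:
            verdicts[src] = "scan:unserved-ports"
        elif unserved and not suspicious:
            verdicts[src] = "benign:client-probe"
        elif suspicious:
            verdicts[src] = "watch"  # a few unserved hits, not yet conclusive
        else:
            verdicts[src] = "ok"
    return verdicts

# Constructed sample log: a phone setting up mail, a scanner, an XMAS probe,
# and a normal HTTPS client (documentation IP ranges).
SAMPLE_LOG = [
    "198.51.100.7 143 SYN", "198.51.100.7 993 SYN",
    "198.51.100.7 110 SYN", "198.51.100.7 995 SYN",
    "203.0.113.9 21 SYN", "203.0.113.9 23 SYN", "203.0.113.9 110 SYN",
    "203.0.113.9 143 SYN", "203.0.113.9 3306 SYN", "203.0.113.9 8080 SYN",
    "203.0.113.44 80 FIN|PSH|URG",
    "192.0.2.5 443 SYN",
]

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```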
Post by hostingguy (Forum Regular):

Does any of this depend on the usage of the ASL Kernel?
Post by mikeshinn (Atomicorp Staff - Site Admin):

> Does any of this depend on the usage of the ASL Kernel?

As described above, some of them do, but not all of them. In no case does ASL do less than CSF or APF; it always does more than either of them. And that's because ASL is way more than just a firewall.
Post by hostingguy (Forum Regular):

Ok, so the bottom line then is that no matter if we use the ASL kernel or not, you would recommend the usage of the ASL Firewall module.
Post by aslus maximus (Forum User):

Yep, I'll do that. I think I messed up the ASL install again when I did a clam scan and it deleted 55 files. I forgot to exclude /var/asl/. I think the box is backdoored again as my admin email passwords keep changing for no reason.

Here is a pic of my firewall rules. I did it with the easy mode and just edited them afterwards with ASL to only allow my IPs. I'm not really a heavy duty server head or network guy. My training is in web design and wannabe web dev. Everything about servers I know, which is not all that much, I've had to learn the hard way. LOL

I think I need to reinstall asl or everything again. Oh joy of joys :roll:
[Attachment: asl-rules.jpg]
Last edited by aslus maximus on Wed Mar 20, 2013 3:17 pm, edited 1 time in total.
Post by mikeshinn (Atomicorp Staff - Site Admin):

OK, I see what's going on. You can not modify any chains with ASL- in their name. Please see the firewall documentation at the link below:

https://www.atomicorp.com/wiki/index.ph ... ll_manager

Also, you don't have to allow connections to port 20. Pretty much any Linux kernel should include the FTP helper modules, which will handle opening any ports FTP needs. The only port you need to allow for FTP is 21. Everything else the kernel can handle.

If you are using a kernel that can't handle FTP, then get a better kernel - fast. :-)
Post by mikeshinn (Atomicorp Staff - Site Admin):

Oh, and for port 30000, you don't need to add a rule. Just see this post, which will allow you to define an access control list for the ASL web console:

https://www.atomicorp.com/forums/viewto ... f=3&t=6447

For anyone that's wondering, if you don't use the ACL feature, port 30000 should automatically be open.