On Wed, Jun 14, 2006 at 02:59:49AM +0800, W B Hacker said:
> Troy Engel wrote:
>
> > Marc Perkel wrote:
[want to block outgoing email in case he's p0wn3d]
> > 3) use iptables to block any outgoing SMTP (ports 25, 465, 587) to any
> > machine other than the smarthost you decided on above. (see
> > http://oceanpark.com/notes/firewall_example.html)
> >
>
> Not 100% useful. MTA's *listen* (for other mx) on port 25. They
> ordinarily *send* on random ports well above 1024.
netfilter has a uid match module that allows you to write rules like:
iptables -t filter -A OUTPUT -m owner --uid-owner 0 -m state --state NEW --dport 25 -j ACCEPT
So, actually, rather useful for this sort of thing. Not precisely how I
owuld go about it (I would start by deciding what can make outbound
traffic and stop all other traffic, but YMMV). If it is a root
compromise, of course, you're screwed anyway, but a simple push over of
a php script running as a non-privileged httpd user may not kill you in
this case.
> Further, it is generally a safe assumption that any entity
> clever/patient enough to crack a shell account, can and will,
> escalate privileges, eventually to 'root'..
This is of course true, and good advice. If you are hacked, the least
of your worries is the spam coming from your machine.
--
--------------------------------------------------------------------------
| Stephen Gran | War is much too serious a matter to be |
| steve@??? | entrusted to the military. -- |
| http://www.lobefin.net/~steve | Clemenceau |
--------------------------------------------------------------------------
