This section shows some examples of how to use LIDS and Netfilter to restrict the network access of a process. The examples may not fit your environment.
In this section, we provide an example that prevents a worm from spreading through an Apache httpd daemon. We assume you have installed LIDS 2.0.3pre2 for 2.5.62 and later, and the Netfilter modules.
First of all, you need to insert the necessary modules. Then you can do:
# lidsconf -A -o /usr/sbin -j READ
# lidsconf -A -s /usr/sbin/httpd -o LIDS_SOCKET_CREATE -j DISABLE
After that, httpd itself cannot connect outside or bind to any port. That will certainly stop Apache's SSL Slapper worm, which propagates itself and tries to install a backdoor on the machine.
But the httpd process may need to connect outside, for example to a database server or a DNS server. We can use Netfilter, together with the LIDS packet mark, to control that:
# lidsconf -A -s /usr/sbin/httpd -o LIDS_SOCKET_NF_MARK 3 -j DISABLE
^------------ this rule gives the process and its children the capability to mark all packets from new sockets (new connections and new binds) as 3.
# iptables -A OUTPUT -t mangle -j MARK --set-mark 0
^------------ this rule makes LIDS mark the packet at this stage.
# iptables -A OUTPUT -d 10.0.0.1 --protocol udp --destination-port 53 -m mark --mark 3 -j ACCEPT
^------------ this rule enables access to 10.0.0.1 port 53, which is a DNS server.
# iptables -A OUTPUT -d 10.0.0.2 --protocol tcp --destination-port 3306 -m mark --mark 3 -j ACCEPT
^------------ this rule enables access to 10.0.0.2 port 3306, which is a MySQL server.
# iptables -A OUTPUT -m mark --mark 3 -j DROP
^------------ this rule drops all packets marked as 3.
Let's see what happens when an HTTP worm comes in. The worm will try to install a backdoor on port 10999, and it succeeds, since we do not prevent that. But when the attacker tries to connect to the backdoor on port 10999 from outside, it will fail, because all the packets the backdoor generates have been marked as 3 and are dropped silently by the last rule as they go out.
When the HTTP server tries to resolve a hostname or send a request to the remote database server, it can do so successfully. But when the worm tries to connect outside to port 80 to propagate, it will find that it cannot, since the last Netfilter rule silently drops those packets as well.
For passive-mode-only FTP:
# lidsconf -A -o /usr/sbin -j READ
# lidsconf -A -s /usr/sbin/in.ftpd -o LIDS_SOCKET_CREATE -j DISABLE
Similarly, for a POP3 daemon:
# lidsconf -A -o /usr/sbin -j READ
# lidsconf -A -s /usr/sbin/in.pop3d -o LIDS_SOCKET_CREATE -j DISABLE
The following rules allow SSH and telnet users to connect only to 10.0.0.1:
# lidsconf -A -s /usr/sbin/sshd -o LIDS_SOCKET_NF_MARK 5 -j DISABLE
# lidsconf -A -s /usr/sbin/in.telnetd -o LIDS_SOCKET_NF_MARK 5 -j DISABLE
# iptables -A OUTPUT -t mangle -j MARK --set-mark 0
# iptables -A OUTPUT -d 10.0.0.1 -p tcp --dport 22 -m mark --mark 5 -j ACCEPT
# iptables -A OUTPUT -m mark --mark 5 -j DROP
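Both the httpd policy above and the sshd/telnetd policy follow the same pattern: reset the mark in the mangle table so LIDS can stamp it, one ACCEPT per whitelisted destination matched on the mark, then a final DROP for everything else carrying that mark. The script below is an added example, not part of the LIDS documentation: a small POSIX shell helper of our own (gen_mark_policy, an assumed name) that generates that Netfilter rule sequence from a mark number and a whitelist, so the ruleset can be reviewed or diffed before it is applied. It only prints the commands; it does not run iptables or lidsconf, and the marks and addresses are the ones used in the text.

```shell
#!/bin/sh
# Added example (not from the LIDS documentation): print the Netfilter half of a
# per-process egress policy for a LIDS_SOCKET_NF_MARK mark. Nothing is applied;
# the output is meant to be reviewed, then piped to sh by the administrator.
#
# Usage: gen_mark_policy MARK "proto:host:port ..."
#   e.g. gen_mark_policy 3 "udp:10.0.0.1:53 tcp:10.0.0.2:3306"
gen_mark_policy() {
    mark=$1
    allowed=$2

    # 1. Reset the mark in the mangle table; per the text, this is the point at
    #    which LIDS stamps packets from the marked process's sockets.
    echo "iptables -A OUTPUT -t mangle -j MARK --set-mark 0"

    # 2. One ACCEPT per whitelisted destination. The match module must be named:
    #    '-m mark --mark N' ('-m --mark N' is rejected by iptables).
    for entry in $allowed; do
        proto=${entry%%:*}
        rest=${entry#*:}
        host=${rest%%:*}
        port=${rest#*:}
        case $proto in
            tcp|udp) ;;
            *) echo "gen_mark_policy: unsupported protocol '$proto' in '$entry'" >&2
               return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "gen_mark_policy: bad port '$port' in '$entry'" >&2
                          return 1 ;;
        esac
        echo "iptables -A OUTPUT -d $host -p $proto --dport $port -m mark --mark $mark -j ACCEPT"
    done

    # 3. Everything else from that process (a worm's backdoor, outbound
    #    propagation attempts) is dropped silently.
    echo "iptables -A OUTPUT -m mark --mark $mark -j DROP"
}

# Stand-alone run: the two policies from the text.
echo "# httpd (mark 3): DNS and MySQL only"
gen_mark_policy 3 "udp:10.0.0.1:53 tcp:10.0.0.2:3306"
echo "# sshd / in.telnetd (mark 5): SSH to 10.0.0.1 only"
gen_mark_policy 5 "tcp:10.0.0.1:22"
```

The lidsconf side (the LIDS_SOCKET_NF_MARK entries) is deliberately left to the administrator, since it depends on the exact binary paths; the generator's job is only to keep the rule order fixed, because a whitelist ACCEPT placed after the final DROP would never match.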
For sendmail, disallow binding to any port:
# lidsconf -A -o /usr/sbin -j READ
# lidsconf -A -s /usr/sbin/sendmail -o LIDS_SOCKET_BIND -j DISABLE