blocking irc + botnets

curby . curby.public at
Thu Aug 4 23:59:38 CEST 2005

On 8/4/05, hbeaumont hbeaumont <ahlist at> wrote:
> I want to find a way to make sure that we have an extra layer of protection
> to make sure our servers weren't DOS'ing other boxes - even if it was
> only for a short time until an admin logged in to check the source of the
> outgoing traffic spike.

I'm a big fan of layers. =)

Even though there's only so much that netfilter can do as it generally
only looks at the lower half of the network stack, you can restrict a
lot.  For example, servers don't usually need to originate much traffic
at all.  Trust and allow a few IPs for patch servers, time servers,
and DNS servers as opposed to allowing general outgoing traffic out to
ports 21,80,123,53,etc.

Log (with flood limits) dropped outbound traffic.  /dev/rob0 makes a
good point that logging is often useless.  If you have log analysis
tools that are monitored, they can possibly detect everything from
misconfigured software to malicious and mischievous users.

Something else you can do is proxy whatever small subset of external
services your servers can reach.  This can help prevent someone from
tunneling random things over port 80, for example (popular since it's
seldom filtered).

You might also set netfilter to allow certain programs or users to go
out of certain ports.  I.e. root can go out on port 123 to synchronize
the clock, but a user cannot.  Of course, the more you restrict users,
the more unhappy they get!
