comp.security.ssh SSH secure remote login and tunneling tools.

Router Hacked?

14/09/2006, 02:33   #1
Randy Yates

Hi Todd et al.,

After reading the Re: Urgent!!! My computer seems to be hacked, pls !!!
I was feeling smug that I was safe since I locked up ssh.

HOWEVER, I'm now much more nervous. I don't understand why I'm able to
ssh to an outside host on the standard port 22 when my router is
configured to block port 22. Could it be that my router has been
hacked?

By the way, is there a way to configure the router so that only
outgoing connections on port 22 should be allowed? That is, can
I configure the router so that only SSH connections FROM my internal
machine TO an outside machine are allowed through, while any
INCOMING connections on port 22 remain blocked?
--
% Randy Yates % "So now it's getting late,
%% Fuquay-Varina, NC % and those who hesitate
%%% 919-577-9882 % got no one..."
%%%% <yates@ieee.org> % 'Waterfall', *Face The Music*, ELO
http://home.earthlink.net/~yatescr

14/09/2006, 03:05   #2
Todd H.

Randy Yates <yates@ieee.org> writes:

> Hi Todd et al.,
>
> After reading the Re: Urgent!!! My computer seems to be hacked, pls !!!
> I was feeling smug that I was safe since I locked up ssh.
>
> HOWEVER, I'm now much more nervous. I don't understand why I'm able to
> ssh to an outside host on the standard port 22 when my router is
> configured to block port 22.


Outbound or inbound?

Typically consumer routers (Linksys, et al) block the establishment of
incoming connections from the internet, but allow TCP flows that
originate from inside (LAN) to the outside (WAN/Internet). That'd be
a simple explanation of a stateful packet inspection (SPI) firewall,
which understands and tracks TCP connections as a whole.

A packet filtering firewall doesn't have a notion of "connections" per
se, but just individual packets. The older packet filtering firewalls
would block inbound TCP SYN requests, but wouldn't block inbound TCP
ACKs or FINs.

> Could it be that my router has been hacked?


Always possible, but the symptoms you describe are normal near as I
can tell. Egress filtering (i.e. filtering of what's outbound)
isn't common in consumer routers.

> By the way, is there a way to configure the router so that only
> outgoing connections on port 22 should be allowed?


Sure, a router of sufficient flexibility could allow you to
construct such a tightly defined filtering policy. "Block connections
from the LAN destined for any external host, with protocol TCP,
destination port 22" would be the complete thought of such a block.

But if that's your only rule, you'd break all other internet traffic
to/from your LAN (i.e. web surfing, IM, updates, etc). tcp/80 and
tcp/443 outbound requests would be blocked, so you wouldn't get any
web requests out, for instance.

> That is, can I configure the router so that only SSH connections
> FROM my internal machine TO an outside machine are allowed through,
> while any INCOMING connections on port 22 remain blocked?


Your router is likely already configured as such, with the exception
that in addition to allowing outbound connections with a destination
port of tcp/22, it's allowing arbitrary outbound connections.

Best Regards,
--
Todd H.
http://www.toddh.net/
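
The two firewall models described in the reply above, as an added example that is not part of the original thread: a toy Python model showing why outbound SSH works while inbound port 22 stays blocked, and what an egress rule on tcp/22 changes. All names, ports and the 203.0.113.10 address are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # "lan" or "wan": the side the packet arrives from
    sport: int
    dport: int
    flags: str    # "SYN", "SYN-ACK", "ACK" or "FIN"
    host: str = "203.0.113.10"   # remote host (constructed, TEST-NET-3)

def stateless_filter(pkt):
    """Older packet filter: judges each packet alone, drops only inbound bare SYNs."""
    if pkt.src == "wan" and pkt.flags == "SYN":
        return "DROP"
    return "ACCEPT"

class StatefulFirewall:
    """SPI model: inbound packets pass only if they belong to a flow the LAN opened."""
    def __init__(self, blocked_egress_ports=()):
        self.flows = set()                      # (remote host, remote port, local port)
        self.blocked_egress_ports = set(blocked_egress_ports)

    def check(self, pkt):
        if pkt.src == "lan":
            if pkt.dport in self.blocked_egress_ports:
                return "DROP"                   # optional egress rule
            if pkt.flags == "SYN":
                self.flows.add((pkt.host, pkt.dport, pkt.sport))
            return "ACCEPT"                     # simplification: all other LAN traffic passes
        # Inbound: a reply mirrors the ports of a flow that is already tracked.
        if (pkt.host, pkt.sport, pkt.dport) in self.flows:
            return "ACCEPT"
        return "DROP"

def demo():
    out_syn = Packet("lan", 50000, 22, "SYN")      # ssh from the LAN to an outside host
    reply = Packet("wan", 22, 50000, "SYN-ACK")    # that server's answer
    in_syn = Packet("wan", 40000, 22, "SYN")       # outside host dialing in to port 22
    stray_ack = Packet("wan", 40000, 22, "ACK")    # ACK with no connection behind it
    packets = (out_syn, reply, in_syn, stray_ack)
    spi = StatefulFirewall()
    results = {"spi": [spi.check(p) for p in packets],
               "stateless": [stateless_filter(p) for p in packets]}
    egress = StatefulFirewall(blocked_egress_ports={22})
    results["egress"] = [egress.check(out_syn),
                         egress.check(Packet("lan", 50001, 443, "SYN"))]
    return results

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The `spi` row is the normal consumer-router behaviour from the thread; the `egress` row shows that blocking outbound tcp/22 stops the SSH client while tcp/443 still leaves.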

15/09/2006, 00:17   #3
Randy Yates

comp@toddh.net (Todd H.) writes:
> [...]
> Your router is likely already configured as such, with the exception
> that in addition to allowing outbound connections with a destination
> port of tcp/22, it's allowing arbitrary outbound connections.


Todd,

Thanks for allaying my fears and resolving my quandary - all in
one post!

Man, I feel good about ssh now! I just LOVE it!
--
% Randy Yates % "I met someone who looks alot like you,
%% Fuquay-Varina, NC % she does the things you do,
%%% 919-577-9882 % but she is an IBM."
%%%% <yates@ieee.org> % 'Yours Truly, 2095', *Time*, ELO
http://home.earthlink.net/~yatescr

15/09/2006, 03:11   #4
Todd H.

Randy Yates <yates@ieee.org> writes:

> comp@toddh.net (Todd H.) writes:
> > [...]
> > Your router is likely already configured as such, with the exception
> > that in addition to allowing outbound connections with a destination
> > port of tcp/22, it's allowing arbitrary outbound connections.

>
> Todd,
>
> Thanks for allaying my fears and resolving my quandary - all in
> one post!
>
> Man, I feel good about ssh now! I just LOVE it!


It's groovy groovy good. :-) Glad to .

--
Todd H.
http://www.toddh.net/