bytron

Registered
Jun 27, 2006
4
0
151
On several occasions over the last three weeks, a couple of our users have been denied access to our cPanel server: for example, MS Outlook reports that it is unable to connect to the service, and ping requests are dropped.

When I investigated, I started by looking at the rules applied to iptables. To my surprise, iptables was not running (GULP).

The following is the output of a status request using the service command:

root> service iptables status
Firewall is stopped.

I restarted the firewall:

root> service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]

Once the firewall was restarted, the users' access resumed. Then, after a while, the users are yet again denied access. I'm a little concerned about security now and not sure what to check to see why the firewall keeps stopping. On WHM the following statement has recently appeared:

Security Notice:
There are several known Linux kernel exploits which may allow local privilege escalation. These exploits have become commonplace in recent weeks and can be avoided by ensuring that your kernel is updated to the latest available version. While cPanel will help ensure your system services and software are up to date, kernel updates are outside the scope of cPanel. Kernels with known vulnerabilities include, but are not limited to, 2.6.9-22 and 2.6.9-34. Please check your running kernel for updates periodically. This will help ensure the overall integrity of your server and data.

This panics me a little more, as the kernel I am on is:

Linux spoof.domain.uk 2.6.9-34.EL #1 Wed Mar 8 00:07:35 CST 2006 i686 i686 i386 GNU/Linux.

How can I find out whether I have been a victim of the above security breach?

bytron
more information

I have managed to find a little extra detail. iptables keeps automatically blocking one of my remote users:

iptables -L --line-numbers | grep -i <remote user>
10 DROP all -- <remoteuser.spoof.o.uk> anywhere
10 DROP all -- anywhere <remoteuser.spoof.o.uk>


A restart of iptables fixes this; however, a few hours later the rule reappears. Can anyone explain how iptables builds this list, and is it possible to whitelist known hosts?

Thanks
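An added example, not from the thread: a small shell helper that scans a listing like the one above for DROP rules naming a given host and prints the ACCEPT rules that would whitelist it ahead of them. The listing and hostname are constructed from the post's redacted output, and the thread does not identify what inserts the DROP rules, so the helper only inspects and suggests, it does not guess at the tool.

```shell
#!/bin/sh
# Added example (not from the original thread). SAMPLE_LISTING is a constructed
# imitation of "iptables -L --line-numbers" output with the post's placeholder host.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source                 destination
1    ACCEPT     all  --  anywhere               anywhere
10   DROP       all  --  remoteuser.spoof.o.uk  anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source                 destination
10   DROP       all  --  anywhere               remoteuser.spoof.o.uk'

# drop_rules_for HOST LISTING -> prints "CHAIN NUM" for every DROP rule whose
# source or destination is HOST. Fields: num target prot opt source destination.
drop_rules_for() {
    host=$1
    printf '%s\n' "$2" | awk -v h="$host" '
        /^Chain / { chain = $2; next }
        $2 == "DROP" && ($5 == h || $6 == h) { print chain, $1 }'
}

# count_drop_rules HOST LISTING -> how many DROP rules name HOST
count_drop_rules() {
    drop_rules_for "$1" "$2" | wc -l | tr -d ' '
}

# whitelist_cmds HOST -> iptables commands that insert ACCEPT at position 1 of
# INPUT and OUTPUT. iptables matches rules in order, so these fire before any
# later DROP for HOST. Caveat: whatever rebuilds the chains (the thread does not
# say what) can flush these again; its own allow-list is the durable fix.
whitelist_cmds() {
    printf 'iptables -I INPUT 1 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -I OUTPUT 1 -d %s -j ACCEPT\n' "$1"
}

# Live use on a server: drop_rules_for "$HOST" "$(iptables -L --line-numbers)"
drop_rules_for remoteuser.spoof.o.uk "$SAMPLE_LISTING"
whitelist_cmds remoteuser.spoof.o.uk
```

Run it periodically (cron) and alert when the count goes above zero; the reappearing rule then shows up with a timestamp, which narrows down which process is adding it.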