I have recently had a couple of clients get caught by a zero-day exploit version of the Zeus rootkit/trojan which steals banking info among other things (depending on what a particular release is bundled with); see
https://zeustracker.abuse.ch/index.php
After having a dig around the web I found a few suggestions on how to 'automate' adding protections to a Linux system. I've taken these suggestions & hints (along with iptables help from Contribs, thanks guys) & 'rolled my own' extension for SME. The process needs to download info from the above website on a daily basis & apply the new info to both iptables/masq (the firewall) and squid (the HTTP proxy). If either is turned off, as they may be depending on how the server is set up, deployed & used, then there will still be some protection from the other method; there is no protection if both are turned off.
This whole process assumes SME is in server/gateway mode. I also assume you can make your way around the console shell.
I use Midnight Commander as my editor, you can use what works for you.
So, on with the show. I'll do a step by step:
# Create a script in /root - update_zeus_blocklists.sh
cd /root
touch update_zeus_blocklists.sh
# Edit the file & insert the following into the empty update_zeus_blocklists.sh file
#!/bin/bash
# set -x forces each command to echo to the screen - comment out or delete the line if not required
set -x
cd /root
# -k skips TLS certificate verification; -f makes curl fail on an HTTP error instead of saving the error page as the list
curl -k -f 'https://zeustracker.abuse.ch/blocklist.php?download=iptablesblocklist' > iptables_zeus_blocklist.sh
curl -k -f 'https://zeustracker.abuse.ch/blocklist.php?download=squidblocklist' > squid_zeus_blocklist.txt
chmod +x iptables_zeus_blocklist.sh
# Only replace the squid list if something was actually downloaded: a failed curl still leaves an
# empty file behind (the shell redirect creates it), and a plain cp -f would overwrite the working copy with it
if [ -s /root/squid_zeus_blocklist.txt ]; then
    cp -f /root/squid_zeus_blocklist.txt /etc/squid/squid_zeus_blocklist.txt
fi
signal-event proxy-update
# Likewise only run the downloaded iptables script if it is non-empty
if [ -s /root/iptables_zeus_blocklist.sh ]; then
    /root/iptables_zeus_blocklist.sh
fi
# Create a template fragment in /etc/e-smith/templates-custom/squid/squid.conf
mkdir -p /etc/e-smith/templates-custom/squid/squid.conf
cd /etc/e-smith/templates-custom/squid/squid.conf
touch 45Zeus_blocklist
# Edit the file & insert the following into the empty 45Zeus_blocklist file
# I add a blank line to the top of the file to make the squid.conf file easier to read
acl zeus_blocksites url_regex "/etc/squid/squid_zeus_blocklist.txt"
http_access deny zeus_blocksites
# Rebuild squid.conf
expand-template /etc/squid/squid.conf
Note - don't restart squid yet as the template fragment refers to a file we haven't yet downloaded.
# Edit /etc/rc.d/rc.local to run /root/iptables_zeus_blocklist.sh when server is started
cd /etc/rc.d
# Edit the file & add the following 2 lines at the bottom of the file
# Zeus botnet stuff
/root/iptables_zeus_blocklist.sh
This completes the initial setup; time to run the update script to get the data from the website & deploy it
/root/update_zeus_blocklists.sh
Let's check to make sure it ran as expected.
Look in /root for iptables_zeus_blocklist.sh
Look into the /etc/squid folder & there should now be a squid_zeus_blocklist.txt file
Check the end of the messages log for the proxy-update entries & the squid restart info; you should see something like:
Mar 1 00:38:42 gateway esmith::event[9103]: Processing event: proxy-update
Mar 1 00:38:42 gateway esmith::event[9103]: Running event handler: /etc/e-smith/events/actions/generic_template_expand
Mar 1 00:38:42 gateway esmith::event[9103]: expanding /etc/dhcpd.conf
Mar 1 00:38:42 gateway esmith::event[9103]: expanding /etc/crontab
Mar 1 00:38:42 gateway esmith::event[9103]: expanding /etc/httpd/conf/proxy/proxy.pac
Mar 1 00:38:43 gateway esmith::event[9103]: expanding /etc/squid/squid.conf
Mar 1 00:38:43 gateway esmith::event[9103]: expanding /etc/rc.d/init.d/masq
Mar 1 00:38:43 gateway esmith::event[9103]: generic_template_expand=action|Event|proxy-update|Action|generic_template_expand|Start|1362069522 357568|End|1362069523 489357|Elapsed|1.131789
Mar 1 00:38:43 gateway esmith::event[9103]: Running event handler: /etc/e-smith/events/actions/adjust-services
Mar 1 00:38:43 gateway esmith::event[9103]: adjusting non-supervised masq (adjust)
Mar 1 00:38:44 gateway esmith::event[9103]: adjusting supervised squid (down)
Mar 1 00:38:44 gateway esmith::event[9103]: adjusting supervised squid (restart)
Mar 1 00:38:44 gateway esmith::event[9103]: adjust-services=action|Event|proxy-update|Action|adjust-services|Start|1362069523 489535|End|1362069524 90586|Elapsed|0.601051
You can check to see if the firewall rules have been added by running
iptables -L
It will hit the OUTPUT chain & start to list out a lot of drop rules (this can be quite slow, since each address is resolved to a hostname); once I see a few of these I just Ctrl-C the process. A sample looks like:
DROP all -- anywhere misro.n.masterweb.net
DROP all -- anywhere host-242-8-127-109.azdata.net
DROP all -- anywhere host-246-8-127-109.azdata.net
DROP all -- anywhere vrozetke.com
The last thing to do is to add a cron job (scheduled task) so this update process occurs every day.
I'd suggest using something like
http://wiki.contribs.org/Crontab_Manager
& using this contrib for the job; otherwise add a template fragment to /etc/e-smith/templates-custom/etc/crontab to suit
mkdir -p /etc/e-smith/templates-custom/etc/crontab
cd /etc/e-smith/templates-custom/etc/crontab
touch 99update_zeus
# Edit the file & insert the following into the empty 99update_zeus file
0 04 * * * root /root/update_zeus_blocklists.sh
This will run the script at 4am every day.
Once the template fragment has been created run:
expand-template /etc/crontab
signal-event cron-update
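As an added example (not part of the post above), here is a check worth putting in front of the step that runs the downloaded iptables script as root: the update script executes whatever curl fetched, so validating the file's shape first keeps an HTTP error page or an unexpected line from ever being run. The accepted rule format is an assumption based on the OUTPUT-chain DROP rules shown earlier; the function and file names are mine.

```shell
#!/bin/sh
# Added example, not the original post's script. The accepted line shape is an
# assumption: the post only shows that the list adds OUTPUT-chain DROP rules.

# Returns 0 when the file is non-empty and every non-comment, non-blank line is
# a plain "iptables -A <chain> -s|-d <ipv4>[/prefix] -j DROP" rule; returns 1
# otherwise, so an HTTP error page or anything else unexpected is never executed.
validate_zeus_blocklist() {
    file="$1"
    [ -s "$file" ] || return 1          # empty or missing download: reject
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$file" |
          grep -Evc '^iptables -A (INPUT|OUTPUT) -(s|d) ([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})? -j DROP[[:space:]]*$') || true
    [ "$bad" -eq 0 ]
}

# Copies a validated download into place and makes it executable; on a failed
# validation the previous copy at $2 is left untouched and 1 is returned.
deploy_if_valid() {
    src="$1"; dst="$2"
    validate_zeus_blocklist "$src" || return 1
    cp -f "$src" "$dst" && chmod 755 "$dst"
}

# Constructed sample downloads (documentation addresses, not real blocklist data).
tmp=$(mktemp -d)
printf '# Zeus blocklist\n\niptables -A OUTPUT -d 192.0.2.10 -j DROP\niptables -A OUTPUT -d 198.51.100.0/24 -j DROP\n' > "$tmp/good.sh"
printf 'iptables -A OUTPUT -d 192.0.2.10 -j DROP\n<html><body>Service unavailable</body></html>\n' > "$tmp/bad.sh"
: > "$tmp/empty.sh"

for f in good.sh bad.sh empty.sh; do
    if validate_zeus_blocklist "$tmp/$f"; then
        echo "$f: accepted"
    else
        echo "$f: rejected"
    fi
done
```

In update_zeus_blocklists.sh the call would replace the bare `/root/iptables_zeus_blocklist.sh` line with a `deploy_if_valid` into a staging path followed by running the deployed copy.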
That's it.
Any recommendations/improvements always welcome, as are bugs or typos.
HTH
Graeme