Iptables and limit particular program with destination port

ccto (Verified User, joined Feb 24, 2005, 287 messages, location: Hong Kong)
Hello all,

Is it possible to use iptables to limit outgoing port 25 so that it can be used by Exim only?

The underlying reason is that in a few circumstances, if one account is compromised (e.g. by unauthorized FTP upload), the hacker may upload a Perl script to the cgi-bin folder, and that CGI will act as a mail server and use a TCP/IP socket to send email directly (i.e. it does not use Exim to send email).

Thank you for your kind attention.
Regards,
 
To bind to port 25 he would need root privileges. Also, Exim would have to be not running when he bound the socket or it wouldn't work. If he has root privileges you're screwed already :)
 
He is talking about a script that sends messages, not one that acts as a hijacker/trojan.

Some time ago I read about modules for iptables that can check the location of the binary creating the packet and chose a chain based on that location but I don't know their name and I never used them.

You may also want to add PHP (if CGI) or Apache (if mod_php) binaries to the whitelist because some scripts don't use mail() but direct sockets.

Anyway, I strongly suggest you do anything in your power to prevent anything like what you described from happening, because if someone can put an executable in cgi-bin/ and execute it, there are much worse things he could do instead of sending mail.
 
Thanks for your reply.

I found the iptables ipt_owner module suitable; at least it can limit outgoing port 25 so that only the users root and mail can connect to it, while other users cannot.

Regards,
 
Remember that this works only if PHP is not running with user privileges. With CustomBuild this means that you can only use PHP CLI and not PHP CGI.
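As an added example (not code from the thread or from Exim/DirectAdmin), here is a POSIX shell script that builds the rule set the last two posts describe: new outbound TCP/25 connections are allowed only for the users the MTA runs as, and everything else is logged and rejected. It assumes Exim runs as user `mail` (adjust `ALLOWED` if your build uses `exim`), and that what the thread calls ipt_owner is the `-m owner` match on current kernels.

```shell
#!/bin/sh
# Added example, not from the thread: generate and apply iptables rules that
# allow new outbound TCP/25 connections only for the users that run the MTA.
# Assumptions: Exim runs as user "mail" (change ALLOWED if yours uses "exim"),
# the legacy ipt_owner match is available as "-m owner", and the LOG and
# REJECT targets are built in.

# Print the rule set for a space-separated list of allowed users.
# Order matters: per-user ACCEPTs first, then a rate-limited LOG so that
# blocked attempts (e.g. a rogue CGI speaking SMTP directly) show up in
# syslog, then the REJECT that every other user hits.
smtp_egress_rules() {
    allowed="$1"
    echo 'iptables -N SMTP_OUT 2>/dev/null || true'
    echo 'iptables -F SMTP_OUT'
    for u in $allowed; do
        echo "iptables -A SMTP_OUT -m owner --uid-owner $u -j ACCEPT"
    done
    echo 'iptables -A SMTP_OUT -m limit --limit 5/min -j LOG --log-prefix "SMTP_OUT_BLOCK: "'
    echo 'iptables -A SMTP_OUT -j REJECT --reject-with tcp-reset'
    # The owner match only works on locally generated packets, so the jump
    # must live in OUTPUT; matching only NEW leaves the rest of the flow alone.
    echo 'iptables -D OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j SMTP_OUT 2>/dev/null || true'
    echo 'iptables -I OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j SMTP_OUT'
}

# Apply the rules (needs root). Set DRY_RUN=1 to only print them.
apply_smtp_egress_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        smtp_egress_rules "${ALLOWED:-root mail}"
    else
        smtp_egress_rules "${ALLOWED:-root mail}" | sh -e
    fi
}

# Verification after applying (bash needed for /dev/tcp; host is a placeholder):
# this should fail for an unprivileged user and leave a SMTP_OUT_BLOCK line in
# syslog, while Exim's own deliveries keep working.
#   su -s /bin/bash nobody -c 'exec 3<>/dev/tcp/mx.example.com/25'
```

Because the owner is the UID of the socket's creator, the rule only helps when web scripts do not run as `root` or `mail`; a PHP-CGI setup that runs scripts as the site user is still blocked, which is exactly the case the thread is worried about.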
 