My FreeBSD server got hacked and I would like to finally configure an IPFW firewall. I've got it installed and enabled OK, but I'm just confused by the rules to configure the firewall.
Basically I was hoping that someone could send me some simple & easy to understand IPFW rules that will only enable the ports for WWW, DNS, SMTP, POP3, SSH2, and SNMPD. And have all the other ports denied.
Any help would be greatly appreciated.
Regards,
Dan
The FreeBSD Handbook [freebsd.org...] is an excellent resource. In particular, you probably want to look at [freebsd.org...]
I haven't found exactly how they hacked my server. I do know that they are running IRC Perl scripts with the nobody account and that they are using a few server ports to do it. I'm assuming that the hackers gained access through a CGI script on our server because they are running programs with the same account "nobody" that the CGI scripts and Apache use.
Basically, my feeling is that if they can't open up any other ports on the server other than the ones specific to the programs needed. What do you think?
#################################################
# IPFW Firewall Commands
#################################################
cmd="ipfw -q add"
ipfw -q -f flush
#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag
#################################################
# Stateful Rules
#################################################
$cmd check-state
$cmd allow tcp from any to any established
$cmd allow all from any to any out keep-state
$cmd allow icmp from any to any
#################################################
# Incoming/Outgoing Services
#################################################
$cmd allow tcp from any to any 22 setup keep-state
$cmd allow tcp from any to any 25 setup keep-state
$cmd allow tcp from any to any 53 setup keep-state
$cmd allow udp from any to any 53 keep-state
$cmd allow tcp from any to any 80 setup keep-state
$cmd allow tcp from any to any 110 setup keep-state
$cmd allow udp from any to any 161 keep-state
$cmd allow udp from any to any 27015 keep-state
#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any
I'm assuming that the hackers gained access through a CGI script on our server because they are running programs with the same account "nobody" that the CGI scripts and Apache use.
As George Cooper already pointed out, it's great that you're setting up your firewall, but if you install the same scripts that you believe were compromised last time, then the same thing is going to happen, and you'll have your box 0wn3d again.
All of these rules are OK, but a few things:
You're still letting anyone connect to SSH, POP, SNMP, and whatever 27015 is (Counter-Strike?).
You need to ask yourself who needs SSH access and why. If it's just you, and pretty much only from home (or whatever), then limit incoming SSH connections to that IP. Or, conversely, if you might be travelling around everywhere, set up some VPN system or, even easier, set up SSH on port 31022 or something crazy.
Again, who needs POP3 access? Can you limit it? Can you also use POP3/S (995) instead?
And why oh why does anyone on the outside world need SNMP? Can you limit it by IP?
Counter-Strike I guess is fine if you're running a public server.
These rules are OK. But they still don't solve the underlying problem you were trying to beat, which was stopping outgoing connections to random ports on other hosts. Yes, you've stopped them from running an IRC bot and connecting to 6667 on remote hosts (not listed in the allow, and then everything is denied), but they can still:
SSH to another box, or run some kind of ssh scanning tool (allow any to any 22)
Spam the hell out of someone (allow any to any 25)
mount a DoS, or request a million pages on another site (allow any to any 80)
err.. check their email? (allow any to any 110)
Do SNMP scans of other networks (a useful thing way back, don't know if it still gleans much information) (allow any to any 161)
Basically you need to limit your incoming a bit better, and block your outgoing for anything that isn't 100% necessary.
Usually the way a firewall is built is "deny everything", then when someone complains, or something doesn't work, then allow the most restrictive rule possible. (Need incoming SSH? Ok, what IP?).
I should mention as well that you should only be making these restrictive changes when you're right next to the box in question. Changing FW rules remotely has meant a few 3am mad dashes to the co-location to reset the rules. :)
Another nifty idea, too, which I've tried to implement, but didn't quite work out for me in FreeBSD, is to use port knocking. It can be very useful to allow an admin remote access without having SSH listening for all incoming connections.
MM
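As an added example (not the original poster's script and not FreeBSD project code), here is one way to turn MM's advice into a ruleset: deny by default, admit only the named services inbound, restrict SSH and SNMP to an admin address, offer POP3S instead of plain POP3, and let the box out only for DNS and mail. ADMIN_IP, RESOLVER, MAIL_RELAY and EXT_IF are placeholders to set for your own site.

```shell
#!/bin/sh
# Added example ruleset following the thread's advice; not the poster's script.
# The four values below are placeholders (assumed), set them for your site.
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"      # host you administer from
RESOLVER="${RESOLVER:-192.0.2.53}"      # upstream DNS resolver
MAIL_RELAY="${MAIL_RELAY:-192.0.2.25}"  # outbound SMTP relay
EXT_IF="${EXT_IF:-em0}"                 # external interface

# Run one ipfw command. With IPFW=echo the rules are printed instead of loaded,
# so you can review them before applying on the console (not over SSH).
cmd() { ${IPFW:-ipfw} -q add "$@"; }

load_rules() {
    ${IPFW:-ipfw} -q -f flush
    # loopback and anti-spoofing, as in the original ruleset
    cmd allow all from any to any via lo0
    cmd deny all from any to 127.0.0.0/8
    cmd deny all from 127.0.0.0/8 to any
    cmd deny ip from any to any frag
    # stateful: every allow below creates a dynamic rule matched here
    cmd check-state
    # ---- incoming: only the listed services, to this host's own addresses ----
    cmd allow tcp from "$ADMIN_IP" to me 22 in via "$EXT_IF" setup keep-state
    cmd allow tcp from any to me 25 in via "$EXT_IF" setup keep-state
    cmd allow tcp from any to me 80 in via "$EXT_IF" setup keep-state
    cmd allow tcp from any to me 995 in via "$EXT_IF" setup keep-state    # POP3S, not 110
    cmd allow udp from "$ADMIN_IP" to me 161 in via "$EXT_IF" keep-state  # SNMP from the NMS only
    cmd allow tcp from any to me 53 in via "$EXT_IF" setup keep-state     # only if authoritative DNS lives here
    cmd allow udp from any to me 53 in via "$EXT_IF" keep-state
    # ---- outgoing: only what the box itself needs, to known hosts ----
    cmd allow udp from me to "$RESOLVER" 53 out via "$EXT_IF" keep-state
    cmd allow tcp from me to "$MAIL_RELAY" 25 out via "$EXT_IF" setup keep-state
    cmd allow icmp from any to any icmptypes 0,3,8,11
    # everything else, in either direction (an IRC bot, a scanner, a spam run), is dropped and logged
    cmd deny log all from any to any
}

if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```

Run it with `IPFW=echo sh rules.sh apply` first to see the rule list; the logged denials show up in /var/log/security, which is where the compromised "nobody" process's outbound attempts would appear.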
You make very good points, but I do use hosts.allow to only allow access for specific hosts/IPs to use the daemons that I mentioned. I believe that hosts.allow is a good second line of defense behind the firewall.
Of course I still need to find out which script was used to hack my server in the first place. But I needed to find out how to firewall my non-hacked servers in the meantime.
Regards,
Dan