topic Re: How to isolate a machine from the network? in Operating System - Linux

How to isolate a machine from the network?

sysadmin700 — Fri, 18 Nov 2022 12:46:43 GMT

Having a linux OS installed straight onto a HPE DL580 Gen10 or similar machine so no virtualisation involved here. Let's assume the OS is compromised by a virus or whatever. How can I make sure I completely isolate that system from the network remotely.

So the logic says that I should unplug teh network cable but cannot do that remotely.

The other thing is to disable the physical network card but can't really do that through the iLO either

So what other options do I have besides powering off the machinee?

Re: How to isolate a machine from the network?

Steven Schweda — Fri, 18 Nov 2022 06:13:56 GMT

> How to isolate a machine from the network?

Define "the network". Do you mean the Internet, or the system's LAN,
or what, exactly?

> [...] completely isolate that system from the network [...]

Define "completely isolate". (And "the network".)

> [...] the logic says that I should unplug teh network cable but cannot
> do that remotely.

Do you ever want to talk to the system remotely again? If you
disable the system's link to the outside world, and you're _in_ the
outside world, then that would seem to be a one-way path.

Disclaimer: "a linux OS" is not a very detailed description of your
particular GNU/Linux distribution/version, and I don't use GNU/Linux
very much, so my GNU/Linux admin knowledge could be very stale. But,
generally, ...

If I wanted to disable some network interface with a command, then
I'd look into "ifconfig".

man ifconfig

ifconfig -a # Identify the interface of interest. "eth0"?

ifconfig eth0 down # For example.

If I wanted to leave the LAN connection as-is, but disable
communication beyond the LAN, then I might fiddle with the routing.

netstat -rn

For example, if the only interesting routes are the (implicit) route
to the LAN and the default route ("default" or "0.0.0.0" to your
router?), then I might change the default gateway from the actual router
to some address which no one is using.

route change default 127.0.0.123 # Some bogus address.

I'd expect commands like these (untested ones) to cripple some or all
of the system's network communication.

Re: How to isolate a machine from the network?

sysadmin700 — Sun, 20 Nov 2022 10:04:16 GMT

> Define "the network". Do you mean the Internet, or the system's LAN,
or what, exactly?

The system's LAN, any outside network connection from the OS

> Define "completely isolate". (And "the network".)

I mean no network packets can be sent out from that OS

> Do you ever want to talk to the system remotely again? If you
disable the system's link to the outside world, and you're _in_ the
outside world, then that would seem to be a one-way path.

Yes, access to that system could be done later by physically reaching the hardware, after the system have been contained and a restore plan has been setup depending on the threat.

> Disclaimer: "a linux OS" is not a very detailed description of your
particular GNU/Linux distribution/version, and I don't use GNU/Linux
very much, so my GNU/Linux admin knowledge could be very stale. But,
generally, ...

The linux distro is Fedora but your solution could not be valid as if that system is compormised, every network change configuration from withing the could be reverted. This is why I need a different solution/approach.

Re: How to isolate a machine from the network?

Steven Schweda — Sun, 20 Nov 2022 14:32:21 GMT

> [...] your solution could not be valid as if that system is
> compormised, every network change configuration from withing the could
> be reverted. This is why I need a different solution/approach.

If I couldn't trust any software on the system, and I couldn't
disable its network connection externally, then I'd shut it down and/or
power it off.

To what is its network interface connected? If it's connected to a
network switch or router with some management capability, then I'd work
with that. But, if you can't trust anything it does, then why leave it
running?

Re: How to isolate a machine from the network?

sysadmin700 — Wed, 23 Nov 2022 13:47:23 GMT

Because if, for example, of a ransomeware attack powering off the machine while the data is being encrypted could end in data corruption so it;s better to let it finish and isolate the machine.

Powering off the machine was my first though also but I was thinking about an alternate solution

Re: How to isolate a machine from the network?

Steven Schweda — Wed, 23 Nov 2022 18:33:10 GMT

> Because if, for example, of a ransomeware attack powering off the
> machine while the data is being encrypted could end in data corruption
> [...]

Unless I were planning to pay the ransom, I'd expect to need to
restore the system from a backup, so I wouldn't care about corrupting
data which I'd overwrite in any case.

> Powering off the machine was my first though also but I was thinking
> about an alternate solution

See "To what is its network interface connected? [...]", above.