Operating System - Linux

How to isolate a machine from the network?

 
sysadmin700
Visitor

Having a Linux OS installed straight onto an HPE DL580 Gen10 or similar machine, so no virtualisation involved here. Let's assume the OS is compromised by a virus or whatever. How can I make sure I completely isolate that system from the network remotely?

So the logic says that I should unplug the network cable, but I cannot do that remotely.

The other thing is to disable the physical network card, but I can't really do that through the iLO either.

So what other options do I have besides powering off the machine?

Steven Schweda
Honored Contributor

Re: How to isolate a machine from the network?

> How to isolate a machine from the network?

   Define "the network".  Do you mean the Internet, or the system's LAN,
or what, exactly?

> [...] completely isolate that system from the network [...]

   Define "completely isolate".  (And "the network".)

> [...] the logic says that I should unplug the network cable but cannot
> do that remotely.

   Do you ever want to talk to the system remotely again?  If you
disable the system's link to the outside world, and you're _in_ the
outside world, then that would seem to be a one-way path.

   Disclaimer: "a linux OS" is not a very detailed description of your
particular GNU/Linux distribution/version, and I don't use GNU/Linux
very much, so my GNU/Linux admin knowledge could be very stale.  But,
generally, ...

   If I wanted to disable some network interface with a command, then
I'd look into "ifconfig".

      man ifconfig

      ifconfig -a   # Identify the interface of interest.  "eth0"?

      ifconfig eth0 down   # For example.

   If I wanted to leave the LAN connection as-is, but disable
communication beyond the LAN, then I might fiddle with the routing.

      netstat -rn

   For example, if the only interesting routes are the (implicit) route
to the LAN and the default route ("default" or "0.0.0.0" to your
router?), then I might change the default gateway from the actual router
to some address which no one is using.

      route change default 127.0.0.123   # Some bogus address.

   I'd expect commands like these (untested ones) to cripple some or all
of the system's network communication.
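
The same two steps in iproute2 form (what current Fedora ships instead of ifconfig/route), as an added example that is not from the thread or from either poster. It goes one step past the reply by also loading a drop-everything nftables ruleset, since a blackhole default route alone still leaves the LAN reachable, and it has a dry-run mode so the plan can be reviewed before it is applied. The interface name eno1 and the routing-table lines in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iproute2 ("ip") and nftables
# ("nft") are installed, as on Fedora; "eno1" is a constructed interface name.
# Everything here runs inside the OS, so a compromised host could undo it;
# the plan is still useful as the quickest remote step before a switch-side cut.

# Read a routing table in "ip -4 route" format from stdin and print the
# default gateway (the address after "via" on the "default" line), or nothing.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Print the isolation steps for IFACE, one command per line. Order matters:
# blackhole the default route first (the LAN stays reachable for a moment),
# then drop all non-loopback traffic with nftables, then take the link down so
# a stray "ip link set up" does not quietly reopen the host.
isolation_plan() {
    iface=$1
    printf '%s\n' \
      "ip route replace blackhole default" \
      "nft add table inet isolate" \
      "nft add chain inet isolate in '{ type filter hook input priority 0; policy drop; }'" \
      "nft add chain inet isolate out '{ type filter hook output priority 0; policy drop; }'" \
      "nft add rule inet isolate in iif lo accept" \
      "nft add rule inet isolate out oif lo accept" \
      "ip link set dev $iface down"
}

# Apply the plan line by line; with DRY_RUN set, only print what would run.
isolate() {
    isolation_plan "$1" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "would run: $cmd"
        else
            sh -c "$cmd" || echo "failed: $cmd" >&2
        fi
    done
}
```

Run as root with `DRY_RUN=1 isolate eno1` first; the last step also ends the session you are typing in, exactly the one-way path the reply describes.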

sysadmin700
Visitor

Re: How to isolate a machine from the network?

> Define "the network".  Do you mean the Internet, or the system's LAN,
> or what, exactly?

The system's LAN, any outside network connection from the OS.

> Define "completely isolate".  (And "the network".)

I mean no network packets can be sent out from that OS.

> Do you ever want to talk to the system remotely again?  If you
> disable the system's link to the outside world, and you're _in_ the
> outside world, then that would seem to be a one-way path.

Yes, access to that system could be done later by physically reaching the hardware, after the system has been contained and a restore plan has been set up depending on the threat.

> Disclaimer: "a linux OS" is not a very detailed description of your
> particular GNU/Linux distribution/version, and I don't use GNU/Linux
> very much, so my GNU/Linux admin knowledge could be very stale.  But,
> generally, ...

The Linux distro is Fedora, but your solution could not be valid, as if that system is compromised, every network configuration change from within it could be reverted. This is why I need a different solution/approach.


Steven Schweda
Honored Contributor

Re: How to isolate a machine from the network?

> [...] your solution could not be valid as if that system is
> compromised, every network configuration change from within it could
> be reverted. This is why I need a different solution/approach.

   If I couldn't trust any software on the system, and I couldn't
disable its network connection externally, then I'd shut it down and/or
power it off.

   To what is its network interface connected?  If it's connected to a
network switch or router with some management capability, then I'd work
with that.  But, if you can't trust anything it does, then why leave it
running?

sysadmin700
Visitor

Re: How to isolate a machine from the network?

Because, for example, in the case of a ransomware attack, powering off the machine while the data is being encrypted could end in data corruption, so it's better to let it finish and isolate the machine.

Powering off the machine was my first thought also, but I was thinking about an alternate solution.

Steven Schweda
Honored Contributor

Re: How to isolate a machine from the network?

> Because, for example, in the case of a ransomware attack, powering off the
> machine while the data is being encrypted could end in data corruption
> [...]

   Unless I were planning to pay the ransom, I'd expect to need to
restore the system from a backup, so I wouldn't care about corrupting
data which I'd overwrite in any case.

> Powering off the machine was my first thought also, but I was thinking
> about an alternate solution.

   See "To what is its network interface connected? [...]", above.