HPE Community
Operating System - Linux
1828541 Members
2700 Online
109980 Solutions
New Discussion

How to isolate a machine from the network?

 
sysadmin700
Visitor

‎11-16-2022 08:18 AM - last edited on ‎11-18-2022 04:46 AM by

‎11-16-2022 08:18 AM - last edited on ‎11-18-2022 04:46 AM by

How to isolate a machine from the network?

Having a linux OS installed straight onto a HPE DL580 Gen10 or similar machine so no virtualisation involved here. Let's assume the OS is compromised by a virus or whatever. How can I make sure I completely isolate that system from the network remotely.

So the logic says that I should unplug teh network cable but cannot do that remotely.

The other thing is to disable the physical network card but can't really do that through the iLO either

So what other options do I have besides powering off the machinee?

0 Kudos
Reply
5 REPLIES 5
Steven Schweda
Honored Contributor

‎11-17-2022 10:12 PM - edited ‎11-17-2022 10:13 PM

‎11-17-2022 10:12 PM - edited ‎11-17-2022 10:13 PM

Re: How to isolate a machine from the network?

> How to isolate a machine from the network?

   Define "the network".  Do you mean the Internet, or the system's LAN,
or what, exactly?

> [...] completely isolate that system from the network [...]

   Define "completely isolate".  (And "the network".)

> [...] the logic says that I should unplug teh network cable but cannot
> do that remotely.

   Do you ever want to talk to the system remotely again?  If you
disable the system's link to the outside world, and you're _in_ the
outside world, then that would seem to be a one-way path.

   Disclaimer: "a linux OS" is not a very detailed description of your
particular GNU/Linux distribution/version, and I don't use GNU/Linux
very much, so my GNU/Linux admin knowledge could be very stale.  But,
generally, ...

   If I wanted to disable some network interface with a command, then
I'd look into "ifconfig".

      man ifconfig

      ifconfig -a   # Identify the interface of interest.  "eth0"?

      ifconfig eth0 down   # For example.

   If I wanted to leave the LAN connection as-is, but disable
communication beyond the LAN, then I might fiddle with the routing.

      netstat -rn

   For example, if the only interesting routes are the (implicit) route
to the LAN and the default route ("default" or "0.0.0.0" to your
router?), then I might change the default gateway from the actual router
to some address which no one is using.

      route change default 127.0.0.123   # Some bogus address.

   I'd expect commands like these (untested ones) to cripple some or all
of the system's network communication.

0 Kudos
Reply
sysadmin700
Visitor

‎11-20-2022 02:04 AM

‎11-20-2022 02:04 AM

Re: How to isolate a machine from the network?

 Define "the network".  Do you mean the Internet, or the system's LAN,
or what, exactly?

The system's LAN, any outside network connection from the OS

Define "completely isolate".  (And "the network".)

I mean no network packets can be sent out from that OS

Do you ever want to talk to the system remotely again?  If you
disable the system's link to the outside world, and you're _in_ the
outside world, then that would seem to be a one-way path.

Yes, access to that system could be done later by physically reaching the hardware, after the system have been contained and a restore plan has been setup depending on the threat.

> Disclaimer: "a linux OS" is not a very detailed description of your
particular GNU/Linux distribution/version, and I don't use GNU/Linux
very much, so my GNU/Linux admin knowledge could be very stale.  But,
generally, ...

The linux distro is Fedora but your solution could not be valid as if that system is compormised, every network change configuration from withing the could be reverted. This is why I need a different solution/approach.

 

0 Kudos
Reply
Steven Schweda
Honored Contributor

‎11-20-2022 06:32 AM

‎11-20-2022 06:32 AM

Re: How to isolate a machine from the network?

> [...] your solution could not be valid as if that system is
> compormised, every network change configuration from withing the could
> be reverted. This is why I need a different solution/approach.

   If I couldn't trust any software on the system, and I couldn't
disable its network connection externally, then I'd shut it down and/or
power it off.

   To what is its network interface connected?  If it's connected to a
network switch or router with some management capability, then I'd work
with that.  But, if you can't trust anything it does, then why leave it
running?

0 Kudos
Reply
sysadmin700
Visitor

‎11-23-2022 05:47 AM

‎11-23-2022 05:47 AM

Re: How to isolate a machine from the network?

Because if, for example, of a ransomeware attack powering off the machine while the data is being encrypted could end in data corruption so it;s better to let it finish and isolate the machine.

Powering off the machine was my first though also but I was thinking about an alternate solution

0 Kudos
Reply
Steven Schweda
Honored Contributor

‎11-23-2022 10:33 AM

‎11-23-2022 10:33 AM

Re: How to isolate a machine from the network?

> Because if, for example, of a ransomeware attack powering off the
> machine while the data is being encrypted could end in data corruption
> [...]

   Unless I were planning to pay the ransom, I'd expect to need to
restore the system from a backup, so I wouldn't care about corrupting
data which I'd overwrite in any case.

> Powering off the machine was my first though also but I was thinking
> about an alternate solution

   See "To what is its network interface connected? [...]", above.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.