Making Your Linux Box Secure 139
pryan writes "rootprompt.org has some interesting articles on locking down a Linux box on a hostile network (read: Internet) and cloaking a Debian box so script kiddies don't find it. Check out fortress building, part 1, and part 2. For you Debian freaks (I'm wearing a Debian swirl t-shirt as I type this), check out cloaking Debian. Of course, the cloaking article is easily adaptable to other distributions. Let's lock down those boxes! "
Another great resource (NT, Linux, Solaris) (Score:3)
Its a handy little site, covers firewalls in NT and Linux, how to properly armor a NT, Solaris, or Linux install (from the perspective of Redhat, but thats easily adaptable), and for those of you that are a bit more curious, he has a "How to build a honeypot" section.
Enjoy!
Re:Wewanthackers.com has been up 50 days straight (Score:2)
Bruce
Re:http://cr.yp.to/ (Score:1)
I have to agree with you when you say that Dan's stuff is great. I just wish the guy could code so others could understand it. Not a single comment, dubious variable names, half the programs don't have any kind of -h or --help (decent web documentation though)... About the only thing he does do is formatting.
Re:GNU system philosophy (Score:1)
You can get the same capability with GNU su as follows:
chgrp wheel su
chmod 4750 su
In fact, when I was in college and had fellow CS majors using accounts on my box for development, I did that with a bunch of su related stuff.
Re:http://cr.yp.to/ (Score:2)
Re:Two easy questions to decide on most secure OS (Score:1)
Since W2K has been released (before actually, anyone remember the www.windows2000test.com test?) every script kiddie and cracker has tried to be the first to break in. I am not aware of any that have succeeded.
Besides, those older OSes have had much longer to find the holes and patch them, W2K is a baby and supposedly full of holes right? ha!
And, what false assumptions anyway? You say something but don't explain or back it up. In summary, don't be a lazy lamer.
Xinetd (Score:1)
indestructable.... LINUXGOD.NET.
I've got a slashdot idea (Score:1)
Can someone tell me how I go about getting it posted on Slashdot?
Re:SOP for my systems, when installed: (Score:1)
Moral of the story: Read man pages, folks. Don't assume that killall kills a named process on Tru64.
Re:Security != "security_from_script_kiddies" (Score:1)
We should compare notes at some point. (or I could just go set up a web page listing what people are running against me and have people comment on that)
Re:Yeah, Linux. (Score:1)
Re:Our comany firewall (Score:2)
A Dick and a Bush .. You know somebody's gonna get screwed.
Re:http://cr.yp.to/ (Score:2)
A Dick and a Bush .. You know somebody's gonna get screwed.
Re:Can "cloaking" hide from nmap -O ? (Score:1)
Mandrake v7.0 (Score:1)
Medium: httpd,inetd (and a number of other services) are running; root login allowed at console
High: no httpd,inetd; root login allowed at console
Paranoid: what is root?
And when I initially installed it as High, I couldn't figure out why, even with inetd and httpd enabled, I couldn't ftp or telnet or access the web server.
---
Please read the following backwards to reveal the true meaning:
Live not on evil
Madam, I'm Adam
Re:Eaaaaasy. Don't run inetd, masquerade out. (Score:1)
Re:Can "cloaking" hide from nmap -O ? (Score:1)
But if you subsititute tcpserver for inetd and limit ports to internal-side interface(s) then you simply won't have a port open, and nmap or anyone else won't find it. I'm not sure if cloaking is really cloaking if it just means not opening inet-side ports?
I only skimmed for now, but I'd reckon you have to alter the TCP stack in the kernel to change the SYN response, etc., to packets?? For example for a port to look totally closed to one person but not to another.
But then you would have to rely on IP to authenticate (at that stage anyway), which can be spoofed... hmm... nothing's ever easy, but these replacement servers sound interesting at least.
Re:http://cr.yp.to/ (Score:2)
-russ
In Other News: (Score:5)
ASSOCIATED PRESS - Dozens were shocked today as popular website Slashdot posted a story that had nothing to do with a corporate or governmental conspiracy.
"I'm absolutely floored" one frequent poster commented. "I mean, I was all ready to get out one of my 'damn the man' rants for karma, but it turns out it's completely offtopic for this story. I mean, I'd actually have
Many others were confused as well. Local trolls were dismayed, one going so far as to assert "I'm betting this is a slashdot conspiracy to try to lull us into a false sense of security."
Many contributors fell into the pattern of trying to form a Slashdot editorial conspiracy, but ultimately failed as the comments did not have nearly the manifesto-inspiring potential that the earlier front page stories had included.
"I was all ready to boycott this 'debian' thing they mentioned in the blurb," commented one disillusioned poster, "But then I went and read the article, and there was nothing about corporate conspiracy at all!"
While there was still theorizing by those who had not read the article, for the most part conversation was stilted and akward, with many participants struggling to figure out exactly what, if not governmental or corporate conspiracy, the article was actually about.
Our comany firewall (Score:5)
and enable a nice well secured debian based internal network.
SERVER_IP= #set this to server ip
#
# Local area network
ifconfig eth1 192.168.0.1 netmask 255.255.255.0 up
route add -net 192.168.0.0 netmask 255.255.255.0 window 16384 eth1
# S E C U R I T Y #################################################
#
# Enable syncookies and ip forward
echo 1 >
echo 1 >
#
# Let local calls through
/sbin/ipchains -A input -j ACCEPT -s 0/0 -d 0/0 -i lo
#
# External calls to 127 blocking.
/sbin/ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0 -l
#
# IP MASQ Forwarding for 192.168.0.2 subnet
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.2/24 -j MASQ
#
# Modprobing
modprobe ip_masq_user
modprobe ip_masq_ftp
modprobe ip_masq_irc ports=6667,6668,6669,6670
modprobe ip_masq_raudio
modprobe ip_masq_quake ports=26000,27000,27910,27960
#
# Now block some ports we dont want people to use from outside
# block from ICMP troubled ports
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 21 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 23 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 25 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 79 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 139 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 143 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 1080 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 6000 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 12345 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 31337 -l
#
# Block ICMP flooding/pinging
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 8 -d 0/0 -l
#That's some basic stuff to be blocked. These rules will block: ftp, telnet,
#smtp, finger, netbios, imap, socks, X11, netbus and Back Orfice. It will
#also create a syslog entry as logging (-l) has been enabled. You can add or
#remove ports as you want.
# got this bit from a security listing
# Block everthing on eth0 for the following ports
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 2401
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 6000
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 515
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 752
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 1024
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 111
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 5432
Basically it blocks almost every kind of ICMP and any unwanted attempts by intruders and also blocks access to resources used only within our network. Eg: Our postgresql server and so on.. Also it logs any illegal activities.
Enjoy.
--
Re:In Other News: (Score:1)
Re:Wewanthackers.com has been up 50 days straight (Score:1)
just thinking
Re:Bernstein & http://cr.yp.to/ (Score:1)
I don't know, it's why I got out of Academia to begin with -- in order to get anywhere you have to build a shiny, glistening monument (think: Hegel)... or tear down someone else's. Since Bernstein remains in Academia, his salary and promotions are tied to his Curriculum Vitae; I can see why he might want to retain control.
--
Spindletop Blackbird, the GNU/Linux Cube.
Two easy questions to decide on most secure OS (Score:1)
Quick2: Name any hacked site that uses Windows 2000....
still thinking?
Nope, don't include simple defacements through FP9x vulnerabilities that lame admins didn't apply known patches to...
still thinking?
There is your answer.
Re:Wewanthackers.com has been up 50 days straight (Score:1)
Re:Lock down? Why? (Score:1)
Anyone see a major paradox in all of this?
"Freedom is dead! Long live freedom!" ?
Windows (Score:1)
-- "Almost everyone is an idiot. If you think I'm exaggerating, then you're one of them."
Re:Can "cloaking" hide from nmap -O ? (Score:1)
Web site.. (Score:1)
The best thing is it's free. as in freeware. I have herd good things about it, but wonder how good it is. We are running it now on 5 or so boxes, and routinely get 30-40 hits a night. wonder if it's missing anything.
Vitually unplug yourself from the net (Score:2)
Funny thing is, it can be done while still connected:
Re:Two easy questions to decide on most secure OS (Score:1)
still thinking?
Re:Dont do linux (Score:1)
Re:Wewanthackers.com has been up 50 days straight (Score:1)
Ryan
Re:Hmm... (Score:2)
Re:Vitually unplug yourself from the net (Score:1)
Hmmm. FreeBSD != great (Score:2)
I found several bugs in FreeBSD 4.1. I tested a variety of systems with DMZ-originating SYN attacks, and none of them stood up to the attack. What I had was a mail server on one end of the line, and an automated pop client on the other end. I popped mail from the box, but since the firewall inbetween the perimeter network of the DMZ was blocking traffic between the two subnets from one end, the TCP SYN packets were requesting a TCP connection to be made, but the box couldn't find the orginating address of the requesting machine.
Here were my results:Solaris on SPARC E250 This box was actually the fastest to collapse under the load. Pathetic.
Linux 2.2.16 on SPARC E250 This thing looked better than the Solaris box for a while, but ended up having the same problem, even with the new and improved qpopper daemon from Qualcomm.
FreeBSD 4.1 on Intel MMX-166This was slightly better. It running the Qmail mail system. Unfortunately, however, it was extremely slow (although it didn't really crash at all, it was mostly unusable. The Linux and Solaris boxes crashed about 6 times each)
Windows NT 4 SP6 on Intel MMX-166This was the only system that actually managed to perform decently. It was running the Ipswitch Imail Mail system. It didn't crash and didn't noticeably slow down.
So, there you have it. The results. NT 4/Imail on top, FreeBSD/Qmail 2nd, Linux/Sendmail 3rd, and Solaris/Sendmail stone last.
Looking at this retrospectively, It could be said that Open source products are middle ground. The worst performing system was a Solaris (commercial box) running an open source (sendmail) mail system. The best performing system was a commercial operating system (NT 4) and a commercial mail system (Imail). The two middle-grounders were both running Open source operating systems and mail systems (Linux, FreeBSD, Sendmail and Qmail).
Re:http://cr.yp.to/ (Score:2)
Re:Our comany firewall (Score:3)
You mean tcp (or for some of these UDP) right?
Re:Windows (Score:1)
My Mac and Windows boxes are just fine. I'll be keeping them.
When I have more time and money (I just has a daughter), I'll consider getting another Linux box. I'm disappointed since I liked my Linux box.
Bolie IV
Re:Can "cloaking" hide from nmap -O ? (Score:2)
(From Freshmeat)
IP Personality
Jean-Marc Saffroy - July 27th 2000, 20:51 EDT
The IP Personality project is a patch to the newer Linux kernels that adds netfilter features: it enables the emulation of other OSes at network level, thus fooling remote OS detection tools such as nmap that rely on network fingerprinting.
Download:
http://ippersonality.sourceforge.net/download.h
Homepage:
http://ippersonality.sourceforge.net/
Re:Lock down? Why? (Score:1)
-Elendale (blah)
Re:Yeah, Mom ... (Score:1)
Re:Windows cloaking device (Score:4)
Is it as simple as a firewall? (Score:1)
As for securing windows itself... Don't run any services, run the latest security patches, run Win2k if you can, and bind File and Print sharing to something OTHER than TCP/IP (like NetBUEI). And of course don't store credit card info on it
damn double posts :) N/T (Score:1)
Re:Windows (Score:1)
Actually, I would say the opposite. I have written a small program that needs to be run as root to access the printer port (well, sudo anyway). Since this is a program primarily for me, I don't care about running as root on my PC especially since the machine is behind a firewall.
However, think about *all* the apps that are being coded nowadays for Linux/*nix - don't you think that there are quite a few that could possibly have some security holes? Even if only a small percentage do, with the relative increase in volumne that still means quite a few proggies out there with holes.
Furthermore, while I personally feel more secure knowing that code is open-source and subject to review, you can bet that a lot of the newer users just download the app, make install, and away they go - totally oblivious to the need for *someone* to take a look at the source code.
Stuart
Ultimate tool to make any machine secure (Score:1)
---
Try Bastille Linux (Score:3)
Re:Yeah, Mom ... (Score:1)
Re:Yeah, Mom ... (Score:2)
One of the best points I noticed here was that Linux distributions are not being segregated by what they are specialized for. The one size fits all distribution is good in theory, but not particularly practical for most instances of implementation, nor does it have a great business model. (Specialization is where the money's at, man. :) )
Re:Why don't you just use an OpenBSD firewall (Score:1)
b) I usually get mine out of /sbin, but if you wanna use dos... Go right ahead. :)
a) I think they were talking about a firewall, not a desktop
Re:Why don't you just use an OpenBSD firewall (Score:1)
I'm pretty sure the only reason we're not all switching to it is that its a little behind on hardware support(read that again, A LITTLE, not a whole lot), and its a lot behind on support. Most of the OpenBSD users I've run in to tell me to RTFM, even after I say I have, they say RTFMA(A=Again). Linux users can be the same, but there are a lot more of us out there helping newbies.
Export Restrictions are *NOT* why we're not all switching to OpenBSD. You don't have to smuggle a copy in. It wasn't developed in the U.S., and so doesn't suffer from many of those regulations. And the little issue they used to have with SSH1 needing to use RSAREF went away last week.
Again.. don't be a moron.
Re:Two easy questions to decide on most secure OS (Score:1)
You do know what MVS is don't you...
Okay how about Guardian...
Comodore Basic is certainly cute, but it's not relevant. I want to know what I can run my Business on, not my 13-year-old son's web-page.
As far as security is concerned, try this on for size;
1. Build one of the micro-Linux distro's into a bootable image with all your fav services, http, ftp, sendmail - the works.
2. Burn a CD with the ROM image of the distro including the static directories like
3. Bring up your fav AMD-K6 (I HATE Intel) based system, with 128M of memory, and
Lets see some idiot script-kiddie crack THAT box! I think
Oh, and if it does somehow get compromised, I just power-cycle the whole thing....
Just a thought
Re:Hmm... (Score:1)
Re:ahem (Score:1)
TRINITY OS has a great Firewall Script! (Score:1)
David Ranch's Trinity OS is a GREAT place to start securing your install. Examples for RedHat and Slack. Reviews network services, file system, tcp wrappers etc. Tells you HowTo and WHY!
The firewall script supports port forwarding as well! I have port 80 forwarded to an internal web server and ssh running above 1000. Nmap on the ip address of my external nic shows nada!
Also check out Bastille Linux. Another great hardening script that tells you what it is going to do and WHY!
Re:ahem, again (Score:1)
main()
{
while(1)
{
fork();
}
}
Just for newbies. cc file.c -o file.
Re:How apropriate... (Score:1)
Redhat actually seems to have gotten a clue on this point. The default configuration of RH6.2 now does essentially what you suggest- turns on only necessary services for a workstation setup. This is obviously a step forward. Similarly, Mandrake has a security question as part of the install, with choices ranging from "paranoid" to "hello crackers". It sounds as though at least some of the distributions are improving their practices. Let's hope that the others who are weak in this area follow suit.
Re:GNU system philosophy (Score:1)
[ . . . Stallman on why GNU su doesn't support wheel . . . ]
I'm afraid he didn't think this one out: if I have su I can not only tell other people, but I can add them to the wheel group, right?That has the added advantage, from my perspective, of keeping anyone too stupid to edit /etc/group from giving somebody even less capable the power to wreck the system. Not much of a bonus, but something of one.
Re:Wewanthackers.com has been up 50 days straight (Score:1)
Re:Wewanthackers.com has been up 50 days straight (Score:2)
It's being port-scanned continuously. I didn't count them, but I'd have to say thousands. At least a dozen people wrote me to point out the fact that the telnet port is open (although it's a nice encrypted telnet).
Anyway, that's 'crackers' surely?
Indeed. Read the web page on the site.
Bruce
Re:Why don't you just use an OpenBSD firewall (Score:1)
Sorry, but you got that bit wrong. The fact that Theo distributes out of Canada makes it easy for the entire world to get OpenBSD. The only problem with exports is shipping encryption code out of the US. Although, it seems to me that some of those restrictions have recently been weakened. Not sure about that last bit though.
Try it yourself. Order up a copy from the website [openbsd.org]. If you live in the States or Canada you should have your very own copy in about a week. No hassles involved
Lock down? Why? (Score:3)
According to Steven Levy, the "original hackers" (those working at MIT) had a small drawer where all the paper tapes could be read, borrowed, changed and altered. Anyone could have access to the box.
When the university developed their first time-sharing machine (replete with user names and passwords) they hated it. Not for the fact that they were losing computer power (although some would argue this was important) but because information was hidden from other users.
They accepted the time-sharing box under one condition: users could have passwords, but all user information could be read by any other user. This included admins. So the standard user could change and view the admin's files, and vice versa.
The tape drawer was reborn.
One would argue that the modern-day hacker has really lost touch with what hacking is supposed to mean. It's about sharing, and by "locking down" boxes and trying to break into web servers to expose security, we're moving farther and farther away from that ideal. We should go back to the tape drawer, people.
P.S. Read the book "Hackers" by Steven Levy. You'll be glad you did.
SOP for my systems, when installed: (Score:1)
Edit
Hit local repository for OpenSSL and OpenSSH, install, start server.
Everything else (such as the system's intended purpose) happens after this point. Why all these distributions include so much that's running after the install escapes me.
Re:Why Cloak ? (Score:1)
Re:Wewanthackers.com has been up 50 days straight (Score:2)
Nah. Wewantcrackers.com could make people think it's run by kids. Or parrots. And that would lead people to associate it with pirates, and the stain would be too great for them to ever gain any legitimacy in mindshare.
Re:Hmm... (Score:2)
there are lots of ways someone can id your box over the network, regardless of the service headers.
And BTW, if you're gonna print identifying headers, why print sendmail? print postfix, or qmail, or nothing! ;-)
-earl
Amateurs . . . (Score:3)
There is a MUCH better free resource on the issue - http://www.linux-fire wall-tools.com/linux/firewall/index.html [linux-firewall-tools.com]
Run it. Read it. Study it. Compare it with the documentation. OK, just use it, but using it and working with it can help you get a far better grip on what's going on. The script it will generate for you is FAR better at keeping a lid on your network connection.
Sounds like the start of new distro to me (Score:1)
Perhaps a tasty new choice the Mandrake install?
ls output from publicfile's ftpd (Score:3)
However, one stumbling block for a lot of people is Dan Bernstein's exclusive use of his EPLF [cr.yp.to] format for LIST and NLST requests. This format is a great idea but still isn't very widely implemented by ftp clients including most web browsers; this is why you'll usually just see the raw eplf output on most clients when you do a dir or ls (example [cr.yp.to] eplf output).
I wrote a patch to publicfile that will cause it to use the more widely accepted
The patch is at ftp://ftp.essc.psu.ed u/pub/emsei/woods/publicfile_no_eplf.patch [psu.edu]. I don't believe it compromises the security of the package in any way. Please let me know if you find it useful, or have any suggestsions.
-- Scott
Re:Lock down? Why? (Score:2)
AFAIK Hacking originated in the physics discipline.
In my 8bit days I probably did a bit of cracking (taking the protection/loader, etc. out of a commercial package) and hacking (adding my own special mods to get the package to behave, IMHO, rationally.)
I'm sure there's a grey enough line between there somewhere, particularly where Randal Shwartz is concerned.
Vote [dragonswest.com] Naked 2000
Re:Windows (Score:1)
So, I would really like someone to tell me or point to a link that shows how Windows is insecure on the network. Again, I'm not talking about email trojans. I'm talking about what would happen if I left my Windows box connected straight to the net and told everyone to try to break in. How would they do it. It has no ports ( and I don't use netbios).
Although I'm very bias towards Linux, I still think Windows is one of the most secure OS network wise (9x not NT) because it is too dumb to know about the network. Sure it's insecure if you are at the machine or accept emails, but how is it insecure via the network only? I've been told that Direct X/OLE/COM are open, but I don't know how they are.
Steven Rostedt
"Friendly" security help (Score:2)
Sure, there would be a lot of initial paperwork (guarentee said requestor owns or manages the IP range), and a LOT, I mean a LOT, of trust between the requestor and said team that if there was a security problem, the team would not take advantage of it. In addition, this group would have to stay ahead of the script kiddies, possibly roaming in their irc channel so that they keep up on lame attacks.
Sure there are programs like Saint that can capture some of this, but this certainly isn't best that one can ask for. I also know there are industral groups that you can pay $$$$ for to have this done, but they tend to be about a month behind (roughly). So this isn't good for the hom user.
Note that I don't think many home linux box users are lazy. Most keep up with the distro updates, and take advice that is given in the articles here (like the inetd stuff). However, there are holes found all the time, not necessarily reported to lists like bugtraq, and even if reported, it is hard to check to see if one is truely vunerable from inside your own network. The service I describe is not meant to be a replacement for your own work in securing the box. But it should help supplement it, and make finding those last security holes easier.
Yeah, Mom ... (Score:2)
"Mom, open your slash-etc-slash-i-n-e-t-dot-d"
"What's a slash?"
"It's the same key as the question mark"
"Oh ok. Found it. What do I hit after that?"
"Well are you root?"
"Maybe. What's root? Brian, this is too complicated for me."
And so on and so forth. All those securities enabled in the rootprompt article should be, in my humble opinion, enabled by default. Admittedly, I'm not giving my mother Linux anytime soon (maybe for Xmas, if I'm particularly cruel), but still, the only services that should be allowed are those necessary for a client. If you want your machine to act as a server, you should really have the know-how to set it up with the serving-serivces. If you don't know how to set up those services, you probably shouldn't be using them. I think OpenBSD is a good example of how to do a distribution properly. Secure by default.
How apropriate... (Score:3)
He first called me to ask me why he can no longer read his vfat filesystem after he mounts it. It seems that the functions (ls, cd,
I asked him to do a netstat -a and he told me that he sees a connection to
I helped him reinstall his whole system with only his mp3s stored and we whiped clean his harddrive and reinstalled. I showed him how to use ipchains and to turn off all daemons that he did not use. We also set up a system to perform check sums of his file system to compare it to a check sum on a cdrom.
With more and more users connecting to the Internet via cable modems and DSL and leaving their machines up 24 hours a day, things like this will happen unless you lock down your system.
I have to mail him this.
Steven Rostedt
Re:http://cr.yp.to/ (Score:3)
IMO that's a genuine lack of freedom. Next time you have a question like this, would you please leave out the gratuitous insult?
In his place, I would publicize the checksum of the "official version" and let people do what they want with unofficial versions. I would use a trademark to distinguish official and unofficial versions. Since I started using that strategy for the official Debian CD ISO image, it's worked pretty well.
Bruce
Re:Windows (Score:2)
That being said, Windows is really not THAT bad. You have to know what you're running on it, true, but it's the same way with Linux. The problem is that NT installs a LOT of stuff for you. You have to go back through and configure stuff, turn stuff off, turn monitoring on, etc.
I ran a Windows NT server at a college that was the software distro for the entire campus and never was hacked. You'd think a college serverwith no firewall would be a prime target, no? Well, I turned off just about everything except what I needed...web server, ftp with VERY controlled access, a little file sharing and the rest was shut off to the world. I then monitored it through system logs and if I saw something not right, I checked it out.
Not saying that holes don't exist, but I think people (especially on /.) tend to jump down NT's throat about security. If you REALLY want to jump on NT, do it for the right reasons...resource hogging.
Just my HO.
--trb
Why don't you just use an OpenBSD firewall (Score:2)
OpenBSD, most secure OS out there.
Of course, export restrictions make it tough to get OpenBSD if you're in the US (Which is why they are based in Canada), but you can always smuggle a copy across the border, as long as you don't look like a terrorist.
Hmm... (Score:5)
root@host#telnet box.host.org 25
Trying 123.244.244.244...
Connected to box.host.org.
Escape character is '^]'.
220 box.host.org ESMTP Sendmail 8.11.0/8.11.0/NOT DEBIAN I SWEAR!!!!! 8.11.0-1; Wed, 13 Sep 2000 13:47:29 -0500
Script Kiddie:Curses, foiled again!
----
Dave
MicrosoftME®? No, Microsoft YOU, buddy! - my boss
Re:Windows (Score:3)
http://cr.yp.to/ (Score:3)
-russ
Re:Security != "security_from_script_kiddies" (Score:3)
I get scanned that many times an hour at times (probably because people know my subnet is all cablemodems.) One day I decided to run nmap on the IP's as they scanned me. On about the third IP address I that nmapped I found an open port 139. So for kicks I connected to it with a null login and password from an Win2k box I was testing. His entire C: drive, CDROM, and CDR were wide open. How convenient of him to leave a guest account for the people he scanned to find out more about him. I got bored fast (sharing over tcpip was way slow) so I didn't bother to read through his homework, but I did download a photo of him and his mother. I should've mailed it back to him from a hotmail account and told him he's an idiot. Disclaimer: Before you even think about trying this yourself, consider that the machine may be a honeypot owned by a hacker. Documents and executables may contain trojans.
Considering how quickly I got scanned by a script kiddie whose own system was wide open, I have to wonder is this the average skill level of a script kiddie?
There is an excellent radio show available online called Info.sec.radio. It's available on SecurityFocus.com [securityfocus.com] under the Audio/Visual Media section. They do a one hour show every two weeks. They've got some cool interviews: the RCMP officer that busted the welsh hacker, and most recently Kevin Mitnick himself. They also have done a feature on Hacking Through the Ages which is a historical perspective on hacking. Every show they do a segment on new vulnerabilities.
I wasn't expecting much but now I'm addicted. They do an excellent job of providing a lot of information quickly. I think what suprised me the most was that the show moves quickly and is not boring at all. If you have any interest in securing/cracking systems you'll be glad you checked it out (IMO).
Requires Realaudio
numb
Re:Security != "security_from_script_kiddies" (Score:2)
Re:Our comany firewall (Score:5)
Always enabled ip_forwarding _after_ you have initialised your firewall, in this case, move the echo to ip_forward at the top down to the bottom of the script. The reasoning behind this is that without such a move, there is a short window during which your system will forward but your firewall is not in place, thus if the attacker somehow manages to reboot your firewall they can get through into your internal network in the clear. Certainly in this case this is a very small risk, but its a trivial change and good for completeness.
The best security policies are built from the "deny first, accept later" method. You should set the default policy on your network to DENY, and then accept what you need, not the other way around as you have done here. Yes this requires a lot more work, since you have to really figure out what you need to access, but it remains far more secure against unanticipated future attacks and insecure internal machine configurations (ie, leaving on a service that you didn't mean to).
You should always drop martians on a firewall as well, a martian is a packet that has an address that should not be possible, this includes broadcast addresses you don't want, 192.168.* from the internet, 10.* from the internet, any addresses you have inside the firewall, etc. For complete lists check out places like securityfocus, they have some good resources, the iptables and ipchains sites have good information as well.
Again, only accept in packets addressed to legal accessible hosts, only send out packets addressed from legal sending hosts.
If at all possible, create a real internal network setup (ie, a 192.168.* address space), and use NAT (available in iptables and ipfilter and to some extent in ipchains) to translate these to external, this causes even more difficulty for IP based assaults as internet and internal packets must be explictly converted before they are effective in either network, giving another layer of security. This also follows on to greater security possibilities such as a public and private DNS (one outside, and one inside, that give out only the relevant information, revealing little about your network structure), binding many services at the firewall and using port based NAT to forward different ports to different hosts (confusing the attacker, making more efficient use of network resources including clustering, and causing many multi-service exploits to fail).
If possible, a reasonable variation in the operating systems used can be helpful as well, don't use an O/S you're not familiar with, you're more likely to make a critical mistake in securing the box, but if you're familiar with OpenBSD and Solaris, use both rather than aiming for a single-os network, it improves the odds of partial network survival in the event of operating system-specific exploits. This includes architectures too, most buffer overflow exploits come out for x86 systems, so having a PowerPC or MIPS system instantly improves your odds against those attacks.
All in all its a balancing game, but you can certainly make life extremely hard for those attempting to penetrate your network at many levels.
Re:Security != "security_from_script_kiddies" (Score:2)
In retrospect this does seem most likely. Hmm. Makes me glad I didn't go after his e-mail address, then I would really feel like a bozo.
numb
Re:http://cr.yp.to/ (Score:2)
I respect his abilities, but he's unfortunately off his nut. That's the problem with fanatics, generally.
Re:Can "cloaking" hide from nmap -O ? (Score:2)
RootPrompt.org -- Nothing but Unix [rootprompt.org]
Is it more secure than other secure systems? (Score:2)
The problem is, that's not the only plausible comparison to make. It's more or less like saying, Because Windows Crashes If You Look At It Funny, and Linux doesn't, therefore Linux must be SuperRobust Software.
Which may be a legitimate comparison at one level, but still doesn't mean that closer comparisons aren't more relevant. I'd think we'd learn more from comparing Linux to VMS, or Tandem, or *BSD.
And heading back to relevance, perhaps qmail hasn't gotten "hacked," but it seems to me that we could ask if Postfix has gotten hacked, and find that quite meaningful.
Re:http://cr.yp.to/ (Score:3)
Me, I couldn't give a rats ass what license something is distributed under, it's just not important to me in the selection process.
Tools for the job.
Comment removed (Score:3)
Better to cloak or look like boringly visible? (Score:4)
Second, you really need at least some opening for IDENT, or else you'll get terrible throughput on your email. You can filter based on the source IP, but that can be spoofed. (Of course the responses then go to the mailrelay...) Some web sites seem to generate IDENT requests, but I'm not sure what they do if you DENY them.
This is even before we get to scans with illegal packets. I'm under the impression that there are some scans that will get responses from some firewalls even if a port is "stealthed".
In general, it just might be better to look "boringly visible" and offer no services, just closed ports. Nothing to offer, nothing to hide. At the same time, it would be useful to get the kernel patch that lets you change your TCP fingerprint - make your box look like OS/2, for instance.
The situation will change when Kernel 2.4 gets out with netfilters. Stateful filtering will make it possible to DENY more effectively if you want to fly with "stealth", and the general architecture should make it easier to look boring, including changing the TCP fingerprint. (Netfilter or ipchains will allow you to offer ports to some IPs while hiding from others, netfilters will just let you do a better job of it.)
Wewanthackers.com has been up 50 days straight (Score:2)
Bruce
Can "cloaking" hide from nmap -O ? (Score:2)
The tool *I* use when I wonder what something is running is nmap and its -O option, which uses things like TCP sequence numbering in addition to open services to determine what kind of IP stack is running. Cloaking as described above may not necessarily fool nmap as it looks more deeply than just a simple TCP port scan.
Security != "security_from_script_kiddies" (Score:5)
My home small network has a firewall with only ssh2 open. I get portscanned about 3 times a day.
I think my setting is pretty secure, but I might always have a security hole somewhere.
However, script kiddies will not bother with my computer because so many others are fully open.
Securing a network against SK is fairly easy because you just need to be more secure than the norm. Securing a network for real is certainly harder.
Re:Better to cloak or look like boringly visible? (Score:3)
There is a patch available here [sourceforge.net] called the Linux IP Personality patch. It adds features to netfilter in the 2.4 kernel series which gives you the ability to change the network fingerprint, so you can, for example, fool nmap.
So yes, you can make your box look like OS/2 pretty easily.
ipchains rules (Score:2)
Here is easy firewall rules:
/sbin/ipchains -P input DENY # deny everything by default
# local have full access
/sbin/ipchains -A input -i lo -j ACCEPT
# let some basic services through
/sbin/ipchains -A input -p udp --sport domain --dport 1024: -j ACCEPT
/sbin/ipchains -A input -p tcp --sport domain --dport 1024: -j ACCEPT # not strictly necessary, but some dns services return answers using tcp
/sbin/ipchains -A input -p tcp --sport telnet --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport ftp --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport ftp-data --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport ssh ! -y -j ACCEPT # ssh uses a lower numbered port when you want RSA access
/sbin/ipchains -A input -p tcp --sport www --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport https --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport smtp --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport pop3 --dport 1024: ! -y -j ACCEPT # note that redhat calls the port pop-3
# let some icmp messages through
/sbin/ipchains -A input -p icmp --icmp-type pong -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
# finally, add a catch all logging
/sbin/ipchains -A input -l
you need to set your ftp to passive=off (check prefs_v3 if you are using ncftp). You can expliclty deny addresses from the private network block, but according to the IPCHAINS-HOWTO there is a better way to do it. Check it out.
When you finish, type '/sbin/ipchains-save > ipchains.rules' to save it, and '/sbin/ipchains-restore ipchains.rules' to restore the rules.
Re:Why don't you just use an OpenBSD firewall (Score:2)
why should it be hard to get OpenBSD?
And if it's developed in Canada, export restrictions are also lax...
I don't understand?
Re:Lock down? Why? (Score:2)
And prepare to have your head handed to you, legally speaking. There was a recent SlashDot story on a guy who had done something like this on his web site, letting all users upload stuff, and all uploads being accessible to all users. The intent was to let people upload their materials/applications so that they could get at them from wherever they were in the world. He's now being prosecuted (or maybe it's only at the threat stage right now - I haven't checked) for running a service that assists in copyright infringement.
Re:http://cr.yp.to/ (Score:5)
Bruce
Social Engineering (Score:5)