Security
Advent Systems
adventsystems at verizon.net
Sun Jan 9 22:50:01 EST 2005
Holy smokes Dave, THANK YOU, this is what I needed to get started. I'm on
it right now.
Bob Randal
Dave Andruczyk wrote:
>--- Advent Systems <adventsystems at verizon.net> wrote:
>
>>Cyber Source & Dave Andruczyk,
>> Just want you guys to know I'm not some asshole because of all the help
>>re: small network and I did not reply or thank you sooner BUT none of
>>that matters now. You see on the 1st I believe my system was cracked,
>>broken into, whatever you want to call it. I'm not sure because in
>>15-18 years of using computers I haven't had as much as a virus
>>(well, maybe 1-2). All I know is the day before I was updating my system
>>via apt-get and it kept getting "stuck" at some site in ca. called slug
>>something. I ......you know what, this is not the purpose of this
>>email. If anyone wants all the particulars email me off the list.
>>
>
> Getting "cracked" (it's not hacked, the media keeps using the wrong terms) is
>never fun. I've had it happen to myself and to servers I've managed early in
>my career before I learned some of the finer points of securing a system.
>
>> What are the BARE min. services and ports that need to be running
>>and what do you FC2 guys do to keep the average jerk out of your systems
>>(I know there's nothing that can be done against a smart, concentrated attack)
>> As far as the small network goes I can't even think about taking my
>>machine off the Windows network until I learn and understand Linux security.
>>
>
>What you need to keep running depends on the needs of your system, i.e. is it
>a single machine for yourself, or a server for a group of machines, is it
>behind a firewall, or is it acting as a firewall? Does it require outside
>access from the internet at all? i.e. does it provide
>web/dns/ssh/telnet/ftp/mail services to the untrusted (internet) side?
>
>My home machine only needs to provide ssh to the internet (so I can login from
>remote), so that means I leave SSH enabled, but turn off ftp, telnet or any
>other connection method that passes passwords in cleartext. I use a hardware
>firewall, the best $69.00 I've ever spent (a Linksys WRT54G running the
>enhanced Linux firmware). A hardware firewall is in my opinion the better way
>to go than using your desktop machine as a firewall. The #1 reason being that
>the firewall is CHEAPER and simpler to use for 99% of the users out there. For
>those 1% who are doing some weird things they are probably skilled enough to
>know how to handle potential security concerns.
>
>Services that you may be able to shut down:
>- httpd (unless you are a webserver; Adelphia doesn't let you do this on a
>residential account so turn it off)
>- telnet (this is clear text logins, SSH is more secure, use that if you need
>it) so turn telnet off
>- sendmail/postfix/qmail. Mail daemon for RECEIVING mail as a mailserver. If
>you use a mail client like kmail or webmail (yahoo/gmail/hotmail) then this
>does NOT need to be running
>- nfs* (nfsmount/lock/etc) these do NOT need to be turned on if you are NOT
>using NFS to share files on your internal network. In my personal case I have
>these enabled, but the firewall blocks everything except SSH so it's shielded
>from the internet
>- xinetd/inetd. This is the inetd superserver that spawns programs based on
>connections to certain ports. For 99% of users these services are disabled as
>they provide things that are either unneeded or insecure. The config files are
>either /etc/inetd.conf or /etc/xinetd.conf and /etc/xinetd.d/*
>- cups. Printserver daemon. IF you don't have a printer, turn this off; if
>you do have a printer and you use it, turn this on, but edit your
>/etc/cups/cups.conf file to prevent access from the internet. (In my gentoo
>setup it's preconfigured to allow connections from the local host only and
>nothing else, other distros may vary on their config. Running a portscan will
>show you if it's listening or not though.)
>- samba, windows fileserving. If you don't serve files, turn it off; if you
>do you can enable it but make use of the "interfaces =" config option for
>/etc/samba/smb.conf. Read the man page on smb.conf (man smb.conf) to know what
>that option will do.
>- ssh, enable it if you want to login from remote, disable it if you don't.
>
>There are other services that have slipped my mind, but you will be able to
>catch them with portscanning below. On gentoo systems you can see what you
>have enabled to start by running "rc-update show" as root and it'll show all
>services and what runlevel they startup in. I believe on redhat systems (7.3
>was the last RH system I used) the command is "chkconfig --list" or similar.
>
>
>Portscanning:
>Well one tool I always use for checking my machines is "nmap" (portscanner).
>It can tell me what is listening on my box and lets me know if I left something
>running that was unneeded.
>
>To scan a machine quickly for open ports use commands like the following (read
>the man page on nmap for its myriad list of options):
>
>nmap localhost
>My machine shows this:
>Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-01-09 10:13 EST
>Interesting ports on localhost (127.0.0.1):
>(The 1650 ports scanned but not shown below are in state: closed)
>PORT STATE SERVICE
>22/tcp open ssh
>53/tcp open domain
>111/tcp open rpcbind
>139/tcp open netbios-ssn
>445/tcp open microsoft-ds
>631/tcp open ipp
>650/tcp open unknown
>953/tcp open rndc
>2049/tcp open nfs
>32770/tcp open sometimes-rpc3
>
>Things to note: that line above that says "The 1650 ports scanned..." means
>nmap only scanned a subset of all possible ports. By default it scans
>"popular" port numbers. If you had a backdoor installed it's likely to be
>listening on a high unregistered port number that nmap might MISS on a default
>scan.
>To do a thorough (and somewhat time consuming) scan run:
>nmap localhost -p 1-65535
>On my box this shows a couple more entries:
>Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-01-09 10:24 EST
>Interesting ports on localhost (127.0.0.1):
>(The 65523 ports scanned but not shown below are in state: closed)
>PORT STATE SERVICE
>22/tcp open ssh
>53/tcp open domain
>111/tcp open rpcbind
>139/tcp open netbios-ssn
>445/tcp open microsoft-ds
>631/tcp open ipp
>650/tcp open unknown
>953/tcp open rndc
>2049/tcp open nfs
>3632/tcp open unknown
>32769/tcp open unknown
>32770/tcp open sometimes-rpc3
>
>Nmap run completed -- 1 IP address (1 host up) scanned in 5.434 seconds
>Two new entries came up:
>3632/tcp open unknown
>32769/tcp open unknown
>
>The unknown part comes from nmap, it has a database of what ports are used
>by what services and if there's no match it uses unknown. Now to find out
>what it is that is listening we need to use a different command:
>
>run "netstat -lp |less" AS ROOT. It helps if you do this in X windows and
>widen your terminal so that it doesn't wrap (easier to read)
>
>tcp 0 0 *:3632 *:* LISTEN 8175/distccd
>udp 0 0 *:32769 *:* 8507/rpc.statd
>
>So those two extra processes are just distccd (distributed C compiler daemon)
>and rpc.statd (part of NFS)
>
>By using a combination of nmap on both your internal and external addresses you
>can see what is running and what you are exposing to the outside world that you
>probably shouldn't be...
>
>I have SSH, DNS, Portmap (for nfs), SAMBA, CUPS, and NFS services running
>
>When I scan my machine from the internet I get a completely different set of
>results:
>nmap mymachine.com (hostname changed to protect the innocent)
>
>=====
>Dave J. Andruczyk
>
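As an added example (not part of Dave's message or anything else in this thread), here is a small Python script that automates the correlation step Dave does by hand: it joins an nmap port listing with "netstat -lp" output so every port nmap reports as "unknown" is resolved to the program behind it, and flags anything listening on all interfaces that is not on a short allow list. The two sample listings are constructed to match the shape of the output quoted above (port numbers and PIDs are made up), and treating sshd as the only program meant to be reachable is an assumption that mirrors Dave's own setup.

```python
import re

# Constructed sample listings in the shape of the nmap 3.55 and "netstat -lp"
# output quoted in the message; the values are made up for illustration.
NMAP_FULL_SCAN = """\
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
3632/tcp open unknown
32769/tcp open unknown
"""
NETSTAT_LP = """\
tcp 0 0 *:22 *:* LISTEN 1201/sshd
tcp 0 0 *:111 *:* LISTEN 1102/portmap
tcp 0 0 localhost:631 *:* LISTEN 1450/cupsd
tcp 0 0 *:3632 *:* LISTEN 8175/distccd
tcp 0 0 *:32769 *:* LISTEN 8507/rpc.statd
"""
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)$")
NETSTAT_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?\d+/(\S+)$")

def parse_nmap(text):
    """Map (port, proto) -> service name for every line nmap reports open."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports

def parse_netstat(text):
    """Map (port, proto) -> (bind address, program) from netstat -lp lines."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            sockets[(int(m.group(3)), m.group(1))] = (m.group(2), m.group(4))
    return sockets

def audit(nmap_text, netstat_text, allowed=("sshd",)):
    """Join both listings: 'ok' = allowed program, 'local-only' = bound to loopback, else 'review'."""
    sockets = parse_netstat(netstat_text)
    report = []
    for (port, proto), service in sorted(parse_nmap(nmap_text).items()):
        addr, program = sockets.get((port, proto), ("?", "unknown"))
        verdict = ("ok" if program in allowed else
                   "local-only" if addr in ("localhost", "127.0.0.1") else "review")
        report.append(dict(port=port, proto=proto, nmap=service, program=program, verdict=verdict))
    return report
```

Call audit(NMAP_FULL_SCAN, NETSTAT_LP) to get one row per open port; on a real box feed it the output of "nmap localhost -p 1-65535" and "netstat -lp" run as root, and remember that a port bound to localhost shows as open in a local scan but is not what the internet sees.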