Security

Dave Andruczyk djandruczyk at yahoo.com
Sun Jan 9 10:37:04 EST 2005


--- Advent Systems <adventsystems at verizon.net> wrote:

> Cyber Source & Dave Andruczyk,
>     Just want you guys to know I'm not some asshole because of all the help
> re: small network and I did not reply or thank you sooner BUT none of
> that matters now.  You see, on the 1st I believe my system was cracked,
> broken into, whatever you want to call it.  I'm not sure because in
> 15-18 years of using computers I haven't had as much as a virus
> (well, maybe 1-2).  All I know is the day before I was updating my system
> via apt-get and it kept getting "stuck" at some site in ca. called slug
> something.  I ......you know what, this is not the purpose of this
> email.  If anyone wants all the particulars email me off the list.
>  

 Getting "cracked" (it's not "hacked", the media keeps using the wrong terms) is
never fun.  I've had it happen to myself and to servers I've managed early in
my career, before I learned some of the finer points of securing a system.

 
>     What are the BARE min. services and ports that need to be running,
> and what do you FC2 guys do to keep the average jerk out of your systems?
> (I know there's nothing that can be done against a smart, concentrated attack.)
>     As far as the small network goes I can't even think about taking my
> machine off the windows network until I learn and understand Linux security.
>

What you need to keep running depends on what you use the system for, i.e. is
it a single machine for yourself, or a server for a group of machines?  Is it
behind a firewall, or is it acting as a firewall?  Does it require outside
access from the internet at all, i.e. does it provide web/dns/ssh/telnet/ftp/mail
services to the untrusted (internet) side?

My home machine only needs to provide ssh to the internet (so I can login from
remote), so that means I leave SSH enabled but turn off ftp, telnet or any
other connection method that passes passwords in cleartext.  I use a hardware
firewall, the best $69.00 I've ever spent (a Linksys WRT54G running the
enhanced linux firmware).  A hardware firewall is in my opinion the better way
to go than using your desktop machine as a firewall.  The #1 reason being that
the firewall is CHEAPER and simpler to use for 99% of the users out there.  For
those 1% who are doing some weird things, they are probably skilled enough to
know how to handle potential security concerns.

Services that you may be able to shut down:
- httpd (unless you are a webserver; adelphia doesn't let you do this on a
residential account, so turn it off)
- telnet (this is clear text logins; SSH is more secure, use that if you need
it), so turn telnet off
- sendmail/postfix/qmail.  Mail daemon for RECEIVING mail as a mailserver.  If
you use a mail client like kmail or webmail (yahoo/gmail/hotmail) then this
does NOT need to be running
- nfs* (nfsmount/lock/etc).  These do NOT need to be turned on if you are NOT
using NFS to share files on your internal network.  In my personal case I have
these enabled, but the firewall blocks everything except SSH so it's shielded
from the internet
- xinetd/inetd.  This is the inetd superserver that spawns programs based on
connections to certain ports.  For 99% of users these services are disabled as
they provide things that are either unneeded or insecure.  The config files are
either /etc/inetd.conf or /etc/xinetd.conf and /etc/xinetd.d/*
- cups.  Printserver daemon.  If you don't have a printer, turn this off; if
you do have a printer and you use it, turn this on, but edit your
/etc/cups/cups.conf file to prevent access from the internet.  (In my gentoo
setup it's preconfigured to allow connections from the local host only and
nothing else; other distros may vary on their config.)  Running a portscan will
show you if it's listening or not though.
- samba, windows fileserving.  If you don't serve files, turn it off; if you
do, you can enable it but make use of the "interfaces =" config option for
/etc/samba/smb.conf.  Read the man page on smb.conf (man smb.conf) to know what
that option will do.
- ssh.  Enable it if you want to login from remote, disable it if you don't.

There are other services that have slipped my mind, but you will be able to
catch them with portscanning below.  On gentoo systems you can see what you
have enabled to start by running "rc-update show" as root and it'll show all
services and what runlevel they start up in.  I believe on Red Hat systems (7.3
was the last RH system I used) the command is "chkconfig --list" or similar.


Portscanning:
Well, one tool I always use for checking my machines is "nmap" (portscanner).
It can tell me what is listening on my box and lets me know if I left something
running that was unneeded.

To scan a machine quickly for open ports use commands like the following (read
the man page on nmap for its myriad list of options)

nmap localhost  
My machine shows this:
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-01-09 10:13 EST
Interesting ports on localhost (127.0.0.1):
(The 1650 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
650/tcp   open  unknown
953/tcp   open  rndc
2049/tcp  open  nfs
32770/tcp open  sometimes-rpc3

Things to note: that line above that says "The 1650 ports scanned..." means
nmap scanned only a subset of all possible ports.  By default it scans
"popular" port numbers.  If you had a backdoor installed it's likely to be
listening on a high unregistered port number that nmap might MISS on a default
scan.
To do a thorough (and somewhat time-consuming) scan run:
nmap localhost -p 1-65535
On my box this shows a couple more entries:
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-01-09 10:24 EST
Interesting ports on localhost (127.0.0.1):
(The 65523 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
650/tcp   open  unknown
953/tcp   open  rndc
2049/tcp  open  nfs
3632/tcp  open  unknown
32769/tcp open  unknown
32770/tcp open  sometimes-rpc3

Nmap run completed -- 1 IP address (1 host up) scanned in 5.434 seconds
Two new entries came up:
3632/tcp  open  unknown
32769/tcp open  unknown

The "unknown" part comes from nmap; it has a database of what ports are used by
what services, and if there's no match it uses "unknown".  Now to find out
what it is that is listening we need to use a different command:

Run "netstat -lp |less" AS ROOT.  It helps if you do this in X Windows and
widen your terminal so that it doesn't wrap (easier to read).

tcp        0      0 *:3632       *:*         LISTEN      8175/distccd 
udp        0      0 *:32769      *:*                     8507/rpc.statd 

So those two extra processes are just distccd (distributed C compiler daemon)
and rpc.statd (part of NFS)

By using a combination of nmap on both your internal and external addresses you
can see what is running and what you are exposing to the outside world that you
probably shouldn't be...



I have SSH, DNS, Portmap (for nfs), SAMBA, CUPS, and NFS services running 

When I scan my machine from the internet I get a completely different set of
results:
nmap mymachine.com (hostname changed to protect the innocent)

 

=====
Dave J. Andruczyk
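The scan-then-resolve procedure described in the message above (default nmap scan, full 1-65535 scan, then "netstat -lp" as root to find the process behind each unexpected port, and finally comparing what is listening against what you actually mean to expose), written out as an added shell example. This is not code from the original message or from nmap/netstat; the scan and netstat text embedded in the script is constructed sample data modelled on the output format shown in the post, and the PIDs, program names, allowlist and function names are assumptions. One practical difference from the post: it feeds netstat the -n flag, so ports stay numeric instead of being resolved to names from /etc/services, which keeps them matchable against nmap's port/proto entries.

```shell
#!/bin/sh
# Added example (not from the original post): automate the post's procedure of
# comparing a default nmap scan against a full 1-65535 scan, mapping every open
# port to the process behind it using `netstat -lnp` output, and flagging each
# listener that is not on an allowlist of services you deliberately expose.
#
# DEFAULT_SCAN, FULL_SCAN and NETSTAT are CONSTRUCTED sample data in the
# output format of nmap 3.x and net-tools netstat; PIDs and program names are
# assumptions.  On a real host capture the real thing instead:
#   nmap localhost > default.txt ; nmap -p 1-65535 localhost > full.txt
#   netstat -lnp > netstat.txt       # as root; -n keeps ports numeric

DEFAULT_SCAN='Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-01-09 10:13 EST
Interesting ports on localhost (127.0.0.1):
(The 1650 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
631/tcp   open  ipp
2049/tcp  open  nfs
32770/tcp open  sometimes-rpc3'

FULL_SCAN='Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-01-09 10:24 EST
Interesting ports on localhost (127.0.0.1):
(The 65523 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
631/tcp   open  ipp
2049/tcp  open  nfs
3632/tcp  open  unknown
32769/tcp open  unknown
32770/tcp open  sometimes-rpc3'

# Constructed `netstat -lnp` output; "-" is what netstat prints when it cannot
# attribute a socket to a process (kernel-space nfsd, or not run as root).
NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  812/sshd
tcp        0      0 0.0.0.0:111     0.0.0.0:*        LISTEN  640/portmap
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  901/cupsd
tcp        0      0 0.0.0.0:2049    0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:3632    0.0.0.0:*        LISTEN  8175/distccd
tcp        0      0 0.0.0.0:32769   0.0.0.0:*        LISTEN  8507/rpc.statd
tcp        0      0 0.0.0.0:32770   0.0.0.0:*        LISTEN  8507/rpc.statd
udp        0      0 0.0.0.0:32769   0.0.0.0:*                8507/rpc.statd'

# open_ports SCAN_TEXT -> the port/proto entries nmap reports as open, sorted numerically.
open_ports() {
    printf '%s\n' "$1" |
    awk '$2 == "open" && $1 ~ "^[0-9]+/(tcp|udp)$" { print $1 }' |
    sort -t/ -k1,1n
}

# new_ports SCAN_A SCAN_B -> ports open in SCAN_B that SCAN_A did not report.
# Works for default-vs-full scans and equally for an internal-vs-external scan
# (what the firewall really lets through).
new_ports() {
    { open_ports "$1" | sed 's/^/A /'; open_ports "$2" | sed 's/^/B /'; } |
    awk '$1 == "A" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# resolve_port PORT/PROTO NETSTAT_TEXT -> PID/program listening on that port,
# "-" if netstat could not attribute it, "?" if nothing is listening there.
resolve_port() {
    rp_port=${1%/*}
    rp_proto=${1#*/}
    printf '%s\n' "$2" |
    awk -v port="$rp_port" -v proto="$rp_proto" '
        $1 == proto && $4 ~ (":" port "$") { print $NF; found = 1; exit }
        END { if (!found) print "?" }'
}

# audit SCAN_TEXT NETSTAT_TEXT "prog1 prog2 ..." -> one line per open port:
# "port/proto PID/program OK|REVIEW".  OK means the program is on the allowlist
# of services you intend to run; everything else (including unattributed
# listeners) is REVIEW, i.e. shut it down or block it at the firewall.
audit() {
    for au_p in $(open_ports "$1"); do
        au_prog=$(resolve_port "$au_p" "$2")
        au_name=${au_prog#*/}                     # strip the "PID/" prefix
        case " $3 " in
            *" $au_name "*) au_verdict=OK ;;
            *)              au_verdict=REVIEW ;;
        esac
        printf '%s %s %s\n' "$au_p" "$au_prog" "$au_verdict"
    done
}

# Stand-alone run: what the default scan missed, then who owns every listener.
echo "Ports the default scan missed:"
new_ports "$DEFAULT_SCAN" "$FULL_SCAN"
echo
echo "Listener audit (allowlist: sshd):"
audit "$FULL_SCAN" "$NETSTAT" "sshd"
```

On the constructed data new_ports reports 3632/tcp and 32769/tcp, the two entries the default scan skipped, and the audit attributes them to distccd and rpc.statd. The 2049/tcp listener comes back as "-" and is deliberately left as REVIEW rather than silently accepted: an unattributed socket is exactly the case where you want to confirm it is the kernel nfs server and not something else.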


		
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail 



More information about the nflug mailing list