LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-11-2009, 03:18 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Rep: Reputation: 30
how exactly does someone hack in through a port


You hear about hacking but I'm not exactly sure how someone could hack into a server via a port.
For example, someone hacks into apache through port 80 - does that somehow leave my entire server at risk if they can get to root or would they be locked into the apache environment only?
 
Old 08-11-2009, 03:35 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
It depends how the system is set up, and what your system is vulnerable to. This is the sort of thing that SELinux is aimed at, where the kernel monitors what a process is trying to do, and judges whether it's the sort of thing that it should permit. Hope you're still running it.
 
Old 08-11-2009, 03:49 PM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by acid_kewpie View Post
It depends how the system is set up, and what your system is vulnerable to. This is the sort of thing that SELinux is aimed at, where the kernel monitors what a process is trying to do, and judges whether it's the sort of thing that it should permit. Hope you're still running it.
To be honest, I'm not sure. I have it on my distro but not exactly sure what it monitors - I'll read some guides but is it a simple case of yum install selinux?

Say my port 80 was open and someone hacked in to apache, what risk is there of getting into root. I assume php safe mode is on and apache has standard install settings for all the folders.
 
Old 08-11-2009, 03:59 PM   #4
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,085

Rep: Reputation: 398Reputation: 398Reputation: 398Reputation: 398
Quote:
I assume php safe mode is on......
Never make assumptions.
 
Old 08-11-2009, 04:00 PM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by tredegar View Post
Never make assumptions.
It is, what I meant to say was if it is on, then how else could a port be used to hack in?
 
Old 08-11-2009, 04:18 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
by finding a bug in safe mode.

SELinux is there by default on CentOS, shold be fully enabled by default. run system-config-securitylevel (or just -security..?) or getenforce to check. This is a great example of something that can be very painful to live with, with administrators having to spend a lot of time teaching the system what is not a hack attempt etc. So most people just turn it off.
 
Old 08-11-2009, 04:22 PM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by acid_kewpie View Post
by finding a bug in safe mode.

SELinux is there by default on CentOS, shold be fully enabled by default. run system-config-securitylevel (or just -security..?) or getenforce to check. This is a great example of something that can be very painful to live with, with administrators having to spend a lot of time teaching the system what is not a hack attempt etc. So most people just turn it off.
getenforce says disabled

vi /etc/sysconfig/system-config-securitylevel
says:
--enabled
--port:22 tcp
 
Old 08-11-2009, 04:32 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
you're looking at the firewall tab for that port 22 entry. Anyway though, this wasn't a thread about SELinux, so I'll leave that for now.
 
Old 08-11-2009, 04:47 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533
I think by now the question you should ask is "How do I assess the security posture of my machine and how do I harden it properly?".
 
Old 08-11-2009, 05:06 PM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
I think by now the question you should ask is "How do I assess the security posture of my machine and how do I harden it properly?".
Well, yes but it's because I'm separating each service into separate questions.
I guess I could say I have the following main services:
apache
ssh
squid

I believe I have taken care of ssh with my firewall settings, passwords, separate IP, non default port number, and logwatch. I could do a lot more but I believe restricting logons to 2 per minute and with a 10+ char&num password should restrcit the chances to negligible.

How do I then check the remaining security implications of having ports 80, 8080, and 3128 open plus apache/squid security implications.
These are by far the most likely ports that someone is going to try to hack in through. The rest are DNS, ICMP, etc.
 
Old 08-11-2009, 05:20 PM   #11
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by qwertyjjj View Post
Well, yes but it's because I'm separating each service into separate questions.
I guess I could say I have the following main services:
apache
ssh
squid

I believe I have taken care of ssh with my firewall settings, passwords, separate IP, non default port number, and logwatch. I could do a lot more but I believe restricting logons to 2 per minute and with a 10+ char&num password should restrcit the chances to negligible.

How do I then check the remaining security implications of having ports 80, 8080, and 3128 open plus apache/squid security implications.
These are by far the most likely ports that someone is going to try to hack in through. The rest are DNS, ICMP, etc.
There are plenty of tools out there that you can use to scan your own systems to see what is vulnerable with one of the best being nessus and its plugins.
But they say the biggest percentage of compromises are in fact results of social engineering, so sometimes it does not even matter how secure your systems are.
 
Old 08-11-2009, 06:27 PM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by centosboy View Post
There are plenty of tools out there that you can use to scan your own systems to see what is vulnerable with one of the best being nessus and its plugins.
including scanning apache and squid config files?
I'll have a look at that download...
Do I install Nessus on the Linux box and also on another computer outside of the network to test its ports plus other stuff?

Quote:
Originally Posted by centosboy View Post
But they say the biggest percentage of compromises are in fact results of social engineering, so sometimes it does not even matter how secure your systems are.
such as?

Last edited by qwertyjjj; 08-11-2009 at 06:30 PM.
 
Old 08-11-2009, 06:31 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533
Quote:
Originally Posted by centosboy View Post
There are plenty of tools out there that you can use to scan your own systems to see what is vulnerable with one of the best being nessus and its plugins.
You're painting half the picture with a very broad brush.


Quote:
Originally Posted by centosboy View Post
But they say the biggest percentage of compromises are in fact results of social engineering, so sometimes it does not even matter how secure your systems are.
Cool! Who are "they"? And where do "they" say that? Pointers welcome.
 
Old 08-11-2009, 06:40 PM   #14
joeBuffer
Member
 
Registered: Jul 2009
Distribution: Ubuntu 9.04
Posts: 328

Rep: Reputation: 42
Social engineering isn't hacking or cracking.
 
Old 08-11-2009, 06:45 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533
Quote:
Originally Posted by qwertyjjj View Post
I believe I have taken care of ssh with my firewall settings, passwords, separate IP, non default port number, and logwatch. I could do a lot more but I believe restricting logons to 2 per minute and with a 10+ char&num password should restrcit the chances to negligible.
Do you still log in over SSH as root user?
Do you use fail2ban or an equivalent (Failed SSH logins sticky)?
Why don't you use SSH pubkey auth?

What does Apache provide?
If it's PHP-based (and else too) did you ever invest time reading about security implications and the products docs or generic HOWTO's about securing it?
Does Apache have mod_security loaded?

What is Squid used for?
Does Squid have ACLs loaded?

For all available services, does your firewall provide rate limiting, blocking fragments and other unwanted traffic?


Quote:
Originally Posted by qwertyjjj View Post
These are by far the most likely ports that someone is going to try to hack in through.
As far as scanning for ports with no access restrictions goes OK but saying "by far the most likely" is just making assumptions. Hardening your machine is more than just scanning for open ports with Nmap, Nessus or whatever else. I know it's in need of revamping but check out the LQ FAQ: Security references (or better: the cleaned version at http://rkhunter.wiki.sourceforge.net/SECREF).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
well... i have no choice but to hack through the usb port patch pyenos Linux - Hardware 0 03-04-2005 04:50 AM
help with my first hack? oldstinkyfish Programming 1 11-13-2004 07:03 AM
is it possible to hack telneting at port 25? sagun_newbie Linux - Security 4 07-18-2004 07:55 PM
got hack? deepsix Linux - Software 1 09-16-2003 10:41 PM
Hack Hack anoop_chandran Linux - General 9 12-07-2001 11:38 PM


All times are GMT -5. The time now is 07:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration