Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
I've been reading up on securing ssh a little more (our server at work was hacked since a machine somewhere on the shared network had a trojan so now I've got to secure the machine better). I have read this post: http://www.linuxquestions.org/questi...=340366&page=3 and it contains mostly scripts and things to actively lock things up. I have some general questions about the hosts.allow and hosts.deny files.
I thought I had the format of hosts.deny right (from following the thread I mentioned) by using the following:
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
but it would seem that something isn't right since /var/log/messages contains the following
Feb 26 15:06:32 rhserver sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.127.116.11
Feb 26 15:06:35 rhserver sshd: warning: /etc/hosts.deny, line 10: can't verify hostname: getaddrinfo(hosting-35.120.rev.fr.colt.net, AF_INET) failed
Feb 26 15:06:35 rhserver sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=18.104.22.168 user=root
Feb 26 15:06:38 rhserver sshd: warning: /etc/hosts.deny, line 10: can't verify hostname: getaddrinfo(hosting-35.120.rev.fr.colt.net, AF_INET) failed
Feb 26 15:06:39 rhserver sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.214.171.124 user=guest
Feb 26 15:06:41 rhserver sshd: warning: /etc/hosts.deny, line 10: can't verify hostname: getaddrinfo(hosting-35.120.rev.fr.colt.net, AF_INET) failed
Feb 26 15:06:42 rhserver sshd(pam_unix): check pass; user unknown
Feb 26 15:06:42 rhserver sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=126.96.36.199
Feb 26 15:06:44 rhserver sshd: warning: /etc/hosts.deny, line 10: can't verify hostname: getaddrinfo(hosting-35.120.rev.fr.colt.net, AF_INET) failed
What did I miss to have it not deny the attempt alltogether?
Ultimately I'd like to ONLY consider local network connections from 192.168.5.0/24 and from the "dynamic" but never changing ip address that my router at home. Every attempt I've made at putting these into the hosts.allow file has ended up with a lot of lines in /var/log/messages about missing colons and such. If someone could give me an example of how I should put these into the file, it would be greatly appreciated.
Yes, I'm also reading up on iptables...I've had some recommendations to use webmin and shorewall...so I've got my reading to do on them. I've got both installed on a test machine and I can configure shorewall via webmin but it's the shorewall details that I've got to learn. This is a thread for another day...
SSHD: 192.168.5.0/24 hostname.isp.net
So your setup would basically be "that which isn't specifically allowed in host.allow is implicitly denied"
...this is what I want to do. Thanks.  how to I find a hostname (for "hostname.isp.net") if it's just a simple USR wireless router? I guess if it's always turned on and the ip address doesn't renew that I can just use an ip address...[/edit]
I'll also be looking into the allowusers and allowgroups to see if I can get it working with my users....aside from root the only users on the machine are imported with getent from a windows domain. Trying to log in with there uses is always denied and I eventually want the root to only be able to log in locally.
I think I'll have to add a couple non-ads users for maintenance and give them ssh login access. About a week ago we found out the hard way that there's a backdoor onto our network (we share an internet connection with 2 other companies in the building) and someone has a trojan or something, somewhere that is allowing people onto the network. Over the weekend someone brute-forced their way into the root account, added a couple users, dropped off a script and set it up to deny local logins...come monday we were in trouble. Luckily /home and all our data was on different drives so it didn't take long to wipe and start over but it's pretty annoying to feel powerless when stuff is going on. For now I've shut down ssh completely until I get a chance to make all the necessary changes.
This is a file server, connected to and ads domain and has encrypted passwords enabled....I suppose if someone can make it this far they can brute-force their way through a samba password too? For samba I DEFINATELY only want local network access. Let me guess:
Over the weekend someone brute-forced their way into the root account, added a couple users, dropped off a script and set it up to deny local logins...come monday we were in trouble.
I hope that you've reset any passwords that were shared with other machines.
Luckily /home and all our data was on different drives so it didn't take long to wipe and start over but it's pretty annoying to feel powerless when stuff is going on.
Make sure that you've scanned it with some kind of AV to be (relatively) sure that is clean of malware.
I suppose if someone can make it this far they can brute-force their way through a samba password too? For samba I DEFINATELY only want local network access.
Definitely, there are a number of SMB bruteforcing tools that work like Hydra, plus in general SMB isn't really designed to be a hardened internet-facing service.
Let me guess:
add to /etc/hosts.deny
and add to /etc/hosts.allow
I believe it would technically be smbd, but offhand I'm not sure whether Samba has built-in support for tcp_wrappers (aka /etc/hosts.allow/deny). That's a real gotcha with using tcp wrappers where you need to be careful. Not all applications have support built-in, so not all applications can be protected by putting entries in hosts.allow. Of course you won't get any errors as the file is parsed which can leave you falsely believing you're secure. To check, run the following as root:
ldd /path/to/smbd | grep libwrap.so
If that doesn't produce any output, then look at /etc/xinetd.d and /etc/xinetd.conf for smbd entries. If there aren't any, then likely it doesn't support tcp_wrappers.
I'll concur with some of the others; tcp_wrappers is a very handy mechanism, but it would be better to filter traffic to these ports using iptables (particularly when you are doing this for numerous services, some of which may not have tcp_wrappers support built in).
That way you don't show up on portscans and you block access attempts at the netfilter level. (Yes, in practice the two methods will probably achieve the same results, but that's my opinion.)
I know about clamav...but have never done a full system scan with it or anything. I haven't installed it on this machine yet.
Like I said, I want to do iptables but have my other hat that I wear in the office that I need to wear most of the time. I have been setting up a machine with 2nic cards and am hoping to place it between our network switch and the other switches/router that make up the infrastructure of the building. This way I'm sure that our network is our problem and shouldn't have to deal with whatever implicit/explicit weaknesses the other companies have in their setups.
Could anyone suggest a newbie friendly distro for a router box, preferably something with a good web gui to get things going quickly? I've heard of ipcop and a couple others. This router box of ours, it's a 1Ghz xeon w/ 512MB RAM and I'd like to have a total 3nics. One for our network, one going to the building infrastructure and possibly a third going to the dmz of the building router...my boss has asked if I could set something up to allow our offsite employees to get access to our scalix calendering/email server and to ftp files...we can be many timezones apart and phoning someone to email something isn't always an option. Anyway, I've got some reading to do...
IPCop and Smoothwall are 2 of the more popular "router-in-box" type distros and are pretty easy to get up and working if you have a fairly standard network structure and don't need to do complex filtering/NAT (GUIs tend to choke when it comes to the more complex iptables functions). I'd highly recommend installing it on a test network first and getting comfortable with it before deploying it live.
Most other distros usually offer a stripped-down install option that leaves off most of the non-necessary software packages and is suitable for deploying as a router/firewall as well. If you have any questions about getting a iptables firewall written, feel free to post a new thread.