LinuxQuestions.org
#1  ParanoiaUser (LQ Newbie, original poster)  06-29-2013, 11:40 PM
How can someone hack into a Linux server?

Hi!

I have a Debian Linux VPS and I am wondering how someone would be able to hack into it, in what ways?

I've asked a more knowledgeable friend and he said the only way someone would be able to get into my VPS is via FTP or SSH. Are there some other ways someone can enter my machine?

I have extremely strong passwords for all the accounts enabled and use fail2ban as well to ban SSH and FTP attackers.

I don't use Apache, MySQL or email accounts, and I update the server as often as possible.

Would appreciate it if some of you guys could tell me in what ways my machine can be compromised.

Thanks.
 
#2  pingu (Senior Member)  06-30-2013, 05:07 AM
Your friend might be right, let's check a few things:
* What firewall do you have, separate or built-in/iptables?
* How is firewall configured, what ports are open IN & OUT?
* What accounts do you have - 2 kinds:
1) Service accounts that might go out like ntp
2) User accounts - any other users have access?

Basically, there are 2 ways to hack a server:
1) Pure 'hacking' - password cracking, sql injections etc
2) 'Social' hacking - like "who has an account, let's see what we can get him to do!"

--- Adding
A few more things:
You have FTP and SSH enabled.
How are these services configured?
To start with:
Are FTP-users chrooted?
SSH should only be for admins, not for common users and no root login.
Do you allow SSH to get SFTP for users, if so how is that configured?

Last edited by pingu; 06-30-2013 at 05:10 AM. Reason: Adding
 
#3  ParanoiaUser (LQ Newbie, original poster)  06-30-2013, 06:51 AM
Thanks for the reply!
First off, I would like to say that I am very new to Linux and I have close to no knowledge about it, so please bear with me.
Quote:
* What firewall do you have, separate or built-in/iptables?
* How is firewall configured, what ports are open IN & OUT?
I use the built-in iptables that came with my Debian install, but I have not modified any settings or rules in it.
I've run netstat -nlp to view the open ports; this is what came back:
Code:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      829/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12087/lighttpd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1121/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      12041/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1344/exim4
tcp        0      0 0.0.0.0:34593           0.0.0.0:*               LISTEN      841/rpc.statd
tcp        0      0 SERVER.IP:27015      0.0.0.0:*               LISTEN      23021/srcds_linux
tcp6       0      0 :::80                   :::*                    LISTEN      12087/lighttpd
tcp6       0      0 :::22                   :::*                    LISTEN      12041/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1344/exim4
udp        0      0 0.0.0.0:37691           0.0.0.0:*                           841/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           829/portmap
udp        0      0 0.0.0.0:1017            0.0.0.0:*                           841/rpc.statd
udp        0      0 SERVER.IP:27005      0.0.0.0:*                           23021/srcds_linux
udp        0      0 SERVER.IP:27015      0.0.0.0:*                           23021/srcds_linux
udp        0      0 SERVER.IP:27020      0.0.0.0:*                           23021/srcds_linux
udp        0      0 SERVER.IP:26901      0.0.0.0:*                           23021/srcds_linux
Quote:
* What accounts do you have - 2 kinds:
1) Service accounts that might go out like ntp
2) User accounts - any other users have access?
I am the only user who has access to this server and I have the following accounts enabled: root, 1user, www-data.
Found this out by looking into /etc/shadow. By the way, accounts listed there with * and ! tags are disabled and cannot log in, right?
Quote:
You have FTP and SSH enabled.
How are these services configured?
To start with:
Are FTP-users chrooted?
SSH should only be for admins, not for common users and no root login.
Do you allow SSH to get SFTP for users, if so how is that configured?
I honestly have no idea how they are configured, but I will gladly take a look if you tell me where; a friend set up the server for me.
I don't think chroot would have a big impact in my case because I will be the only user of this machine. As for SFTP, I don't think I use that, I use normal FTP.
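Reading the listing above, the security-relevant question is not which ports are open but which sockets are bound to an address a remote host can reach (0.0.0.0, ::, or the VPS's public IP) rather than to loopback only (127.0.0.1, ::1). The shell helper below makes that split; it is an added example, not something posted in the thread. The sample listing is a constructed copy of ParanoiaUser's netstat output, with SERVER.IP left as a placeholder just as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): split a `netstat -nlp` listing into
# sockets reachable from the network and sockets bound to loopback only.

# Constructed sample: a copy of the listing posted in the thread, with
# SERVER.IP standing in for the real public address as it does in the post.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      829/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12087/lighttpd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1121/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      12041/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1344/exim4
tcp        0      0 0.0.0.0:34593           0.0.0.0:*               LISTEN      841/rpc.statd
tcp        0      0 SERVER.IP:27015         0.0.0.0:*               LISTEN      23021/srcds_linux
tcp6       0      0 :::80                   :::*                    LISTEN      12087/lighttpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1344/exim4
udp        0      0 0.0.0.0:37691           0.0.0.0:*                           841/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           829/portmap
udp        0      0 SERVER.IP:27015         0.0.0.0:*                           23021/srcds_linux'

# exposed_listeners: read netstat -nlp text on stdin and print
# "proto port program" for every socket NOT bound to 127.0.0.1 or ::1.
# Wildcard binds (0.0.0.0, ::) and the public address are all reachable.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "::1") next
        # tcp lines carry a State column, udp lines do not
        prog = ($1 ~ /^tcp/) ? $7 : $6
        split(prog, pp, "/")          # "829/portmap" -> pid, program name
        print $1, port, pp[2]
    }'
}

# sample_exposed: the helper applied to the constructed listing above.
sample_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}

# live_exposed: the same check on the running system (run as root so that
# netstat can show program names).
live_exposed() {
    netstat -nlp 2>/dev/null | exposed_listeners
}
```

In the sample, exim4 drops out because it listens on 127.0.0.1 and ::1 only, so no remote host can talk to it, while portmap and the two rpc.statd ports stay in the list. Those rpc.statd ports are allocated at boot and change each time, which is why a static iptables rule for port 111 alone does not cover the NFS leftovers; if NFS is not used, removing the packages that provide portmap and rpc.statd is the cleaner fix. On newer systems where netstat is gone, `ss -lntup` gives the same information but with different columns, so the awk field numbers would need adjusting.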
 
#4  pingu (Senior Member)  06-30-2013, 07:27 AM
Ok, let's see now:
1) You have port 80 open and a user 'www-data'. This tells me you have apache installed, possibly running. You said you don't use it so remove it.

2) You are the only user - good, makes it easier. And no need for chroot then, correct.
One suggestion: remove FTP and use only SFTP/scp. There are lots of ftp-clients that can use SFTP, such as Filezilla.
Benefits: you remove one service, and your connections are more secure.

3) When that is done, go through your firewall rules.
I suggest you get a gui/tui-app to assist you as configuring iptables via cli is a bit tricky for a newbie. I haven't used any myself so unfortunately can't name any.

4) SSHD: Make sure root login is disabled, there's a setting "PermitRootLogin" in /etc/ssh/sshd_config, set it to "No".
You could also change the port for ssh. It will reduce the amount of "attacks" - it won't help against a determined attack but stops a lot of automated simple attacks.
Another thing to consider is that you can allow ssh login only for your user. That also makes system a tiny bit safer.
You can set it directly in /etc/ssh/sshd_config IIRC.

Now for the services to remove, you could simply uninstall them.
If you feel you want to keep them for now then just make sure they don't start automatically.
How - well, here's a little for you to investigate! ;-) If you run a desktop you probably have some configuration applications in the menu - again, never used that, all my servers are cli only.

You have port 111 open which you probably don't need. Close it - it is a security risk!
There are a few other ports I don't know about - 1017, 34593, 37691

Please post output of "iptables -L" it will show the current firewall rules.

As for accounts, accounts listed with * and ! tags cannot log in, that's right.
Also accounts in /etc/passwd with a false shell, like /bin/false, /usr/sbin/nologin etc.
 
#5  ParanoiaUser (LQ Newbie, original poster)  06-30-2013, 08:33 AM
Quote:
Originally Posted by pingu (post #4 above, quoted in full)
1) I do not use Apache BUT I do use lighttpd

I am not running a desktop version, all command line.

Should I close port 111 using iptables? Not really sure if there is another way. I'll probably close port 25 as well; I don't have any email services set up.

As for the other open ports you've mentioned, I see they are rpc.statd related, by looking at the previous log at least. After doing a bit of googling I came up with this:
Code:
DESCRIPTION

The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. This service is somewhat misnomed, since it doesn't actually provide active monitoring as one might suspect; instead, NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots.
I am thinking maybe it came from my VPS provider preinstalled, I am not really sure.

4) If I disable root SSH login, how will I be able to run commands such as apt-get upgrade or other root-only commands?

Here is the iptables -L output you requested:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-vsftpd  tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  A lot of banned IP's  anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Last edited by ParanoiaUser; 06-30-2013 at 08:39 AM.
 
#6  grzesiek (LQ Newbie)  06-30-2013, 03:26 PM
Quote:
Originally Posted by ParanoiaUser (post #5)
4) If I disable root SSH login, how will I be able to run commands such as apt-get upgrade or other root-only commands?
[iptables -L output from post #5, quoted above]
First you log in as a normal user, then you log in as root. Better if you use group 'wheel'.
You have INPUT set to accept, which is very bad.

Last edited by grzesiek; 06-30-2013 at 03:30 PM. Reason: bug
 
#7  pingu (Senior Member)  06-30-2013, 04:53 PM
Quote:
Originally Posted by ParanoiaUser (post #5)
1) I do not use Apache BUT I do use lighttpd
...
Should I close port 111 using iptables? Not really sure if there is another way. I'll probably close port 25 as well; I don't have any email services set up.
As for the other open ports you've mentioned, I see they are rpc.statd related, by looking at the previous log at least. After doing a bit of googling I came up with this
I am thinking maybe it came from my VPS provider preinstalled, I am not really sure.

4) If I disable root SSH login, how will I be able to run commands such as apt-get upgrade or other root-only commands?

Here is the iptables -L output you requested:
Lighttpd: Sorry, my mistake. I read "webserver" where you wrote "apache".
So what do you use lighttpd for? If it's publicly accessible then this is your primary concern.
You need to secure it tightly; we can discuss this later when we know what web services you're running.

About "disable root SSH login"
It's as grzesiek says, let me just give some more detail:
You log in as your user, then use 'su' to issue a command with root privileges.
You can also switch user permanently to root in the terminal with 'su -' or 'sudo -i' (which to use depends on whether the system uses sudo or not. Ubuntu does by default; Debian AFAIK lets you choose during installation.)

Firewall rules:
First remove/shut down unneeded services, then close ports with iptables. For instance, it might be that when you shut down vsftpd then as a result port 111 is closed.
But yes, if you want to close unneeded open ports then use iptables in cli.
Now, again grzesiek is right: You have policy ACCEPT which actually means that everything not explicitly denied is allowed. This is not good.
Add INPUT rules to allow ssh & web, also allow related & established connections. Then set policy to DROP.
Before you do that, make sure you have 2 active logins in terminal so you don't accidentally lock yourself out completely.

After that you can change policy to DROP even for outgoing, this is not strictly necessary but gives extra protection.
First you need to allow things like port 53 (DNS), 123 (ntp) and other things you want accessible from inside.
Make this step the last one, and carefully check your servers services some time afterwards so everything works as it shall.
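The default-deny INPUT policy pingu describes, written out as an added example (not pingu's own commands and not from the thread). The rules are generated in iptables-restore format so they can be reviewed as a file and loaded atomically, and the apply step schedules a rollback so a wrong rule on a remote VPS undoes itself. Assumptions made here: the only services to expose are sshd on 22 and lighttpd on 80; the srcds game server ports from the netstat listing are not included and would have to be passed in as well; ROLLBACK_SECS and the /tmp/iptables.before path are names chosen for this example.

```shell
#!/bin/sh
# Added example (not pingu's or the thread's own commands): the default-deny
# INPUT policy described above, emitted in iptables-restore format so it can be
# reviewed as a file and loaded atomically, plus an apply step with a timed
# rollback so a bad rule on a remote VPS undoes itself.
#
# Assumptions for this example: the only inbound services are sshd (22) and
# lighttpd (80); anything else listening, such as the srcds game server ports in
# the netstat listing, must be passed to gen_ruleset or it becomes unreachable.

# gen_ruleset PORT...: print a filter table that accepts loopback traffic,
# replies to connections this host started, ICMP echo, and new TCP connections
# to the given ports. Everything else inbound is dropped by the chain policy,
# the opposite of the "policy ACCEPT" shown in the posted iptables -L output.
gen_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback FILE: save the current rules, load FILE, and restore the
# saved rules after ROLLBACK_SECS (default 120) unless the timer is killed.
# Run it from one ssh session while a second one stays logged in; if the second
# session keeps working, kill the timer and keep the file.
apply_with_rollback() {
    file=$1
    secs=${ROLLBACK_SECS:-120}
    iptables-save > /tmp/iptables.before || return 1
    iptables-restore < "$file" || return 1
    ( sleep "$secs" && iptables-restore < /tmp/iptables.before ) &
    echo "loaded $file; rollback in ${secs}s unless you run: kill $!"
}
```

Typical use: `gen_ruleset 22 80 > /etc/iptables.rules`, read the file, then `apply_with_rollback /etc/iptables.rules` from one session while a second stays logged in. Restart fail2ban afterwards, because iptables-restore replaces the whole table and the fail2ban-* chains with it; fail2ban recreates them on start. The iptables-persistent package reloads a saved rules file at boot. Leave OUTPUT at ACCEPT until the INPUT side has been running for a while, as the post suggests, and only then tighten outbound with DNS and NTP allowed first.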
 
#8  ParanoiaUser (LQ Newbie, original poster)  06-30-2013, 10:54 PM
I really appreciate your help guys !

I have now blocked incoming connections to ports 111 and 25 via iptables and checked via iptables -L, which now has the following lines in it:
Code:
DROP       tcp  --  anywhere             anywhere            tcp dpt:sunrpc
DROP       udp  --  anywhere             anywhere            udp dpt:sunrpc
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp
DROP       udp  --  anywhere             anywhere            udp dpt:25
I use lighttpd to host publicly accessible files online, pingu. Would you like me to have a look at some specific settings in its config?

I would like to ask you guys 2 things before I proceed with them.

1) What risk does having root SSH login enabled present? I am trying to understand why it would be better to have it disabled. If someone manages to get their hands on the password/user of one of my accounts, they will most definitely be able to get their hands on the root password as well, because they are protected the same way (not with the same password, but if they manage to steal one of my user accounts in some way I don't see what would stop them from stealing the root login info the same way). Maybe I am missing something though, that's why I ask.

2) How should I enable SFTP? Do I need to open additional ports or stuff like that also?
 
#9  chrism01 (Guru)  06-30-2013, 11:39 PM
1. ssh root login:
root is a known acct name, so there will be 10000s of automated attacks trying to guess the passwd.
If you use your own login instead, they have to guess your acct name and(!) passwd, then, even if they can do that, still have to guess root's passwd.
Don't use an obvious acct name for yourself eg yourname or similar. Also, do not use an 'alternative' admin type name (like admin...)
Make both your passwd & root's very hard to guess as well.

What you can/should do is set up an ssh auth-key for yourself, instead of using a passwd to login. This makes it impossible to guess the passwd, because you're not using one.
Ideally, do passwd protect the auth-key and ensure only you have access to your client/wkstn.
http://www.techroot.be/linux/openssh...ntication.html

2. sftp and scp are part of the ssh pkg, so should not require any further pkgs and they use the same port (22).
Make sure you enable that port.
You can change the port for ssh/sftp/scp to use, but it only reduces the num of attacks. Most modern auto attacks check all the ports looking for an ssh service; not just 22.
fail2ban is good, but be careful you don't lock yourself out (very unlikely with auth-keys; you don't type them in, so you're unlikely to get it wrong.)
 
#10  ParanoiaUser (LQ Newbie, original poster)  06-30-2013, 11:56 PM
Thanks for the info!

My passwords are very strong, so if they try to get in by guessing, I wish them luck lol.

I have fail2ban set to permanently ban after 2 failed attempts. I have a dynamic IP, so even if I lock myself out I can just reconnect and get a new IP, or log in from my phone and reset the ban.

To give you a general idea of how the passwords on all my accounts look, I have generated 3 new ones with the same rules as an example:
Code:
MY#=Y%v}Be@f"leGbNjg=-C&j%X,AW
&9R^US0o[Ifi*EHk+5Eep%ft-31CMr
ho/-Kw`]tb%R2f)}4#cG=Gw{O.<+ET
I will proceed with switching to SFTP in the following hours. I will not use an auth-key for now though, but thanks for the suggestion! (Seems more complex, and I trust the passwords + fail2ban limiting the login attempts to 2 per IP.)

I will disable root login in the very near future as well.

EDIT: I have tested out SFTP now, works! Will be using only SFTP from now on.

Last edited by ParanoiaUser; 07-01-2013 at 12:04 AM.
 
#11  evo2 (Senior Member)  07-01-2013, 12:01 AM
Hi,

as Chris says, set up public/private key authentication for ssh. You should then explicitly disable password authentication in your /etc/ssh/sshd_config:
Code:
PasswordAuthentication no
otherwise, although you may not be using a password, attackers still can.

Since you don't have physical access to the machine, you should be very careful when doing this so that you don't lock yourself out. E.g. make sure your private key is backed up somewhere safe.

Cheers,

Evo2.
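The sshd_config changes the thread converges on (pingu's PermitRootLogin no and per-user allow list in post #4, chrism01's key-only login in post #9, and evo2's PasswordAuthentication no above) can be checked mechanically before sshd is restarted. The script below is an added example, not from any of the posts. It prints the value sshd will actually use for each keyword, allowing for the fact that sshd honours the first uncommented occurrence of a keyword and ignores later ones, so a hardening line appended to the end of the file can silently lose to an earlier default. Both configs are constructed for the example; 1user is the account name ParanoiaUser listed.

```shell
#!/bin/sh
# Added example (not from any post): check an sshd_config against the settings
# this thread recommends and validate it before restarting sshd.
#
# Both configs are constructed for the example. WEAK_CFG looks like the Debian
# default of the time (root login on, password auth only commented out);
# HARDENED_CFG is the target state. "1user" is the account ParanoiaUser listed.

WEAK_CFG='# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes'

HARDENED_CFG='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers 1user
UsePAM yes'

# effective KEY: print the (first) argument sshd will use for KEY from the
# config on stdin. sshd takes the FIRST uncommented occurrence of a keyword
# and ignores later ones, so a line appended at the end can be a no-op.
effective() {
    awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# sshd_audit: read a config on stdin, print one finding per line, and return
# non-zero if anything is still at the weak setting.
sshd_audit() {
    cfg=$(cat)
    rc=0
    root=$(printf '%s\n' "$cfg" | effective PermitRootLogin)
    pass=$(printf '%s\n' "$cfg" | effective PasswordAuthentication)
    users=$(printf '%s\n' "$cfg" | effective AllowUsers)
    case "$root" in
        [Nn][Oo]) echo "ok   PermitRootLogin no" ;;
        *)        echo "WEAK PermitRootLogin ${root:-unset}: root is a known name, so guesses go straight at it"; rc=1 ;;
    esac
    case "$pass" in
        [Nn][Oo]) echo "ok   PasswordAuthentication no" ;;
        *)        echo "WEAK PasswordAuthentication ${pass:-unset}: passwords can still be guessed even if you use a key"; rc=1 ;;
    esac
    if [ -n "$users" ]; then
        echo "ok   AllowUsers $users"
    else
        echo "WEAK AllowUsers unset: every account with a shell may log in"; rc=1
    fi
    return "$rc"
}

# apply_and_restart: syntax-check the file first; sshd -t fails without touching
# the running daemon, so a typo cannot take ssh down. Run from a session you keep
# open and test a fresh login from a second one before closing it.
apply_and_restart() {
    sshd -t -f /etc/ssh/sshd_config && /etc/init.d/ssh restart
}
```

On the server, `sshd_audit < /etc/ssh/sshd_config` exits zero only when all three findings read ok. Do the steps in order: put the public key in ~/.ssh/authorized_keys and confirm a key login works from a second session, then set PasswordAuthentication no, then apply_and_restart; switching the order is how people lock themselves out of a VPS with no console.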
 
#12  sundialsvcs (Guru)  07-01-2013, 06:48 AM
Probably the most common attack vector, I think, is through "system management" software such as Plesk. People buy virtual servers on the Internet that are "already conveniently set up" and simply start using them. These systems not only have a bunch of unused services running (unknown to the user, who's not paying attention), but also afford far too much privilege to the management software. Ignorance and haste breed opportunities ... and, really, I don't mean to sound harsh when saying that.
 
#13  ParanoiaUser (LQ Newbie, original poster)  07-01-2013, 07:30 AM
Quote:
Originally Posted by sundialsvcs (post #12 above)
Extremely happy with my VPS seller though; I've been using them for about half a year. Got them recommended by a friend who's been using them for a year and a half; never had downtime or any problems whatsoever.

As far as the management software goes, if you can tell me where to look for pre-installed stuff that is on my machine I will gladly post a list for you to have a look at. My eyes are not trained for this; I will probably not be able to spot what is a security risk and what's not, so it's better if someone more knowledgeable than me does.

I will gladly post a list of all my installed programs or management tools from the vendor's website; just tell me what you want to see and where I will find it.
 
#14  fotoguy (Senior Member)  07-01-2013, 02:53 PM
There have been some good suggestions posted here; one thing that wasn't mentioned is log files. These are an admin's best friend. I would add a program called logwatch, which parses the log files looking for anything of note and then emails someone with the results. Or even just going through the log files manually can help to see what's been hitting the server; maybe a preamble to an attack can be spotted.

For more security, have the log files sent to another server if possible. If the server becomes compromised then the log files will most likely be useless to you; they're one of the first things that are erased or altered if someone gains access to the server.
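To make fotoguy's point concrete, here is the kind of summary logwatch produces, done by hand with awk over sshd entries from /var/log/auth.log. It is an added example, not fotoguy's code and not logwatch's. The log lines are constructed (documentation address ranges, an invented host name, and the account 1user that ParanoiaUser named), and the three checks answer what a first look at the log should: who is hammering the server, which account names they try (including names that do not exist, which is what the automated root/admin guessing chrism01 described looks like in the log), and whether any address that was guessing later got in.

```shell
#!/bin/sh
# Added example (not fotoguy's code, not logwatch): the first questions a look
# at /var/log/auth.log should answer, done with awk over sshd entries.
#
# The log lines are constructed for the example: documentation addresses, an
# invented host name, and the account "1user" that ParanoiaUser listed.
SAMPLE_AUTH_LOG='Jun 30 03:12:01 vps sshd[4021]: Failed password for root from 198.51.100.7 port 51123 ssh2
Jun 30 03:12:04 vps sshd[4023]: Failed password for root from 198.51.100.7 port 51130 ssh2
Jun 30 03:12:09 vps sshd[4025]: Failed password for invalid user admin from 198.51.100.7 port 51142 ssh2
Jun 30 03:12:15 vps sshd[4027]: Failed password for invalid user oracle from 203.0.113.9 port 40012 ssh2
Jun 30 03:15:40 vps sshd[4031]: Accepted password for 1user from 192.0.2.44 port 50221 ssh2
Jun 30 03:40:02 vps sshd[4040]: Accepted publickey for 1user from 192.0.2.44 port 50300 ssh2
Jun 30 04:01:13 vps sshd[4055]: Failed password for 1user from 203.0.113.9 port 40100 ssh2
Jun 30 04:01:20 vps sshd[4057]: Accepted password for 1user from 203.0.113.9 port 40108 ssh2'

# failed_by_source: "count address" for failed logins, busiest source first.
failed_by_source() {
    awk '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# probed_accounts: "count name real|nonexistent". sshd logs guesses at accounts
# that do not exist as "invalid user NAME"; a long list of those is the
# automated name-and-password guessing chrism01 describes.
probed_accounts() {
    awk '/Failed password for/ {
            if ($0 ~ /invalid user/) {
                for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1), "nonexistent"; break }
            } else {
                for (i = 1; i <= NF; i++) if ($i == "for") { print $(i+1), "real"; break }
            }
         }' | sort | uniq -c | sort -rn
}

# success_after_failures: "address user" for accepted logins from an address
# that failed earlier in the same log. An accepted password login after a run
# of guesses is the case that deserves a close look.
success_after_failures() {
    awk '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i+1)] = 1
         }
         /Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
            if (ip in bad) print ip, user
         }'
}

# sample_*: the checks applied to the constructed log above.
sample_failed()  { printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source; }
sample_probed()  { printf '%s\n' "$SAMPLE_AUTH_LOG" | probed_accounts; }
sample_success() { printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures; }
```

On a Debian box the real input is `failed_by_source < /var/log/auth.log` (and the rotated auth.log.1 for the previous week). For the off-box copy fotoguy recommends, a line such as `*.* @@loghost:514` in a file under /etc/rsyslog.d/ forwards every message to another host over TCP, so an intruder who cleans the local log does not reach that copy; fail2ban bans in the sample would show up as the first address disappearing after its second or third failure.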
 
#15  chrism01 (Guru)  07-01-2013, 07:43 PM
As with sundialsvcs, I agree that you should learn to use the server purely from the CLI and remove (or at least disable) any GUI management tools like Plesk, Webmin etc.
You may have to ask the VPS provider to remove it.
 
  

