LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-19-2006, 06:12 AM   #1
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Rep: Reputation: 30
How safe is linux? need help with a server


Recently (I really don't know how) a cracker got into the network I'm responsible for and obtained credit card information from a person who works here. About 5 minutes later, this person had all her money stolen from the bank. Here in Brazil, banks are responsible for this, so she will get the money back from the bank.

My network works like this: there is a Debian Linux box as a router and all the other computers access the internet through it.
The iptables rules are these (copied from Webmin):

Code:
Incoming packets (INPUT)

Drop        If state of connection is INVALID
Reject      If protocol is TCP and input interface is ppp0 and destination port is 0:80
Accept      If protocol is TCP and input interface is ppp0 and destination port is 2120:2121
Reject      If protocol is TCP and input interface is ppp0 and destination port is 82:65500

Packets after routing (POSTROUTING)

Masquerade  If source is 192.168.0.0/255.255.255.0 and output interface is ppp0
Inside LAN is 192.168.0.*
PS: The person was using MS Windows because there is a printer that just does not work with CUPS.

My questions are:

1) Are those iptables rules safe?
PS: running an Apache server on port 81 and ProFTPD on port 2121

2) Recently, on a Linux box, I downloaded a program called kguitar, and after I unzipped it I could execute it WITHOUT root giving permission. How can I stop this?

3) Is it possible for someone to get access to root's password if this person gets SSH access as a normal user?
 
Old 01-19-2006, 06:34 AM   #2
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
In my opinion no.

First of all, the credit card thing is not your fault. It is general knowledge that this sort of info is not supposed to be written down. If it is, make sure to triple encrypt and bury the disk in your back yard.

1) Your ipchains turn down only some ports on ppp0. My advice is to turn this around. Drop everything (yes, every single port from 0 to 65-something-thousand). Then open the services one by one: DNS, HTTP, etc. etc. (take a look at Wikipedia for well-known ports and decide what you need).
It would help to find out how the alleged cracker got into the network and what he did. Check your logs for multiple failed connection attempts and the like.
I would also advise you using NAT for more safety, not a mere gateway.

2) The behaviour of this program is normal. You only need root privileges to run a program if it manipulates non-user-owned files and directories. Most programs use the home directory of the user for storage and configs, so that's OK.

3) To my knowledge: no. Try getting root privileges as a normal user from a console; if you can't, neither can anybody having access to a terminal, via SSH, serial line or Bluetooth (or any other device).
sshd does not give up the root UID after authentication, so please make sure that you are running the latest version.

Last edited by ichrispa; 01-19-2006 at 06:45 AM.
 
Old 01-19-2006, 07:17 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Do you have any direct evidence (or reason to think) that the cracker directly accessed your network, other than the fact that her credit card info was stolen?

Credit card fraud is *extremely* common and info can be stolen through a large number of techniques including compromising online merchants' databases and phishing scams. If your network has been penetrated, then you will likely need to take much more proactive measures than tightening your firewall, so it's important to know any additional facts.
 
Old 01-19-2006, 07:53 AM   #4
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Capt_Caveman
Do you have any direct evidence (or reason to think) that the cracker directly accessed your network, other than the fact that her credit card info was stolen?
Actually, the only evidence I have is that this person does all the bank things using that computer, and also, she bought a product on www.submarino.com.br.
I scanned this computer's HD with F-Prot and I didn't find anything like trojans or something that could have done it.
Is it possible that someone is sniffing my connection?

Quote:
Originally Posted by ichrispa
I would also advise you using NAT for more safety, not a mere gateway.
Can you tell me how to do this?

Quote:
Originally Posted by ichrispa
Your ipchains turn down only some ports on ppp0. My advice is to turn this around. Drop everything (yes, every single port from 0 to 65-something-thousand).
Which is best, drop or reject?
 
Old 01-19-2006, 08:05 AM   #5
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
One more thing, do you guys know ShieldsUP? https://www.grc.com/x/ne.dll?rh1dkyd2 I'm using this to scan my IP.

Got this...

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

How can i stop it?
 
Old 01-19-2006, 05:21 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
One more thing, do you guys know shields up?
Yes. It's fairly rudimentary and there are a lot better ways of scanning, such as a more extensive nmap scan from a remote machine and I'd also recommend doing some basic penetration/vuln testing with nessus. However, shields up is better than nothing if you don't have the option of doing the above.

How can i stop it?
Drop incoming icmp echo requests:
iptables -I INPUT -p icmp --icmp-type 8 -j DROP

*Note that this will prevent others from being able to ping your machine, which may or may not be desirable. The additional security gained by doing this is fairly minimal though.

Is it possible that someone is sniffing my connection?
It's possible, but not very likely. It would require compromising or manipulating your firewall or one of the upstream routers between you and that host. Using a secured connection like SSL for any type of transaction can help and should always be used.

I'd also recommend running chkrootkit and rkhunter on your linux system as an additional precaution.

Last edited by Capt_Caveman; 01-19-2006 at 05:25 PM.
 
Old 01-22-2006, 09:46 AM   #7
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
There is a nice guide on how to set up NAT at http://www.aboutdebian.com/proxy.htm.

Principally it's best to drop (not process) anything that does not require a standard port. This way you will also disable the usage of Napster- or Kazaa-like software on your net, which takes up bandwidth and resources. The question of what to open is: what is your server for? Is it only a gateway for web page viewing, does it need to carry mail through (POP3, IMAP, SMTP), FTP, telnet, SSH, DNS (if you use the internet, you will definitely need this)...
Take a look at wikipedia for the well known ports, then look at what you need and what not.

About that ping problem. It is fairly uncommon to try and "hide" a server by making it non-responsive to ICMP. On the contrary, this will attract attention ("look, I am trying to be invisible for some reason"). SYN attacks using ICMP are quite hard to accomplish on new servers and can be filtered out via the kernel anyway (take a look at the "SYN cookie" compile option on 2.6.15).
 
Old 01-22-2006, 10:44 PM   #8
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
I'd suggest using something like Guarddog, Firestarter or Shorewall to configure iptables instead of doing it directly. Any of these should be installable using apt-get on Debian.
 
Old 01-22-2006, 10:50 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by ichrispa
SYN attacks using ICMP are quite hard to accomplish on new servers and can be filtered out via the kernel anyway (take a look at the "SYN cookie" compile option on 2.6.15).

There is no such thing as a "SYN" ICMP attack. ICMP is stateless and doesn't have the equivalent of a TCP handshake. So enabling SYN cookies won't do anything for ping flood attacks (technically the TCP sequence number is what is used as the SYN cookie).
 
Old 01-23-2006, 06:56 AM   #10
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
Sorry.

SYN is a state flag in TCP, that I knew. But I thought that it could be used as a synonym for DoS attacks as a whole; it never occurred to me that there are no state flags in ICMP, thus the term is not applicable.

Again, sorry for that ridiculous mistake and any confusion it might have caused...

Last edited by ichrispa; 01-23-2006 at 06:58 AM.
 
Old 01-23-2006, 01:40 PM   #12
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by ichrispa
There is a nice guide on how to set up NAT at http://www.aboutdebian.com/proxy.htm.

Principally it's best to drop (not process) anything that does not require a standard port. This way you will also disable the usage of Napster- or Kazaa-like software on your net, which takes up bandwidth and resources. The question of what to open is: what is your server for? Is it only a gateway for web page viewing, does it need to carry mail through (POP3, IMAP, SMTP), FTP, telnet, SSH, DNS (if you use the internet, you will definitely need this)...
Take a look at Wikipedia for the well-known ports, then look at what you need and what not.

About that ping problem. It is fairly uncommon to try and "hide" a server by making it non-responsive to ICMP. On the contrary, this will attract attention ("look, I am trying to be invisible for some reason"). SYN attacks using ICMP are quite hard to accomplish on new servers and can be filtered out via the kernel anyway (take a look at the "SYN cookie" compile option on 2.6.15).
I only need ports 81 and 2121 open, so I closed all the other ports. Now I can ping sites, but when I try to browse with lynx on the server, it doesn't open any pages. When I open ports 1024 to 65500 it works. Can you tell me which port lynx uses?

Quote:
Originally Posted by ichrispa
I would also advise you using NAT for more safety, not a mere gateway.
Can you explain to me, in simple words, why?

Last edited by stormrider_may; 01-23-2006 at 01:44 PM.
 
Old 01-25-2006, 02:21 PM   #13
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
Lynx, like any browser, tries to contact a remote web server on port 80. If you drop this port, naturally lynx will fail to communicate. The weird thing is the range you open (below 1024 would be understandable; above, however, I don't get). What I think is this:

You don't start lynx as root, so it can't bind to any port below 1024 (root only!). So what it does is open a port above that, say 2221 for example. It sends the GET page request to someserver:80, which sends back the data to yourclient:2221 - but you don't permit 2221 to get through your NAT, so the answer can't get to lynx.

How to fix it:
You can use a web server, like Apache, Boa or Squid, to serve as a connection between the internet and your client (lynx can't use proxies though, at least I can't find out how). This would allow you to control page contents as well (no sexual content etc. etc.). However this means more work for you and more load for your server.
The second solution: start lynx on your client. Then type "netstat -nat" in another terminal to see what ports are open. You should see the port opened by lynx for communication. Open that port in your NAT. Be advised however that if you do this and start another instance of lynx (or perhaps another version of it), it will bind to another port and it won't work again.

Again I propose you go with apache...

Why NAT?
A gateway allows everything to get in and out of your network without any special action to limit the content. It permits an outsider to contact every individual computer in your network, scan NetBIOS and user names (check out nbtscan) via netbios-ssn, even tap your LAN if he finds a weak router or gets access to a computer.
What a NAT does is the following: to the outside, it appears as if there is only a single computer running, so there is no telling if it is a single workstation or a network of several hundred computers for someone on the outside. Even if he finds out that there is a LAN behind the NAT, he can not connect to it. Every connection coming in from the outside must be related to an internal connection indirectly (say FTP) or established (direct response to a request on HTTP for example). NAT makes your LAN invisible to the outside and safe from external access.

Of course you can open a doorway to connect to it, via SSH for example.

Turning a NAT into a proxy is also advisable. If someone wants a web page, he does not have to connect to that server to request the page. You do it for him. You thus control contents of pages, access time and so on.
You can also control bandwidth usage; for example, file-sharing applications can be stopped quite quickly. I'm not a control freak, personally; I don't mind if someone downloads a file or two, but if the network belongs to a company, this company pays the bill, and it is not always desirable to pay for someone's amusement.

Last edited by ichrispa; 01-25-2006 at 02:44 PM.
 
Old 01-25-2006, 02:46 PM   #14
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
Ok, i'm really confused
When all ports (except 81 and 2121) are blocked, any computer using NAT can use lynx or any browser. But the server, where the iptables are, cannot; it just doesn't open any site. PS: running as root!!!!
 
Old 01-31-2006, 06:07 AM   #15
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Rep: Reputation: 32
I think lynx is binding itself to eth0, not to ppp0. Could it be that the NAT tables do not apply for transmitted but only for received datagrams? Thus you forward your browser request to your local network, but it never leaves the LAN. That would explain the problem.

Check out man lynx; perhaps there is an option --interface or something similar, allowing you to choose what interface you bind to...
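Editor's note, added example (not from any of the posters above). The symptom in the last few posts has a simpler explanation than interface binding: LAN hosts keep working because their traffic goes through the FORWARD chain (which the posted Webmin rules never touch, so it stays at ACCEPT) and the masquerade rule, while lynx on the router itself goes through the INPUT chain, where the only accepted ports are 81 and 2121 and every reply from a remote web server, arriving on a random high local port, hits the 82:65500 reject. Opening 1024-65500 "fixes" it by exposing the whole range to the internet. The right fix is the one ichrispa describes for NAT in post #13 ("must be related to an internal connection ... or established"), applied to the INPUT chain too: accept packets that connection tracking already knows belong to a connection this box opened, and keep the default-deny policy for everything else. The script below does that for the setup in the thread. Assumed (not stated on the page): ppp0 is the internet side, eth0 the LAN side, the LAN is 192.168.0.0/24, TCP 81 (Apache) and TCP 2121 (ProFTPD) are the only exposed services, and the `IPT` variable and the `apply` argument are this example's own conventions, so that `IPT=echo sh fw.sh apply` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: default-deny, stateful iptables ruleset for the Debian router
# in the thread. Assumptions (not from the original post): ppp0 = internet,
# eth0 = LAN, LAN = 192.168.0.0/24, Apache on TCP 81, ProFTPD on TCP 2121.
# Run as root:      sh fw.sh apply
# Dry run (no root): IPT=echo sh fw.sh apply
IPT="${IPT:-iptables}"
WAN=ppp0
LAN=eth0
LAN_NET=192.168.0.0/24

build_rules() {
    # Start clean, then deny by default on the two chains that matter.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback must always work.
    $IPT -A INPUT -i lo -j ACCEPT

    # Connection tracking: replies to connections this box opened are accepted
    # on whatever high port the client chose. This is what lets lynx on the
    # router receive answers from remote port 80 without opening 1024-65500.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Trust the LAN side (tighten this if LAN hosts are not trusted).
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Services exposed to the internet: only the two the poster actually runs.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 81 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 2121 -m state --state NEW -j ACCEPT

    # ICMP echo: answer pings but rate-limit them instead of hiding; change the
    # target to DROP if you prefer the ShieldsUP "stealth" result.
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Anything else arriving on ppp0 falls through to the INPUT DROP policy.

    # Forwarding for the LAN: outbound freely, inbound only tracked replies.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: the LAN appears to the outside as the router's single ppp0 address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

case "${1:-}" in
    apply) build_rules ;;
esac
```

Two things the script does not do for you: forwarding must be switched on (`sysctl -w net.ipv4.ip_forward=1`, or the equivalent in /etc/sysctl.conf), and passive-mode FTP on the non-standard port only works as "RELATED" if the FTP conntrack helper is told about that port (`modprobe nf_conntrack_ftp ports=2121`; on the 2.6.15-era kernels in the thread the module is called ip_conntrack_ftp). If the router is also administered over SSH from ppp0, add a rule for TCP 22 in the same shape as the port 81 line; the first application is best done from the console, since the policy is set to DROP before the ESTABLISHED rule goes in. After applying, a `nmap -sS -p 1-65535` from an outside host, as Capt_Caveman suggests, should show only 81 and 2121 open.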
 
  

