LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-19-2006, 06:12 AM   #1
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Rep: Reputation: 30
How safe is linux? need help with a server


Recentely, i really donīt know how, a cracker entered on the network which iīm responsible and got informations about credit card from a person who works here. About 5 minutes later, this person got all her money stolen from the bank. Here in Brazil, banks are responsible for this, so she will have the money back from the bank.

My network works like this, there is a debian linux as a router and all the other computers access the internet by it.
The iptables rules are this (copied from webmin):

Code:
Incoming packets (INPUT)

Drop	If state of connection is INVALID			

Reject	If protocol is TCP and input interface is ppp0 and destination port is 0:80			

Accept	If protocol is TCP and input interface is ppp0 and destination port is 2120:2121

Reject	If protocol is TCP and input interface is ppp0 and destination port is 82:65500			


Packets after routing (POSTROUTING)
	
Masquerade	If source is 192.168.0.0/255.255.255.0 and output interface is ppp0
Inside LAN is 192.168.0.*
Ps.: The person was using M$ windows because there is a printer that just does not works with cups.

My questions are:

1) Are those iptables rules safe?
ps.: running apache server on port 81 and proftpd on port 2121

2) Recentely on a linux box, i downloaded a program called kguitar, and after i unzipped it, i could execute WITHOUT root giving permission. How can I stop this?

3) Is it possible to someone get access to the rootīs password if this person get an ssh access as a normal user?
 
Old 01-19-2006, 06:34 AM   #2
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 270

Rep: Reputation: 31
In my opinion no.

First of all, the credit card thing is not your fault. It is general knowledge that this sort of info is not supposed to be written down. If it is, make sure to triple encrypt and bury the disk in your back yard.

1) Your ipchains turn down only some ports on ppp0. My advise is to turn this around. Drop everything (yes, every single port from 0 to 65somethingthousand). Then open the services one by one: DNS, HTTP, etc. etc. (take a look at wikipedia for well known ports and decide what you need).
It would help to find out how the alledged cracker got into the network and what he did. Check your logs for multiple failed connection attempts and the like.
I would also advise you using NAT for more safety, not a mere gateway.

2) The behavior of this program is normal. You only need root priviledges to run a program if it manipulates non-user-owned files and directories. Most programs use the home directory of the user for storage and configs, so that's ok.

3) To my knowledge: no. Try getting root priviledges as a normal user from a console, if you cant, neither can anybody having access to a terminal, via ssh, serial line or bluetooth (or any other device).
sshd does not give up root-uid after authentification, so please make sure that you are running the latest version.

Last edited by ichrispa; 01-19-2006 at 06:45 AM.
 
Old 01-19-2006, 07:17 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Do you have any direct evidence (or reason to think) that the cracker directly accessed your network, other than the fact that her credit card info was stolen?

Credit card fraud is *extremely* common and info can be stolen through a large number of techiniques including compromising online merchants databases and phishing scams. If your network has been penetrated, then you will likely need to take much more proactive measures than tightening your firewall, so it's important to know any additional facts.
 
Old 01-19-2006, 07:53 AM   #4
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Capt_Caveman
Do you have any direct evidence (or reason to think) that the cracker directly accessed your network, other than the fact that her credit card info was stolen?
Actually, the only evidence i have is that this person make all the bank things using that computer, and also, she bought a product on www.submarino.com.br.
I scanned this computers hd with f-prot and i didnīt find anything like trojans or something that could have done it.
Is it possible that someone is sniffering my connection?

Quote:
Originally Posted by ichrispa
I would also advise you using NAT for more safety, not a mere gateway.
Can you tell how to do this?

Quote:
Originally Posted by ichrispa
Your ipchains turn down only some ports on ppp0. My advise is to turn this around. Drop everything (yes, every single port from 0 to 65somethingthousand).
The best thing is drop or reject?
 
Old 01-19-2006, 08:05 AM   #5
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
One more thing, do you guys know shields up? https://www.grc.com/x/ne.dll?rh1dkyd2 iīm using this to scan my ip.

Got this...

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

How can i stop it?
 
Old 01-19-2006, 05:21 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
One more thing, do you guys know shields up?
Yes. It's fairly rudimentary and there are a lot better ways of scanning, such as a more extensive nmap scan from a remote machine and I'd also recommend doing some basic penetration/vuln testing with nessus. However, shields up is better than nothing if you don't have the option of doing the above.

How can i stop it?
Drop incoming icmp echo requests:
iptables -I INPUT -p icmp --icmp-type 8 -j DROP

*Note that this will prevent others from being able to ping your machine, which may or may not be desireable. The additional security gained by doing this is fairly minimal though.

Is it possible that someone is sniffering my connection?
It's possible, but not very likely. It would require compromising or manipulating your firewall or one of the upstream routers between you and that host. Using a secured connection like SSL for any type of transaction can help and should always be used.

I'd also recommend running chkrootkit and rkhunter on your linux system as an additional precaution.

Last edited by Capt_Caveman; 01-19-2006 at 05:25 PM.
 
Old 01-22-2006, 09:46 AM   #7
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 270

Rep: Reputation: 31
There is a nice guide on how to set up NAT at http://www.aboutdebian.com/proxy.htm.

principally its best to drop (not process) anything that does not require a standard port. This way you will also disable the usage of Napster or Kazaa like software on your net, which takes up bandwith and ressources. The question on what to open is, what you server is for. Is it only a gateway for webpage viewing, does it need to carry mail through (POP3, IMAP, SMTP), ftp, telnet, ssh, dns (if you use the internet, you will definetetely need this)...
Take a look at wikipedia for the well known ports, then look at what you need and what not.

About that ping problem. It is fairly uncommon to try and "hide" a server by making it non-responsive to ICMP. On the contrary, this will attract attention ("look, I am trying to be invisible for some reason"). SYN attacks using ICMP are quite hard to accomplish on new servers and can be filtered out via the kernel anyway (take a look at the "SYN cookie" compile option on 2.6.15).
 
Old 01-22-2006, 10:44 PM   #8
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 51
I'd suggest using something like Guarddog, Firestarter or Shorewall to configure iptables instead of doing it directly. Any of these should be installable using apt-get on Debian.
 
Old 01-22-2006, 10:50 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
SYN attacks using ICMP are quite hard to accomplish on new servers and can be filtered out via the kernel anyway (take a look at the "SYN cookie" compile option on 2.6.15).

There is no such thing as a "SYN" ICMP attack. ICMP is stateless and doesn't have the equivalent of a TCP handshake. So enabling SYN cookies won't do anything for ping flood attacks (technically the TCP sequence number is what is used as the SYN cookie).
 
Old 01-23-2006, 06:56 AM   #10
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 270

Rep: Reputation: 31
Sorry.

SYN is a state flag in TCP, that I knew. But I thought that it could be used as a synonime for DoS attacks as a whole, it never occured to me that there are no state flags in ICMP - thus the term is not applicable.

Again, sorry for that rediculous mistake ans any confusion it might have caused...

Last edited by ichrispa; 01-23-2006 at 06:58 AM.
 
Old 01-23-2006, 06:56 AM   #11
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 270

Rep: Reputation: 31
Sorry.

SYN is a state flag in TCP, that I knew. But I thought that it could be used as a synonime for DoS attacks as a whole, it never occured to me that there are no state flags in ICMP - thus the term is not applicable.

Again, sorry for that rediculous mistake ans any confusion it might have caused...
 
Old 01-23-2006, 01:40 PM   #12
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by ichrispa
There is a nice guide on how to set up NAT at http://www.aboutdebian.com/proxy.htm.

principally its best to drop (not process) anything that does not require a standard port. This way you will also disable the usage of Napster or Kazaa like software on your net, which takes up bandwith and ressources. The question on what to open is, what you server is for. Is it only a gateway for webpage viewing, does it need to carry mail through (POP3, IMAP, SMTP), ftp, telnet, ssh, dns (if you use the internet, you will definetetely need this)...
Take a look at wikipedia for the well known ports, then look at what you need and what not.

About that ping problem. It is fairly uncommon to try and "hide" a server by making it non-responsive to ICMP. On the contrary, this will attract attention ("look, I am trying to be invisible for some reason"). SYN attacks using ICMP are quite hard to accomplish on new servers and can be filtered out via the kernel anyway (take a look at the "SYN cookie" compile option on 2.6.15).
I only need ports 81 and 2121 open. So closed all the others ports. Now, i can ping sites, but when i try to navigate with lynx on the server, it donīt open any pages. When i open ports 1024 to 65500 it navigates. Can you tell me which port lynx use?

Quote:
Originally Posted by ichrispa
I would also advise you using NAT for more safety, not a mere gateway.
Can you explain me, in simple words, why?

Last edited by stormrider_may; 01-23-2006 at 01:44 PM.
 
Old 01-25-2006, 02:21 PM   #13
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 270

Rep: Reputation: 31
lynx, as any browser, tries to contact a remote web server on port 80. if you drop this port, naturally lynx will fail to communicate. The weird thing is the range you open (below 1024 would be understandable, above however I don't get). What I think is this:

You don't start lynx as root, so it can't bind to any port below 1024 (root only!). So what it does is open a port above that, say 2221 for example. It sends the GET page request to someserver:80, that sends back the data to yourclient:2221 - but you don't permit 2221 to get through your NAT, so the answer can't get to lynx.

How to fix it:
You can use a webserver, like apache, boa or squid, to serve as a connection between the internet and your client (lynx can't use proxies though, at least I can't find out how). This would alow you to control page contents as well (no sexual contents etc. etc.). However this means more work for you and more load for your server.
The second solution. start lynx on your client. Then type "netstat -nat" on another terminal to see what ports are open. You should see the port opened by lynx for communication. Open that port in your NAT. Be advised however that if you do this and start another instance of lynx (or perhaps another version of it), it will bind to another port and it won't work again.

Again I propose you go with apache...

Why NAT?
A gateway alows everything to get in and out of your network without any special action to limit the content. It permits an outsider to contact every individual computer in your network, scan netbios and user names (check out nbtscan) via netbios-ssn, even tap your lan if he finds a week router or gets access to a computer.
What a NAT does is the following: To the outside, it appears as if there is only a single computer running, so there is no telling if it is a single workstation or a network of several hundred computers for someone on the outside. Even if he finds out that there is a LAN behind the NAT, he can not connect to it. Every connection coming in from the outside must me related to an internal connection indirectly (say ftp) or established (direct response to a request on http for example). NAT makes your LAN invisible to the outside and save to external access.

Of course you can open a doorway to connect to it, via ssh for example.

Turning an NAT into a proxy is also advisable. If someone wants a webpage, he does not have to connect to that serves to request the page. You do it for him. You thus control contents of pages, access time and so on.
You can also control bandwith usage, for example File-sharing applications can be stopped quite quickly. I'm not a control freak, personally, I don't mind if someone downloads a file or two, but if the network belongs to a company, this company pays the bill, and it is not always desirable to pay for someones amusement.

Last edited by ichrispa; 01-25-2006 at 02:44 PM.
 
Old 01-25-2006, 02:46 PM   #14
stormrider_may
Member
 
Registered: Sep 2005
Distribution: Debian
Posts: 304

Original Poster
Rep: Reputation: 30
Ok, i'm really confused
When all ports (Except 81 and 2121) are blocked, any computer using nat can use lynx or any browser. But the server, where there are iptables cannot, it just doesn't open any site. ps.: Running as root!!!!
 
Old 01-31-2006, 06:07 AM   #15
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 270

Rep: Reputation: 31
I think lynx is binding itself to eth0, not to ppp0. Could it be that the nat tables to not comply fr transmitted but only for received datagrams? Thus you forward your browser rquest to your local network, but it never leaves the LAN. That would explain the problem.

Check out man lynx, perhaps there is an option --interface or something similar, allowing you to chose what interface you bind on...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH Server - How and how safe? Jorek Linux - Networking 9 10-27-2005 05:12 PM
Is it safe to show server stats? six6 Linux - Security 3 08-05-2005 12:31 PM
how safe it is to use linux/window in one hd ngan_yine Linux - Hardware 3 10-11-2004 03:58 PM
win98 Server, as safe as it gets ;-) browny_amiga General 12 06-26-2003 08:04 AM
setting up a safe and secure server/router Ciccio Linux - Security 3 04-25-2003 10:46 PM


All times are GMT -5. The time now is 08:53 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration