LinuxQuestions.org

Linux - Security forum thread: How to test the security of your linux box? (https://www.linuxquestions.org/questions/linux-security-4/how-to-test-the-security-of-your-linux-box-479213/)

cucolin@ 08-31-2006 02:14 PM

How to test the security of your linux box?
 
We have a LAMP server here at work, we are only using it for a website. I was wondering if I needed to be concern about security and I ran nmap from my Windows machine upstairs and this is what I got:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nmap -T Aggressive -P0 -sT -p 1-65535 10.0.3.7

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-08-31 10:05 Eastern
Daylight Time
Interesting ports on intranet (10.0.3.7):
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3

Nmap finished: 1 IP address (1 host up) scanned in 2994.869 seconds

Is this a good procedure? or I should not bother?

isuck@linux 08-31-2006 02:39 PM

You are OK as long as you know the open ports and the security settings used for those services. So if you have FTP correctly set up, you want SSH on port 22 and it is correctly configured, you use SMTP sendmail (this is probably the weakest point of your net) with AV software and antispam, and your web server is completely secured, you have nothing to worry about. The problem with ports is when you have an open port and you don't know why or what service is running there. Of course there is no guarantee against new security problems, but do your best keeping your server updated.

cucolin@ 08-31-2006 03:11 PM

Right now I'm just hosting a website for our intranet and using SSH. Do I need FTP and SMTP for this? Or should I close these ports, and if so, how do you do that??

Thanks

benjithegreat98 08-31-2006 03:23 PM

Something else you can do to test your security is get a vulnerability scanner. There are free ones such as Nessus. It will tell you if there are certain unpatched vulnerabilities and things of that nature. There are also pay-for ones available from places like eeye.com

You can also search the net for securing certain things such as apache or sendmail or whatever else you are running. A bad configuration or misconfiguration will most certainly let intruders in.

Also look into setting up a firewall if you have not already. Is this going to be on the internet or just the local intranet? If it is going to be public then you definitely need to worry about security. Consider where you work. Does the company have secrets that don't need to be known, or information that shouldn't escape because of federal regulations? Does it keep financial records of clients? If your box is insecure and it gets penetrated by a hacker smart enough to get what he wants, consider your secrets gone. When that happens you might as well invite the hacker in through your doors with a laptop and network cable. Don't be the weak link in security. Worry about it.

benjithegreat98 08-31-2006 03:27 PM

You need to search how to turn off the services. I assume you are using Ubuntu, so I can't help you on that since I've never really used it. There may be something in your menu that will help you stop and keep those 2 services off.

Even though you say it is for intranet purposes, it would still be prudent to do a vulnerability scan on it.

Brian1 08-31-2006 03:30 PM

To see what is open, go to a site that offers port scanning like this one.
http://www.hackerwatch.org/probe/

It will scan your open internet address and you can have scan for certain or all ports to see what the outside world can see.

Brian1

win32sux 08-31-2006 04:20 PM

Quote:

Originally Posted by cucolin@
Right now I'm just hosting a website for our intranet and using ssh. Do I need FTP and SMTP for this? Or should I close these ports, if so how do you do that??

if you just have an HTTP server and an SSH daemon, then all you need is ports 80 and 22 open... those other ports should definitely be filtered (and the unnecessary services disabled)... the tool to do this is iptables... how many interfaces does this box have?? it has a private (non-Internet) IP right?? just trying to get a better picture...

please post the output of these commands (as root):
Code:

iptables -L -n -v
Code:

netstat -an | grep "LISTEN "

J_K9 08-31-2006 04:35 PM

Employees have just as great a potential of hacking the server as anyone on the internet, so you should be just as aware of the security of your box even if it is only available on the intranet.

What kind of content are you hosting on the webserver? Is it static (.htm, .html) or dynamic (.php, .asp, etc, possibly accessing a database)? If it's the latter, you will need to worry about things like SQL injection, XSS attacks, etc. You will need to make sure that your scripts are secure (eg. use a whitelist of input characters such as a-zA-Z0-9), and also use Apache's mod_security if you wish.

If it's dynamic content, you may also be interested in running a Nikto scan on the box. Check out my tutorial on this if you need some help: http://tazforum.thetazzone.com/viewtopic.php?t=3124

You should also run a Nessus scan against your box, as that will reveal most potential vulnerabilities in both the OS and its services.

Do you want to run ftp, smtp and pop3 servers on that box? If you do not, you will need to disable them, as they increase the chances of your box being compromised (as there are more routes of entry). IIRC you can do this via: System -> Administration -> Services.

HTH. If you have any more questions, just ask :)

Cheers,

-jk

cucolin@ 09-01-2006 01:04 PM

root@intranet:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

root@intranet:~# netstat -an | grep "LISTEN"
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock

Thanks Win32Sux

win32sux 09-01-2006 01:29 PM

Quote:

Originally Posted by cucolin@
root@intranet:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

okay, this is pretty much what i had imagined... your firewall is currently disabled... i'll hook you up with a script to fix that later today, i'm heading out the door right now to take care of some stuff for my mom...

Quote:

root@intranet:~# netstat -an | grep "LISTEN"
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock
you left out the space before the last quotation mark!!! :)

without the space, the output is totally different... it's my bad, i should have pointed out that the space was completely intentional...

EDIT: actually, i was in a hurry at the moment and didn't realize that without the space the only difference would be that lines that read "LISTENING" would also be displayed... =/
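As an added example that is not part of the thread or any poster's code: the check the thread is doing by hand (scan from outside, list listeners from inside, compare with what the box is meant to expose) can be scripted. The POSIX shell script below takes the nmap output and the netstat output pasted earlier in this thread as constructed sample input, and assumes (from the discussion) that only 22 and 80 are intended. With the thread's own data it flags 21, 25 and 110 as open in the scan but bound to nothing on the host, which is exactly the kind of discrepancy worth explaining before moving on.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile an external nmap scan with
# the host's own listener list and an allow-list of intended ports.
# Sample inputs are copied from the outputs posted in this thread.

NMAP_OUT='PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3'

NETSTAT_OUT='tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock'

# Ports this box is supposed to expose (assumption for the example: web + ssh).
ALLOWED="22 80"

# TCP ports the scanner reported as open, numerically sorted, one per line.
scan_open() {
    printf '%s\n' "$NMAP_OUT" |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' |
        sort -n
}

# TCP ports bound on a non-loopback address, i.e. reachable from the network.
# The port is whatever follows the last ':' (handles 0.0.0.0:22 and :::80);
# 127.0.0.1:3306 is skipped because MySQL bound to loopback is not exposed.
listen_net() {
    printf '%s\n' "$NETSTAT_OUT" |
        awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
                 n = split($4, a, ":"); port = a[n]
                 host = substr($4, 1, length($4) - length(port) - 1)
                 if (host != "127.0.0.1" && host != "::1") print port
             }' |
        sort -n
}

# is_in ITEM "space separated list" -> exit 0 when ITEM is in the list
is_in() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# One finding per line; empty output means scan, host and intent all agree.
report() {
    open=$(scan_open | tr '\n' ' ')
    bound=$(listen_net | tr '\n' ' ')
    for p in $open; do
        is_in "$p" "$ALLOWED" || echo "UNEXPECTED_OPEN $p"  # not in the allow-list
        is_in "$p" "$bound"   || echo "OPEN_NOT_BOUND $p"   # scanner saw it, host does not listen
    done
    for p in $bound; do
        is_in "$p" "$open"    || echo "BOUND_NOT_SEEN $p"   # listening, but the scan did not see it
    done
}

report
```

To run it against live data, replace the two sample variables with the output of `nmap -sT -p 1-65535 <host>` taken from another machine and `netstat -an` (or `ss -ltn`) taken on the box itself. OPEN_NOT_BOUND means something other than this host's daemons answered the scan; BOUND_NOT_SEEN means a filter between scanner and host hid a listener, which is fine only if that filter is the one you intend to rely on.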

cucolin@ 09-01-2006 01:41 PM

How do I close these ports: port 21, 25 and 110 if I don't need them? Can I open them again if I do?

Thanks for your help..

cucolin@ 09-01-2006 01:46 PM

I see, but the only diff. is that the last line is omitted.

Thanks and I will wait for your code. I will be here until 5PM, (New York time).

J_K9 09-01-2006 01:58 PM

cucolin@ - See my post about disabling those services. However, while you figure that out, you can block (drop) all packets to/from those ports with the following commands (replace eth0 with the interface connected to the internet):
Code:

# --dport/--sport only exist for -p tcp (or udp); these services are TCP
$ sudo iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
$ sudo iptables -A INPUT -p tcp -i eth0 --dport 25 -j DROP
$ sudo iptables -A INPUT -p tcp -i eth0 --dport 110 -j DROP
# the OUTPUT chain matches on the outgoing interface (-o), not -i
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 21 -j DROP
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 25 -j DROP
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 110 -j DROP

That will drop all packets going to and coming from those ports. I still recommend you disable the services altogether though, as they're pretty useless without a network- or internet-facing connection ;)
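An added example, not from the thread or any poster, of the other approach win32sux describes: rather than appending a DROP rule for each unwanted port to an INPUT chain whose policy is still ACCEPT (a blocklist that silently lets through any port nobody thought of), set the policy to DROP and allow only what the box is meant to serve. It is written in iptables-restore format so the whole table is swapped atomically instead of rule by rule. The interface name eth0 and the admin network 10.0.3.0/24 (taken from the scanned address 10.0.3.7) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT ruleset for a box
# that should expose only SSH (22) and HTTP (80). Interface and admin
# network are assumptions; override them in the environment.

IFACE="${IFACE:-eth0}"                 # interface the box is reached on
ADMIN_NET="${ADMIN_NET:-10.0.3.0/24}"  # where SSH logins may come from

# Print the ruleset in iptables-restore format (lines starting with # are
# ignored by iptables-restore, so the comments can stay in).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback stays open (MySQL on 127.0.0.1:3306 relies on this)
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened itself (apt/FTP downloads, DNS)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the two services this box is meant to offer
-A INPUT -i $IFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# keep ping working so the box can still be found on the LAN
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# log what is about to hit the DROP policy, rate-limited against log floods
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Dry run by default; --apply (as root) loads the ruleset atomically.
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Run with no arguments it only prints the ruleset for review; `--apply` as root loads it. Do the first apply from the console, or queue a fallback such as `sleep 300 && iptables -P INPUT ACCEPT && iptables -F` in the background before applying, because a typo in ADMIN_NET cuts off SSH. Ports 21, 25 and 110 need no rules of their own: anything not explicitly accepted hits the DROP policy, and once the daemons are disabled there is nothing left to answer on those ports, so the OUTPUT-side DROP rules in the post above become unnecessary.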

cucolin@ 09-01-2006 02:15 PM

But do I need these services such as FTP to download updates/upgrades?? Is there a way I can set them like in Windows, where you set the services to automatic, manual or disabled? Can I set them to manual, so they will start whenever I need them?

Thanks J-K9..

benjithegreat98 09-01-2006 02:17 PM

I don't use Ubuntu, but I believe you can go to System > Administration > Services in your menu and you can disable and stop the MTA (port 25), FTP and POP3 servers.

As far as a firewall, instead of getting a script, I suggest that you download a program that will start a firewall for you. A good one for Gnome is Firestarter. Here's some instructions on how to install and use it: http://www.fs-security.com/docs/installation.php (fs-security.com is the makers of Firestarter)

I say to use that instead of a script because many scripts that float around here do not deal with logging or limiting connections. Plus it's easier to change later if you are indeed using a GUI to administer your server.

And as for your question on FTP, what is running on your computer is a server. You are talking about using a client, which will run even if your own server is not running. Go ahead and just disable it.

