LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-24-2003, 03:16 AM   #1
techchiq
Member
 
Registered: Oct 2003
Location: Western NY State
Distribution: Pink Tie 9 (Red Hat 9 clone from CheapBytes.com)
Posts: 32

Rep: Reputation: 15
HOWTO: Secure and stealth your Linux Box!


After trying firestarter and finding that Kppp (KDE's dialer) doesn't work well with it (and I have to be root to run firestarter at all, which is a pain), I have decided to drop that and I learned a bit about IPTables. I tested this all at GRC.com's Shield's Up, which does a rather nice job testing things. Here's how I stealthed my Red Hat 9 (clone) system - I have iptables installed as well as lokkit. You need to be root to do all this stuff.

NOTE That this is for desktop systems that depend on modem (dial-up) internet connections via ppp0.

Also, when I say to type something at the shell prompt, do NOT type the preceeding # as that is just there to show it's a shell prompt.

STEP 1: Going Stealth on all ports

Here's the /etc/sysconfig/iptables file content:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1055 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 1720 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 5000 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1055 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 1720 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 5000 -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j DROP
COMMIT

Note the line -A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP, this line is necessary because port 0 will always show up in Shield's Up as closed, but it shows up, giving away the fact you're on the internet. This line will make that port not respond. Port 0 is a U*ix "null" port that is basicall "invalid" (thus the state name). GRC.com says it's used by some programmers as a test port to test development of applications that use ports of some kind. If you test your system there and click on the 0 port link, it'll give you more information on this.

Next, type the following at the shell prompt:

#/etc/init.d/iptables restart

STEP 2: Stopping PINGS

Another nasty is pings. Here is how you can make it so that your system will not respond to pings at all. Simply edit (as root) the /etc/sysctl.conf file. Find these lines:

# Controls source route verification
net.ipv4.conf.default.rp_filter=1

Now add these two lines:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

Next at the shell prompt type this:

#/sbin/sysctl -p

STEP 3: Masking Reverse DNS lookup

Wherever you go on the internet, you're machine name (or rather your ISP's machine name which looks like a URL path of some kind) is given out. Clever people could use that to personally identify you, I think the GRC.com site says. By not allowing your system to give this away, you further can protect your privacy. To do this, type at the shell prompt:

# echo "1" > /procs/sys/net/ipv4/ip_forward

STEP 4: Tell them off! LOL!

While this might not really be necessary if you have your system pretty well stealthed, it still might be a good measure anyway. When you boot Linux and log in, some distributions will show what distro you're using along with the Linux Kernel version. If you're using an older kernel for some reason, you definitely don't want a potential intruder to find this out! That's IF you get hacked (which they'd have to find you in the first place and if you did the above, it'd be pretty hard to find your machine on the internet!) But anyway, you can back up your /etc/issue and /etc/issue.net files, then edit the non-backups to say something like:

** WARNING!! **
This is a private closed system.
Any and all activity is logged.
** GO AWAY!! **

Or whatever to let someone who finds their way to log in to know they aren't welcome.

STEP 5: Allowing Hosts?

Lastly, you can edit your /etc/hosts.allow and /etc/hosts.deny files as so:

/etc/hosts.allow
(after the comments put the following line)
ALL:127.0.0.1

/etc/host.deny
(after the comments put the following line)
ALL:ALL

Now you're all set! You shouldn't need to reboot the computer but if for some reason things haven't yet started working the way you expected, a reboot is a good idea before trying to further diagnose things.

Hope this helps some of those out there on dial-up connections. If you're running a network, don't have Lokkit or RH9 distro, you'll have to make some changes. Hopefully this will give some basics to get started.

Last edited by techchiq; 12-24-2003 at 03:19 AM.
 
Old 12-24-2003, 03:58 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Hmmm, looks to me (but I'm no iptables guru) like that script is accepting everything that's not explicitly denied. That's rather silly... check that, it's really not smart. A firewall should be default-deny and only allow the ports you explicitly tell it to.

If anyone scans an uncommon port, they're going to see the "connection refused" from the non-listening port on your box (the response is from the port, not the firewall). While that's not particularly dangerous in and of itself, suppose a trojan had installed itself (as a user) and was running on some high port? Not good!
 
Old 12-24-2003, 09:24 AM   #3
techchiq
Member
 
Registered: Oct 2003
Location: Western NY State
Distribution: Pink Tie 9 (Red Hat 9 clone from CheapBytes.com)
Posts: 32

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by chort
Hmmm, looks to me (but I'm no iptables guru) like that script is accepting everything that's not explicitly denied. That's rather silly... check that, it's really not smart. A firewall should be default-deny and only allow the ports you explicitly tell it to.
Could you be a bit more specific? I'm just learning this myself so I would like to know how that works out. At GRC.com it shows ports 0 - 1055 as stealth. Also the "DROP" at the end of the line means not to respond to anything coming in on those ports.

Can you give some examples, maybe, where it would only open up one port for allowing a user to browse the web, another for allowing the user to get/send email (evolution) and another for using gftp to connect and download files via anonymous ftp (no servers are running on this machine, btw)? Some examples might help me understand things a little better. The above looks like it's stealthing out certain ports (which GRC.com checks), or so I had thought. at least, it appears to.

Quote:
If anyone scans an uncommon port, they're going to see the "connection refused" from the non-listening port on your box (the response is from the port, not the firewall). While that's not particularly dangerous in and of itself, suppose a trojan had installed itself (as a user) and was running on some high port? Not good!
I can see your point. That is a concern. I'm not quite sure how to black ALL ports but the ones needed for access...? I don't want the ports needed for normal internet access (non-server use) to show up as anything but stealth, but still be usable.
 
Old 12-24-2003, 10:00 AM   #4
techchiq
Member
 
Registered: Oct 2003
Location: Western NY State
Distribution: Pink Tie 9 (Red Hat 9 clone from CheapBytes.com)
Posts: 32

Original Poster
Rep: Reputation: 15
Ok, I made some changes. How does this look? I tested some random odd ports that Shield's Up doesn't do in their port tests (but they do let you specify a port to probe) and the script below seems to stealth out ALL ports but still allowing a normal user to access the web, etc. Problem is, I couldn't just do a --dport 0:65535 for some reason because it then wouldn't access the web, etc. So I did it this way (split it up) but it still covers all ports.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:8080 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8081:65535 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:8080 -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8081:65535 --syn -j DROP
COMMIT

I tried experimenting with things like:

:INPUT DROP [0:0]

then

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8080 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 8080 -j ACCEPT

But again, I couldn't get the browser to access the internet. Of course, I'm still experimenting with ways to do this.
 
Old 12-25-2003, 01:27 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
You don't want to specify which ports to drop, you're still doing that. Instead, you want to drop ALL. I'm not sure what the iptables keyword is for that, but it's probably either "all" or "ALL". Then you want to allow connections only from your own IP address, and only to IPs other than you're own, i.e. something like

block all inbound
block all outbound
source my_ip destination not my_ip allow outbound and keep state
(this is just pseudo code)

This will let you browse the web, etc (since those are all outbound connections)

If you want to run some type of server on your machine, then you would have to do something like
source any destination my_ip (only "syn" is set and destination my_service port) allow inbound and keep state

By the way, HTTP uses port 80/tcp, unless you're sending it through some proxy (in which case you need to talke to the proxy port, such as 3128, 8080, etc).
 
Old 12-25-2003, 10:06 AM   #6
poison
Member
 
Registered: Dec 2003
Location: Layer 7 =D
Distribution: Slackware, LFS, Rock Linux
Posts: 165

Rep: Reputation: 30
well...I'm no iptables guru at all...tried to understand it but failed ^^
could anybody give me a hint if the following is terrible bad ?

Code:
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -P INPUT DROP   #only if the first two are succesful
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 21 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 8080 -j ACCEPT
#iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
it's supposed to block all inbound connections, except for ftp, http and mutella (on port 8080) ^^
thats what it does, no ?
 
Old 12-25-2003, 02:54 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Looks right to me (iptables -P INPUT DROP is the default action), but have someone familiar with iptables confirm that for sure.
 
Old 12-25-2003, 07:23 PM   #8
techchiq
Member
 
Registered: Oct 2003
Location: Western NY State
Distribution: Pink Tie 9 (Red Hat 9 clone from CheapBytes.com)
Posts: 32

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by poison
well...I'm no iptables guru at all...tried to understand it but failed ^^
could anybody give me a hint if the following is terrible bad ?
My question is, will it keep those ports STEALTH? That is what I'm hoping to accomplish. The idea here is to make it look like the computer doesn't exist on the internet at all, should something try to connect to that IP (ie. like there's no computer using that IP address at the moment or something). Otherwise, if I have just one port open, it gives it away that there is a computer (this one) connected to the internet.

Also, opening ports - I don't want someone to use one of them to log into the system.

I'll try this code a bit later and see how it stands up to GRC.com's probes.
 
Old 12-25-2003, 07:52 PM   #9
JimKyle
Member
 
Registered: Dec 2001
Location: Oklahoma City, OK, USA
Distribution: Xubuntu 12.04 LTS
Posts: 156

Rep: Reputation: 18
If you're not running an http or ftp server, you don't need to accept incoming packets on ports 80 and 21. Ditto for 8080. If you want to be completely stealthed, omit the last four lines of your script so that the only incoming you accept will be established packets. Of course this may foul up your ppp interface, requiring you to add some ACCEPT rules for it...

You'll find, when you do your GRC testing, that you have three ports open, which tells the world your computer exists. Removing those three ACCEPT lines will make them go away...
 
Old 12-25-2003, 08:59 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
DROP = "stealth", although you'll be easily discovered if you have at least one port open (i.e. set to ACCEPT). Even if you have "full stealth" there are still some particular nmap scans that can discover you. Don't be overly reliant on not being found. Make sure you treat any box as though it will be attacked, regardless of what firewall you have in front of it.

Last edited by chort; 12-25-2003 at 09:01 PM.
 
Old 12-25-2003, 11:03 PM   #11
sharper
Member
 
Registered: Aug 2002
Location: MN USA
Distribution: slakware 9.0
Posts: 121

Rep: Reputation: 15
Quote:
Originally posted by poison

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -P INPUT DROP #only if the first two are succesful
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 21 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 8080 -j ACCEPT
#iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT[/CODE]
The first and third lines are probably sufficient. If you have connection tracking those two tell iptables to drop all packets that are not in reply to an allready initiated connection. In the last four you are telling iptables to accept new connections on those ports. Aslo you are probably going to have to let in some UDP packets(for DNS) and some ICMP(time exceeded and such not). If you can lay your hands on it I found "Linux Firewalls" by Ziegler heavy going but has a lot of information about what you need to let in and what you can drop.

Last edited by sharper; 12-25-2003 at 11:06 PM.
 
Old 12-26-2003, 08:33 PM   #12
techchiq
Member
 
Registered: Oct 2003
Location: Western NY State
Distribution: Pink Tie 9 (Red Hat 9 clone from CheapBytes.com)
Posts: 32

Original Poster
Rep: Reputation: 15
Thanks for all the info, everyone. I've saved it all and will be trying things out soon.
 
Old 12-27-2003, 01:35 PM   #13
poison
Member
 
Registered: Dec 2003
Location: Layer 7 =D
Distribution: Slackware, LFS, Rock Linux
Posts: 165

Rep: Reputation: 30
thanks for the info guys...
looks like I _did_ understand it =P
now for my next enemy...sendmail ^^
 
Old 12-27-2003, 02:12 PM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
now for my next enemy...sendmail
It's good to treat Sendmail like a potential enemy, because it has been exploited so many times, chances are your Sendmail (controlled by an attacker) might some day turn on you!

Before you bother going in depth with Sendmail, I'd remove all traces of it and install a replacement, such as Postfix or Qmail. They're both much more secure.
 
Old 12-27-2003, 02:50 PM   #15
timdsmith
Member
 
Registered: Nov 2003
Location: The Colony, TX
Distribution: Slackware, Debian Etch, FreeBSD, MicroSh*t free.
Posts: 209

Rep: Reputation: 30
Here's a nice clean way to flush your existing rules and set the default policy to drop.

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

Then if you want to allow establish/related traffic in do

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT

of course you'll probably have your variables set up differently, so you'll have to adjust for that.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
"stealth" routing HOWTO Soulstealer Linux - Networking 9 04-18-2005 07:06 AM
making, checking secure linux box archish Linux - Security 8 05-11-2004 02:29 AM
Want to secure your linux box..then read this? blessen Linux - Security 6 03-15-2004 11:50 PM
Howto setup two stage firewall? Linux and router-in-a-box? drdirt Linux - Security 5 01-10-2004 02:51 AM
how do you set up your Linux box to route secure wifi? richard3403 Linux - Wireless Networking 0 11-15-2003 02:40 PM


All times are GMT -5. The time now is 05:43 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration