LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 11-25-2003, 01:39 PM   #1
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
If I had a compromised machine...


Hi guys,
This is a total imaginary situation but I'm very curious to know this.
Imagine a LinuxBox working as a gateway with firewall, IDS and so on.
The client is a micro$hit windows machine which is running a vulnerable client program such as a P2P application.
The firewall has all the FORWARD and the -state established settings to make the thing work. Here comes my question:
theory says in this way an attacker would be able to attack my client machine using overflows exploits etc.
Excluding iptables bugs and access to administration services by the client, would it be possible to compromise the gateway?
In other words, does forwarding keep the gateway safe?
Thank you!
 
Old 11-26-2003, 02:12 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
What runs on the gateway itself?
How freely do you allow the client access to the gw's admin features?
 
Old 11-27-2003, 07:41 AM   #3
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
There was a problem with NAT in linux <= 2.4.21 if I remember correctly.
 
Old 11-27-2003, 09:34 AM   #4
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Original Poster
Rep: Reputation: 15
Quote:
What runs on the gateway itself?
Well, the firewall, DCHP server, web server, that's it. No proxy or mail stuff.
Quote:
How freely do you allow the client access to the gw's admin features?
no admin features at all.
 
Old 11-27-2003, 11:13 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
Well, the firewall, DCHP server, web server, that's it.
We'll assert you properly configured the firewall (allowing only non-server non-syn UDP, TCP and partial ICMP back in, access to MICROS~1 services blocked), if it is, and you're not running additional apps to add/del routing or fw rules like portsentry or Guardian, and if you're not keeping a close eye on logging, then, if you haven't partitioned a separate /var, and if you're logging on the fw itself, and if you have enough LOG target rules, the only thing we can hope for is to flood logging and try to fill up diskspace to the point where nothing gets logged anymore. If that itself doesnt break things, it should give us at least the security nothing gets written to logs. Of course it's unknown how much space you got, so it's not something to try unless really desperate/bored, still it's a possibility.
We'll also assert you properly configured HDCPd and that it's only running on the LAN side, meaning it's not accessable from the outside, hence not vulnerable to outside attacks.
For the webserver, what's the name and version? What features does it have? What interaction is allowed? Does it use PHP? CGI scripts? Any default installation scripts left? Any scripts that give us extended info of the system itself?


no admin features at all.
Weird. Cuz in your initial post you wrote "Excluding iptables bugs and access to administration services by the client". Sure there are no administration services running on the gw? Telnetd, Sshd, webmin, any other GUI?


As an exception, there's something you could run for me on the gw. I developed it just for situations like these and it should help detect a lot of crap, but you'll have to trust me. If you do, email me (you got my address already) and I'll send you the URI where to pick it up, just tell me what distribution (Debian, isn't it?) and kernel you're running. FWIW, I've been a moderator for years if that means something on the credentials side, and I usually don't send apps to people. And of course it'll be GPG-signed and all sources are included.
 
Old 11-27-2003, 02:27 PM   #6
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Quote:
Originally posted by unSpawn
[i]As an exception, there's something you could run for me on the gw. I developed it just for situations like these and it should help detect a lot of crap, but you'll have to trust me. If you do, email me (you got my address already) and I'll send you the URI where to pick it up, just tell me what distribution (Debian, isn't it?) and kernel you're running. FWIW, I've been a moderator for years if that means something on the credentials side, and I usually don't send apps to people. And of course it'll be GPG-signed and all sources are included.
I'm pretty curious now, hint hint
 
Old 11-27-2003, 03:02 PM   #7
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Original Poster
Rep: Reputation: 15
Nice description of the situation unSpawn!
Quote:
We'll also assert you properly configured HDCPd and that it's only running on the LAN side, meaning it's not accessable from the outside, hence not vulnerable to outside attacks.
Exactly.
Reguarding the web server, it is: Apache/1.3.26 Server (as Debian Woody suggests) with PHP4 support but no cgi support. Plus, the document root has been chrooted. The modules loaded are minimal. There is only a PHP scripts that returns the ppp0's IP address.

Quote:
Weird. Cuz in your initial post you wrote "Excluding iptables bugs and access to administration services by the client".
I said so for being general. Since this case is (partially) ideal, let's say there are not administration tools. No telnet or webmin and no even ssh. In reality it just has a ssh access with one-time-pad 16bytes password and additional RSA authentication.

I'd like to help you unSpawn, I'll email you soon so we can discuss about this
 
Old 11-28-2003, 10:57 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
I'd like to help you unSpawn, I'll email you soon so we can discuss about this
//FWIW, this was a trick up my sleeve to see if TheIrish would catch the bait and could be persuaded into running something on the GW. I bailed out (trust abuse issue), we discussed what I was trying to do, and he passed the test cuz he said he'd never run something that wasn't from security.debian. Congrats. It's good to see ppl with a healthy dose of paranoia and discipline! (I hope that goes for you too Iceman47)

Point is, who and what can you trust? In essence: not many and not much. Do not automagically trust something at face value, don't install binaries but compile yourself, use GPG signed sources from "known good" repositories, and always ask for second opinions if unsure. just to make sure ppl understand: only on VERY RARE occasions I would send my fellow LQ members applications, if I need to send something it will be URI's most of the time. I don't "advertise" stuff, anything I send will always be run and verified by myself and isn't sent w/o agreement of the receiving party.


I said so for being general. (...) In reality it just has a ssh access with one-time-pad 16bytes password and additional RSA authentication.
It's not much in terms of "trust", but I hope you restricted network access to some "known good" IP's you'll be working from and account access to an unprivileged one?


As for Apache/PHP, if they're up to date, properly configured and run as lesser-privileged user and with minimal features, then (as far as sparse details allow) I'd say you got that covered.
 
Old 11-28-2003, 12:10 PM   #9
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Original Poster
Rep: Reputation: 15
As I said in a private email to unspawn, when the binary is not certified (this means, not coming from *.debian.org), I only install from sources and this happens very rarely. Being a programmer more then a sysadmin, I can quite well understand what goes on in a source.
Quote:
t's not much in terms of "trust", but I hope you restricted network access to some "known good" IP's you'll be working from and account access to an unprivileged one?
Come on! IT is obvious I restricted the access to a known good IP. In fact, in my real network I have a Mac who works as a console. The check is made on IP, MAC Address and which Network Interface Card receives the data. By the way, the gateway has 3 interfaces used for: LAN, WAN, CONSOLE. In this way I can't do remote administration, but hell, I don't need it.
Quote:
As for Apache/PHP, if they're up to date, properly configured and run as lesser-privileged user and with minimal features, then (as far as sparse details allow) I'd say you got that covered.
Always up-to-date, with Debian upgrades... this means only-stable releases. Finally, the config should be as minimal as possible, and working correctly.

PS: almost forget... if you're asking yourself, YES, I'm paranoic

Last edited by TheIrish; 11-28-2003 at 12:16 PM.
 
Old 11-28-2003, 02:31 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
Come on! IT is obvious I restricted the access to a known good IP.
Well, forgive me for asking, OK?

PS: almost forget... if you're asking yourself, YES, I'm paranoic
Welcome to the club :-]
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Machine compromised, now have ports opened tvn Linux - Security 4 09-21-2005 04:04 AM
Machine compromised, now have ports opened tvn Fedora 1 09-13-2005 06:30 PM
Compromised machine delling81 Linux - Security 3 04-05-2005 11:20 PM
Compromised? I can't tell. Chuck23 Linux - Security 11 02-15-2005 08:33 AM
Am I compromised? dripter Linux - Security 5 01-27-2004 01:31 AM


All times are GMT -5. The time now is 04:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration