LinuxQuestions.org forum: Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi guys,
This is a total imaginary situation but I'm very curious to know this.
Imagine a LinuxBox working as a gateway with firewall, IDS and so on.
The client is a micro$hit windows machine which is running a vulnerable client program such as a P2P application.
The firewall has all the FORWARD and the -state established settings to make the thing work. Here comes my question:
Theory says that in this way an attacker would be able to attack my client machine using overflow exploits etc.
Excluding iptables bugs and access to administration services by the client, would it be possible to compromise the gateway?
In other words, does forwarding keep the gateway safe?
Thank you!
Well, the firewall, DHCP server, web server, that's it.
We'll assert you properly configured the firewall (allowing only non-server non-syn UDP, TCP and partial ICMP back in, access to MICROS~1 services blocked). If it is, and you're not running additional apps to add/del routing or fw rules like portsentry or Guardian, and if you're not keeping a close eye on logging, then, if you haven't partitioned a separate /var, and if you're logging on the fw itself, and if you have enough LOG target rules, the only thing we can hope for is to flood logging and try to fill up diskspace to the point where nothing gets logged anymore. If that itself doesn't break things, it should give us at least the security that nothing gets written to logs. Of course it's unknown how much space you got, so it's not something to try unless really desperate/bored, still it's a possibility.
We'll also assert you properly configured DHCPd and that it's only running on the LAN side, meaning it's not accessible from the outside, hence not vulnerable to outside attacks.
For the webserver, what's the name and version? What features does it have? What interaction is allowed? Does it use PHP? CGI scripts? Any default installation scripts left? Any scripts that give us extended info of the system itself?
no admin features at all.
Weird. Cuz in your initial post you wrote "Excluding iptables bugs and access to administration services by the client". Sure there are no administration services running on the gw? Telnetd, Sshd, webmin, any other GUI?
As an exception, there's something you could run for me on the gw. I developed it just for situations like these and it should help detect a lot of crap, but you'll have to trust me. If you do, email me (you got my address already) and I'll send you the URI where to pick it up, just tell me what distribution (Debian, isn't it?) and kernel you're running. FWIW, I've been a moderator for years if that means something on the credentials side, and I usually don't send apps to people. And of course it'll be GPG-signed and all sources are included.
Quote: Originally posted by unSpawn
As an exception, there's something you could run for me on the gw. I developed it just for situations like these and it should help detect a lot of crap, but you'll have to trust me. If you do, email me (you got my address already) and I'll send you the URI where to pick it up, just tell me what distribution (Debian, isn't it?) and kernel you're running. FWIW, I've been a moderator for years if that means something on the credentials side, and I usually don't send apps to people. And of course it'll be GPG-signed and all sources are included.
Quote:
We'll also assert you properly configured DHCPd and that it's only running on the LAN side, meaning it's not accessible from the outside, hence not vulnerable to outside attacks.
Exactly.
Regarding the web server, it is: Apache/1.3.26 Server (as Debian Woody suggests) with PHP4 support but no CGI support. Plus, the document root has been chrooted. The modules loaded are minimal. There is only one PHP script, which returns ppp0's IP address.
Quote:
Weird. Cuz in your initial post you wrote "Excluding iptables bugs and access to administration services by the client".
I said so for being general. Since this case is (partially) ideal, let's say there are no administration tools. No telnet or webmin and not even ssh. In reality it just has ssh access with a one-time-pad 16-byte password and additional RSA authentication.
I'd like to help you unSpawn, I'll email you soon so we can discuss about this
//FWIW, this was a trick up my sleeve to see if TheIrish would catch the bait and could be persuaded into running something on the GW. I bailed out (trust abuse issue), we discussed what I was trying to do, and he passed the test cuz he said he'd never run something that wasn't from security.debian. Congrats. It's good to see ppl with a healthy dose of paranoia and discipline! (I hope that goes for you too Iceman47)
Point is, who and what can you trust? In essence: not many and not much. Do not automagically trust something at face value, don't install binaries but compile yourself, use GPG signed sources from "known good" repositories, and always ask for second opinions if unsure. just to make sure ppl understand: only on VERY RARE occasions I would send my fellow LQ members applications, if I need to send something it will be URI's most of the time. I don't "advertise" stuff, anything I send will always be run and verified by myself and isn't sent w/o agreement of the receiving party.
Quote:
I said so for being general. (...) In reality it just has ssh access with a one-time-pad 16-byte password and additional RSA authentication.
It's not much in terms of "trust", but I hope you restricted network access to some "known good" IP's you'll be working from and account access to an unprivileged one?
As for Apache/PHP, if they're up to date, properly configured and run as lesser-privileged user and with minimal features, then (as far as sparse details allow) I'd say you got that covered.
As I said in a private email to unSpawn, when the binary is not certified (this means, not coming from *.debian.org), I only install from sources, and this happens very rarely. Being a programmer more than a sysadmin, I can quite well understand what goes on in a source.
Quote:
It's not much in terms of "trust", but I hope you restricted network access to some "known good" IP's you'll be working from and account access to an unprivileged one?
Come on! It is obvious I restricted the access to a known good IP. In fact, in my real network I have a Mac that works as a console. The check is made on IP, MAC address and which network interface card receives the data. By the way, the gateway has 3 interfaces used for: LAN, WAN, CONSOLE. In this way I can't do remote administration, but hell, I don't need it.
Quote:
As for Apache/PHP, if they're up to date, properly configured and run as lesser-privileged user and with minimal features, then (as far as sparse details allow) I'd say you got that covered.
Always up-to-date, with Debian upgrades... this means only-stable releases. Finally, the config should be as minimal as possible, and working correctly.
PS: almost forgot... if you're asking yourself, YES, I'm paranoid
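The thread circles around one ruleset: FORWARD with ESTABLISHED/RELATED state matching for the Windows client, LOG rules that an attacker could flood to fill /var, a DHCP daemon that must answer only on the LAN side, and ssh reachable only on the console NIC from a known IP and MAC. The following is an added example (not code from the thread or from either poster) that writes such a ruleset in iptables-restore format for a three-interface gateway and runs two sanity checks over it before loading. Interface names (eth0 WAN, eth1 LAN, eth2 console), the LAN network, the console IP and the console MAC are constructed placeholders; the `-m state`, `-m limit` and `-m mac` modules are the ones shipped with the iptables of that era.

```shell
#!/bin/sh
# Added example: generate and check an iptables-restore ruleset for a
# LAN/WAN/CONSOLE gateway. All interface names, addresses and the MAC below
# are constructed placeholders, not values from the thread.
WAN=eth0                     # the poster uses ppp0; assumed eth0 here
LAN=eth1
CON=eth2                     # dedicated console NIC, never routed
LAN_NET=192.168.1.0/24       # constructed
CON_IP=10.0.0.2              # constructed "known good" console address
CON_MAC=00:11:22:33:44:55    # constructed console MAC

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Rate-limited LOG target: a flood of dropped packets cannot fill /var with log lines
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
# Loopback and replies to sessions the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP requests are accepted on the LAN interface only; nothing listens on the WAN
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
# ssh only on the console NIC, and only from the known IP with the known MAC
-A INPUT -i $CON -s $CON_IP -m mac --mac-source $CON_MAC -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The small web server (the ppp0-address page) is assumed to serve the LAN only
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j LOGDROP
# Forwarding: LAN clients open sessions outward; from the WAN only matching replies come back
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Check 1: both INPUT and FORWARD must default to DROP.
check_policies() {
  gen_rules | grep -q '^:INPUT DROP' && gen_rules | grep -q '^:FORWARD DROP'
}

# Check 2: no rule may accept NEW connections arriving on the WAN interface,
# whether destined for the gateway itself or for the client behind it.
check_no_wan_new() {
  ! gen_rules | grep -- "-i $WAN" | grep -q 'NEW'
}

case "${1:-}" in
  show)  gen_rules ;;
  check) check_policies && check_no_wan_new && echo "ruleset checks pass" ;;
  load)  check_policies && check_no_wan_new && gen_rules | iptables-restore ;;
esac
```

Run it as `sh gateway-fw.sh check` before `sh gateway-fw.sh load`; the load step only reaches iptables-restore if both checks pass. The second check is the one that answers the original question: with a DROP policy and no NEW-state acceptance on the WAN side, the only packets the gateway forwards inward are replies to sessions the client started, so a vulnerable P2P client remains exposed through the sessions it opens itself, but the gateway exposes no listener of its own to the outside.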