Old 03-17-2004, 10:49 PM   #1
robertn
Member
 
Registered: Mar 2004
Location: mid-atlantic
Distribution: mandrake 9.1 rc2
Posts: 43

help newbie; quick secure browsing


Hello,
I read (maybe half) the posts here and see there is plenty to learn. So far, I have copied (to a floppy) a short and sweet Iptables script, the output of netstat and nmap (using suggested switches), and a list of services running at startup (way too many). I have tried to use the Mandrake 9.1 Control Center to turn off some services and set up a firewall. The following thread is statement of the problem I have had in not being able to make the changes stick.

http://www.linuxquestions.org/questi...6&goto=newpost


The context of my pursuit here is that I would like to take the Linux connection onto the web and perhaps use the MandrakeUpdate tool for security and bug fixes and whatever else seems like a good idea and not just wheel grinding of which I am tired. But it frightens me to go on line (I have used Mozilla and the connection is working fine) without a firewall and known security risk ports open.

My analysis says that I need some one to review my "services at startup" list and be advised as to what I can shut down and how to do it with the least trouble at the command line. My idea was to just move the unneeded executables from /etc/rc.d/init.d/ to etc/tmp/ or some such parking place. Then, I would like to take the next step and place the proper executable iptables script and make it run on startup. I have other steps in mind as well gleaned from the experts in this section and would like to be mentored on this. I was hoping to have some of it done but the GUI is acting like a butthead.

Anybody game to help this? Respond to this post with what command results (see paragraph one for what I have ready to go) you would like posted here and I will be grateful.

thanks in advance robertn

Last edited by robertn; 03-17-2004 at 10:57 PM.
 
Old 03-18-2004, 12:55 AM   #2
mightymouse
Member
 
Registered: Mar 2004
Posts: 31

Hmm, I don't use Mandrake so I can't offer distro specific advice. However, many of these services switched on by default will probably be running from inetd or xinetd (whichever you have). You can switch them off by just editing your /etc/[x]inetd.conf file and commenting out the ones you don't want. After that run "killall -HUP inetd" etc. The changes will be permanent and the services won't switch themselves back on at the next reboot.

As to messing with your boot scripts - Go Ahead! It's a really fun learning experience. I suggest you back them up somewhere safe first though, in case you make any significant mistake. Mandrake may also have some GUI config tool for managing your boot scripts, so you might want to look into that.

Good luck
 
Old 03-18-2004, 02:39 PM   #3
robertn
Member
 
Registered: Mar 2004
Location: mid-atlantic
Distribution: mandrake 9.1 rc2
Posts: 43

Original Poster
thanks mightymouse

I have just now returned from the link referenced here and as the update post indicates, I have solved my KDE GUI related problems; the tools are fairly easy to use once one figures out how to access them.

I do appreciate your command line suggestions and I will definitely go and look at the files you indicated. I have been playing (carefully--and not as root user, when possible) in the /etc, /etc/rc.d and /etc/rc.d/init.d directories and it (the structure that the machine is using) starts to fall into place after a while. I like the GUIs (when they work) as it assures me that I am going to get some reasonably effective initial setup going so that my Linux setup is functional. So far, so good. I love this LinuxQuestions forum and have killed dozens of hours in here with pleasure.

thanks again, robertn
 
Old 03-20-2004, 08:57 PM   #4
robertn
Member
 
Registered: Mar 2004
Location: mid-atlantic
Distribution: mandrake 9.1 rc2
Posts: 43

Original Poster
update iptables bootscript

Having gotten the default GUI firewall tool in Mandrake 9.1 to either give me "no firewall" or "no access" to the www and having seen others post with the same problem, I returned to the bootscript approach and copied one from a forum to a file /etc/rc.d/rc.firewall and gave it 755 permissions.

Next, I opened /etc/rc.d/rc.local and added the line "etc/rc.d/rc.firewall" without the quotes to the bottom of the file so as to run the rc.firewall executable on boot.

I turned off the GUI firewall in MCC and rebooted; I accessed the web and went to Sygate for a portscan and it looked like I had done something. Whereas before the best that was reported was that many ports were "closed" and many were open reflecting services which I have since shutdown, now I had many ports "undetected" and only 2 open ports.

The 6000 port for X11 and 631 for CUPS were vulnerable so I returned to the command line and added " -nolisten tcp" to the Xserver initialization line (See Security forum for clues to the path) and used "nmap -vv localhost" to confirm that now the only port of interest is 631 for CUPS.

The new problem is that when I tried to access the web, I was trapped inside my connection and could not get past the ISP. This is identical to the condition with any settings except "no firewall" in the GUI.

I am getting frustrated with this. Any comments from anybody?

thanks for any help robertn


ps I traced my "iptables" file to /sbin/iptables and everything looks right, but I really don't know that the script I boot is doing anything. For all I know, some default script is running from all the fiddling I have been doing with Shorewall. Hope I have not confused the reader with all this; I have certainly confused myself.
 
Old 03-21-2004, 05:35 AM   #5
mightymouse
Member
 
Registered: Mar 2004
Posts: 31

Well, copying an rc.firewall script from some forum might be a bad idea, especially if you don't know the situation it's intended to be used in. If you want to use something general purpose try Google for "monmotha". The best thing to do would be to simply write your own script; have a look at www.netfilter.org. In particular, the iptables-tutorial, which should teach you what to do and contains a whole bunch of scripts which you could just adapt to your needs rather than have to write a new one from scratch.

Note that your rc.local entry must include the leading / to run the script: "/etc/rc.d/rc.firewall". You probably would also benefit from having some output text to the console to confirm that the script was executed successfully. You can try:

if [ -x /etc/rc.d/rc.firewall ]; then
    echo "Starting iptables firewall in file /etc/rc.d/rc.firewall...."
    /etc/rc.d/rc.firewall && echo "OK"
fi

Something to keep in mind when you visit an online port scanning facility through the web is that your connection might be through your ISP's proxy server. This may mean that when you use their service to run a port scan you are actually scanning their proxy server rather than your own computer! To find your IP, have a look at the output from "ifconfig" (probably in /sbin).

You can portscan your own computer on your own by using the nmap utility (www.insecure.org/nmap/) on all of the IP addresses associated with the machine (again, find all of these by running ifconfig). To see what services you have running you can just use the "netstat" utility. The man page contains all the info on how to use it.
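As an added illustration of the advice above (not a script from this thread or from the Security Quick Start HOWTO), here is a minimal rc.firewall for a standalone dial-up desktop that exposes nothing inbound, written so it can be called from the rc.local wrapper shown in the reply. It assumes iptables lives at /sbin/iptables (the path the original poster found); the DRY_RUN switch and the LOG rule are constructed additions so the rule set can be reviewed without root and dropped probes show up in syslog.

```shell
#!/bin/sh
# Constructed example: minimal rc.firewall for a single desktop with no LAN.
# DRY_RUN=1 prints the iptables commands instead of running them, so the
# rule set can be reviewed on a machine without iptables or root.
IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Loads the rule set. Everything inbound is dropped unless it belongs to a
# connection this host started, so services such as X11 (6000) and CUPS (631)
# are unreachable from outside even if they are still listening.
load_firewall() {
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Local processes talking to each other over the loopback interface.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated (web, DNS, mail, updates).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate limited) and drop anything else so probes can be seen in syslog.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "rc.firewall drop: "
    ipt -A INPUT -j DROP
}

# Counts the INPUT rules load_firewall would append, using dry-run mode;
# a quick way to confirm the script produces a non-empty rule set.
rule_count() {
    ( DRY_RUN=1; load_firewall ) | grep -c " -A INPUT "
}

# Apply the rules only when executed as rc.firewall, not when sourced.
case "$0" in
    */rc.firewall|rc.firewall) load_firewall && echo "rc.firewall: rules loaded" ;;
esac
```

Run it with DRY_RUN=1 first to read the commands it would issue; after loading for real, "iptables -L -n" and an nmap scan of each address from ifconfig should show only established-connection traffic getting in.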
 
Old 03-22-2004, 09:48 PM   #6
robertn
Member
 
Registered: Mar 2004
Location: mid-atlantic
Distribution: mandrake 9.1 rc2
Posts: 43

Original Poster

MightyMouse,

TY for the reply; of course the / belongs in the command--typo in my post.

Regarding the script for displaying text, I am assuming that this is added to rc.firewall? Is that correct?

Thanks for the web site references, I will check them out;

Thanks for the warning about precopied scripts; the one I chose seemed to be generic with good documentation and most of it commented so one could run it piece by piece (by uncommenting things as success continued), but this is not my problem now.

I reinstalled Mandrake 9.1 as I had stepped on Xfonts due to improper shutdown (while looping due to some experiment I was trying while trying to get on the web via Linux). My GUI Shorewall is very persnickety. I am fine with reloading as it gave me an opportunity to set up partitions more beneficial to me given limited disk space.

But right back to the same problems, I tried to make Shorewall work from the GUI and get "cannot locate the address ....google.com" from Mozilla, which is launched with an ISP connection, meaning that I have no trouble making KPPP recognize my modem and dial my ISP and connect. I am just trapped there inside the ISP's firewall, I am presuming. I try to set the "no firewall" connection in the GUI and am going to just stop it from booting so I can fiddle with IPTABLES.

Question--I have an onboard ethernet card but this is just standalone desktop with no LAN; should I stop the network service and xinetd from starting on boot? I am thinking that this stuff might be confusing the GUI.

Yes I think I will do that. This is getting me frustrated, but I know I can get it to work as I have done it once already.

I am familiar with the tools "nmap -vv localhost" and "netstat -pant" by reading the forum posts, maybe yours. ty again

also thanks for the warning about reading the ISP firewall, but when I had run it before, I was showing port 6000 for X and port 631 for CUPS so I figured it was my machine. Further, I learned to set Xservers to "-nolisten tcp" and it seemed to work. The CUPS config file is a little daunting and I think I will just stop CUPS for a while as I don't print on this hookup too much.

robertn

Last edited by robertn; 03-22-2004 at 09:51 PM.
 
Old 03-26-2004, 03:27 PM   #7
robertn
Member
 
Registered: Mar 2004
Location: mid-atlantic
Distribution: mandrake 9.1 rc2
Posts: 43

Original Poster
I have successfully copied a "rc.firewall" script from the documentation included on my Distro (Mandrake 9.1). The HOWTO is Security Quick Start for Linux and the version is v. 1.2 2002-07-21 and all I did was copy and paste the suggested code in the IPTABLES section to my /home/tmp file and made it executable (chmod 755 /home/tmp/rc.firewall). I tested it by entering /home/tmp/rc.firewall at the command line as root and then exited root before connecting to the web. It showed all my ports blocked at the Sygate free test site.

Very embarrassed that this simple solution worked as I could have avoided all this typing and the efforts of those like MightyMouse who have tried to help. Thank you very much.

robertn

Last edited by robertn; 03-26-2004 at 03:52 PM.
 