LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-20-2001, 12:59 AM   #1
hypokondriak
LQ Newbie
 
Registered: Sep 2001
Distribution: Red Hat 7.1 + Gnome
Posts: 6

Rep: Reputation: 0
possibly a dumb question about ipchains


I just installed Red Hat 7.1 a few days ago which I though was supposed to have the 2.4 kernel. I configured my firewall to 'high' and opened up ftp for my ftp server through the /usr/sbin/setup utlity.

I ran a port scan on myself and only the ftp and an X11 - port 6000 were open.

1) Is this method of a firewall safe/secure?

2) If iptables replace ipchains in 2.4, why is RedHat 7.1 still using ipchains? (it updates ipchains after running the setup util)

3) What is X11 and what is it doing with port 6000?

Thank You
 
Old 09-20-2001, 02:54 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733
It is not *supposed* to. It *has* kernel-2.4.2. Rpm's for 2.4.3 are available from your local mirror, else get the source for the latest (greatest?) 2.4.9

1. I never heard of compromising a server tru handling/exploiting ipchains, so Im defaulting to the opinion ipchains itself is "safe" to run (if your rules are blocking the right stuff, ok), it doesn't have security features itself.
I don't know what ftpd you're running. It might be safe or unsafe to run, depending on make, version, patchlevel and how it's deployed (daemon account, chroot/jail, root/sys/anonymous accounts, writes, traffic limiting). What it at least definately *isn't* is secure, ftp sends login/password combo's in cleartext.

2. RTM, Iptables is ready to start, it only needs you to change your choice from chains to tables (and rules). There where enuff tools during the RH install to facilitate GUI editing of the firewall(IIRC).

3. X11 is the XFree Server. Port 6000/TCP is the first port opened when the X Server starts to listen for traffic from other hosts, each additional concurrent session increments the number by one(IIRC). Unless a user binds X to use another port (:1) starting it at 6000 is an indication a (root)login is going on, which is nice for scans :-].
There's 3 things you can do make things a bit more safe: I. use xhost to deny traffic to your X Server from other hosts (xhost -), II. add a chains/tables rule denying external traffic from connecting to the TCP/6000:6063 range, III. start X like "startx -- -nolisten tcp" to have X not listening to traffic on that port.

HTH
 
Old 09-20-2001, 08:06 AM   #3
hypokondriak
LQ Newbie
 
Registered: Sep 2001
Distribution: Red Hat 7.1 + Gnome
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
1. I never heard of compromising a server tru handling/exploiting ipchains, so Im defaulting to the opinion ipchains itself is "safe" to run (if your rules are blocking the right stuff, ok), it doesn't have security features itself.
I don't know what ftpd you're running. It might be safe or unsafe to run, depending on make, version, patchlevel and how it's deployed (daemon account, chroot/jail, root/sys/anonymous accounts, writes, traffic limiting). What it at least definately *isn't* is secure, ftp sends login/password combo's in cleartext.
I am running ProFTPd 1.2.1 (which I believe is the latest). I am not sure how it is deployed - my guess would be by the root account. I have removed anonymous access, ftp account, and removed many of the uneeded 'default' accounts created by RH. I also have everything denied in the 'hosts.deny' file and only ip address ranges of those I have given accounts to in my 'hosts.allow' file (I have to use ranges since not all users have static ip's). I might be incorrect in thinking this (due to being a newbie), but I think I have gotten my FTP as secure as possible.

Quote:
2. RTM, Iptables is ready to start, it only needs you to change your choice from chains to tables (and rules). There where enuff tools during the RH install to facilitate GUI editing of the firewall(IIRC).
How do I check to see which version of the kernel I have, and how would I change from IPCHAINS to IPTABLES? I am not really worried about security with IPCHAINS,... just being a newbie I would rather focus on learning what I will be using in the years to come.

Quote:
3. X11 is the XFree Server. Port 6000/TCP is the first port opened when the X Server starts to listen for traffic from other hosts, each additional concurrent session increments the number by one(IIRC). Unless a user binds X to use another port (:1) starting it at 6000 is an indication a (root)login is going on, which is nice for scans :-].
There's 3 things you can do make things a bit more safe: I. use xhost to deny traffic to your X Server from other hosts (xhost -), II. add a chains/tables rule denying external traffic from connecting to the TCP/6000:6063 range, III. start X like "startx -- -nolisten tcp" to have X not listening to traffic on that port.
Sorry for another 'newbie' question, but my x starts automatically - what file do i need to edit so I can have it start with the '-- -nolisten tcp' option?

Finally, do you know a good current 'amoring your system' type source so I don't have to ask so many questions here? Everything I have found is for Red Hat 5.2 and it looks like most of the things they were suggesting to correct were either moved or have been corrected by the newer version.

Thank You
 
Old 09-21-2001, 05:22 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733
1. Good work to secure your ftpd usage!
Now. Start up your ftpd. Log in. Now issue "ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*" w/o quotes. If you're on 1.2.1, any rc, but I guess rc3 definately, your ftpd will have a mental breakdown due to globbing. Gotta upgrade.

A lot of daemons can be configured to "step down", they will use the root account to bind themselves to a privileged port below 1024, and then transfer themselves to their own less privileged account, like sendmail for instance uses the mail account. If you want to play it safer, look into that. You could also use chroot or jail to place the service in a "sandbox" type of environment where it would behave shielded off from the rest of the box. mind you, this isnt unbreakable.

2. kernel version is either tru "uname", or "cat /proc/version".
I know theres a script outthere thats sposed to convert ipchains scripts to iptables, but to understand it thouroughly I guess I better go tru the conversion manually using the iptables howto at http://people.unix-fu.org/andreasson/index.html.
If you look in /etc/rc.d/init.d you'll see the SYSV script to start iptables. To start either change the links manuallly in your runlevel, using tksysv or linuxconf.

3. Dont be sorry. In many disciplines/trades/fields Im a newbie too. I mean, my understanding of Nucleic acids and neurotransmitters like L-dopamine is almost nill, my access pass for the Death Star never came tru (hell, I only needed *one* lousy shot), and operating a Comanche seems to be different from what Novalogic tries to teach me :-]

You'll need to find "startx" which I spose is in /usr/X11/bin and change the startup parameters, or change the parameters in the script that supplies parameters to startx, which will be under /etc/X11/(xdm/?)


Ok, you want resources so you dont have to post, but remember asking here not only benefits you, but everyone else that reads these posts.
Ive compiled my list of references a while ago, so theres lotsa stuff inhere you might not be interested in at this point, maybe later on, HTH:

Basic references:
- AUSCERT UNIX Computer Security Checklist (Version 1.1) www.cert.org/tech_tips/AUSCERT_checklist1.1
- Steps for Recovering from a UNIX or NT System Compromise www.cert.org/tech_tips/root_compromise.html
In fact read the whole of http://www.cert.org/tech_tips/
- The CIT Computer Security Handbook: www.cit.nih.gov/security/handbook.html
- Aging stuff from Phrack, good to read back to be sure, like "Unix System Security Issues" www.fc.net/phrack/files/p18/p18-7.html
- SEI stuff like www.sei.cmu.edu/publications/lists.html handling IDS
- Intrusion Detection and Network Auditing on the Internet www.infosyssec.net/infosyssec/intdet1.htm

Top it off with some reading material on security:
- Security tips: www.cert.org/tech_tips/ and www.cert.org/security-improvement/, http://www.securityportal.com/resear...xsecurity.html
- Top ten vulnerabilities: www.sans.org/topten.htm and http://www.cert.org/present/cert-ove...ends/index.htm
- Firewalling: www.infosyssec.net/infosyssec/firew1.htm, www.linux-firewall-tools.com/linux/
- Securing Xwindows: http://www.uwsg.indiana.edu/usail/ex...d/xsecure.html

Basic Linux references:
http://www.sans.org/infosecFAQ/linux/linux_list.htm
- the LASG or Linux Administrators Security Guide (linuxdoc.org)
- Securing Optimizing Linux RH Edition(1)
*Linuxsecurity.com have a Quickreference pdf card.
Post-Installation Security Procedures (Linuxjournal)
- The Linux-PAM System Administrators' Guide
- A Short Course on Systems Administration and Security Under Unix(1)
- Basics on firewalling: www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
- Basic introduction to building ipchains rules: www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
- Explanation of the Ipchains logformat: logi.cc/linux/ipchains-log-format.php3
- Ipchains log decoder: dsl081-056-052.dsl-isp.net/dmn/decoder/decode.php
- The Iptables HOW-TO: http://people.unix-fu.org/andreasson/index.html

Some allround knowledge/mailinglist sites
Neohapsis archives: http://www.neohapsis.com
Linux Gazette: http://www.linuxgazette.com
Experts exchange: http://www.experts-exchange.com

Or, if ure just cruisin for links, try n read something else, search/visit these places/ppl that mean something: Sans, cert, auscert, lance spitz, dugsong, loki, robert graham, dave dittrich, wietse venema, fyodor, mixter, monark to name but a few.

Also note O'Reilly has a myriad of books which, unfortunately for them, can also be found online, just search for "O'reilly and bookshelf", "o'reilly reference bookshelf" or "o'reilly cd bookshelf".
 
Old 09-21-2001, 10:46 AM   #5
hypokondriak
LQ Newbie
 
Registered: Sep 2001
Distribution: Red Hat 7.1 + Gnome
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for all your help - I'm glad I have finally found a place where my questions get answered (I have found the irc a very difficult place to get answers at).

The only way linux can take over Windows is if we make sure all users who convert stick with it.

One more question - I have read in a couple places about how setting up an 'external' machine for logging is great for security (you lock everything down on the server except allowing your mahcines to write log files - this makes a somewhat 'hacker proof' log source). Have you heard about this and would it be effective?

The reason I ask is because I have an old Pentium 50mhz collecting dust - I thought this might be a good chance to install a different distribution than red hat (possible slackware or debian) and set this up just for logging.

Just an opinion thing..
 
Old 09-22-2001, 06:20 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733
Well, sometimes I try to help out in some #linux channels, but most of the time there's too much background noise.

Linux won't "take over" from Wintendo. Real conversion is only for those who see it benefits them. Need some real life examples?

Syslog can be done remote, ok. Now what if the intruder cuts off syslog? Or netseds the logs? Btw, there's an enhanced version which cryptographically garbles logs called "secure syslog" (freshmeat.net). Tho I doubt if remote logging will make a difference in a small home setup. IMO, youd better invest time in active/ passive detection with apps like Snort and Aide or Tripwire.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Possibly the dumbest question I would ever expect to ask pyrael Linux - General 9 11-22-2005 05:52 AM
Possibly a dumb question keeper70 Linux - Newbie 2 07-28-2005 09:14 AM
Possibly a silly browser question... ladyath Linux - General 2 12-10-2004 12:02 AM
stupid question possibly... derekn Linux - Networking 1 11-03-2004 10:42 AM
grep (possibly regex) question. mwtheobald Linux - Newbie 1 08-17-2002 03:05 PM


All times are GMT -5. The time now is 02:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration