LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-15-2007, 06:02 PM   #1
firedancer
Member
 
Registered: Apr 2007
Posts: 146

Rep: Reputation: 15
Question: running a home server, what security measures should I take

Well, after running smoothly for a few weeks, someone has been poking around; I've seen it in my error.log.

And now someone has established a connection, as I speak, for too long for my liking:

tcp 0 0 10.0.0.9:1580 66.35.251.22:9000 ESTABLISHED

I'm not paranoid, but I want to make sure "evil" folks don't compromise the PCs of people who (I ask to) come on my site, through getting their MAC address and such.
I have a DHCP server.

I'm busy with iptables and installed nmap, noticed arpwatch,

so I'm reading,

but what I want is some advice for a newcomer (who's proudly running a simple webserver).
 
Old 10-16-2007, 07:03 AM   #2
firedancer
Member
 
Registered: Apr 2007
Posts: 146

Original Poster
Rep: Reputation: 15
NO love, right.

I just want to say that of the last 3/4 threads/questions I posted, I only got an answer that wasn't needed.

I asked about starting a server, not even a hint. After a week I was going to give up; I woke up on the 8th day and did it all myself,
because actually nothing is too difficult.
Read and do and learn is my method.

My question is, should I keep on posting or should I just read threads on the internet and be done?

I know that one doesn't always get an answer, but I was wondering, because lately it feels like, whatever.

This is probably how I experience it and has nothing to do with others;
maybe my questions aren't clear or so.

Any mod can remove this post,
just a little disappointed.

I shouldn't have started this thread, I guess; I'm better off reading the threads anyway.
 
Old 10-16-2007, 08:17 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I'm sorry to see you're disappointed. Most of the time it has nothing to do with *you*. LQ is a volunteer-driven community effort relying on its members to supply answers when they can and want to. You can't nor shouldn't rely on it for 24/7 OTF replies. I'll check in later today since I gotta run right now.
 
Old 10-16-2007, 09:26 AM   #4
firedancer
Member
 
Registered: Apr 2007
Posts: 146

Original Poster
Rep: Reputation: 15
That already made me feel a little better, unSpawn.

> LQ is a volunteer-driven community effort relying on its members to supply answers when they can and want to.

I know.

> You can't nor shouldn't rely on it for 24/7 OTF replies. I'll check in later today since I gotta run right now.

I understand, that's why I said, it's just me, today!

And there's a lot of reading material, so I shouldn't be disappointed.

---->

Thnx for the reaction.

firedancer
 
Old 10-16-2007, 09:44 AM   #5
dguitar
Member
 
Registered: Jun 2005
Location: Portland, ME
Distribution: Slackware 13, CentOS 5.3, FBSD 7.2, OBSD 4.6, Fedora 11
Posts: 122

Rep: Reputation: 17
Well, here is a start that might be helpful. Port 9000 looks like it is related to something called CSlistener. The only thing I could find out about it is that it might have to do with Websphere - but not really any good info out there at first glance. The IP (66.35.251.22) is owned by a company called SAVVIS, INC. (http://whois.sc will tell you that type of info)

As for Firewalls, if you are new to Linux/Networking and use a GUI for your server - Firestarter might be a good option for you. Also might want to read over the thread that is sticky'd in this section about Failed SSH attempts.

And when it comes to security Paranoia is your friend.

Hope that helps

Last edited by dguitar; 10-16-2007 at 09:45 AM.
 
Old 10-16-2007, 10:12 AM   #6
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,249
Blog Entries: 5

Rep: Reputation: 191
What services are running on your server? Is it strictly a webserver? FTP? SSH?

You could look at a solution to monitor file integrity on your server. These products will monitor your files for changes, and if they are changed it can put back the originals and notify you of the attempted change.
http://sourceforge.net/projects/tripwire/
http://www.la-samhna.de/samhain/
http://osiris.shmoo.com/

Use Firestarter or Guarddog to manage your firewall. These GUI helper apps will make it easier for you to configure your firewall securely if you are unfamiliar with iptables.

fail2ban - a program that monitors your services (SSH, FTP, etc.) for failed login attempts, and then modifies firewall rules on the fly to block login attempts from malicious users.

Not sure how far you want to go with this, so that's a few suggestions for you to look at.
 
Old 10-17-2007, 07:57 AM   #7
jweller
LQ Newbie
 
Registered: Sep 2003
Distribution: fedora, ubuntu, uclinux
Posts: 23

Rep: Reputation: 15
This PDF has a pretty good checklist of things to run through and lock down. It's by no means complete, but it's a pretty good start IMHO.

http://www.sans.org/score/checklists...9dd1a7bb22618c
 
Old 10-17-2007, 08:14 AM   #8
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,249
Blog Entries: 5

Rep: Reputation: 191
Quote:
Originally Posted by jweller View Post
this pdf has a pretty good checklist of things to run through and lock down. It's by no means complete, but it's a pretty good start IMHO

http://www.sans.org/score/checklists...9dd1a7bb22618c
Good call. I always forget about those guides when someone asks a question like this..
 
Old 10-17-2007, 08:26 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905
You can cut out an awful lot of things just with a firewall router, immediately downstream from your cable or DSL box. Yep, the "stateful firewalls" that they provide out-of-the-box are usually quite good.

Beyond that, you need to carefully consider ... exactly what programs you intend to run on your box; exactly what ports will be used and for what purpose; and by what means an outsider might somehow be able to obtain a shell session or its equivalent on your box, however briefly.

If you take simple precautions and "simply plan," you can stop most intruders long enough to make them simply wander on in search of "easier pickings." When there are millions upon millions of systems out there that are utterly unprotected, they play the numbers.
 
Old 10-17-2007, 09:35 PM   #10
firedancer
Member
 
Registered: Apr 2007
Posts: 146

Original Poster
Rep: Reputation: 15
Thnx guys, I had a look into iptables, cheops, Rootkit Hunter and played with the "permissions" (chmod) of certain directories like logs etc., just to start somewhere.

Right now it's a basic webserver, but I'm thinking of FTP, mail and other things.

I was thinking of the GUI Firestarter, to see if I can apt-get that, but I'm a little familiar with Linux OSs, so I was thinking of writing a script or so; there are many, also on this forum.

Well, about security, I've been getting stuff like this in my error.log:

123.4.125.169 - [17/Oct/2007 08:56:31 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
123.4.125.169 - [17/Oct/2007 08:56:32 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
200.12.212.117 - [17/Oct/2007 18:23:35 -0400] [error 403] Forbidden http://localg4.techiemedia.net/env2.php

and that is not a good sign; that's the reason for my concern too, I just noticed it in the log.

I will check other measures like fail2ban or so.

And many thanx to you; you (guys) cleared up many of my doubts.

firedancer

Last edited by firedancer; 10-17-2007 at 09:40 PM.
 
Old 10-19-2007, 12:56 PM   #11
firedancer
Member
 
Registered: Apr 2007
Posts: 146

Original Poster
Rep: Reputation: 15
Doesn't this look bad? I'm 127.0.0.1:

127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:42 -0400] [error 404] Not Found /images/public/cc-GPL-a.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/tbt-wheel.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/impakt.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/jetsetwilly.png

127.0.0.1 = localhost

I never tried finding these things on my server, what's up with this?

Busy securing the server, hopefully I'm not too late.

Just reinstall then, on the a$$!@LE THEN.
 
Old 10-19-2007, 01:17 PM   #12
complich8
Member
 
Registered: Oct 2007
Distribution: rhel, fedora, gentoo, ubuntu, freebsd
Posts: 104

Rep: Reputation: 17
Getting 403's and 404's is pretty normal, and nothing to be worried about. Getting traffic from localhost is a valid concern, if and only if you are neither browsing from the webserver itself nor browsing via an ssh proxy. If you're browsing your own site from localhost, those 404's are broken links on pages.

Getting spurious requests for things that don't exist is pretty normal background noise, and nothing to panic about.

What you need to be more concerned about is vulnerable webapps (eg: old exposed versions of awstats, old versions of phpbb), exploitable versions of listening services (eg: misconfigured samba, very old apache versions, very old php versions), and weak user passwords on your sshd.
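A small triage script, added here as an illustration and not written by any poster in this thread, that parses the error.log lines quoted in posts #10 and #11 and labels them the way complich8 reads them: loopback sources (fine if you browse from the box or through an ssh tunnel), requests for a full URL on another host that the server refused with 403, and plain 404 background noise. The label names and the assumption that the log format is exactly as quoted are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the error.log lines quoted in this thread (assumed exact format), e.g.
#   123.4.125.169 - [17/Oct/2007 08:56:31 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
LINE_RE = re.compile(
    r"^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] \[error (?P<status>\d{3})\] "
    r"(?P<reason>.*?) (?P<target>\S+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Label one parsed entry the way complich8's post suggests reading it."""
    if ipaddress.ip_address(entry["ip"]).is_loopback:
        # Only a concern if nobody is browsing from the box itself or through
        # an ssh tunnel; otherwise these are broken links on your own pages.
        return "local-browsing-or-broken-link"
    if entry["target"].startswith(("http://", "https://")):
        # A request for a full URL on another host asks this server to act as a
        # proxy; the 403 shows it was refused. A candidate for a fail2ban rule.
        return "proxy-request-refused" if entry["status"] == "403" else "proxy-request"
    if entry["status"] == "404":
        return "background-noise"   # spurious requests for files that don't exist
    return "other"

def triage(lines):
    """Group parseable lines by source IP with a count per label; skip the rest."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            report[entry["ip"]][classify(entry)] += 1
    return {ip: dict(labels) for ip, labels in report.items()}

# Sample input: the lines quoted in posts #10 and #11 above, plus one
# constructed line in another format to show it is skipped.
SAMPLE = """\
123.4.125.169 - [17/Oct/2007 08:56:31 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
123.4.125.169 - [17/Oct/2007 08:56:32 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
200.12.212.117 - [17/Oct/2007 18:23:35 -0400] [error 403] Forbidden http://localg4.techiemedia.net/env2.php
127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:42 -0400] [error 404] Not Found /images/public/cc-GPL-a.png
this line is not in the expected format
""".splitlines()
```

Calling triage(SAMPLE) gives one dict per source IP; feeding it your real error.log instead of SAMPLE shows at a glance which addresses only produce loopback 404s and which ones keep sending refused proxy-style requests.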
 
Old 10-19-2007, 01:32 PM   #13
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,249
Blog Entries: 5

Rep: Reputation: 191
/favicon.ico is the icon for your site that will show up in the URL bar of the browser, or next to the bookmark for the site, IF you have created this icon and placed it on the web server. So it is definitely normal for it to be missing if you have not created one.
 
Old 10-24-2007, 10:39 AM   #14
firedancer
Member
 
Registered: Apr 2007
Posts: 146

Original Poster
Rep: Reputation: 15
Is Bastille front-end based or what?
I just had a fresh Debian etch 4.01 install and followed the "perfect Debian etch setup" howto document.
Webserver (apache), ftp, ssh, msql is what I have set up.
I have no GUI and am not thinking of adding one.
This is a new area for me, so my questions can sound silly.

But apache works; I'll have to see whether I can set up a static IP and web redirect to a URL. I'm trying first, and if I have any more questions (I checked with the IP address) I'll post in the server forum.

Linux is not McDonald's, but "I'm Loving IT".
 
Old 10-24-2007, 02:19 PM   #15
firedancer
Member
 
Registered: Apr 2007
Posts: 146

Original Poster
Rep: Reputation: 15
Question

I'm proceeding in this thread with these questions; if I should start another, please let me know.

I'm trying to install rkhunter on my (GUI-less) server.
I'm having problems using the ./installer.sh to install the program, and isn't that for systems with a GUI? I think I read something like that; I never installed using that.

Second question: I need advice on options for installing samhain. Is the default OK? I'm a noob, so that's why the question. I'll read, but in the meanwhile some clarity (advice) will do.

Thnx in advance,

firedancer
 