Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
My office computer is on an institutional LAN and I access the internet through a proxy server. Is it possible for miscreants on this LAN to hack my computer? If yes, what should I do to prevent this? Can I secure my computer using iptables rules? Thanks for your help.
Read the sticky threads, especially the last two (security references and failed SSH login attempts).
Is it possible for malware to transmit through the proxy to your computer? Yes. The basic idea of a proxy is just that. If you send a proxy to grab a rattlesnake for you, your proxy will still get bitten (but you won't). A proxy is a middle system that is between your client and the server. It regulates things, or at least keeps you from being directly affected by bad activity. Now, most proxies can perform multiple roles (such as blocking content). I have no idea how your proxy is configured, but aggressive proxies aren't actually ideal for end-users. Most corporate proxies tend to shield the user from known attacks, as well as corporate-policy-type stuff (such as porn). They are basically designed to do enough shielding to prevent compromise, but also allow enough leverage for the employee to do their job (which usually involves things such as the intranet and/or WANs; other security layers help too, such as corporate VPN access, AV, etc.).
Better yet, since it's your office computer and within the office network, let your office's security team deal with such things. I don't know how big your company is, but if it's big, then you're not going to be able to do much, security-wise. If it's a small company with a small team, talk with them anyway. They'll either help you by giving you guidance, tell you that they'll take care of everything, or at least tell you not to mess with anything.
My view is if you TRUST the LAN, and it is not accessible from the internet directly (NAT), then there is no need to worry too much about setting firewall rules.
Even with very strict rules, a system can be compromised because of a careless user. You can get full access to a firewalled/proxied computer via a reverse ssh tunnel, for instance. I have seen similar and legitimate uses of this via web services.
As far as local stuff goes, turn off any services/servers you don't use.
You can verify running services with "netstat -ltu" for example.
You can also use the following script to get started. This doesn't prevent traffic sniffing even remotely if one of the computers on the LAN is already hacked. If you don't trust the LAN, you can set up a SOCKS proxy via ssh. You can then tunnel your traffic (encrypted) from a SOCKS client such as Firefox to a remote gateway.
#!/bin/bash
# Flush all rules first, then delete user-defined chains (-X refuses to delete a chain that still holds rules)
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# DHCP leases: replies come from the server's UDP port 67 to the client's UDP port 68
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
# Accept SSH connections (open to all since auth via public keys only)
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what the DROP policy is about to discard, rate-limited so the log cannot be flooded
iptables -A INPUT -m limit --limit 30/minute -j LOG --log-prefix "iptables:drop " --log-level 7
# Prevent port forwarding on your host
echo 0 > /proc/sys/net/ipv4/ip_forward
It depends on the distro. In Debian you can do this in three ways:
invoke-rc.d service_name stop
/etc/init.d/service_name stop
service service_name stop
Unless you have a good reason, you should shut down your web server, which is accessible.
Note that if you reboot, the service will restart and your iptables rules are not loaded anymore.
Quote:
My view is if you TRUST the LAN, and it is not accessible from the internet directly (NAT), then there is no need to worry too much about setting firewall rules.
If he can't trust his work's LAN, which his work computer is on, IMO that's a corporate issue. Companies usually don't give their users privileged access (at least in the places where I've worked, they don't, unless they are admins).
Also, relying solely on NAT (as you're suggesting above) is NOT a satisfactory security practice. Trust alone (or even association with NAT) isn't going to cut it. On a home LAN, you *might* get away with that, but a firewall is essential anywhere else.
Quote:
If he can't trust his work's LAN, which his work computer is on, IMO that's a corporate issue. Companies usually don't give their users privileged access (at least in the places where I've worked, they don't, unless they are admins).
Also, relying solely on NAT (as you're suggesting above) is NOT a satisfactory security practice. Trust alone (or even association with NAT) isn't going to cut it. On a home LAN, you *might* get away with that, but a firewall is essential anywhere else.
Of course not using a firewall is bad security practice. But if the user doesn't know how, or misconfigures his firewall, it's the same thing. iptables isn't a tool for basic users either. This is why I put the emphasis on running services, which could leave private files exposed or be a vector of attack. At the end of the day, if there is nothing listening, what is there to firewall?
Quote:
Of course not using a firewall is bad security practice. But if the user doesn't know how, or misconfigures his firewall, it's the same thing. iptables isn't a tool for basic users either. This is why I put the emphasis on running services, which could leave private files exposed or be a vector of attack. At the end of the day, if there is nothing listening, what is there to firewall?
The user stated that he's in an office environment; the user stated he accesses the internet through a proxy server; he stated concern about unauthorized activity; he asked if he can secure his computer using iptables:
Quote:
My office computer is on an institutional LAN and I access the internet through a proxy server. Is it possible for miscreants on this LAN to hack my computer? If yes, what should I do to prevent this? Can I secure my computer using iptables rules? Thanks for your help.
NAT has nothing to do with any of his questions, so I fail to see why you provided that.
While he/she asked about iptables, my concern is that he/she might not be authorized (or have the credentials) to enable iptables (or even enable/disable services).
We should ensure that we're offering assistance to posters that won't get them in trouble and that is sufficient for their needs (based on the information they provided). But I'm still wondering how NAT alone is supposed to help him, regardless of how one replies about how complex iptables is. I've seen many, many places have security issues because they relied solely on NAT. Then again, I've seen places in trouble because they thought a firewall was enough, but this is one user, so this carries low weight for this particular matter.
What it means is that the OP might be required to gain a basic understanding of iptables. It's not THAT difficult to understand. You don't have to utilize or even know the full range of options to use iptables as a basic host-based firewall.
I haven't seen the poster respond much to this, so I'm wondering if he/she is running into any of the issues I mentioned above.
Quote:
I've seen many, many places have security issues because they relied solely on NAT. Then again, I've seen places in trouble because they thought a firewall was enough
That's why I said:
Quote:
Originally Posted by KuimFieg
Even with very strict rules, a system can be compromised because of a careless user. You can get full access to a firewalled/proxied computer via a reverse ssh tunnel, for instance
Look, I'm not religious about systematically using a firewall (in a NATed environment). I think it all depends on the situation. In rng's case most of the running services listen on the loopback interface, so based on his netstat output, please explain why iptables would improve his security.
I essentially think a computer is as safe as the user is.
Kindly comment on following rules; are they adequate? I need to access the internet mainly for browsing only.
-----------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT
iptables -t mangle --policy INPUT ACCEPT
iptables -t mangle --policy FORWARD DROP
iptables -t mangle --policy POSTROUTING ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
-------------
Thanks.
You still haven't made it clear if this is a personal computer you are using on a corporate network, or a corporate computer on the corporate network. If it is a corporate owned computer the best thing to do is leave security up to the company. Imagine if you do make some changes, and that somehow accidentally creates a vulnerability on the computer, you are now responsible.
That said those rules look ok for the most part, if not a little restrictive. Keep in mind that even browsing the web will sometimes send traffic to ports other than 80 and 443 (flash for example can use higher ports, I don't recall specifically which off hand). Also what about mail server access via POP or IMAP?
As mentioned, you should also make sure you don't have any extra services running if you don't need them. From your netstat output you have a web server listening on 80 and 443; why? If this is a web server you need an exception in the firewall. If it is for local development you should be fine if you access it via localhost only; otherwise you would need an exception based on the IP of your network-connected interface. If you don't intend to run a web server, why is it installed and running? This shouldn't be the case for a default install, so if you didn't set up this service it might point to someone else having set it up.
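The two rule sets posted in this thread (the script in the earlier reply and the browsing-only rules the original poster asked about) combined into one workstation firewall, as an added example that is not code from any poster here. It keeps the thread's structure (default DROP policies, loopback, ESTABLISHED/RELATED, rate-limited logging) and adds the details a practitioner would want: rules are flushed before user chains are deleted (iptables -X fails on a chain that still holds rules), the DHCP client is allowed its replies on UDP port 68, `-m conntrack --ctstate` is the current spelling of the thread's `-m state --state`, and because the original poster browses through a proxy, an outbound rule for the proxy is included, since restricting OUTPUT to ports 80 and 443 alone silently blocks a proxy listening on any other port. PROXY_HOST and PROXY_PORT are placeholders (192.0.2.10:3128, a documentation-range address, not values from the thread); the `run` helper and the DRY_RUN preview mode are this example's own conventions.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread: a browsing-only host
# firewall for a workstation on a LAN. Every rule goes through run(), so
# DRY_RUN=1 prints the commands instead of executing them.

# Placeholder values (RFC 5737 documentation address, not from the thread):
# the outbound proxy this workstation browses through.
PROXY_HOST="${PROXY_HOST:-192.0.2.10}"
PROXY_PORT="${PROXY_PORT:-3128}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

workstation_firewall() {
    # Flush rules before deleting user-defined chains: -X refuses to remove a
    # chain that still holds rules.
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -t nat -X

    # Default-deny everywhere; this host never routes for anyone else.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Loopback stays open so services bound to 127.0.0.1 keep working.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Drop packets the connection tracker cannot classify at all.
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Replies to connections this host opened (and related ICMP errors).
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DHCP: the client asks from UDP 68 to the server's 67; replies come back
    # the other way round.
    run iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
    run iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT

    # What a browser needs outbound: DNS, direct HTTP/HTTPS, and the proxy
    # (a proxy on any other port would otherwise be blocked by the 80/443 rules).
    run iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
    run iptables -A OUTPUT -p tcp -d "$PROXY_HOST" --dport "$PROXY_PORT" -j ACCEPT

    # Log what the default policy is about to drop, rate-limited so a scan
    # cannot flood the log.
    run iptables -A INPUT -m limit --limit 30/minute -j LOG --log-prefix "iptables:drop-in " --log-level 7
    run iptables -A OUTPUT -m limit --limit 30/minute -j LOG --log-prefix "iptables:drop-out " --log-level 7

    # Belt and braces with the FORWARD policy: no IP forwarding in the kernel
    # (same effect as writing 0 to /proc/sys/net/ipv4/ip_forward).
    run sysctl -q -w net.ipv4.ip_forward=0
}

# Preview by default; "apply" installs the rules (needs root).
if [ "${1:-preview}" = "apply" ]; then
    workstation_firewall
else
    DRY_RUN=1 workstation_firewall
fi
```

Run it once as `sh firewall.sh` to read the rules it would install, then as `sudo sh firewall.sh apply`. The rules live only in the running kernel, so after a reboot they are gone, as the earlier reply notes; `iptables-save` writes the active set to a file and `iptables-restore` loads it back, which is what distribution packages such as Debian's iptables-persistent wire into boot.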
computerErik: Many thanks for your comments. This is a personal computer on an institutional network. I was trying to work with Ubuntu Linux (dual boot) and was installing various applications, since the default installed system and support is for Windows only. Subsequent to posting the above netstat output I read elsewhere and used the command 'netstat -pav', and I found that apache2 was running; I removed it from Synaptic. In addition, postgres and exim4 were running with LISTEN ports; I do not know if removing them would be harmful to the general working of Ubuntu, and so I added killall commands in the rc.local file. Now they do not appear. Currently, I am only getting cupsd, avahi-daemon and dhclient. Removing cupsd causes problems in printing, and killall does not remove avahi-daemon; it just appears with a different number. I believe dhclient is for the internet connection. I certainly do not want any unnecessary programs to run and most certainly I want to avoid vulnerabilities of any kind. If these are possible I would like to revert to the original system and use the default installed Windows setup only. That is why I wanted to put in iptables rules where only web browsing is possible and nothing else. I am only using web-based mail. In Windows, I use application-based firewalls such as ZoneAlarm, but for Linux these are not available. I will appreciate it very much if you would guide me in making this Linux system safe and secure to work with.
Regarding iptables, you shouldn't have to worry about the nat and mangle tables (under "normal circumstances").
If you define a DROP policy on a specific chain, anything not matching your rules will be dropped at the "end of the list", so there's no need to specify this twice.
Regarding netstat output: any service LISTENing on "localhost" or "127.x.x.x" means it won't be accessible to others on the network, only from your PC.
You should probably look into a program named "firestarter"; it's a GUI for iptables which will make things easier for you. It allows you to see what's being blocked and what's going through as well.
KuimFieg: Many thanks for your comments on iptables. I read that following rules will help in safety but it was not explained how. Can you explain:
iptables -A INPUT -d 255.255.255.255/32 -i eth1 -j DROP
iptables -A INPUT -d 192.168.1.255/32 -j DROP
iptables -A INPUT -s 224.0.0.0/8 -j DROP
iptables -A INPUT -d 224.0.0.0/8 -j DROP
iptables -A INPUT -s 255.255.255.255/32 -j DROP
iptables -A INPUT -d 0.0.0.0/32 -j DROP
iptables -A OUTPUT -s 224.0.0.0/8 -j DROP
iptables -A OUTPUT -d 224.0.0.0/8 -j DROP
iptables -A OUTPUT -s 255.255.255.255/32 -j DROP
iptables -A OUTPUT -d 0.0.0.0/32 -j DROP
Also, when do I need to put in the following rules mentioned by you in your earlier post above: when the IP address is dynamically obtained, or otherwise as well?
# DHCP leases: replies come from the server's UDP port 67 to the client's UDP port 68
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
Also, the limit in the iptables INPUT rule has been given differently in different sources. Why did you choose a value of 30:
iptables -A INPUT -m limit --limit 30/minute -j LOG --log-prefix "iptables:drop " --log-level 7
Regarding firestarter, I have tried it but I need to put output as "permissive" to see web pages from internet.
Also, what is this line in the netstat output: " udp 0 0 * : bootpc *:* "
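An added example, not code from any poster in the thread, that mechanizes the check recommended earlier: run `netstat -ltun` (or `ss -ltun`) and sort listeners into those bound to loopback, which only this host can reach, and those bound to a wildcard or LAN address, which everyone on the LAN can reach. The sample netstat output embedded in the script is constructed; its port numbers stand in for the services the original poster named (postgres on 5432, apache2 on 80, exim4 on 25, cupsd on 631, dhclient on 68, avahi-daemon on 5353). The "bootpc" in the line the last post asks about is the name /etc/services gives to UDP port 68, the DHCP client port dhclient listens on; netstat prints the name instead of the number when run without -n, and the parser below accepts either form.

```shell
#!/bin/sh
# Added example, not from the thread: triage netstat/ss listener output into
# sockets reachable only via loopback and sockets bound to a network-facing
# address (the ones a host firewall or a service cleanup has to deal with).

# Constructed sample in the format of "netstat -ltun"; the lines are made up,
# the ports mirror the services named in the thread.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::631                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

# Read netstat -l or ss -l style lines on stdin and print one line per socket:
#   LOCAL   <proto> <port>   bound to 127.x, ::1 or localhost: this host only
#   EXPOSED <proto> <port>   bound to a wildcard or LAN address: the whole LAN
# The port may be a number or a service name (e.g. bootpc for 68/udp).
classify_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            # netstat keeps the local address in column 4; ss, whose column 2
            # is the textual State (LISTEN/UNCONN), keeps it in column 5
            addr = ($2 ~ /^[A-Z]/) ? $5 : $4
            n = split(addr, part, ":")
            port = part[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "[::1]" || host == "localhost")
                print "LOCAL   " $1 " " port
            else
                print "EXPOSED " $1 " " port
        }'
}

# Number of network-facing listeners in the sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners | grep -c '^EXPOSED'
}

# Ports on which the sample host is reachable from the LAN, sorted numerically.
exposed_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners | awk '/^EXPOSED/ { print $3 }' | sort -n
}

# Stand-alone run: classify the sample. On a real host pipe the live output:
#   netstat -ltun | sh -c '. ./listeners.sh; classify_listeners'
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

Every EXPOSED line is a service that either needs a reason to exist, an INPUT rule allowing it, or both; in the sample that is the web server on 80, CUPS on 631 (bound to the IPv6 wildcard, so reachable from the LAN despite the thread's assumption that it only prints locally), avahi on 5353 and the DHCP client on 68, while postgres and exim4 on loopback are not reachable by anyone else on the network.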