Linux - Security forum, LinuxQuestions.org
04-07-2004, 04:38 AM
#1
Member
Registered: Mar 2004
Distribution: RedHat
Posts: 99
Security suggestion needed for a NAT running on Linux.
Hi,
Please suggest me the following:
1. How can I figure out which ports are open on my Linux box?
2. Which services are running?
3. I have a server (which I am using as NAT, with ipchains on Red Hat 6.2). My users (on Windows boxes) need internet browsing, e-mail, FTP and IRC service.
My NAT is running with 2 IP addresses: one is real, the other is internal. What services should I keep running and what should be turned off, for security purposes, on the NAT (the Linux box)?
Thanks.
04-07-2004, 08:26 AM
#2
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
1. Use the netstat -pantu command.
2. Use chkconfig --list | grep on.
3. You can either let them browse directly or use a proxy like Squid to get a little more control. For email, try Postfix or Qmail.
3b. Only leave on what you need. If you are providing services on it, then obviously leave those on. For a strictly NAT box, you should run absolutely zero networking services except for possibly a remote administration access like SSH (don't even think about telnet). Keep in mind that not all the daemons listed in chkconfig are true network services and you can break things by wantonly turning everything off; instead use the netstat output as a guide to what you need to turn off. It's usually a good practice to either do a minimum install or to remove unneeded applications (i.e. you shouldn't need an mp3 player or GIMP on a router) as they provide possible vectors for compromise (can't exploit an application that doesn't exist). You should also look into doing some kernel hardening (like grsecurity).
04-08-2004, 12:33 AM
#3
Member
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46
nmap the machine from the outside.
Also, ps aux as root will tell you what's running.
Nex6
04-08-2004, 02:05 AM
#4
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
nmaping a router isn't necessarily going to tell you what services are on, especially if it's forwarding ports off to an internal server. To nmap, the internally forwarded traffic that is NATed is indistinguishable from services actually run on the box itself.
04-08-2004, 10:34 AM
#5
Member
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46
Yes, that's true.
For the forward rules and such in iptables, iptables -vnL will get you all the rules, in a summary output. I haven't used ipchains in a long time and never really got into ipchains that much; I went directly to iptables. I am sure there is a like command for ipchains, I just do not remember what it is.
If there is lots of port forwarding and stuff, yes, nmap will not be effective.
It's just part of the whole package: you need to know how the firewall/NAT is set up. You also need to know what services are running and how, etc.
Better to use many tools to get all the information you can than be short-handed.
-Nex6
04-08-2004, 11:07 AM
#6
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
I would agree, but with a NAT box, if you are trying to identify which ports are open locally, you have to be careful when looking at nmap output. Nmap will indeed give you more info, but I think you needed to clarify in your post how to interpret that info. If it was a stand-alone system, or if you just wanted to get a feel for what the IP address looked like from the outside, I would totally agree with you.
Quote:
Better to use many tools to get all the information you can than be short-handed.
I would counter with "better to choose the right tool for the job".
04-08-2004, 11:14 AM
#7
Member
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46
Yes, I agree; maybe I was too general in my posting.
Yup:
use the right tool for the right job, and cross-checking never hurt anyone...
Note: unless you're a hockey player.... ::smirk::
-Nex6
Last edited by nex6; 04-08-2004 at 11:15 AM.
04-13-2004, 03:49 AM
#8
LQ Newbie
Registered: Mar 2004
Location: Cape Town, South Africa
Posts: 21
Uh, maybe I'm missing the point, but wouldn't using nmap from the outside tell you what the outside world sees, and isn't this what you want? You won't know what is actually on the FW and what is NAT'ed, but surely that won't matter? Then again, what do I know...!
04-13-2004, 09:41 AM
#9
Member
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46
Yes, that is the point, but you need more information than that. You need all the internal nuts and bolts too, which nmap can't give you. I always try and run nmap etc. against my firewall scripts / machines.
04-13-2004, 10:37 AM
#10
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally posted by svartrev
Uh, maybe I'm missing the point, but wouldn't using nmap from the outside tell you what the outside world sees, and isn't this what you want? You won't know what is actually on the FW and what is NAT'ed, but surely that won't matter? Then again, what do I know...!
As I understood the question, he's asking what ports are open on the Linux box and which ones you should turn off. Nmapping the NAT box isn't going to tell you what services are running locally. In fact, if you use nmap you won't be able to distinguish which ones are being forwarded and which ones are on the NAT box itself. So if you just took the nmap output and tried to turn off those services, you would be looking for services that are not on. So, as I understood the question, netstat or lsof would be better choices to determine which ports are open locally. You could use nmap, but some clarification is necessary on how to interpret the output (like you will need to compare the nmap output to what services are being forwarded into the LAN).
04-13-2004, 11:55 AM
#11
Member
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46
When you run nmap against a machine with a firewall, you're really looking for leakage. Internally run commands like ps, lsof, lsmod etc. are better to determine what's running and such.
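Pulling the thread's advice together (netstat -pantu on the box, nmap from outside, then reading the external view against the forwarding rules, as posts #2, #10 and #11 suggest), here is an added example that is not from any of the posters. The netstat and iptables output it parses is constructed sample text, the program names, ports and 192.168.1.x addresses are made up, and it assumes iptables DNAT rules rather than the original poster's ipchains.

```shell
#!/bin/sh
# Constructed sample of `netstat -pantu` on the NAT box (not real output).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 412/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 530/sendmail
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 611/squid
udp 0 0 0.0.0.0:53 0.0.0.0:* 388/named'

# Constructed sample of `iptables -t nat -vnL PREROUTING` with DNAT port forwards.
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.10:80
 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.1.11:21'

# Daemons bound on the box itself: "proto port program bind-address".
local_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '$1 ~ /^(tcp|udp)$/ {
        n = split($4, a, ":"); prog = ($1 == "tcp") ? $7 : $6   # udp rows have no State column
        print $1, a[n], prog, a[1] }'
}

# Ports the firewall DNATs into the LAN: "proto port destination".
forwarded_ports() {
    printf '%s\n' "$NAT_SAMPLE" | awk '$3 == "DNAT" {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) port = substr($i, 5)
            if ($i ~ /^to:/)  dest = substr($i, 4) }
        print $4, port, dest }'
}

# Classify one port seen from outside (e.g. in nmap output): a service on the NAT
# box, a forward into the LAN, or neither (which deserves a closer look).
classify_port() {
    proto="$1"; port="$2"
    if hit=$(local_listeners | awk -v p="$proto" -v n="$port" '$1 == p && $2 == n { print $3 " bound to " $4 }') && [ -n "$hit" ]; then
        echo "$proto/$port: local service ($hit)"
    elif hit=$(forwarded_ports | awk -v p="$proto" -v n="$port" '$1 == p && $2 == n { print $3 }') && [ -n "$hit" ]; then
        echo "$proto/$port: forwarded to LAN ($hit)"
    else
        echo "$proto/$port: unexplained, investigate"
    fi
}

for p in 22 25 80 8080; do classify_port tcp "$p"; done
```

A port that nmap reports open but that is neither a local listener nor a forward is the "leakage" post #11 refers to, and a listener bound only to 127.0.0.1 (sendmail above) is not reachable from outside even though it shows up in netstat.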