LinuxQuestions.org
Old 04-07-2004, 05:38 AM   #1
sixth_sense
Member
 
Registered: Mar 2004
Distribution: RedHat
Posts: 99

Rep: Reputation: 15
Security suggestion needed for a NAT running on Linux.


Hi,

Please suggest me the following:


1. How can I figure out which ports are open on my Linux box?
2. Which services are running?
3. I have a server (which I am using as NAT, with ipchains on Red Hat 6.2). My users (on Windows boxes) need internet browsing, e-mail, FTP and IRC service.
My NAT is running with 2 IP addresses: one is real, another is internal. What services should I keep running and what should be turned off, for security purposes, on the NAT (the Linux box)?

Thanks.
 
Old 04-07-2004, 09:26 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
1. Use the netstat -pantu command
2. Use the chkconfig --list | grep on
3. You can either let them browse directly or use a proxy like squid to get a little more control. Email, try Postfix or Qmail.
3b. Only leave on what you need. If you are providing services on it, then obviously leave those on. For a strictly NAT box, you should run absolutely zero networking services except for possibly a remote administration access like SSH (don't even think about telnet). Keep in mind that not all the daemons listed in chkconfig are true network services and you can break things by wantonly turning everything off; instead, use the netstat output as a guide to what you need to turn off. It's usually a good practice to either do a minimum install or to remove unneeded applications (i.e. you shouldn't need an mp3 player or GIMP on a router) as they provide possible vectors for compromise (can't exploit an application that doesn't exist). You should also look into doing some kernel hardening (like grsecurity).
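An added example (mine, not code from any poster in this thread) that applies the advice above: parse `netstat -pantu` output for sockets reachable from outside the box and flag any listening program that is not on an allow list. The netstat lines are constructed sample data with documentation addresses, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `netstat -pantu` output from a NAT box (not real data).
# Columns: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      530/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      299/portmap
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      310/inetd
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 611/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           299/portmap
udp        0      0 127.0.0.1:123           0.0.0.0:*                           401/ntpd'

# Print one "proto port program" line per socket that accepts traffic from any
# interface. TCP sockets count only in LISTEN state; every UDP socket counts.
# Sockets bound to loopback are skipped because they are not reachable remotely.
external_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $1 !~ /^(tcp|udp)/ { next }
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        $4 ~ /^(127\.0\.0\.1|::1):/ { next }
        {
            n = split($4, a, ":"); port = a[n]
            prog = ($1 ~ /^tcp/) ? $7 : $6   # UDP lines have no State column
            sub(/^[0-9]+\//, "", prog)       # strip the "PID/" prefix
            print $1, port, prog
        }' | sort -u
}

# Report externally reachable listeners whose program is not in the
# space-separated allow list. Each line is a daemon to justify or turn off.
unexpected_listeners() {
    allowed="$1"
    external_listeners | while read -r proto port prog; do
        case " $allowed " in
            *" $prog "*) ;;
            *) echo "$proto/$port $prog" ;;
        esac
    done
}

# Usage: on a pure NAT box only sshd belongs on the allow list.
unexpected_listeners "sshd"
```

With the sample above this reports portmap on tcp/111 and udp/111 and inetd on tcp/23, while sendmail and ntpd on loopback are left alone.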
 
Old 04-08-2004, 01:33 AM   #3
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
nmap the machine from the outside.

Also, ps aux as root will tell you what's running.


Nex6
 
Old 04-08-2004, 03:05 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Nmapping a router isn't necessarily going to tell you what services are on, especially if it's forwarding ports off to an internal server. To nmap, the internally forwarded traffic that is NATed is indistinguishable from services actually run on the box itself.
 
Old 04-08-2004, 11:34 AM   #5
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
Yes, that's true.

For the forward rules and such in iptables:

iptables -vnL will get you all the rules, in a summary output. I haven't used ipchains in a long time and never really got into ipchains that much; I went directly to iptables. I am sure there is a like command for ipchains, I just do not remember what it is.

If there is lots of port forwarding and stuff, yes, nmap will not be effective.

It's just part of the whole package: you need to know how the firewall/NAT is set up. You also need to know what services are running and how, etc.

Better to use many tools to get all the information you can than be short-handed.


-Nex6
 
Old 04-08-2004, 12:07 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I would agree, but with a NAT box if you are trying to identify which ports are open locally, you have to be careful when looking at nmap output. Nmap will indeed give you more info, but I think you needed to clarify in your post how to interpret that info. If it was a stand-alone system or if you just wanted to get a feel for what the IP address looked like from the outside, I would totally agree with you.

Quote:
Originally posted by nex6
Better to use many tools to get all the information you can than be short-handed.
I would counter with "better to choose the right tool for the job".
 
Old 04-08-2004, 12:14 PM   #7
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
Yes, I agree, maybe I was too general in my posting.


yup;

use the right tool for the right job, and cross checking never hurt anyone...





Note: Unless you're a hockey player.... ::smirk::


-Nex6

Last edited by nex6; 04-08-2004 at 12:15 PM.
 
Old 04-13-2004, 04:49 AM   #8
svartrev
LQ Newbie
 
Registered: Mar 2004
Location: Cape Town, South Africa
Posts: 21

Rep: Reputation: 15
Uh, maybe I'm missing the point, but wouldn't using nmap from the outside tell you what the outside world sees, and isn't this what you want? You won't know what is actually on the FW and what is NAT'ed, but surely that won't matter? Then again, what do I know...!
 
Old 04-13-2004, 10:41 AM   #9
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
Yes, that is the point, but:

You need more information than that. You need all the internal nuts and bolts too, which nmap can't give you. I always try and run nmap etc. against my firewall scripts / machines.
 
Old 04-13-2004, 11:37 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by svartrev
Uh, maybe I'm missing the point, but wouldn't using nmap from the outside tell you what the outside world sees, and isn't this what you want? You won't know what is actually on the FW and what is NAT'ed, but surely that won't matter? Then again, what do I know...!
As I understood the question, he's asking what ports are open on the Linux box and which ones should you turn off. Nmapping the NAT box isn't going to tell you what services are running locally. In fact, if you use nmap you won't be able to distinguish which ones are being forwarded and which ones are on the NAT box itself. So if you just took the nmap output and tried to turn off those services, you would be looking for services that are not on. So as I understood the question, netstat or lsof would be better choices to determine which ports are open locally. You could use nmap, but some clarification is necessary on how to interpret the output (like you will need to compare the nmap output to what services are being forwarded into the LAN).
 
Old 04-13-2004, 12:55 PM   #11
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
When you run nmap against a machine with a firewall, you're really looking for leakage. Internally run commands like ps, lsof, lsmod etc. are better to determine what's running and such.
 