LinuxQuestions.org

Slackware 10 security with apache & router (https://www.linuxquestions.org/questions/slackware-14/slackware-10-security-with-apache-and-router-205593/)

tw001_tw 07-15-2004 07:54 PM

Slackware 10 security with apache & router
 
Good evening folks,

I gave myself a project about a week ago, and it's done. I started posting questions 2 or 3 times, but eventually figured it out. This one I am stuck on.

Background -
I had a dual PII/266, 512MB, 2x 9.1GB SCSI Server sitting around. I installed Slackware 10 (full install) and using shilo's fantastic instructions set up an apache webserver using a dyndns.com domain. I have cable for my internet access. I have a linksys BEFSR41 router/switch/firewall. I currently have 3 computers hooked up to it. The server w/ slackware 10, MY computer running Slackware 10 (primarily) & suse 9.1 (secondly), and a win98 computer the rest of the family can't live without (games for the kids).

All is well - finally, but I am uncertain about security for my computer and the win98 computer. In the router I forwarded port 80 to the IP address of the server. At work I have tested and can access the simple little index.html test page I made.

I tried going to linuxquestions.org security forum, but to be honest, it is all a bit (a lot) over my head. I have always found this slackware forum to be VERY helpful and friendly - so here I am.

My question reduced to its simplest form is - How can I test/make sure that the 2 other computers (and I guess the rest of the server) are safe/secure while still allowing access to the webserver (and soon to be ftp server)??
Code:

On my computer:
"nmap localhost" results in:
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
37/tcp  open  time
113/tcp  open  auth
587/tcp  open  submission
631/tcp  open  ipp
6000/tcp open  X11

and "nmap -sU localhost" results in:
37/udp  open  time
68/udp  open  dhcpclient
512/udp open  biff

On the server:
"nmap localhost" results in:
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
37/tcp  open  time
80/tcp  open  http
113/tcp  open  auth
587/tcp  open  submission
6000/tcp open  X11

and "nmap -sU localhost" results in:
37/udp  open  time
68/udp  open  dhcpclient
512/udp open  biff

Any thoughts, suggestions, or directions where I should check?
Did I give too much information? Not enough??

Thanks a lot in advance - tw

(edited & unrelated)
I received my slackware 10 CD's today in the mail!!!! Wanted to help the cause.
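One way to turn the question above into a repeatable check, as an added example that is not part of the original post: compare an nmap listing against the ports a box is supposed to expose and report everything else. The listing and the allowlist (web and ftp only) are constructed from the server scan quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: check an nmap "PORT STATE SERVICE" listing
# against an allowlist of the ports a box is meant to expose and report the rest.
# The listing below is constructed from the server scan quoted in the post.

NMAP_OUTPUT='PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
37/tcp  open  time
80/tcp  open  http
113/tcp  open  auth
587/tcp  open  submission
6000/tcp open  X11'

# Assumed policy for the web/ftp server: only these two ports should be open.
SERVER_ALLOW="80/tcp 21/tcp"

# unexpected_ports LISTING ALLOW -> one "port service" line for each open port
# that is not in ALLOW (a space-separated list such as "80/tcp 21/tcp").
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        # column 2 is the state; the header line has "STATE" there and is skipped
        $2 == "open" && index(allow, " " $1 " ") == 0 { print $1, $3 }'
}

# unexpected_count LISTING ALLOW -> number of such ports (0 means the box matches policy).
unexpected_count() { unexpected_ports "$1" "$2" | wc -l | tr -d ' '; }

# "nmap localhost" only sees the loopback interface; to learn what is really
# reachable, scan the LAN address from another machine (or the WAN address from
# outside, as later replies suggest) and feed that output to the same functions.
echo "ports open but not in policy:"
unexpected_ports "$NMAP_OUTPUT" "$SERVER_ALLOW"
echo "count: $(unexpected_count "$NMAP_OUTPUT" "$SERVER_ALLOW")"
```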

coindood 07-15-2004 11:51 PM

Well, nmapping localhost will scan that system only (loopback). It also seems from what the output is, that you have many vulnerable services open. Though you only have port 80 forwarded, it would be wise to disable all unneeded services on both computers. If someone were to exploit Apache (which can be exploited), they then can scan the network for computers within the LAN; the open services just make it easier for an attacker to exploit the computer, as it raises the number of workable exploits that can be used on the system and those within the network. No network can be 100% secure; security is an ongoing process. Not to be 100% paranoia inducing, but all your computers are vulnerable (especially the win98 pc), but as long as you practice some form of ongoing security (patches, reading bugtraq, securing running daemons, etc), you'll at least rule out the least determined attacker from exploiting your computer.

PS:
Congratulations on your new system, and for supporting the community!

tw001_tw 07-16-2004 12:18 AM

coindood - thanks for the reply - all that sounds good and makes sense.

I understand the 98 computer is most at risk - Norton's firewall I guess it is for that one. But on to the important computers!! :)

So on my computer, which is not hosting the web/ftp server - I can close ports:
(1 at a time)

22/tcp - ssh - Don't I need this for password stuff?

25/tcp smtp - Since no email server I can close this ?

37/tcp time - I don't set the time via internet (I don't even think the time is right on my computer :) - so this is OK to close?

113/tcp auth - Correct that this is mainly for IRC? I VERY seldom use that, so OK to close?

587/tcp submission - ??? no idea

631/tcp ipp - no idea on this either

What if any of these do I need to get out to the net? (www, mail, news, yahoo messenger)
-tw

shilo 07-16-2004 01:17 AM

tw001_tw-

First of all, I'm glad that you found the guide useful. On to your questions...

Quote:

On my computer:
"nmap localhost" results in:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
37/tcp open time
113/tcp open auth
587/tcp open submission
631/tcp open ipp
6000/tcp open X11

and "nmap -sU localhost" results in:
37/udp open time
68/udp open dhcpclient
512/udp open biff
This is your computer that IS NOT a server. I don't know exactly what you are using the computer for, but I will guess that you can close the following ports without any trouble at all:

22/tcp open ssh --- As long as you don't want to ssh into this box
25/tcp open smtp --- Since you probably aren't running a mail server from this box
37/tcp open time --- Since you probably aren't running any time services from this box
68/udp open dhcpclient --- I believe that you can get rid of this, as your Router takes care of all things dhcp, but what do I know. :)
512/udp open biff --- You can ditch this if you want. It just notifies you of new mail that is coming in.
6000/tcp open X11 --- Since you probably aren't running X services remotely (I know I don't)


That leaves the following open:

113/tcp open auth --- I don't know what this is. Try closing it and see if anything breaks
587/tcp open submission --- I think this is for Samba, but I could be wrong. You can try shutting that down.
631/tcp open ipp --- I believe this is for some forms of printing. You can try shutting this down, too.

You can use this guide to figure out what you don't want running on your server, as well.

A side note: I'm not super anal when it comes to security. You can try running a port scanner from work on your home box. You will probably find that even though these ports are open on your LAN, your router/switch/firewall is blocking them from the WAN (Internet). I'm happy enough with that. Though there are exploits for Apache (and every OTHER server that you will run on your box), I am happy with the security provided by my router/switch/firewall.

Let me know if you need any help shutting some of the ports down. I will help as much as I can.

Good luck,

Shilo

ne21 07-16-2004 01:19 AM

I think you are on the right track tw. I am a Slack boy too, and am waiting on my Slack 10 CD's in the mail as we speak! :D. I have Slack 9 and 9.1 and am eager to get ahold of 10. But that is neither here nor there. I actually had a similar problem and here is what I discovered. I will tell you what each of those items are in your nmap list and help you determine if you need them.

SSH - This is Secure SHell which is the most awesome remote access service I have ever used. I wish Windoze had something this nice. I use it daily but you may not need it if you aren't doing any remote administration. It basically lets you login to the shell from anywhere.

SMTP - if you are not planning on running a mail server or a web server that needs SMTP access then you can close this port. I keep it open because a lot of my web servers have forms and the like that need to use the SMTP for their various duties.

Time- You are right on the dime there, no need to use it.

Auth- This port is actually one to keep open as it authenticates for FTP, SSH, and others. Every time I turn this off, it causes FTP and SSH to flub up. I would leave it on if I were you.

Submission - I can never get this one to go away no matter what I do but it hasn't seemed to cause any security holes, especially if it is not forwarded through the router.

IPP- Never seen this one, it may be part of the newer distro so unfortunately my assistance is limited there.

You should be able to edit the ones I mentioned by going sudo (if not root) /etc/rc.d/inetd and commenting out where those holes are located just in case you didn't know.

As far as I can tell, you should have no prob getting on the net or getting others in from the net with those services changed. But always make a back up of the file to save yourself a headache!

I hope I offered some insight.

keefaz 07-16-2004 06:43 AM

When in doubt about a port number, look at :
http://www.iana.org/assignments/port-numbers

Crashbox 07-16-2004 10:20 AM

tw - you may want to head over to Sygate and run their port scan. I don't have a lot of experience with your situation, but I believe that this scan would be checking the ports on your router, which in my opinion is the place to start, because if you have all the unnecessary ports closed on the router, it is that much harder for someone to get to your LAN.

I don't know if this will help, but good luck.

-crash

tw001_tw 07-16-2004 10:12 PM

Just to update:

On my main computer I am down to:

nmap localhost
113/tcp open auth
6000/tcp open X11

and
nmap -sU localhost
68/udp open dhcpclient


and everything still works. I need 113/tcp for the internet, I have read conflicting reports on disabling 6000/tcp, and 68/udp is dhcp bootstrap protocol client - this is the transmit port, not the listening port so it all should be OK.

I will now follow my notes and perform the same modifications on the server (leaving the ones I need for the website and ftp ON of course.)

I am not one for tight security on my computer, but opening port 80 on my router made me nervous - that's what brought all this on.

Once all is well - I will post a simple how-to on this thread - maybe it'll help someone else some day so they don't have to waste as much time as I did looking all this stuff up.

thanks for your help everyone - and if I missed something - let me know.

-tw

tw001_tw 07-16-2004 11:41 PM

Here it is:

Since most systems are different, here is a brief rundown of my system and setup.

I have cable access to the internet.
My cable modem is a motorola SB4101
That is connected to my Linksys BEFSR41 router w/switch & firewall

I did a clean install of Slackware 10.

When I ran nmap - here were the results:

"nmap localhost" results in:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
37/tcp open time
113/tcp open auth
587/tcp open submission
631/tcp open ipp
6000/tcp open X11

and "nmap -sU localhost" results in:
37/udp open time
68/udp open dhcpclient
512/udp open biff

We will go 1 at a time.
========================================================
22/tcp ssh - Since I'm never planning on accessing my system from anywhere except
from here at my desk, I wanted this off.

You can do it manually by editing /etc/rc.d/rc.inet2

Change this:
# Start the OpenSSH SSH daemon:
if [ -x /etc/rc.d/rc.sshd ]; then
echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
/etc/rc.d/rc.sshd start
fi

to this:
# Start the OpenSSH SSH daemon:
# UNCOMMENTED BY DEFAULT ***********************************************
# if [ -x /etc/rc.d/rc.sshd ]; then
# echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
# /etc/rc.d/rc.sshd start
# fi


I made the # UNCOMMENTED BY DEFAULT **** line so it would be easier to find if I never
need to enable it again.

OR you could simply run 'pkgtool' -> setup -> services, select services and remove the
'X' in front of rc.sshd

=========================================================
25/tcp smtp - Since my computer will not be a mail server, nor will I use 'sendmail'
I wanted this off too.

You can do it manually by editing /etc/rc.d/rc.sendmail

change this:
# Start the sendmail daemon:
if [ -x /etc/rc.d/rc.sendmail ]; then
. /etc/rc.d/rc.sendmail start
fi

to this:
# Start the sendmail daemon:
# NEXT # LINES ORIGINALLY UNCOMMENTED **************************************
# if [ -x /etc/rc.d/rc.sendmail ]; then
# . /etc/rc.d/rc.sendmail start
# fi

OR once again, you could do it automatically by running
'pkgtool' -> setup -> services, select services and remove the 'X' in front of rc.sendmail

=========================================================
37/tcp time - I do not update my computers time setting via the internet automatically, so
I wanted this off too. This will also get rid of "37/udp open time"

You can do it manually by editing /etc/inetd.conf

change this:
time stream tcp nowait root internal
time dgram udp wait root internal

to this:

# COMMENTED OUT time stream tcp nowait root internal
# COMMENTED OUT time dgram udp wait root internal


=========================================================

113/tcp auth - This I want. It is for authentication on the internet.

You can look at the line in /etc/inetd.conf

It looks like this:

# Ident service is used for net authentication
auth stream tcp wait root /usr/sbin/in.identd in.identd

==========================================================

587/tcp submission - This is a port for Message Submission protocol - it is part of
'sendmail'. By removing sendmail, this open port is also removed from the list.

==========================================================

631/tcp ipp - This is the Internet Printing Protocol. If you use the CUPS print server,
this port is opened.

To disable it, 'pkgtool' -> setup -> services, select services and remove
the 'X' in front of rc.cups - If you use CUPS as a print manager, keep it.

==========================================================
6000/tcp X11 - Apparently you can disable this - although I have read many conflicting reports
on the issue. I use KDM as a login manager, so I am unsure how and unable to find information
on how to close this port manually.
Any help on this issue would be nice.

==========================================================

37/udp time - This is taken care of when editing the 2 lines for 37/tcp in
the file /etc/inetd.conf

==========================================================

68/udp open dhcpclient - This I left open. 68/udp is dhcp bootstrap protocol client - I
have yet to find good info on this. I can say that this is the transmit port, not a
listening port so it all should be OK. At the current time I don't know how to disable it

==========================================================
512/udp biff - Since I don't use biff, I don't need it.

You can close this port by editing our good friend /etc/inetd.conf

Change this:

# The comsat daemon notifies the user of new mail when biff is set to y:
comsat dgram udp wait root /usr/sbin/tcpd in.comsat

to this:

# The comsat daemon notifies the user of new mail when biff is set to y:
# COMMENTED OUT comsat dgram udp wait root /usr/sbin/tcpd in.comsat

===========================================================
So that's it. Now, when I run nmap:

"nmap localhost" results in:
113/tcp open auth
6000/tcp open X11

and
"nmap -sU localhost" results in:
68/udp open dhcpclient


I hope this helps someone. Till my next problem and/or visit... - tw

fskmh 07-17-2004 07:23 AM

Just a quick remark on the commenting out of rc scripts.
I find that if you admin a fairly large no. of boxes (20+) and you find that you need to activate a service that you disabled a few months ago and have since forgotten about, it is more sensible to simply change the permissions on the rc scripts, i.e. chmod 644 /etc/rc.d/rc.sshd to disable sshd, and then chmod 755 to enable it again.
It is better to keep the scripts themselves as generalised as possible so that you can scp them between machines when you break stuff ;).
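The how-to above disables inetd services by commenting out lines in /etc/inetd.conf and rc scripts by editing rc.inet2, and fskmh suggests flipping the executable bit on the rc script instead. As an added example (not from the thread), the script below does both on a scratch copy so it can be run safely: it lists what inetd would still start, comments a service out with the same "# COMMENTED OUT" marker the how-to uses, keeps a backup as ne21 advises, and reports which rc.* scripts are executable. The inetd.conf entries and rc scripts are constructed from the lines quoted in the thread; point INETD_CONF and RC_DIR at the real paths to audit an actual box.

```shell
#!/bin/sh
# Added example, not from the thread. Runs on a scratch copy of inetd.conf and rc.d.

WORK=$(mktemp -d)
INETD_CONF="$WORK/inetd.conf"
RC_DIR="$WORK/rc.d"
mkdir -p "$RC_DIR"

# Constructed inetd.conf, built from the lines quoted in the how-to above.
cat > "$INETD_CONF" <<'EOF'
# Ident service is used for net authentication
auth stream tcp wait root /usr/sbin/in.identd in.identd
time stream tcp nowait root internal
time dgram udp wait root internal
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
EOF

# Constructed rc scripts: sshd and sendmail enabled (755), cups disabled (644).
for s in rc.sshd rc.sendmail rc.cups; do printf '#!/bin/sh\n' > "$RC_DIR/$s"; done
chmod 755 "$RC_DIR/rc.sshd" "$RC_DIR/rc.sendmail"
chmod 644 "$RC_DIR/rc.cups"

# active_inetd FILE -> names of services inetd will still start (non-comment lines).
active_inetd() { awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1" | sort -u; }

# disable_inetd FILE SERVICE -> comment out every line for SERVICE, using the
# "# COMMENTED OUT" marker from the how-to so it is easy to find and revert later.
disable_inetd() {
    cp "$1" "$1.bak"    # always keep a backup of the file before editing it
    awk -v svc="$2" '$1 == svc { print "# COMMENTED OUT " $0; next } { print }' \
        "$1.bak" > "$1"
}

# enabled_rc DIR -> rc.* scripts that are executable (fskmh's chmod convention).
enabled_rc() { for f in "$1"/rc.*; do [ -x "$f" ] && basename "$f"; done; return 0; }

# set_rc DIR SCRIPT on|off -> flip the executable bit instead of editing the script.
set_rc() { if [ "$3" = on ]; then chmod 755 "$1/$2"; else chmod 644 "$1/$2"; fi; }

# Apply the same changes the how-to made: drop time and biff, turn sshd off.
disable_inetd "$INETD_CONF" time
disable_inetd "$INETD_CONF" comsat
set_rc "$RC_DIR" rc.sshd off
echo "inetd still starts: $(active_inetd "$INETD_CONF" | tr '\n' ' ')"
echo "rc scripts enabled: $(enabled_rc "$RC_DIR" | tr '\n' ' ')"
```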

coindood 07-17-2004 08:10 PM

I'm glad I helped you a bit! All the posters here are correct; since this is your personal computer and only apache needs to run, you need no service running on any port except apache on port 80.

Router/switch/built-in firewall protection would be sufficient in your case. Ways exist to circumvent such protections, but since this is a personal server, the potential damage inflicted to you should be only to your pride if someone (i.e., a common script kiddie) should decide to bypass your securities, compared to the vast financial damages inflicted upon networks.

Slack is a great distro, and Slack10 should be a great release, have fun!

sigma957 08-16-2004 09:20 AM

Great thread! Just to toss in my two cents, you can use Shields Up from grc.com to test your firewall from the outside. My firewall script has all ports stealthed except 113, which is closed to connections. Other tests can check a Windows box as well.

(grc.com is the website of the guy (Steve Gibson) who does spinrite software for hard drives.)
