Slackware 10 security with apache & router
Good evening folks,
I gave myself a project about a week ago, and it's done. I started posting questions 2 or 3 times, but eventually figured it out. This one I am stuck on.

Background - I had a dual PII/266, 512MB, 2x 9.1GB SCSI server sitting around. I installed Slackware 10 (full install) and, using shilo's fantastic instructions, set up an Apache web server using a dyndns.com domain. I have cable for my internet access. I have a Linksys BEFSR41 router/switch/firewall. I currently have 3 computers hooked up to it: the server w/ Slackware 10, MY computer running Slackware 10 (primarily) & SuSE 9.1 (secondly), and a Win98 computer the rest of the family can't live without (games for the kids).

All is well - finally, but I am uncertain about security for my computer and the Win98 computer. In the router I forwarded port 80 to the IP address of the server. At work I have tested and can access the simple little index.html test page I made. I tried going to the linuxquestions.org security forum, but to be honest, it is all a bit (a lot) over my head. I have always found this Slackware forum to be VERY helpful and friendly - so here I am.

My question reduced to its simplest form is - How can I test/make sure that the 2 other computers (and I guess the rest of the server) are safe/secure while still allowing access to the web server (and soon to be FTP server)??

Code:

On my computer:

Did I give too much information? Not enough?? Thanks a lot in advance - tw

(edited & unrelated) I received my Slackware 10 CDs today in the mail!!!! Wanted to help the cause.
Well, nmapping localhost will scan that system only (loopback). It also seems from what the output is, that you have many vulnerable services open. Though you only have port 80 forwarded, it would be wise to disable all unneeded services on both computers. If someone were to exploit Apache (which can be exploited), they then can scan the network for computers within the LAN; the open services just make it easier for an attacker to exploit the computer, as it raises the number of workable exploits that can be used on the system and those within the network.

No network can be 100% secure; security is an ongoing process. Not to be 100% paranoia-inducing, but all your computers are vulnerable (especially the Win98 PC), but as long as you practice some form of ongoing security (patches, reading bugtraq, securing running daemons, etc.), you'll at least rule out the least determined attacker from exploiting your computer.

PS: Congratulations on your new system, and for supporting the community!
coindood - thanks for the reply - all that sounds good and makes sense.

I understand the 98 computer is most at risk - Norton's firewall I guess it is for that one. But on to the important computers!! :) So on my computer, which is not hosting the web/ftp server - I can close ports (1 at a time):

22/tcp - ssh - Don't I need this for password stuff?
25/tcp - smtp - Since no email server, I can close this?
37/tcp - time - I don't set the time via internet (I don't even think the time is right on my computer :) - so this is OK to close?
113/tcp - auth - Correct that this is mainly for IRC? I VERY seldom use that, so OK to close?
587/tcp - submission - ??? no idea
631/tcp - ipp - no idea on this either

What, if any, of these do I need to get out to the net? (www, mail, news, Yahoo messenger)

-tw
tw001_tw-
First of all, I'm glad that you found the guide useful. On to your questions...

Quote:
22/tcp open ssh --- As long as you don't want to ssh into this box
25/tcp open smtp --- Since you probably aren't running a mail server from this box
37/tcp open time --- Since you probably aren't running any time services from this box
68/udp open dhcpclient --- I believe that you can get rid of this, as your router takes care of all things dhcp, but what do I know. :)
512/udp open biff --- You can ditch this if you want. It just notifies you of new mail that is coming in.
6000/tcp open X11 --- Since you probably aren't running X services remotely (I know I don't)

That leaves the following open:

113/tcp open auth --- I don't know what this is. Try closing it and see if anything breaks.
587/tcp open submission --- I think this is for Samba, but I could be wrong. You can try shutting that down.
631/tcp open ipp --- I believe this is for some forms of printing. You can try shutting this down, too.

You can use this guide to figure out what you don't want running on your server, as well.

A side note: I'm not super anal when it comes to security. You can try running a port scanner from work on your home box. You will probably find that even though these ports are open on your LAN, your router/switch/firewall is blocking them from the WAN (Internet). I'm happy enough with that. Though there are exploits for Apache (and every OTHER server that you will run on your box), I am happy with the security provided by my router/switch/firewall.

Let me know if you need any help shutting some of the ports down. I will help as much as I can.

Good luck,
Shilo
I think you are on the right track tw. I am a Slack boy too, and am waiting on my Slack 10 CDs in the mail as we speak! :D. I have Slack 9 and 9.1 and am eager to get ahold of 10. But that is neither here nor there. I actually had a similar problem and here is what I discovered. I will tell you what each of those items are in your nmap list and help you determine if you need them.

SSH - This is Secure SHell, which is the most awesome remote access service I have ever used. I wish Windoze had something this nice. I use it daily, but you may not need it if you aren't doing any remote administration. It basically lets you log in to the shell from anywhere.

SMTP - If you are not planning on running a mail server or a web server that needs SMTP access, then you can close this port. I keep it open because a lot of my web servers have forms and the like that need to use SMTP for their various duties.

Time - You are right on the dime there, no need to use it.

Auth - This port is actually one to keep open, as it authenticates for FTP, SSH, and others. Every time I turn this off, it causes FTP and SSH to flub up. I would leave it on if I were you.

Submission - I can never get this one to go away no matter what I do, but it hasn't seemed to cause any security holes, especially if it is not forwarded through the router.

IPP - Never seen this one; it may be part of the newer distro, so unfortunately my assistance is limited there.

You should be able to edit the ones I mentioned by going sudo (if not root) /etc/rc.d/inetd and commenting out where those holes are located, just in case you didn't know. As far as I can tell, you should have no prob getting on the net or getting others in from the net with those services changed. But always make a backup of the file to save yourself a headache! I hope I offered some insight.
When in doubt about a port number, look at:
http://www.iana.org/assignments/port-numbers
tw - you may want to head over to Sygate and run their port scan. I don't have a lot of experience with your situation, but I believe that this scan would be checking the ports on your router, which in my opinion is the place to start, because if you have all the unnecessary ports closed on the router, it is that much harder for someone to get to your LAN.

I don't know if this will help, but good luck. -crash
Just to update:
On my main computer I am down to:

nmap localhost
113/tcp open auth
6000/tcp open X11

and nmap -sU localhost
68/udp open dhcpclient

and everything still works. I need 113/tcp for the internet, I have read conflicting reports on disabling 6000/tcp, and 68/udp is dhcp bootstrap protocol client - this is the transmit port, not the listening port, so it all should be OK.

I will now follow my notes and perform the same modifications on the server (leaving the ones I need for the website and ftp ON, of course). I am not one for tight security on my computer, but opening port 80 on my router made me nervous - that's what brought all this on. Once all is well, I will post a simple how-to on this thread - maybe it'll help someone else some day so they don't have to waste as much time as I did looking all this stuff up.

Thanks for your help everyone - and if I missed something, let me know. -tw
Here it is:
Since most systems are different, here is a brief rundown of my system and setup. I have cable access to the internet. My cable modem is a Motorola SB4101. That is connected to my Linksys BEFSR41 router w/switch & firewall. I did a clean install of Slackware 10.

When I ran nmap, here were the results. "nmap localhost" results in:

    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    37/tcp   open  time
    113/tcp  open  auth
    587/tcp  open  submission
    631/tcp  open  ipp
    6000/tcp open  X11

and "nmap -sU localhost" results in:

    37/udp   open  time
    68/udp   open  dhcpclient
    512/udp  open  biff

We will go 1 at a time.

========================================================
22/tcp ssh - Since I am never planning on accessing my system from anywhere except from here at my desk, I wanted this off. You can do it manually by editing /etc/rc.d/rc.inet2. Change this:

    # Start the OpenSSH SSH daemon:
    if [ -x /etc/rc.d/rc.sshd ]; then
      echo "Starting OpenSSH SSH daemon:  /usr/sbin/sshd"
      /etc/rc.d/rc.sshd start
    fi

to this:

    # Start the OpenSSH SSH daemon:
    # UNCOMMENTED BY DEFAULT ***********************************************
    # if [ -x /etc/rc.d/rc.sshd ]; then
    #   echo "Starting OpenSSH SSH daemon:  /usr/sbin/sshd"
    #   /etc/rc.d/rc.sshd start
    # fi

I made the "# UNCOMMENTED BY DEFAULT ****" line so it would be easier to find if I ever need to enable it again. OR you could simply run 'pkgtool' -> setup -> services, select services and remove the 'X' in front of rc.sshd.

=========================================================
25/tcp smtp - Since my computer will not be a mail server, nor will I use 'sendmail', I wanted this off too. You can do it manually by editing /etc/rc.d/rc.sendmail. Change this:

    # Start the sendmail daemon:
    if [ -x /etc/rc.d/rc.sendmail ]; then
      . /etc/rc.d/rc.sendmail start
    fi

to this:

    # Start the sendmail daemon:
    # NEXT 3 LINES ORIGINALLY UNCOMMENTED **************************************
    # if [ -x /etc/rc.d/rc.sendmail ]; then
    #   . /etc/rc.d/rc.sendmail start
    # fi

OR once again, you could do it automatically by running 'pkgtool' -> setup -> services, select services and remove the 'X' in front of rc.sendmail.

=========================================================
37/tcp time - I do not update my computer's time setting via the internet automatically, so I wanted this off too. This will also get rid of "37/udp open time". You can do it manually by editing /etc/inetd.conf. Change this:

    time    stream  tcp     nowait  root    internal
    time    dgram   udp     wait    root    internal

to this:

    # COMMENTED OUT time    stream  tcp     nowait  root    internal
    # COMMENTED OUT time    dgram   udp     wait    root    internal

=========================================================
113/tcp auth - This I want. It is for authentication on the internet. You can look at the line in /etc/inetd.conf. It looks like this:

    # Ident service is used for net authentication
    auth    stream  tcp     wait    root    /usr/sbin/in.identd    in.identd

==========================================================
587/tcp submission - This is a port for the Message Submission protocol - it is part of 'sendmail'. By removing sendmail, this open port is also removed from the list.

==========================================================
631/tcp ipp - This is the Internet Printing Protocol. If you use the CUPS print server, this port is opened. To disable it, 'pkgtool' -> setup -> services, select services and remove the 'X' in front of rc.cups. If you use CUPS as a print manager, keep it.

==========================================================
6000/tcp X11 - Apparently you can disable this - although I have read many conflicting reports on the issue. I use KDM as a login manager, so I am unsure how, and unable to find information on how, to close this port manually. Any help on this issue would be nice.

==========================================================
37/udp time - This is taken care of when editing the 2 lines for 37/tcp in the file /etc/inetd.conf.

==========================================================
68/udp open dhcpclient - This I left open. 68/udp is dhcp bootstrap protocol client - I have yet to find good info on this. I can say that this is the transmit port, not a listening port, so it all should be OK. At the current time I don't know how to disable it.

==========================================================
512/udp biff - Since I don't use biff, I don't need it. You can close this port by editing our good friend /etc/inetd.conf. Change this:

    # The comsat daemon notifies the user of new mail when biff is set to y:
    comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat

to this:

    # The comsat daemon notifies the user of new mail when biff is set to y:
    # COMMENTED OUT comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat

===========================================================
So that's it. Now, when I run nmap, "nmap localhost" results in:

    113/tcp  open  auth
    6000/tcp open  X11

and "nmap -sU localhost" results in:

    68/udp   open  dhcpclient

I hope this helps someone. Till my next problem and/or visit... - tw
Just a quick remark on the commenting out of rc scripts.
I find that if you admin a fairly large no. of boxes (20+) and you find that you need to activate a service that you disabled a few months ago and have since forgotten about, it is more sensible to simply change the permissions on the rc scripts, i.e. chmod 644 /etc/rc.d/rc.sshd to disable sshd, and then chmod 755 to enable it again. It is better to keep the scripts themselves as generalised as possible so that you can scp them between machines when you break stuff ;).
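One block serving both the how-to above (commenting out inetd.conf entries) and the chmod suggestion in this reply, as an added example that is not code from the thread: a small POSIX shell audit of which rc.d scripts and inetd.conf entries would still start, checked against a constructed sample tree rather than the real /etc (the sample paths and file contents are assumed).

```shell
#!/bin/sh
# Added example, not code from the thread: audit which services a Slackware-style
# box will start, by reading config rather than running nmap. Two places decide:
# executable scripts in /etc/rc.d (the chmod 755/644 method) and uncommented
# lines in /etc/inetd.conf. Paths are arguments so it runs against the constructed
# sample tree from demo_tree, not the real /etc.

# rc.d scripts init would actually run: those with the exec bit set.
enabled_rc_scripts() {            # $1 = rc.d directory
    for f in "$1"/rc.*; do
        if [ -x "$f" ]; then basename "$f"; fi
    done
}

# inetd services still active: first field of each non-comment, non-blank line.
enabled_inetd_services() {        # $1 = inetd.conf path
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Disable an rc script without editing it (chmod 644); chmod 755 re-enables it.
disable_rc_script() {             # $1 = rc script path
    chmod 644 "$1"
}

# Constructed sample tree (assumed layout, not copied from any real system).
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/rc.d"
    for s in rc.sshd rc.sendmail rc.cups rc.httpd; do
        printf '#!/bin/sh\n' > "$d/rc.d/$s"
    done
    chmod 755 "$d/rc.d/rc.sshd" "$d/rc.d/rc.sendmail" "$d/rc.d/rc.httpd"
    chmod 644 "$d/rc.d/rc.cups"   # printing already switched off
    cat > "$d/inetd.conf" <<'EOF'
# constructed inetd.conf: tcp time and auth on, udp time and comsat off
time    stream  tcp     nowait  root    internal
# COMMENTED OUT time    dgram   udp     wait    root    internal
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd
# COMMENTED OUT comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
EOF
    echo "$d"
}
# Stand-alone run: report the sample box, then drop sshd the chmod way.
if [ "${1:-}" = "demo" ]; then
    root=$(demo_tree)
    echo "rc.d:"; enabled_rc_scripts "$root/rc.d"
    echo "inetd:"; enabled_inetd_services "$root/inetd.conf"
    disable_rc_script "$root/rc.d/rc.sshd"
    echo "after chmod 644 rc.sshd:"; enabled_rc_scripts "$root/rc.d"
fi
```

Run it as `sh audit.sh demo`; point the two functions at /etc/rc.d and /etc/inetd.conf to audit a real box, and compare the result with what nmap reports.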
I'm glad I helped you a bit! All the posters here are correct; since this is your personal computer and only Apache needs to be run, you need no service running on any port except Apache on port 80.

Router/switch/built-in firewall protection would be sufficient in your case. Ways exist to circumvent such protections, but since this is a personal server, the potential damage inflicted on you should be only to your pride if someone (i.e. a common script kiddie) should decide to bypass your securities, compared to the vast financial damages inflicted upon networks. Slack is a great distro, and Slack10 should be a great release, have fun!
Great thread! Just to toss in my two cents, you can use Shields Up from grc.com to test your firewall from the outside. My firewall script has all ports stealthed except 113, which is closed to connections. Other tests can check a Windows box as well.

(grc.com is the website of the guy (Steve Gibson) who does SpinRite software for hard drives.)