[SOLVED] how exactly does someone hack in through a port
Linux - Newbie
You hear about hacking but I'm not exactly sure how someone could hack into a server via a port.
For example, someone hacks into apache through port 80 - does that somehow leave my entire server at risk if they can get to root or would they be locked into the apache environment only?
It depends how the system is set up, and what your system is vulnerable to. This is the sort of thing that SELinux is aimed at, where the kernel monitors what a process is trying to do, and judges whether it's the sort of thing that it should permit. Hope you're still running it.
To be honest, I'm not sure. I have it on my distro but not exactly sure what it monitors - I'll read some guides but is it a simple case of yum install selinux?
Say my port 80 was open and someone hacked in to apache, what risk is there of getting into root. I assume php safe mode is on and apache has standard install settings for all the folders.
SELinux is there by default on CentOS, should be fully enabled by default. Run system-config-securitylevel (or just -security..?) or getenforce to check. This is a great example of something that can be very painful to live with, with administrators having to spend a lot of time teaching the system what is not a hack attempt etc. So most people just turn it off.
getenforce says disabled
vi /etc/sysconfig/system-config-securitylevel
says:
--enabled
--port:22 tcp
I think by now the question you should ask is "How do I assess the security posture of my machine and how do I harden it properly?".
Well, yes but it's because I'm separating each service into separate questions.
I guess I could say I have the following main services:
apache
ssh
squid
I believe I have taken care of ssh with my firewall settings, passwords, separate IP, non default port number, and logwatch. I could do a lot more but I believe restricting logons to 2 per minute and with a 10+ char&num password should restrict the chances to negligible.
How do I then check the remaining security implications of having ports 80, 8080, and 3128 open plus apache/squid security implications.
These are by far the most likely ports that someone is going to try to hack in through. The rest are DNS, ICMP, etc.
There are plenty of tools out there that you can use to scan your own systems to see what is vulnerable with one of the best being nessus and its plugins.
But they say the biggest percentage of compromises are in fact results of social engineering, so sometimes it does not even matter how secure your systems are.
Quote:
Originally Posted by centosboy
There are plenty of tools out there that you can use to scan your own systems to see what is vulnerable with one of the best being nessus and its plugins.
including scanning apache and squid config files?
I'll have a look at that download...
Do I install Nessus on the Linux box and also on another computer outside of the network to test its ports plus other stuff?
Quote:
Originally Posted by centosboy
But they say the biggest percentage of compromises are in fact results of social engineering, so sometimes it does not even matter how secure your systems are.
There are plenty of tools out there that you can use to scan your own systems to see what is vulnerable with one of the best being nessus and its plugins.
You're painting half the picture with a very broad brush.
Quote:
Originally Posted by centosboy
But they say the biggest percentage of compromises are in fact results of social engineering, so sometimes it does not even matter how secure your systems are.
Cool! Who are "they"? And where do "they" say that? Pointers welcome.
Quote:
Originally Posted by qwertyjjj
I believe I have taken care of ssh with my firewall settings, passwords, separate IP, non default port number, and logwatch. I could do a lot more but I believe restricting logons to 2 per minute and with a 10+ char&num password should restrict the chances to negligible.
Do you still log in over SSH as root user?
Do you use fail2ban or an equivalent (Failed SSH logins sticky)?
Why don't you use SSH pubkey auth?
What does Apache provide?
If it's PHP-based (and else too) did you ever invest time reading about security implications and the products docs or generic HOWTO's about securing it?
Does Apache have mod_security loaded?
What is Squid used for?
Does Squid have ACLs loaded?
For all available services, does your firewall provide rate limiting, blocking fragments and other unwanted traffic?
Quote:
Originally Posted by qwertyjjj
These are by far the most likely ports that someone is going to try to hack in through.
As far as scanning for ports with no access restrictions goes OK but saying "by far the most likely" is just making assumptions. Hardening your machine is more than just scanning for open ports with Nmap, Nessus or whatever else. I know it's in need of revamping but check out the LQ FAQ: Security references (or better: the cleaned version at http://rkhunter.wiki.sourceforge.net/SECREF).
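An added example, not posted by anyone in this thread, that turns the sshd and Apache items in unSpawn's checklist (root login, pubkey auth, default port, mod_security loaded) into a script you can run against copies of your own config files. The sample config text is constructed, and the finding strings are my own wording.

```python
"""Audit the SSH and Apache items from the checklist above.
Added example for this thread; input is the text of sshd_config and
httpd.conf. The sample configs at the bottom are constructed."""
import re


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}. sshd honours the FIRST
    occurrence of a keyword, so a later duplicate must not override it."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def audit_sshd(text):
    """Findings as short strings; an empty list means the checks pass.
    An absent keyword is treated as the weak setting (older OpenSSH
    defaulted PermitRootLogin and PasswordAuthentication to yes)."""
    c = parse_sshd_config(text)
    findings = []
    if c.get("permitrootlogin", "yes").lower() != "no":
        findings.append("root login over SSH is permitted")
    if c.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("public key authentication is disabled")
    if c.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password logins still allowed (prefer pubkey only)")
    if c.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings


def audit_httpd(text):
    """Flag httpd.conf if no active LoadModule line pulls in mod_security
    (security_module for 1.x, security2_module for 2.x)."""
    pat = re.compile(r"^\s*LoadModule\s+security2?_module\s", re.M)
    return [] if pat.search(text) else ["mod_security is not loaded"]


# Constructed samples: hardened sshd_config, Apache with mod_security commented out.
SAMPLE_SSHD = """Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# the next line is ignored by sshd because PermitRootLogin was already set
PermitRootLogin yes
"""
SAMPLE_HTTPD = """LoadModule php5_module modules/libphp5.so
#LoadModule security2_module modules/mod_security2.so
"""

if __name__ == "__main__":
    print(audit_sshd(SAMPLE_SSHD) + audit_httpd(SAMPLE_HTTPD))
```

On a real host, pass `open('/etc/ssh/sshd_config').read()` and the httpd.conf text instead of the samples.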