[SOLVED] how exactly does someone hack in through a port
Quote:
Do you still log in over SSH as root user?
Do you use fail2ban or an equivalent (Failed SSH logins sticky)?
Why don't you use SSH pubkey auth?
Yes, I do use root. Isn't it unlikely a hacker could get past a strong password with only 2 attempts per minute as according to my firewall?
I will put in pubkey auth when I get round to it but need to setup some other stuff on the server in the meantime.
Just remembered, there must be other users on my server set up by the hosting company and then of course there are apache, squid user logins. I tried AllowUsers root, dummyname in the sshd config but it locked me out completely even from using root.
Quote:
What does Apache provide?
If it's PHP-based (and else too) did you ever invest time reading about security implications and the products docs or generic HOWTO's about securing it?
Does Apache have mod_security loaded?
I couldn't find it in the httpd.conf. However, when I tried installing the module and changing the conf, I got:
Starting httpd: [Wed Aug 12 10:12:38 2009] [warn] module security2_module is already loaded, skipping
Quote:
What is Squid used for?
Does Squid have ACLs loaded?
merely as a web proxy on port 8080 or 3128
It has acls loaded for ncsa_auth and other standard installation.
Quote:
For all available services, does your firewall provide rate limiting, blocking fragments and other unwanted traffic?
I only have rate limiting on my ssh port.
Does it make sense to rate limit http and proxy ports? These can get a lot of multiple hits just from loading standard webpages?
I suppose I could rate limit the icmp ports - I only have allowed 8 incoming and 0 outgoing at present.
Is this all I need:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
Is syn needed anymore? iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
Quote:
As far as scanning for ports with no access restrictions goes OK but saying "by far the most likely" is just making assumptions. Hardening your machine is more than just scanning for open ports with Nmap, Nessus or whatever else. I know it's in need of revamping but check out the LQ FAQ: Security references (or better: the cleaned version at http://rkhunter.wiki.sourceforge.net/SECREF).
I believe "hacking in through a port" is what happens in Britain when you're sick and instead of taking medicine you drink wine until you fall asleep.
Or what insomniacs in the Matrix do.
Quote:
Originally Posted by qwertyjjj
Yes, I do use root. Isn't it unlikely a hacker could get past a strong password with only 2 attempts per minute as according to my firewall?
I will put in pubkey auth when I get round to it but need to setup some other stuff on the server in the meantime.
From your other discussions I think that when you say you log in as root you have to distinguish if this goes for all interfaces or only for the interface that already has an iptables filter set for your management IP or range (and if you actually did set the restriction). The point is that, as opposed to pubkey auth, passwords can be cracked, that exposing the root account to the 'net increases the risk unnecessarily and that it is not a best practice. Saying "when I get around to it" shows you have a different way of prioritizing things. However, some risks are in more need of being taken care of right now.
Most of the topics below are dealt with in your other threads. It would be good if you link to it. That way discussions don't wander between threads as they will do now.
Quote:
Originally Posted by qwertyjjj
Just remembered, there must be other users on my server set up by the hosting company and then of course there are apache, squid user logins. I tried AllowUsers root, dummyname in the sshd config but it locked me out completely even from using root.
"Other users" as in human users (UID >= 500 or 1000) or system users?
Quote:
Originally Posted by qwertyjjj
I couldn't find it in the httpd.conf.
From one of your other discussions I got you are not using a "default" Apache but some package that includes Apache among other things. Is that right? What is the package called? Was it "webkit" or something?
Quote:
Originally Posted by qwertyjjj
However, when I tried installing the module and changing the conf, I got:
Starting httpd: [Wed Aug 12 10:12:38 2009] [warn] module security2_module is already loaded, skipping
So it is loaded. Have you reviewed what rules it uses?
Quote:
Originally Posted by qwertyjjj
I only have rate limiting on my ssh port.
Does it make sense to rate limit http and proxy ports?
These can get a lot of multiple hits just from loading standard webpages?
Iptables-based rate limiting depends on what you're actually serving, how you prioritise services and resources and if those services include their own mechanisms for dealing with request floods. For instance would it be OK for the machine to be swamped in proxy requests if the main purpose of the machine is to serve web pages? (source net ACL, maxconn)
Quote:
Originally Posted by qwertyjjj
I suppose I could rate limit the icmp ports - I only have allowed 8 incoming and 0 outgoing at present. Is this all I need
// ICMP is dealt with in another thread so please link to it from here. That way discussions don't wander between threads.
I may have said it before in one of your other discussions but I don't get the idea you confidently admin your machine. Again I strongly suggest you pace things better and please read Rute, the admin docs that come with your distro and the docs for each service you're dealing with. You should know basic (admin) tasks before you manage the machine. Using a web-based panel is no substitute for required knowledge.
In my opinion proper server management should start before the installation by knowing the machine's purpose, how it should interact with others and where it fits in the network. Offering the information makes things more efficient for all of us. Configuring a new server should start by shielding it from network access while performing your postinstall assessment of the machine, removing, installing and configuring the OS before adding and hardening publicly accessible networked services and before exposing it to the 'net. Doing things the other way around by offering you "just" run Apache, OpenSSH and Squid will get you there in the end but it will take way more effort to properly harden the machine and without a checklist the chance you do not address everything you should is rather large. You are free to proceed and do as you like but I would suggest you take a step back and check if what you have accomplished right now is what you should aim for.
Last edited by unSpawn; 08-12-2009 at 07:53 AM.
Reason: //more *is* more...
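The SSH points raised in this reply (root over the network, passwords versus keys) and the AllowUsers lockout qwertyjjj described, as an added example that is not code from the thread or from either poster: a constructed weak sshd_config next to a hardened one, and a small audit that flags the weak settings. The user name "dummyname" and the management address 203.0.113.10 are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or either poster): the weak
# sshd_config the discussion describes next to a hardened one, plus a
# small audit that flags the weak settings. Assumptions: OpenSSH-style
# keywords; "dummyname" and 203.0.113.10 are a placeholder user and
# management address.

# Constructed sample of what the thread describes. Note the comma in
# AllowUsers: patterns are separated by spaces, so "root," is a literal
# pattern that matches no account.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
AllowUsers root, dummyname
'

# Constructed hardened counterpart: no root over the network, no password
# guessing, and logins for one account from one management address only.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers dummyname@203.0.113.10
'

# audit_sshd_config: read sshd_config text on stdin, print one finding
# per line, print nothing when the checked settings are all fine.
audit_sshd_config() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | while read -r key value; do
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case "$lkey" in
            permitrootlogin)
                [ "$value" = no ] ||
                    echo "PermitRootLogin $value: the root account is exposed to network logins" ;;
            passwordauthentication)
                [ "$value" = no ] ||
                    echo "PasswordAuthentication $value: passwords can be brute-forced, keys cannot" ;;
            allowusers)
                case "$value" in
                    *,*) echo "AllowUsers '$value': separate patterns with spaces; a comma becomes part of the pattern and matches no account" ;;
                esac ;;
        esac
    done
}

# finding_count: number of findings for a config passed as one string.
finding_count() {
    printf '%s\n' "$1" | audit_sshd_config | awk 'END { print NR }'
}

# Usage on a live host:
#   audit_sshd_config < /etc/ssh/sshd_config
# When changing AllowUsers or PermitRootLogin, keep the current session
# open and confirm a second login works before closing it.
```

The audit only covers the three settings the thread argues about; it is a starting point, not a replacement for reading sshd_config(5).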
I've only had the machine a few days so I'm essentially hardening it at the moment - I take all your points but it's somewhat of a learning curve for me as well. I took the option that before learning about ssh keys I would do as much as I could to immediately lock down 99% of ssh and I took that to be rate limiting connections to 2 per minute and having a very strong password. I do intend on making it stronger but the rest has turned to my server installations at present.
I intend this to be primarily a squid server so I could further rate limit http requests.
I have rate limited ICMP requests as follows (but I'll put in the other thread)
Code:
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d 88.xxx.xxx.xxx -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 88.xxx.xxx.xxx -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
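Rate limiting as discussed in this post and in the reply above, as an added example and not the poster's ruleset: in the rules posted here the unconditioned "--icmp-type 8 ... -j ACCEPT" line comes after the limit rule, so echo requests that exceed the limit are accepted by the second rule anyway. The script below puts the limit, the drop and the state rule in the order that makes the limit bite, and adds a per-source SSH limit with the recent match. Assumptions: IPv4 iptables with the limit, recent and state matches; SSH on port 22; run as root.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: rate limiting for SSH and
# ICMP echo requests in the order that makes the limit bite.
# Assumptions: IPv4 iptables with the limit, recent and state matches;
# SSH on port 22; run as root. Set DRY_RUN=1 to print the rules instead
# of loading them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# SSH: at most 3 new connections per source address per 60 seconds.
# The third rule is still needed: the recent match only drops the
# excess, it does not accept anything by itself.
ssh_ratelimit_rules() {
    run -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
    run -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH \
        --update --seconds 60 --hitcount 4 --rttl -j DROP
    run -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# ICMP: echo requests at 1/s (burst 1), everything over that dropped;
# replies and error messages for flows this host started are admitted
# by connection tracking rather than by an unconditional accept.
icmp_ratelimit_rules() {
    run -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-request -j DROP
    run -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Usage: DRY_RUN=1 sh ratelimit.sh apply   (review the rules)
#        sh ratelimit.sh apply             (load them, as root)
if [ "${1:-}" = apply ]; then
    ssh_ratelimit_rules
    icmp_ratelimit_rules
fi
```

Review the DRY_RUN output before loading: a limit rule is only as good as the rule that catches what it lets through.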
Ok, so with tiger, I am getting a lot of
The ./scripts/check_passwd script will not be run since it is owned by a user (1000) different than the one running Tiger (0)
Do I need to chmod the folder to root?
system users
other users
Can any of these get in through ssh?
Though the UID doesn't need to be less than $GID_MIN, system users will usually be locked out using an inert shell like 'nologin' or 'false'. The "admin" account I don't know but the name is such that you definitely want to know what it can do.
Quote:
Originally Posted by qwertyjjj
Ok, so with tiger, I am getting a lot of
The ./scripts/check_passwd script will not be run since it is owned by a user (1000) different than the one running Tiger (0)
Do I need to chmod the folder to root?
Whether you build RPMs or untar a tarball it's always good to do it as an unprivileged user as it will help keep you from harm: inspect contents, chown if necessary, then let root move or use it.
Quote:
Though the UID doesn't need to be less than $GID_MIN, system users will usually be locked out using an inert shell like 'nologin' or 'false'. The "admin" account I don't know but the name is such that you definitely want to know what it can do.
Quote:
Whether you build RPMs or untar a tarball it's always good to do it as an unprivileged user as it will help keep you from harm: inspect contents, chown if necessary, then let root move or use it.
So, login as a different user and then you change to root and chown the entire folder? The problem is that most packages install themselves all over the place don't they?
Quote:
Originally Posted by qwertyjjj
So, login as a different user and then you change to root and chown the entire folder?
No, what I mean is that untarring as unprivileged user (since you log in as unprivileged user anyway, right?) will make all tarball contents be owned by the current user. After that you let root do its thing.
Quote:
Originally Posted by qwertyjjj
The problem is that most packages install themselves all over the place don't they?
Installing is something completely different because this will almost always involve writing to locations only root can write to. However it's good to note that because you value your system's integrity and run a matured package management system it is preferable to install OS+release-specific packages over just about any tarball you can lay your hands on.
Quote:
No, what I mean is that untarring as unprivileged user (since you log in as unprivileged user anyway, right?) will make all tarball contents be owned by the current user. After that you let root do its thing.
Quote:
Installing is something completely different because this will almost always involve writing to locations only root can write to. However it's good to note that because you value your system's integrity and run a matured package management system it is preferable to install OS+release-specific packages over just about any tarball you can lay your hands on.
Not yet I don't because I tried adding AllowUsers and my logon to SSH and it locked that user and also root.
Is it because you might have something dodgy in the tar that you wouldn't want root permissions?
Quote:
Originally Posted by qwertyjjj
Not yet I don't because I tried adding AllowUsers and my logon to SSH and it locked that user and also root.
Please post the URI of your SSH thread and maybe we can speed this up.
Quote:
Originally Posted by qwertyjjj
Is it because you might have something dodgy in the tar that you wouldn't want root permissions?
Think of it as a precaution, a safeguard. Sure you expect (application source) tarballs to include a leading directory named like the tarball and sure you could remember to first move to a safe directory and remember to explicitly "-C" things, but making assumptions and having to remember too much makes for nice pitfalls. Add lack of concentration, deadlines, stress and sleep deprivation for a better recipe for disaster. Unlike not logging in as root, some best practices can't be prevented (easily); building packages as an unprivileged user is one of those discipline things.
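The "unpack as unprivileged user, inspect, then let root take over" discipline from this reply and the earlier one about building RPMs and untarring tarballs, together with the tiger message about check_passwd being owned by uid 1000 instead of 0, as an added example that is not code from the thread: a member-list check run before anything is extracted, and an unpack step that refuses to run as root. The tarball name, scratch path and sample listings are constructed for the example; the pitfalls checked (absolute member names, ".." components, no single leading directory) are the ones the reply describes.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a tarball's member list
# before anyone (least of all root) extracts it, then unpack it as the
# unprivileged user into a scratch directory so every file it creates
# is owned by that user. Assumptions: a tar that understands -t, -x
# and -C; the tarball and scratch paths are placeholders.

# check_listing: read "tar -tf" output on stdin and print one line per
# problem: absolute member names, ".." path components, or more than
# one top-level entry (a "tarbomb" that scatters files over the cwd).
check_listing() {
    awk '
        /^\//                                             { print "absolute path: " $0; next }
        /^\.\.\// || /\/\.\.\// || /\/\.\.$/ || $0 == ".." { print "parent traversal: " $0; next }
        {
            split($0, parts, "/")
            tops[parts[1]] = 1
        }
        END {
            n = 0
            for (t in tops) n++
            if (n > 1) print "no single top-level directory (" n " entries)"
        }
    '
}

# inspect_tarball: list without extracting; anything printed is a
# reason not to unpack it.
inspect_tarball() {
    tar -tf "$1" | check_listing
}

# unpack_as_user: refuse to run as root, refuse a suspicious listing,
# and extract into a fresh scratch directory with -C so nothing lands
# in the current directory. Everything created is owned by the caller.
unpack_as_user() {
    tarball=$1
    scratch=${2:-"$HOME/build/$(basename "$tarball" .tar.gz)"}
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to unpack as root; run this as your normal user" >&2
        return 1
    fi
    problems=$(inspect_tarball "$tarball")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    mkdir -p "$scratch" && tar -xf "$tarball" -C "$scratch"
}

# Afterwards, as root and only after reviewing the unpacked contents
# (placeholder path):
#   chown -R root:root /home/dummyname/build/tiger-3.2
# which is also what the tiger warning about check_passwd being owned
# by uid 1000 rather than 0 is asking for before it will run the script.
```

Two constructed listings illustrate the check: a well-formed one with a single leading directory produces no output, while one mixing an absolute path, a "../" component and a second top-level entry produces three findings. As the reply says, the check does not replace distribution packages; it is the minimum look you take at a tarball before root touches anything from it.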