LinuxQuestions.org


metallica1973 08-31-2005 10:09 PM

Firewalls - IPTABLES and Honeypots
 
My questions are as follows:

1 - If I do not have any services running like sshd, telnet, ftp, etc., I have patched up everything, I set up iptables as my firewall and I block everything from the outside in except for established, new, etc. connections, how would a cracker break into my linux system? I guess a better way to put it would be, how could the box be compromised, and could someone give me an example?

2nd - I wanted to set up a honeypot at home and learn from it. What area of my network would I set this up in, possibly in its own DMZ?

jrtayloriv 09-01-2005 02:21 AM

If you want a good introduction to Linux security check out the Linux Security HOWTO. A great book you could purchase to start with would be Hacking Linux Exposed by Brian Hatch.

These are books on how to prevent script kiddies from cracking your box with the most often used and simple attacks: they barely skim the surface. Security is a HUGE subject - involving knowledge of a very large number of subjects.

Might want to check here too to get an idea of what is going on out there...
http://www.securityfocus.com/

or here

http://neworder.box.sk

There are many other great sites out there, a quick google search will turn up tons of info.

hope this helped,
jrtayloriv

Simon Bridge 09-01-2005 03:32 AM

1. Running no services at all - nothing listening at any ports - and you probably needn't have a firewall at all. The firewall you describe is quite good anyway.

Even so, you will probably be running icmp (like folk can ping you and stuff) and so on (there used to be a DNS attack involving repeated pings).

Your firewall will allow packets from established connections(?) - so once you have established a connection, that site can send what it likes (or sites redirected to). And, of course, there are always trojans and so forth in your e-mail.

What people do with your system depends on the system. Most common use seems to be to use it to attack someone else.

2. How you set this up depends on what you hope to achieve. If you just want to see how fast someone compromises you, you'd give the honeypot a network of its own and check it from a secured machine which isn't always on that net (and has its own super restrictive firewall).

The references given you are good solid standards.

archtoad6 09-01-2005 09:11 AM

jrtayloriv,

I really like the refs. in your sig block, 2 suggestions:
1. Make URLs live -- i.e. real links. Sig blocks will accept the url tags, but will not parse URLs automatically.
2. Update http://www.icon.co.za/~psheer/book/index.html.gz -- it now refers to http://rute.2038bug.com/index.html, which in turn refers to http://rute.2038bug.com/index.html.gz, which works when entered directly, at least in Konqueror.
Both would save time for folks interested in them.

metallica1973 09-01-2005 10:17 PM

I have that book Hacking Linux Exposed. It is a good book but that doesn't answer my questions. My understanding from that book is a cracker can crack into your box physically and through bugs in programs, poor passwords, etc. Ok, that's fine, but let's say for example I have a legion of pitbulls surrounding my machines at all times and I have all the bootup passwords, BIOS passwords and LILO and GRUB passwords, which would cover the physical part, and I have anti-spoofing, DDOS, ICMP turned off on my firewall, then let's say for example I have no remote services (chkconfig off, sshd off, etc.), then how would one bypass the firewall and get into the machine?

newpenguin 09-02-2005 02:11 AM

Well, if you haven't any service running on your machine then your machine can't be hacked.

At the most, someone can flood icmp, tcp, udp traffic to your machine, and it can eat up the resources of your machine.

metallica1973 09-02-2005 06:30 PM

I do understand thanks.

Simon Bridge 09-03-2005 06:48 PM

The thing here is to make sure that you are running no services at all. To make sure of this, do

$ netstat -antp

to see which TCP services/ports are bound (and, in your case, exposed) as well as which binaries are associated with each. A stock system can have 8-10 different daemons binding to ports.

Now compare this with a remote portscan...

$ nmap -sS <IP>

... to see what the world sees as your network profile.

Most flooding attacks can be blocked at the kernel level, as well as intercepted by iptables.
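One way to turn the two checks above (local `netstat -antp` versus a remote `nmap -sS`) into a repeatable comparison, as an added example that is not from the thread: it parses constructed sample output of both commands (not a real host) and reports which listening TCP services are reachable from outside, which the firewall hides, and which show open without any local listener.

```python
import re

# Constructed sample output of `netstat -antp` (illustrative, not from a real host).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      954/cupsd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      610/portmap
tcp        0      0 192.168.1.5:22          192.168.1.20:51234      ESTABLISHED 1234/sshd
"""

# Constructed sample of what a remote `nmap -sS <IP>` reported (illustrative).
NMAP_SAMPLE = """\
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
"""

def listening_ports(netstat_output):
    """Return {port: 'pid/program'} for TCP sockets in LISTEN state bound to a non-loopback address."""
    exposed = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue  # headers, UDP lines and established connections are not listeners
        addr, port = fields[3].rsplit(":", 1)
        if addr.startswith("127."):
            continue  # bound to loopback only: not reachable from the network
        exposed[int(port)] = fields[6] if len(fields) > 6 else "?"
    return exposed

def open_ports(nmap_output):
    """Return the set of TCP ports nmap reported as open."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open", nmap_output, re.M)}

def compare(netstat_output, nmap_output):
    """Classify each listener: reachable, hidden by the firewall, or open outside without a local listener."""
    bound = listening_ports(netstat_output)
    seen = open_ports(nmap_output)
    return {
        "exposed": {p: bound[p] for p in bound if p in seen},       # listening and reachable
        "filtered": {p: bound[p] for p in bound if p not in seen},  # listening, but iptables hides it
        "unexpected": sorted(seen - set(bound)),                    # open outside, no listener here: investigate
    }

if __name__ == "__main__":
    for kind, ports in compare(NETSTAT_SAMPLE, NMAP_SAMPLE).items():
        print(kind, ports)
```

Anything in "unexpected" deserves a look: with the constructed samples it is port 80, which nothing on the box is bound to, so either the scan hit a different host (NAT, a router in front) or something is answering that netstat does not show.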

metallica1973 09-05-2005 02:53 PM

I will do so, thanks. Now what about the honeypot, should I put that on its own DMZ?
