Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 06-28-2006, 04:46 AM | Member | Registered: Sep 2005 | Posts: 861
How to secure the server and how to track down intruders?
I am using Mepis 3.4.3. In Red Hat, I have a way to know who logged in on the server by issuing the command "last". Why is it not working on Mepis? It seems that /var/log/wtmp is not present. Another thing, does anyone here know how to make a honeypot? I want to know what intruders are looking for on my server and how they attack me. Is there a log in Linux which saves all commands issued by the remote user who logged in?
#2 | 06-28-2006, 05:46 AM | Moderator | Registered: May 2001 | Posts: 29,415
Another thing, does anyone here know how to make a honeypot? I want to know what intruders are looking for on my server and how they attack me.
With all due respect, with the results in your other thread I would think you already have enough on your hands. While not that hard, installing a honeypot without a properly hardened host to serve it is a waste of everyone's time and effort. Please consider finishing basic host hardening for the boxen under your control before you open up another can of challenges.
Is there a log in Linux which saves all commands issued by the remote user who logged in?
There are a few (but whether they're useful is another question) like the user's local shell history (easy to change or delete), psacct (only general info) and syslog logfiles for security violations (editable if you've got root privileges).
I'm sure I'm forgetting some, but you get the idea. To get a detailed account of what a user is doing you need to preload or wrap his/her shell with something that provides logging capabilities (for instance with rootsh), make syslog more resistant (start from init) and tamperproof (remote syslogd).
#3 | 06-28-2006, 11:11 PM | Member | Registered: Sep 2005 | Posts: 861 | Original Poster
unSpawn,
Thanks again for replying. I tried to portscan my firewall from my home using the following command:
nmap -sV -r -P0 -O -A MyFirewallStaticIPAddress
I was so glad that it didn't show any ports opened. My problem is that I looked at the logfiles of IPCop's Snort and I found out that my firewall's local IP address is trying to access the outside network with the following remarks:
(http_inspect) OVERSIZE CHUNK ENCODING
I tried to google around but can't find any interesting info. I want to be assured that no workstations within our network are trying to hack the outside network. Of course, I don't want other companies to see my IP address trying to hack their system. But can I really avoid it?
Another problem I am experiencing right now is that our mail server is not positioned behind the firewall. It has 2 ethernet cards installed. The eth0 is connected thru the internet with a static IP and the eth1 is connected thru the local network for LAN users to quickly send and receive mails without having to be connected to the internet. Not all users in our network have an internet connection but they need to connect to the mail server to send and receive mails. I want to position this server behind my IPCop firewall to become a DMZ. I understand that in IPCop, the DMZ should be a completely different network from the LAN. Now, how can I allow LAN users (without internet connection) to access the mail server when they are on a different subnet?
To illustrate:
Firewall Local IP Address 192.168.0.220
LAN Users 192.168.0.0/24 (Green Interface)
Wireless Users 192.168.2.0/24 (Blue Interface)
DMZ 192.168.3.0/24 (Orange Interface)
If I position the mail server on the DMZ behind the firewall, how will the LAN users connect thru it if they are on a different subnet? Second, do you think I should just remove the eth1 from the mail server? In such a way that the mail server will only be connected to the IPCop and not thru the local network?
The reason why I would like to position my mail server behind the firewall is that according to the mail server logfiles, users outside the network are trying to access the server and tried guessing the root password. I received 20000 lines in my /var/log/messages stating that a certain user is logging in and guessing my pass. Is this normal? One of my friends suggested making a honeypot to track down this user. That's the reason why I asked how to. Thanks.
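Twenty thousand log lines of password guessing are much easier to reason about once they are reduced to a per-source count. The script below is an added example, not code from this thread: it reads sshd-style "Failed password" lines (the format sshd writes to /var/log/messages or /var/log/auth.log), counts failures per source address and flags the addresses above a threshold. The log lines are constructed samples using documentation address ranges, and the threshold value is an assumption; pipe the real log file into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread: summarise failed login attempts per
# source address so that a flood of "guessing my pass" lines becomes a short
# table of who is doing the guessing and how hard.

# Constructed sample log lines in the format sshd writes to /var/log/messages.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG='Jun 28 03:14:01 mail sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 28 03:14:03 mail sshd[2233]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 28 03:14:05 mail sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Jun 28 03:14:06 mail sshd[2237]: Failed password for root from 203.0.113.7 port 51151 ssh2
Jun 28 03:15:10 mail sshd[2240]: Accepted publickey for alice from 192.168.0.15 port 40212 ssh2
Jun 28 03:16:44 mail sshd[2250]: Failed password for bob from 198.51.100.23 port 33001 ssh2
Jun 28 03:20:02 mail sshd[2260]: Accepted password for bob from 198.51.100.23 port 33009 ssh2'

ATTEMPT_THRESHOLD=3   # assumed value: more failures than this from one address is flagged

# failed_by_source: read log lines on stdin, print "<count> <ip>" per source
# address, highest count first. Only "Failed password" lines from sshd count;
# successful logins and other daemons are ignored.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# flagged_sources: print only the addresses whose failure count exceeds the threshold.
flagged_sources() {
    failed_by_source | awk -v t="$ATTEMPT_THRESHOLD" '$1 > t { print $2 }'
}

# count_failures_from: number of failed attempts recorded for one address (0 if none).
count_failures_from() {
    failed_by_source | awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run over the constructed sample. On a real box:
#   failed_by_source < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | flagged_sources
```

The per-source table is what you want to keep alongside the raw log: it tells you whether the 20000 lines are one persistent guesser or many, and which addresses are worth blocking at the firewall while the log itself stays untouched as evidence.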
#4 | 06-29-2006, 06:54 AM | Moderator | Registered: May 2001 | Posts: 29,415
Thanks again for replying.
Aw come on, stop thanking me: it's what we're here for. But since you do work for a company, and if you find LQ helps save your and your company's hide, a donation to LQ would be accepted with pleasure.
(http_inspect) OVERSIZE CHUNK ENCODING / I tried to google around but can't find any interesting info.
Take the Snort rule ID (sid), enter it at snort.org in the lookup tools and take it from there. AFAIK it had to do with webserver versions being vulnerable years ago.
I want to be assured that no workstations within our network are trying to hack the outside network.
Then you will need a (minimal) company policy (like an AUP, so employees know what's acceptable and can be "taken care of" for deliberately violating the policy) and you'll have to proxy, scrub and block outbound traffic. Ain't that hard, but you should definitely tweak the ruleset. Snort is good but it isn't infallible, meaning false positives can and will occur.
Of course, I don't want other companies to see my IP Address trying to hack their system.
That's of no use spending time on. Really, forget it. In reality, of all the people that "hide" their IP, only say one in a million has legitimate reasons to do so. I refer to stuff like ethics and life-threatening oppression, not IRC, not pen-testing and not browsing teh intarweb. The way general TCP/IP connections work there's no chance to "really" [0] hide an IP address; if there were, TCP/IP simply wouldn't work.
I want to position this server behind my IPCop Firewall to become a DMZ.
Definitely a good idea.
Now, how can I allow LAN users (without internet connection) to access the mail server when they are on a different subnet?
Doesn't IPCOP have a nice GUI to make rules in so traffic from green to orange mailserver is allowed?
do you think I should just remove the eth1 from the mail server?
Yes. Gives you much more control. Say if one client gets infected by a worm you can immediately add a blocking firewall rule while you disinfect, incinerate or obliterate said client.
Is this normal?
I *really* don't know what's considered the norm these days anymore ;-p
One of my friends suggested to make a honeypot to track down this user.
OK. Here's what you could do. Step back and focus on your network as a whole. Jot down all known problems. Scan all available boxen and services and add any problems there. Now make a list of all things that could enhance host and network security or stability, redundancy etc etc. Finally make a list of what's left: the things that would be fun to play with.[1] Now try to categorise everything (and don't forget backup scenarios too) with these criteria: security risk level (or affected groups or servers or resulting in more or less critical loss), estimated time-to-fix (in hours or days), ease of fix (or dependencies or amount of preparation or testing needed).
Anything in the risk level column dictates* the priority of what must be fixed real soon now [2]. The time-to-fix column shows how long your risk will remain a risk and the other column what it takes to fix it. Play with it: try to plan fixing the three highest risks in parallel and see if the time to fix would shorten if you add more resources or could outsource some, etc, etc. Now stick to that plan.
0. Each node along the two-way communication route has knowledge of its peers: as in usable for logging, sniffing and tracing.
1. Yes, this is a take on the old "must have, should have, could have" thing. If it works, it works.
2. Meaning everything that is not crucial sinks to the bottom of the list. I mean, what are you gonna do when the honeypot is broken into? Send a report like anyone over there would really care?..
Last edited by unSpawn; 06-29-2006 at 07:16 AM.
Reason: //have keybd, can't type
#5 | 06-30-2006, 10:22 AM | Member | Registered: Sep 2005 | Posts: 861 | Original Poster
Unspawn,
I've been giving donations thru a friend of mine who is more active in our community. It's not that huge an amount of money but I am hoping it can help the community teach people like me to learn. Regarding the SID in Snort, the (http_inspect) OVERSIZE CHUNK ENCODING in my IPCop log file doesn't have its SID. I've been using Squid for some time. Before I installed IPCop, I had Squid installed (not transparent), which meant I needed to configure every workstation's browser to point the proxy to the Squid box on port 3128. I guess it's good because only web browsing is enabled. However, some executives want to use some services such as Limewire, Skype and POP3 (for other email accounts that are provided by our ISP). I find it really hard to enable these services. I have not actually mastered iptables, which makes it even harder to configure. But I'm doing my best to learn.
I would really like to learn how to secure the network. Tried IPCop and it works great with ease. I now have DHCP, Squid (transparent), VPN, Snort. I've installed Advproxy, urlfilter and Zerina's OpenVPN. Works great but one thing I noticed about IPCop is that after installing these packages, sometimes it became buggy in such a way that some services won't run as expected. Tried turning off the transparent mode but still the connection is transparent. How about you? What firewall/proxy are you using? I guess you've made a secured network with your talents.
I know you don't want me to say this again. But thank you for giving such perfect advice. If only I were as talented as you in designing, analyzing and configuring systems. Okay, I'm donating again..
#6 | 07-01-2006, 04:32 PM | Moderator | Registered: May 2001 | Posts: 29,415
Regarding the SID in Snort, the (http_inspect) OVERSIZE CHUNK ENCODING in my IPCop log file doesn't have its SID.
Uh. My mistake. Read over the "http_inspect" part (which marks it as a preprocessor in snort.conf). It's basically meant for "var HOME_NET" webservers to detect anomalies. You probably want to look at which rulesets you use for the different interfaces you handle. For instance if there are no servers in the user LAN, and when you're only serving SMTP and IMAPS in the DMZ, then scrubbing traffic for certain services could be disabled (provided you regularly scan the boxen for illegal ones) making performance a little bit "better".
some executives want to use some services such as Limewire, Skype and POP3 (for other email accounts that are provided by our ISP).
POP.* should be no problem. If I were to deal with the rest I would require a management decision before activating support for opaque protocols like Skype or P2P or IM clients. IM clients can be valuable in companies when email is just too slow, but I would think there aren't that many businesses (yet) that use Skype professionally, and for P2P I think no one sane can make a case. Management should be informed of the risks (ranging from infection damage to loss of efficiency to, say, sharing company documents), increased IT support, etc, etc, decide on the necessity and sign off on it. That way, if the sh*t hits the fan they have only themselves to blame. (Then there's the priority list mentioned before...).
I find it really hard to enable these services. I have not actually mastered iptables, which makes it even harder to configure. But I'm doing my best to learn.
Start by reading the IPTables Tutorial. See what the current rulesets look like, and use a testbox to test and tweak rulesets on. Then ask questions here or in the Linux Networking forum.
BTW: Okay, I'm donating again..
You already donated and LQ is grateful for that, I'm sure. The size of the donation does not really matter but the (sincerity of the) intent does. I'm not asking for donations: it's just something I mention sometimes and rather randomly. What's more, it should be clear there's no direct relationship between donations and the amount or quality of help one gets from LQ. So if it isn't your idea don't feel pressured to donate more.
Last edited by unSpawn; 07-02-2006 at 06:59 PM.
Reason: //have keybd, can't type.
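Post #4 says the answer to "how do LAN users reach the mail server in the DMZ" is a rule allowing traffic from green to the orange mail server, and post #6 says to try rulesets on a testbox before trusting them. The script below is an added example, not from the thread and not IPCop's own generated rules (IPCop builds its FORWARD chain itself; this is what the equivalent looks like on a plain Linux testbox running iptables). It uses the green and orange subnets from post #3; the mail server address, the interface names and the list of mail ports are assumptions, and the default is a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread and not IPCop's rule set: iptables rules
# for a Linux testbox that let LAN (green) clients reach a mail server in the
# DMZ (orange), while nothing in the DMZ may start a connection into the LAN.

GREEN_NET=192.168.0.0/24      # LAN users (green), from the thread
ORANGE_NET=192.168.3.0/24     # DMZ (orange), from the thread
MAIL_SERVER=192.168.3.10      # assumed: the mail server's address inside the DMZ
GREEN_IF=eth0                 # assumed: firewall interface facing green
ORANGE_IF=eth2                # assumed: firewall interface facing orange
MAIL_PORTS="25 110 143 993"   # assumed: SMTP, POP3, IMAP, IMAPS

# mail_dmz_rules: print the iptables commands, one per line, so they can be
# read and reviewed before anything touches a live firewall.
mail_dmz_rules() {
    # Packets belonging to connections already accepted, in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Green clients may open mail connections to the mail server only,
    # not to anything else in the DMZ.
    for p in $MAIL_PORTS; do
        echo "iptables -A FORWARD -i $GREEN_IF -o $ORANGE_IF -s $GREEN_NET -d $MAIL_SERVER -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # A DMZ host must never initiate towards the LAN: log it, then drop it, so a
    # compromised mail server shows up in syslog instead of reaching workstations.
    echo "iptables -A FORWARD -i $ORANGE_IF -o $GREEN_IF -s $ORANGE_NET -d $GREEN_NET -m state --state NEW -j LOG --log-prefix 'DMZ-to-LAN: '"
    echo "iptables -A FORWARD -i $ORANGE_IF -o $GREEN_IF -s $ORANGE_NET -d $GREEN_NET -j DROP"
}

# rule_count: how many rules the set contains (useful as a sanity check on a testbox).
rule_count() {
    mail_dmz_rules | wc -l | tr -d ' '
}

# accept_rules_for_port: number of ACCEPT rules that name the given TCP port;
# 0 for anything not in MAIL_PORTS, which is the whole point of the rule set.
accept_rules_for_port() {
    mail_dmz_rules | grep -c -- "--dport $1 .*-j ACCEPT" || true
}

# apply_rules: DRY_RUN=1 (the default) only prints; DRY_RUN=0 runs each rule,
# which needs root on the firewall and an empty or known FORWARD chain.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        mail_dmz_rules
    else
        mail_dmz_rules | while IFS= read -r cmd; do eval "$cmd"; done
    fi
}

apply_rules
```

Run it as-is to see the rules, and with DRY_RUN=0 on a testbox whose FORWARD policy is already DROP; the ESTABLISHED,RELATED rule comes first so that reply packets are matched before the cheaper per-port rules are consulted, and the LOG line before the DROP is what gives you something to look for in syslog if a DMZ host ever starts knocking on the LAN.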