Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 08-31-2006, 02:14 PM
Member | Registered: Nov 2003 | Location: USA | Distribution: Ubuntu, CentOS, RedHat | Posts: 416
How to test the security of your linux box?
We have a LAMP server here at work; we are only using it for a website. I was wondering if I needed to be concerned about security, so I ran nmap from my Windows machine upstairs and this is what I got:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>nmap -T Aggressive -P0 -sT -p 1-65535 10.0.3.7
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-08-31 10:05 Eastern Daylight Time
Interesting ports on intranet (10.0.3.7):
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
Nmap finished: 1 IP address (1 host up) scanned in 2994.869 seconds
Is this a good procedure, or should I not bother?

#2, 08-31-2006, 02:39 PM
Member | Registered: Jun 2006 | Distribution: messed up debian | Posts: 250
You are ok as long as you know the open ports and the security settings used for those services. So if you have ftp correctly set up, you want ssh on port 22 and it is correctly configured, you use smtp sendmail (this is probably the weakest point of your net) with AV software and antispam, and your web server is completely secured, you have nothing to worry about. The problem with ports is when you have an open port and you don't know why or what services are running there. Of course there is no guarantee against new security problems, but do your best keeping your server updated.

#3, 08-31-2006, 03:11 PM
Member (Original Poster) | Registered: Nov 2003 | Location: USA | Distribution: Ubuntu, CentOS, RedHat | Posts: 416
Right now I'm just hosting a website for our intranet and using ssh. Do I need FTP and SMTP for this? Or should I close these ports, if so how do you do that??
Thanks

#4, 08-31-2006, 03:23 PM
Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
Something else you can do to test your security is get a vulnerability scanner. There are free ones such as Nessus. It will tell you if there are certain unpatched vulnerabilities and things of that nature. There are also pay-for ones available from places like eeye.com.
You can also search the net for securing certain things such as apache or sendmail or whatever else you are running. A bad configuration or misconfiguration will most certainly let intruders in.
Also look into setting up a firewall if you have not already. Is this going to be on the internet or just the local intranet? If it is going to be public then you definitely need to worry about security. Consider where you work. Does the company have secrets that don't need to be known, or have information that shouldn't escape because of federal regulations? Does it keep financial records of clients? If your box is insecure and it gets penetrated by a hacker smart enough to get what he wants, consider your secrets gone. When that happens you might as well invite the hacker in your doors with a laptop and network cable. Don't be the weak link in security. Worry about it.

#5, 08-31-2006, 03:27 PM
Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
You need to search how to turn off the services. I assume you are using Ubuntu, so I can't help you on that since I've never really used that. There may be something in your menu that will help you stop and keep those 2 services off.
Even though you say it is for intranet purposes, it would still be prudent to do a vulnerability scan on it.

#6, 08-31-2006, 03:30 PM
LQ Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,700
To see what is open, go to a site that offers port scanning like this one:
http://www.hackerwatch.org/probe/
It will scan your open internet address, and you can have it scan certain or all ports to see what the outside world can see.
Brian1

#7, 08-31-2006, 04:20 PM
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by cucolin@):
Right now I'm just hosting a website for our intranet and using ssh. Do I need FTP and SMTP for this? Or should I close these ports, if so how do you do that??
if you just have an HTTP server and an SSH daemon, then all you need is ports 80 and 22 open... those other ports should definitely be filtered (and the unnecessary services disabled)... the tool to do this is iptables... how many interfaces does this box have?? it has a private (non-Internet) IP right?? just trying to get a better picture...
please post the output of these commands (as root):
Code:
netstat -an | grep "LISTEN "
Last edited by win32sux; 08-31-2006 at 04:37 PM.

#8, 08-31-2006, 04:35 PM
Member | Registered: Nov 2004 | Distribution: Slackware 11, Ubuntu 6.06 LTS | Posts: 700
Employees have just as great a potential of hacking the server as anyone on the internet, so you should be just as aware of the security of your box even if it is only available on the intranet.
What kind of content are you hosting on the webserver? Is it static (.htm, .html) or dynamic (.php, .asp, etc, possibly accessing a database)? If it's the latter, you will need to worry about things like SQL injection, XSS attacks, etc. You will need to make sure that your scripts are secure (eg. use a whitelist of input characters such as a-zA-Z0-9), and also use Apache's mod_security if you wish.
If it's dynamic content, you may also be interested in running a Nikto scan on the box. Check out my tutorial on this if you need some help: http://tazforum.thetazzone.com/viewtopic.php?t=3124
You should also run a Nessus scan against your box, as that will reveal most potential vulnerabilities in both the OS and its services.
Do you want to run ftp, smtp and pop3 servers on that box? If you do not, you will need to disable them, as they increase the chances of your box being compromised (as there are more routes of entry). IIRC you can do this via: System -> Administration -> Services.
HTH. If you have any more questions, just ask
Cheers,
-jk

#9, 09-01-2006, 01:04 PM
Member (Original Poster) | Registered: Nov 2003 | Location: USA | Distribution: Ubuntu, CentOS, RedHat | Posts: 416
root@intranet:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@intranet:~# netstat -an | grep "LISTEN"
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock
Thanks Win32Sux
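A check worth running against the two listings in this thread, added here as an example and not part of anyone's post: it pulls the open TCP ports out of the nmap output from post #1 and the non-loopback listeners out of the netstat output above, then reports scan-open ports the host itself does not report as listening (the scan hit 21, 25 and 110, but netstat shows none of them, which is worth explaining: a different host answered, or something in the path did) and listeners that are outside the expected set. The two sample inputs are copied from the thread; the EXPECTED list of 22 and 80 is an assumption based on win32sux's "all you need is ports 80 and 22".

```shell
#!/bin/sh
# Compare what an nmap scan saw with what the host reports as listening,
# and flag anything outside the expected-port list. Sample inputs below
# are constructed from the output pasted in this thread.

NMAP_OUT='PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3'

NETSTAT_OUT='tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock'

# Ports this box is supposed to expose (assumption: ssh and http only).
EXPECTED="22 80"

# TCP ports nmap reported as open, one per line, numerically sorted.
scanned_ports() {
    printf '%s\n' "$NMAP_OUT" |
    awk '$2 == "open" && $1 ~ /\/tcp$/ { sub(/\/tcp$/, "", $1); print $1 }' |
    sort -n
}

# TCP listeners bound to anything other than a loopback address.
# The local-only MySQL socket on 127.0.0.1:3306 is deliberately ignored.
exposed_listeners() {
    printf '%s\n' "$NETSTAT_OUT" |
    awk '($1 == "tcp" || $1 == "tcp6") && $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "::1") print port
         }' |
    sort -n
}

# Ports the scanner saw open that this host does not have listening.
not_listening() {
    { exposed_listeners | sed 's/^/L /'; scanned_ports | sed 's/^/S /'; } |
    awk '$1 == "L" { seen[$2] = 1 }
         $1 == "S" && !($2 in seen) { print $2 }'
}

# Exposed listeners that are not on the EXPECTED list.
unexpected_listeners() {
    exposed_listeners |
    awk -v want="$EXPECTED" 'BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
                             !($1 in ok) { print $1 }'
}

report() {
    echo "exposed listeners on this host: $(exposed_listeners | tr '\n' ' ')"
    for p in $(not_listening); do
        echo "WARNING: $p/tcp open in the scan but not listening here (another host, or something in the path, answered)"
    done
    for p in $(unexpected_listeners); do
        echo "WARNING: $p/tcp is listening on a non-loopback address but is not in EXPECTED"
    done
}

report
```

On the real box, replace the two sample strings with the live output of the nmap run from post #1 and of `netstat -an | grep "LISTEN "`; the functions do not care which host the strings came from, which is exactly the point: the scanner's view and the host's own view should agree, and every difference needs a reason.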

#10, 09-01-2006, 01:29 PM
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by cucolin@):
root@intranet:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
okay, this is pretty much what i had imagined... your firewall is currently disabled... i'll hook you up with a script to fix that later today, i'm heading out the door right now to take care of some stuff for my mom...
Quote:
root@intranet:~# netstat -an | grep "LISTEN"
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock
you left-out the space before the last quotation mark!!!
without the space, the output is totally different... it's my bad, i should have pointed-out that the space was completely intentional...
EDIT: actually, i was in a hurry at the moment and didn't realize that without the space the only difference would be that lines that read "LISTENING" would also be displayed... =/
Last edited by win32sux; 09-01-2006 at 06:34 PM.
Reason: cuz what i said didn't make much sense

#11, 09-01-2006, 01:41 PM
Member (Original Poster) | Registered: Nov 2003 | Location: USA | Distribution: Ubuntu, CentOS, RedHat | Posts: 416
How do I close these ports: port 21, 25 and 110 if I don't need them? Can I open them again if I do?
Thanks for your help..

#12, 09-01-2006, 01:46 PM
Member (Original Poster) | Registered: Nov 2003 | Location: USA | Distribution: Ubuntu, CentOS, RedHat | Posts: 416
I see, but the only diff. is that the last line is omitted.
Thanks and I will wait for your code. I will be here until 5PM, (New York time).

#13, 09-01-2006, 01:58 PM
Member | Registered: Nov 2004 | Distribution: Slackware 11, Ubuntu 6.06 LTS | Posts: 700
cucolin@ - See my post about disabling those services. However, while you figure that out, you can block (drop) all packets to/from those ports with the following commands (replace eth0 with the interface connected to the internet):
Code:
# --dport/--sport are only valid with a protocol that has ports (-p tcp, not -p ALL),
# and the OUTPUT chain matches the outgoing interface with -o, not -i
$ sudo iptables -A INPUT  -p tcp -i eth0 --dport 21  -j DROP
$ sudo iptables -A INPUT  -p tcp -i eth0 --dport 25  -j DROP
$ sudo iptables -A INPUT  -p tcp -i eth0 --dport 110 -j DROP
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 21  -j DROP
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 25  -j DROP
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 110 -j DROP
That will drop all packets going to and coming from those ports. I still recommend you disable the services altogether though, as they're pretty useless without a network- or internet-facing connection
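Blocking three named ports still leaves the INPUT policy at ACCEPT, so anything that starts listening later is reachable by default. The script below is the other way round (default deny, then allow exactly the services the box runs), with the logging and connection limiting that post #15 says most pasted scripts lack. It is an added example for this thread, not win32sux's promised script and not from any of the posters; it assumes the scanned interface is eth0 and that 22/tcp and 80/tcp are the only services meant to be reachable (MySQL stays on 127.0.0.1 and needs no rule).

```shell
#!/bin/sh
# Default-deny host firewall for a box that should expose only SSH and HTTP.
# Assumptions (change to taste): WAN_IF is the interface other machines reach
# the box on; ALLOW_TCP lists the ports that should accept new connections.
# Set IPT='echo iptables' to preview the commands instead of applying them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
ALLOW_TCP="${ALLOW_TCP:-22 80}"

apply_firewall() {
    # Clean slate, then deny inbound and forwarded traffic by default.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is always allowed; this is what keeps 127.0.0.1:3306 usable.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (apt-get, an ftp client, ...),
    # so outbound use does not need any inbound server.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Slow down password guessing on SSH: the fifth new connection from one
    # source within 60 seconds is dropped until that source backs off.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --set
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP

    # The services this box actually runs.
    for port in $ALLOW_TCP; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Answer ping, but not at flood rates.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Log (rate-limited) what the DROP policy is about to discard, so the
    # filtered ports show up in syslog instead of vanishing silently.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

# "sudo sh firewall.sh apply" installs the rules; with no argument the file
# only defines apply_firewall, so it is safe to source or to preview.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

After applying, `iptables -L -n -v` should show `policy DROP` on INPUT instead of the `policy ACCEPT` from post #9, and a rescan from the Windows box should report 21, 25 and 110 as filtered rather than open. The rules are not persistent across a reboot on their own; run the script from the distribution's startup mechanism or use a front end such as the Firestarter that post #15 recommends.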

#14, 09-01-2006, 02:15 PM
Member (Original Poster) | Registered: Nov 2003 | Location: USA | Distribution: Ubuntu, CentOS, RedHat | Posts: 416
But do I need these services, such as FTP, to download updates/upgrades?? Is there a way to set them like in Windows, where you set the services to automatic, manual or disabled? Can I set them to manual, so they will start whenever I need them?
Thanks J-K9..

#15, 09-01-2006, 02:17 PM
Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
I don't use Ubuntu, but I believe you can go to System > Administration > Services in your menu, and you can disable and stop the MTA (port 25), FTP and POP3 servers.
As far as a firewall, instead of getting a script, I suggest that you download a program that will start a firewall for you. A good one for Gnome is Firestarter. Here are some instructions on how to install and use it: http://www.fs-security.com/docs/installation.php (fs-security.com is the maker of Firestarter).
I say to use that instead of a script because many scripts that float around here do not deal with logging or limiting connections. Plus it's easier to change later if you are indeed using a GUI to administer your server.
And as for your question on FTP, what is running on your computer is a server. You are talking about using a client, which will run even if your own server is not running. Go ahead and just disable it.