LinuxQuestions.org
Old 08-31-2006, 02:14 PM   #1
cucolin@
Member
 
Registered: Nov 2003
Location: USA
Distribution: Ubuntu, CentOS, RedHat
Posts: 416

Rep: Reputation: 31
How to test the security of your linux box?


We have a LAMP server here at work, we are only using it for a website. I was wondering if I needed to be concerned about security and I ran nmap from my Windows machine upstairs and this is what I got:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nmap -T Aggressive -P0 -sT -p 1-65535 10.0.3.7

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-08-31 10:05 Eastern
Daylight Time
Interesting ports on intranet (10.0.3.7):
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3

Nmap finished: 1 IP address (1 host up) scanned in 2994.869 seconds

Is this a good procedure, or should I not bother?
 
Old 08-31-2006, 02:39 PM   #2
isuck@linux
Member
 
Registered: Jun 2006
Distribution: messed up debian
Posts: 250

Rep: Reputation: 30
You are ok as long as you know the open ports and the security settings used for those services. So if you have ftp correctly set up, you want ssh on port 22 and it is correctly configured, you use smtp sendmail (this is probably the weakest point of your net) with AV software and antispam, and your web server is completely secured, you have nothing to worry about. The problem with ports is when you have an open port and you don't know why or what services are running there. Of course there is no guarantee against new security problems, but do your best keeping your server updated.
 
Old 08-31-2006, 03:11 PM   #3
cucolin@
Member
 
Registered: Nov 2003
Location: USA
Distribution: Ubuntu, CentOS, RedHat
Posts: 416

Original Poster
Rep: Reputation: 31
Right now I'm just hosting a website for our intranet and using ssh. Do I need FTP and SMTP for this? Or should I close these ports, if so how do you do that??

Thanks
 
Old 08-31-2006, 03:23 PM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Something else you can do to test your security is get a vulnerability scanner. There are free ones such as Nessus. It will tell you if there are certain unpatched vulnerabilities and things of that nature. There are also pay-for ones available from places like eeye.com.

You can also search the net for securing certain things such as apache or sendmail or whatever else you are running. A bad configuration or misconfiguration will most certainly let intruders in.

Also look into setting up a firewall if you have not already. Is this going to be on the internet or just the local intranet? If it is going to be public then you definitely need to worry about security. Consider where you work. Does the company have secrets that don't need to be known or have information that shouldn't escape because of federal regulations? Does it keep financial records of clients? If your box is insecure and it gets penetrated by a hacker smart enough to get what he wants, consider your secrets gone. When that happens you might as well invite the hacker in your doors with a laptop and network cable. Don't be the weak link in security. Worry about it.
 
Old 08-31-2006, 03:27 PM   #5
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
You need to search how to turn off the services. I assume you are using Ubuntu so I can't help you on that since I've never really used that. There may be something in your menu that will help you stop and keep those 2 services off.

Even though you say it is for intranet purposes, it would still be prudent to do a vulnerability scan on it.
 
Old 08-31-2006, 03:30 PM   #6
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
To see what is open go to a site that offers port scanning like this one.
http://www.hackerwatch.org/probe/

It will scan your open internet address and you can have it scan for certain or all ports to see what the outside world can see.

Brian1
 
Old 08-31-2006, 04:20 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by cucolin@
Right now I'm just hosting a website for our intranet and using ssh. Do I need FTP and SMTP for this? Or should I close these ports, if so how do you do that??
if you just have an HTTP server and an SSH daemon, then all you need is ports 80 and 22 open... those other ports should definitely be filtered (and the unnecessary services disabled)... the tool to do this is iptables... how many interfaces does this box have?? it has a private (non-Internet) IP right?? just trying to get a better picture...

please post the output of these commands (as root):
Code:
iptables -L -n -v
Code:
netstat -an | grep "LISTEN "

Last edited by win32sux; 08-31-2006 at 04:37 PM.
 
Old 08-31-2006, 04:35 PM   #8
J_K9
Member
 
Registered: Nov 2004
Distribution: Slackware 11, Ubuntu 6.06 LTS
Posts: 700

Rep: Reputation: 30
Employees have just as great a potential of hacking the server as anyone on the internet, so you should be just as aware of the security of your box even if it is only available on the intranet.

What kind of content are you hosting on the webserver? Is it static (.htm, .html) or dynamic (.php, .asp, etc, possibly accessing a database)? If it's the latter, you will need to worry about things like SQL injection, XSS attacks, etc. You will need to make sure that your scripts are secure (eg. use a whitelist of input characters such as a-zA-Z0-9), and also use Apache's mod_security if you wish.

If it's dynamic content, you may also be interested in running a Nikto scan on the box. Check out my tutorial on this if you need some help: http://tazforum.thetazzone.com/viewtopic.php?t=3124

You should also run a Nessus scan against your box, as that will reveal most potential vulnerabilities in both the OS and its services.

Do you want to run ftp, smtp and pop3 servers on that box? If you do not, you will need to disable them, as they increase the chances of your box being compromised (as there are more routes of entry). IIRC you can do this via: System -> Administration -> Services.

HTH. If you have any more questions, just ask

Cheers,

-jk
 
Old 09-01-2006, 01:04 PM   #9
cucolin@
Member
 
Registered: Nov 2003
Location: USA
Distribution: Ubuntu, CentOS, RedHat
Posts: 416

Original Poster
Rep: Reputation: 31
root@intranet:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

root@intranet:~# netstat -an | grep "LISTEN"
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock

Thanks Win32Sux
 
Old 09-01-2006, 01:29 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by cucolin@
root@intranet:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
okay, this is pretty much what i had imagined... your firewall is currently disabled... i'll hook you up with a script to fix that later today, i'm heading out the door right now to take care of some stuff for my mom...

Quote:
root@intranet:~# netstat -an | grep "LISTEN"
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 8484 /var/run/mysqld/mysqld.sock
you left-out the space before the last quotation mark!!!

without the space, the output is totally different... it's my bad, i should have pointed-out that the space was completely intentional...

EDIT: actually, i was in a hurry at the moment and didn't realize that without the space the only difference would be that lines that read "LISTENING" would also be displayed... =/

Last edited by win32sux; 09-01-2006 at 06:34 PM. Reason: cuz what i said didn't make much sense
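The listening-socket check win32sux asked for (netstat -an | grep "LISTEN ") boils down to one question for the admin: is every socket reachable from the LAN one you expect? The script below is an added example, not code posted by anyone in this thread. It reads netstat -an output on stdin and reports TCP listeners bound to a non-loopback address whose port is not in an allowlist. The sample input is constructed from the output cucolin@ posted, plus one hypothetical 0.0.0.0:21 line so the check has something to flag; the allowlist "22 80" is the two ports win32sux says this box actually needs.

```sh
#!/bin/sh
# Added example: report TCP sockets that listen on a non-loopback address and are
# not on an allowlist of expected ports. Input is "netstat -an" output on stdin.

# Constructed sample: the lines cucolin@ posted, plus a hypothetical FTP daemon on
# 0.0.0.0:21 so that the check has something to flag.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     8484   /var/run/mysqld/mysqld.sock'

# exposed_listeners "PORT PORT ..."   (netstat -an output on stdin)
# Prints "PORT ADDRESS" for every TCP listener reachable from the network whose
# port is not in the allowlist; prints nothing when the box looks as expected.
exposed_listeners() {
    awk -v allowed=" $1 " '
        # Only tcp/tcp6 rows in LISTEN state; the unix-socket "LISTENING" rows that
        # a bare grep LISTEN also matches are skipped by the $1 test.
        ($1 == "tcp" || $1 == "tcp6") && $NF == "LISTEN" {
            n    = split($4, parts, ":")          # local address:port; IPv6 uses ::
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only services (MySQL here) are not reachable from the LAN.
            if (addr == "127.0.0.1" || addr == "::1") next
            # Allowlisted ports are the ones you know about and want open.
            if (index(allowed, " " port " ") > 0) next
            print port " " addr
        }'
}

# Stand-alone run: audit the sample with the two ports this box is meant to serve.
# On a live box use real data instead:  netstat -an | exposed_listeners "22 80"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "22 80"
```

Run against the sample it prints "21 0.0.0.0" and nothing else: MySQL on 127.0.0.1:3306 is ignored because only local processes can reach it, 22 and 80 are expected, and the FTP listener is the one to investigate. The same idea works for comparing against the nmap output in the first post: anything nmap shows as open that is not on the allowlist is either a service to disable or a port to filter.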
 
Old 09-01-2006, 01:41 PM   #11
cucolin@
Member
 
Registered: Nov 2003
Location: USA
Distribution: Ubuntu, CentOS, RedHat
Posts: 416

Original Poster
Rep: Reputation: 31
How do I close these ports: port 21, 25 and 110 if I don't need them? Can I open them again if I do?

Thanks for your help..
 
Old 09-01-2006, 01:46 PM   #12
cucolin@
Member
 
Registered: Nov 2003
Location: USA
Distribution: Ubuntu, CentOS, RedHat
Posts: 416

Original Poster
Rep: Reputation: 31
I see, but the only diff. is that the last line is omitted.

Thanks and I will wait for your code. I will be here until 5PM, (New York time).
 
Old 09-01-2006, 01:58 PM   #13
J_K9
Member
 
Registered: Nov 2004
Distribution: Slackware 11, Ubuntu 6.06 LTS
Posts: 700

Rep: Reputation: 30
cucolin@ - See my post about disabling those services. However, while you figure that out, you can block (drop) all packets to/from those ports with the following commands (replace eth0 with the interface connected to the internet):
Code:
# FTP, SMTP and POP3 are TCP services, so match with -p tcp: --dport/--sport need
# a protocol that has ports, and iptables rejects them after "-p ALL".
$ sudo iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
$ sudo iptables -A INPUT -p tcp -i eth0 --dport 25 -j DROP
$ sudo iptables -A INPUT -p tcp -i eth0 --dport 110 -j DROP
# OUTPUT rules match the outgoing interface, so the option is -o, not -i.
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 21 -j DROP
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 25 -j DROP
$ sudo iptables -A OUTPUT -p tcp -o eth0 --sport 110 -j DROP
That will drop all packets going to and coming from those ports. I still recommend you disable the services altogether though, as they're pretty useless without a network- or internet-facing connection.
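The rules above only drop the three ports that showed up in this particular scan; win32sux's approach of filtering everything except 22 and 80 is the more robust default, and the script he mentions does not appear later in the thread. The script below is an added example, not posted by anyone here: it emits a default-deny INPUT ruleset that accepts loopback traffic, replies to connections the box opened itself, and new TCP connections only to an allowlist of ports, logging what it drops so unexpected probes show up in syslog. The interface name eth0 and the port list "22 80" are assumptions for this box. It prints the iptables commands instead of executing them so the ruleset can be reviewed before it touches a live machine.

```sh
#!/bin/sh
# Added example: emit (not execute) a default-deny INPUT ruleset that leaves only
# the listed TCP ports reachable. Interface and ports are passed in; "eth0" and
# "22 80" below are assumptions for the box in this thread.
#
# firewall_rules IFACE "PORT PORT ..."
firewall_rules() {
    iface=$1
    ports=$2
    # Start from a clean INPUT chain. The policy is switched to DROP only at the
    # end, after the accept rules exist, so an open SSH session is not cut off.
    echo "iptables -F INPUT"
    # Loopback traffic (e.g. Apache talking to MySQL on 127.0.0.1:3306) stays allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this box opened itself (package updates, DNS, ...).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New inbound connections only to the allowlisted services.
    for p in $ports; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log what is about to be dropped (rate-limited so a scan cannot flood syslog).
    echo "iptables -A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    # Everything else is dropped; the box does not route, so FORWARD is closed too.
    echo "iptables -P FORWARD DROP"
    echo "iptables -P INPUT DROP"
}

# Stand-alone run: print the ruleset for the single private interface assumed here.
# To apply it for real:  firewall_rules eth0 "22 80" | sudo sh -e
firewall_rules eth0 "22 80"
```

After applying, iptables -L -n -v should show the accept rules with the INPUT policy reading DROP, and a re-run of the nmap scan from the first post should report 21, 25 and 110 as filtered. Plain iptables rules do not survive a reboot, so whatever mechanism the distribution provides for saving them (or a boot-time script) still has to be set up separately.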
 
Old 09-01-2006, 02:15 PM   #14
cucolin@
Member
 
Registered: Nov 2003
Location: USA
Distribution: Ubuntu, CentOS, RedHat
Posts: 416

Original Poster
Rep: Reputation: 31
But do I need these services such as FTP to download updates/upgrades?? Is there a way that I can set them like in Windows, where you set the services to automatic, manual or disabled? Can I set this manually, so it will start whenever I need them?

Thanks J-K9..
 
Old 09-01-2006, 02:17 PM   #15
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
I don't use Ubuntu, but I believe you can go to System > Administration > Services in your menu and you can disable and stop the MTA (port 25), FTP and POP3 servers.

As far as a firewall, instead of getting a script, I suggest that you download a program that will start a firewall for you. A good one for Gnome is Firestarter. Here are some instructions on how to install and use it: http://www.fs-security.com/docs/installation.php (fs-security.com is the makers of Firestarter)

I say to use that instead of a script because many scripts that float around here do not deal with logging or limiting connections. Plus it's easier to change later if you are indeed using a GUI to administer your server.

And as for your question on FTP, what is running on your computer is a server. You are talking about using a client, which will run even if your own server is not running. Go ahead and just disable it.
 
  

