LinuxQuestions.org

-   -   HOWTO: Secure and stealth your Linux Box! (https://www.linuxquestions.org/questions/linux-security-4/howto-secure-and-stealth-your-linux-box-128587/)

techchiq 12-24-2003 03:16 AM

HOWTO: Secure and stealth your Linux Box!
 
After trying firestarter and finding that Kppp (KDE's dialer) doesn't work well with it (and I have to be root to run firestarter at all, which is a pain), I have decided to drop that and I learned a bit about IPTables. I tested this all at GRC.com's Shield's Up, which does a rather nice job testing things. Here's how I stealthed my Red Hat 9 (clone) system - I have iptables installed as well as lokkit. You need to be root to do all this stuff.

NOTE That this is for desktop systems that depend on modem (dial-up) internet connections via ppp0.

Also, when I say to type something at the shell prompt, do NOT type the preceding # as that is just there to show it's a shell prompt.

STEP 1: Going Stealth on all ports

Here's the /etc/sysconfig/iptables file content:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1055 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 1720 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 5000 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1055 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 1720 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 5000 -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j DROP
COMMIT

Note the line -A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP. This line is necessary because port 0 will always show up in Shield's Up as closed, but it shows up, giving away the fact you're on the internet. :( This line will make that port not respond. Port 0 is a U*ix "null" port that is basically "invalid" (thus the state name). GRC.com says it's used by some programmers as a test port to test development of applications that use ports of some kind. If you test your system there and click on the 0 port link, it'll give you more information on this.

Next, type the following at the shell prompt:

#/etc/init.d/iptables restart

STEP 2: Stopping PINGS

Another nasty is pings. Here is how you can make it so that your system will not respond to pings at all. Simply edit (as root) the /etc/sysctl.conf file. Find these lines:

# Controls source route verification
net.ipv4.conf.default.rp_filter=1

Now add these two lines:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

Next at the shell prompt type this:

#/sbin/sysctl -p

STEP 3: Masking Reverse DNS lookup

Wherever you go on the internet, your machine name (or rather your ISP's machine name, which looks like a URL path of some kind) is given out. Clever people could use that to personally identify you, I think the GRC.com site says. By not allowing your system to give this away, you further can protect your privacy. To do this, type at the shell prompt:

# echo "1" > /proc/sys/net/ipv4/ip_forward

STEP 4: Tell them off! LOL!

While this might not really be necessary if you have your system pretty well stealthed, it still might be a good measure anyway. When you boot Linux and log in, some distributions will show what distro you're using along with the Linux kernel version. If you're using an older kernel for some reason, you definitely don't want a potential intruder to find this out! That's IF you get hacked (they'd have to find you in the first place, and if you did the above, it'd be pretty hard to find your machine on the internet!) But anyway, you can back up your /etc/issue and /etc/issue.net files, then edit the non-backups to say something like:

** WARNING!! **
This is a private closed system.
Any and all activity is logged.
** GO AWAY!! **

Or whatever to let someone who finds their way to log in to know they aren't welcome. :)

STEP 5: Allowing Hosts?

Lastly, you can edit your /etc/hosts.allow and /etc/hosts.deny files as so:

/etc/hosts.allow
(after the comments put the following line)
ALL:127.0.0.1

/etc/hosts.deny
(after the comments put the following line)
ALL:ALL

Now you're all set! You shouldn't need to reboot the computer but if for some reason things haven't yet started working the way you expected, a reboot is a good idea before trying to further diagnose things.

Hope this helps some of those out there on dial-up connections. If you're running a network, or don't have Lokkit or the RH9 distro, you'll have to make some changes. Hopefully this will give some basics to get started.

chort 12-24-2003 03:58 AM

Hmmm, looks to me (but I'm no iptables guru) like that script is accepting everything that's not explicitly denied. That's rather silly... check that, it's really not smart. A firewall should be default-deny and only allow the ports you explicitly tell it to.

If anyone scans an uncommon port, they're going to see the "connection refused" from the non-listening port on your box (the response is from the port, not the firewall). While that's not particularly dangerous in and of itself, suppose a trojan had installed itself (as a user) and was running on some high port? Not good!

techchiq 12-24-2003 09:24 AM

Quote:

Originally posted by chort
Hmmm, looks to me (but I'm no iptables guru) like that script is accepting everything that's not explicitly denied. That's rather silly... check that, it's really not smart. A firewall should be default-deny and only allow the ports you explicitly tell it to.

Could you be a bit more specific? I'm just learning this myself so I would like to know how that works out. At GRC.com it shows ports 0 - 1055 as stealth. Also the "DROP" at the end of the line means not to respond to anything coming in on those ports.

Can you give some examples, maybe, where it would only open up one port for allowing a user to browse the web, another for allowing the user to get/send email (evolution) and another for using gftp to connect and download files via anonymous ftp (no servers are running on this machine, btw)? Some examples might help me understand things a little better. The above looks like it's stealthing out certain ports (which GRC.com checks), or so I had thought. at least, it appears to.

Quote:

If anyone scans an uncommon port, they're going to see the "connection refused" from the non-listening port on your box (the response is from the port, not the firewall). While that's not particularly dangerous in and of itself, suppose a trojan had installed itself (as a user) and was running on some high port? Not good!

I can see your point. That is a concern. I'm not quite sure how to block ALL ports but the ones needed for access...? I don't want the ports needed for normal internet access (non-server use) to show up as anything but stealth, but still be usable.

techchiq 12-24-2003 10:00 AM

Ok, I made some changes. How does this look? I tested some random odd ports that Shield's Up doesn't do in their port tests (but they do let you specify a port to probe) and the script below seems to stealth out ALL ports while still allowing a normal user to access the web, etc. Problem is, I couldn't just do a --dport 0:65535 for some reason because it then wouldn't access the web, etc. So I did it this way (split it up) but it still covers all ports.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:8080 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8081:65535 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:8080 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 8081:65535 -j DROP
COMMIT

I tried experimenting with things like:

:INPUT DROP [0:0]

then

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8080 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 8080 -j ACCEPT

But again, I couldn't get the browser to access the internet. Of course, I'm still experimenting with ways to do this.

chort 12-25-2003 01:27 AM

You don't want to specify which ports to drop, you're still doing that. Instead, you want to drop ALL. I'm not sure what the iptables keyword is for that, but it's probably either "all" or "ALL". Then you want to allow connections only from your own IP address, and only to IPs other than your own, i.e. something like

block all inbound
block all outbound
source my_ip destination not my_ip allow outbound and keep state
(this is just pseudo code)

This will let you browse the web, etc (since those are all outbound connections)

If you want to run some type of server on your machine, then you would have to do something like
source any destination my_ip (only "syn" is set and destination my_service port) allow inbound and keep state

By the way, HTTP uses port 80/tcp, unless you're sending it through some proxy (in which case you need to talk to the proxy port, such as 3128, 8080, etc).

poison 12-25-2003 10:06 AM

well...I'm no iptables guru at all...tried to understand it but failed ^^
could anybody give me a hint if the following is terrible bad ?

Code:

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -P INPUT DROP  #only if the first two are successful
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 21 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 8080 -j ACCEPT
#iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT

it's supposed to block all inbound connections, except for ftp, http and mutella (on port 8080) ^^
:confused: that's what it does, no?

chort 12-25-2003 02:54 PM

Looks right to me (iptables -P INPUT DROP is the default action), but have someone familiar with iptables confirm that for sure.

techchiq 12-25-2003 07:23 PM

Quote:

Originally posted by poison
well...I'm no iptables guru at all...tried to understand it but failed ^^
could anybody give me a hint if the following is terrible bad ?

My question is, will it keep those ports STEALTH? That is what I'm hoping to accomplish. The idea here is to make it look like the computer doesn't exist on the internet at all, should something try to connect to that IP (ie. like there's no computer using that IP address at the moment or something). Otherwise, if I have just one port open, it gives it away that there is a computer (this one) connected to the internet.

Also, opening ports - I don't want someone to use one of them to log into the system.

I'll try this code a bit later and see how it stands up to GRC.com's probes.

JimKyle 12-25-2003 07:52 PM

If you're not running an http or ftp server, you don't need to accept incoming packets on ports 80 and 21. Ditto for 8080. If you want to be completely stealthed, omit the last four lines of your script so that the only incoming you accept will be established packets. Of course this may foul up your ppp interface, requiring you to add some ACCEPT rules for it...

You'll find, when you do your GRC testing, that you have three ports open, which tells the world your computer exists. Removing those three ACCEPT lines will make them go away...

chort 12-25-2003 08:59 PM

DROP = "stealth", although you'll be easily discovered if you have at least one port open (i.e. set to ACCEPT). Even if you have "full stealth" there are still some particular nmap scans that can discover you. Don't be overly reliant on not being found. Make sure you treat any box as though it will be attacked, regardless of what firewall you have in front of it.

sharper 12-25-2003 11:03 PM

Quote:

Originally posted by poison

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -P INPUT DROP #only if the first two are successful
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 21 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 8080 -j ACCEPT
#iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT

The first and third lines are probably sufficient. If you have connection tracking, those two tell iptables to drop all packets that are not in reply to an already initiated connection. In the last four you are telling iptables to accept new connections on those ports. Also, you are probably going to have to let in some UDP packets (for DNS) and some ICMP (time exceeded and such). If you can lay your hands on it, I found "Linux Firewalls" by Ziegler heavy going, but it has a lot of information about what you need to let in and what you can drop.

techchiq 12-26-2003 08:33 PM

Thanks for all the info, everyone. I've saved it all and will be trying things out soon.

poison 12-27-2003 01:35 PM

thanks for the info guys...
looks like I _did_ understand it =P
now for my next enemy...sendmail ^^

chort 12-27-2003 02:12 PM

Quote:

now for my next enemy...sendmail

It's good to treat Sendmail like a potential enemy, because it has been exploited so many times, chances are your Sendmail (controlled by an attacker) might some day turn on you!

Before you bother going in depth with Sendmail, I'd remove all traces of it and install a replacement, such as Postfix or Qmail. They're both much more secure.

timdsmith 12-27-2003 02:50 PM

Here's a nice clean way to flush your existing rules and set the default policy to drop.

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

Then if you want to allow established/related traffic in do

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT

of course you'll probably have your variables set up differently, so you'll have to adjust for that.
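Putting chort's pseudo-code and timdsmith's flush-and-default-drop snippet together, here is a complete default-deny ruleset for the dial-up desktop case the thread is about, added as an example and not code posted by anyone in the thread. It assumes the external interface is ppp0 and that iptables has the state match (ip_conntrack) available; the names gen_ruleset, count_new_accepts and WAN_IF are chosen for this example. It goes one step beyond the thread by logging the dropped packets (rate-limited) so that probes show up in the system log.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Generates a default-deny, stateful iptables ruleset (iptables-restore
# format) for a single dial-up desktop: nothing listens to the outside,
# replies to connections the box started are let back in, all other
# inbound traffic on the modem link is logged and silently dropped.
# Assumes iptables with the "state" match (ip_conntrack), as on RH9.

WAN_IF="${WAN_IF:-ppp0}"   # external interface (constructed default)

# gen_ruleset IFACE : print the ruleset on stdout.
gen_ruleset() {
    iface="$1"
    cat <<EOF
*filter
# DROP policy: unsolicited packets get no RST or ICMP answer, which is the
# "stealth" the thread is after. REJECT would reply and reveal the host.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback stays open or local clients (X, KDE, printing) break.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify are dropped before anything else.
-A INPUT -m state --state INVALID -j DROP
# Replies to outbound connections: web pages, DNS answers, mail, ICMP
# errors for tracked flows, FTP data channels (needs ip_conntrack_ftp).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything else reaching the modem link is logged, rate-limited so a port
# scan cannot flood the logs, then falls through to the DROP policy.
-A INPUT -i ${iface} -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# count_new_accepts IFACE : number of rules admitting NEW inbound
# connections; 0 means no port is reachable from the outside.
count_new_accepts() {
    gen_ruleset "$1" | grep -c -e '--state NEW.*-j ACCEPT' || true
}

case "${1:-}" in
    --apply)   # load the rules; needs root and iptables-restore on PATH
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        gen_ruleset "$WAN_IF" | iptables-restore
        ;;
    *)         # default: print the ruleset for review
        gen_ruleset "$WAN_IF"
        ;;
esac
```

Run it without arguments to review the generated file; a later inbound ACCEPT for a server would be added before the LOG line, and count_new_accepts then reports how many such openings exist.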

