HOWTO: Secure and stealth your Linux Box!
After trying firestarter and finding that Kppp (KDE's dialer) doesn't work well with it (and I have to be root to run firestarter at all, which is a pain), I have decided to drop that and I learned a bit about IPTables. I tested this all at GRC.com's Shield's Up, which does a rather nice job testing things. Here's how I stealthed my Red Hat 9 (clone) system - I have iptables installed as well as lokkit. You need to be root to do all this stuff.
NOTE that this is for desktop systems that depend on modem (dial-up) internet connections via ppp0. Also, when I say to type something at the shell prompt, do NOT type the preceding # as that is just there to show it's a shell prompt.

STEP 1: Going Stealth on all ports

Here's the /etc/sysconfig/iptables file content:

Code:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1055 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 1720 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 5000 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1055 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 1720 -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 5000 -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j DROP
COMMIT

Note the line -A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP; this line is necessary because port 0 will always show up in Shield's Up as closed, but it shows up, giving away the fact you're on the internet. :( This line will make that port not respond. Port 0 is a U*ix "null" port that is basically "invalid" (thus the state name). GRC.com says it's used by some programmers as a test port to test development of applications that use ports of some kind.
If you test your system there and click on the 0 port link, it'll give you more information on this. Next, type the following at the shell prompt:

Code:
# /etc/init.d/iptables restart

STEP 2: Stopping PINGS

Another nasty is pings. Here is how you can make it so that your system will not respond to pings at all. Simply edit (as root) the /etc/sysctl.conf file. Find these lines:

Code:
# Controls source route verification
net.ipv4.conf.default.rp_filter=1

Now add these two lines:

Code:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

Next, at the shell prompt type this:

Code:
# /sbin/sysctl -p

STEP 3: Masking Reverse DNS lookup

Wherever you go on the internet, your machine name (or rather your ISP's machine name, which looks like a URL path of some kind) is given out. Clever people could use that to personally identify you, I think the GRC.com site says. By not allowing your system to give this away, you can further protect your privacy. To do this, type at the shell prompt:

Code:
# echo "1" > /proc/sys/net/ipv4/ip_forward

STEP 4: Tell them off! LOL!

While this might not really be necessary if you have your system pretty well stealthed, it still might be a good measure anyway. When you boot Linux and log in, some distributions will show what distro you're using along with the Linux kernel version. If you're using an older kernel for some reason, you definitely don't want a potential intruder to find this out! That's IF you get hacked (they'd have to find you in the first place, and if you did the above, it'd be pretty hard to find your machine on the internet!). But anyway, you can back up your /etc/issue and /etc/issue.net files, then edit the non-backups to say something like:

Code:
** WARNING!! **
This is a private closed system. Any and all activity is logged.
** GO AWAY!! **

Or whatever, to let someone who finds their way to log in know they aren't welcome. :)

STEP 5: Allowing Hosts?
Lastly, you can edit your /etc/hosts.allow and /etc/hosts.deny files like so:

/etc/hosts.allow (after the comments, put the following line)

Code:
ALL:127.0.0.1

/etc/hosts.deny (after the comments, put the following line)

Code:
ALL:ALL

Now you're all set! You shouldn't need to reboot the computer, but if for some reason things haven't yet started working the way you expected, a reboot is a good idea before trying to further diagnose things. Hope this helps some of those out there on dial-up connections. If you're running a network, or don't have Lokkit or the RH9 distro, you'll have to make some changes. Hopefully this will give some basics to get started. |
Hmmm, looks to me (but I'm no iptables guru) like that script is accepting everything that's not explicitly denied. That's rather silly... check that, it's really not smart. A firewall should be default-deny and only allow the ports you explicitly tell it to.
If anyone scans an uncommon port, they're going to see the "connection refused" from the non-listening port on your box (the response is from the port, not the firewall). While that's not particularly dangerous in and of itself, suppose a trojan had installed itself (as a user) and was running on some high port? Not good! |
Can you give some examples, maybe, where it would only open up one port for allowing a user to browse the web, another for allowing the user to get/send email (evolution) and another for using gftp to connect and download files via anonymous ftp (no servers are running on this machine, btw)? Some examples might help me understand things a little better. The above looks like it's stealthing out certain ports (which GRC.com checks), or so I had thought. At least, it appears to.
|
Ok, I made some changes. How does this look? I tested some random odd ports that Shield's Up doesn't do in their port tests (but they do let you specify a port to probe) and the script below seems to stealth out ALL ports while still allowing a normal user to access the web, etc. Problem is, I couldn't just do a --dport 0:65535 for some reason because it then wouldn't access the web, etc. So I did it this way (split it up) but it still covers all ports.

Code:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -m state --state INVALID -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:8080 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8081:65535 --syn -j DROP
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:8080 -j DROP
# udp 8081 and up (without this rule those udp ports stay unfiltered)
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 8081:65535 -j DROP
COMMIT

I tried experimenting with things like:

Code:
:INPUT DROP [0:0]

then

Code:
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8080 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 8080 -j ACCEPT

But again, I couldn't get the browser to access the internet. Of course, I'm still experimenting with ways to do this. |
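A way to audit a "drop everything in these ranges" ruleset like the one above for destination ports it leaves uncovered. This is an added example, not code from the thread; the sample ruleset inside it is constructed and deliberately repeats a tcp line where a udp one belongs, the kind of slip the checker is there to catch.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-restore ruleset
# that "stealths" by enumerating DROP ranges, and report the destination
# ports of one protocol that no DROP rule covers. Ruleset comes on stdin.
uncovered_ports() {  # usage: uncovered_ports tcp|udp < rules
  awk -v proto="$1" '
    # only DROP rules for the requested protocol add coverage
    index($0, "-p " proto " ") && / -j DROP/ {
      for (i = 1; i < NF; i++) if ($i == "--dport") {
        n = split($(i + 1), r, ":")
        lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
        for (p = lo; p <= hi; p++) covered[p] = 1
      }
    }
    END {
      # walk 0..65535 and print each run of ports with no DROP rule
      start = -1
      for (p = 0; p <= 65536; p++) {
        hit = (p in covered) || p == 65536
        if (!hit && start < 0) start = p
        if (hit && start >= 0) { printf "%d:%d\n", start, p - 1; start = -1 }
      }
    }'
}

# constructed sample: a lokkit-style list whose last rule was copied as
# tcp instead of udp, so udp 8081-65535 is never dropped
SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 0:8080 --syn -j DROP
-A INPUT -p tcp -m tcp --dport 8081:65535 --syn -j DROP
-A INPUT -p udp -m udp --dport 0:8080 -j DROP
-A INPUT -p tcp -m tcp --dport 8081:65535 --syn -j DROP
COMMIT'

# one "proto lo:hi" line per gap; empty output means full coverage
check_sample() {
  for proto in tcp udp; do
    printf '%s\n' "$SAMPLE" | uncovered_ports "$proto" | sed "s/^/$proto /"
  done
}
```

To audit a live box, feed it the running rules: `iptables-save | uncovered_ports udp`.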
You don't want to specify which ports to drop, you're still doing that. Instead, you want to drop ALL. I'm not sure what the iptables keyword is for that, but it's probably either "all" or "ALL". Then you want to allow connections only from your own IP address, and only to IPs other than your own, i.e. something like

Code:
block all inbound
block all outbound
source my_ip destination not my_ip allow outbound and keep state

(this is just pseudo code)

This will let you browse the web, etc. (since those are all outbound connections). If you want to run some type of server on your machine, then you would have to do something like

Code:
source any destination my_ip (only "syn" is set and destination my_service port) allow inbound and keep state

By the way, HTTP uses port 80/tcp, unless you're sending it through some proxy (in which case you need to talk to the proxy port, such as 3128, 8080, etc). |
well... I'm no iptables guru at all... tried to understand it but failed ^^
Could anybody give me a hint if the following is terribly bad?

Code:
iptables -F

:confused: that's what it does, no? |
Looks right to me (iptables -P INPUT DROP is the default action), but have someone familiar with iptables confirm that for sure.
|
Also, opening ports - I don't want someone to use one of them to log into the system. I'll try this code a bit later and see how it stands up to GRC.com's probes. |
If you're not running an http or ftp server, you don't need to accept incoming packets on ports 80 and 21. Ditto for 8080. If you want to be completely stealthed, omit the last four lines of your script so that the only incoming you accept will be established packets. Of course this may foul up your ppp interface, requiring you to add some ACCEPT rules for it...
You'll find, when you do your GRC testing, that you have three ports open, which tells the world your computer exists. Removing those three ACCEPT lines will make them go away... |
DROP = "stealth", although you'll be easily discovered if you have at least one port open (i.e. set to ACCEPT). Even if you have "full stealth" there are still some particular nmap scans that can discover you. Don't be overly reliant on not being found. Make sure you treat any box as though it will be attacked, regardless of what firewall you have in front of it.
|
Thanks for all the info, everyone. I've saved it all and will be trying things out soon.
|
thanks for the info guys...
looks like I _did_ understand it =P now for my next enemy...sendmail ^^ |
Before you bother going in depth with Sendmail, I'd remove all traces of it and install a replacement, such as Postfix or Qmail. They're both much more secure. |
Here's a nice clean way to flush your existing rules and set the default policy to drop.

Code:
# assumes IPTABLES, EXTIF, EXTIP and UNIVERSE (e.g. 0.0.0.0/0) are already set
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

Then if you want to allow established/related traffic in, do

Code:
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

Of course you'll probably have your variables set up differently, so you'll have to adjust for that. |
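The default-deny, stateful layout that the pseudo code earlier in the thread describes (block inbound, allow outbound and keep state) and that this flush script starts on, written out as a complete iptables-restore ruleset. This is an added example, not code from anyone in the thread; it assumes a single dial-up host with no listening services and the external interface ppp0 from the original post.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: the default-deny,
# stateful layout for a single dial-up host with no listening services.
# gen_rules prints an iptables-restore file; apply_rules loads it.
# Assumed: the external interface is ppp0 (override with EXTIF=...).
EXTIF="${EXTIF:-ppp0}"

gen_rules() {
  cat <<EOF
*filter
# policies first: anything no rule accepts is silently dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays open in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets that belong to no tracked connection (the "port 0" noise)
-A INPUT -m state --state INVALID -j DROP
# replies to connections this host opened (web, mail, ftp, dns)
-A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# local users may open new outbound connections on the dial-up link
-A OUTPUT -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# no inbound NEW rule at all: with no servers, every unsolicited
# packet hits the INPUT policy and the port never answers
COMMIT
EOF
}

# load the ruleset atomically (run as root); replaces the current table
apply_rules() { gen_rules | iptables-restore; }

# number of INPUT rules that would admit an unsolicited new connection;
# 0 means no port is reachable from outside
inbound_new_accepts() {
  gen_rules | grep -c -- '^-A INPUT.*NEW.*-j ACCEPT' || true
}
```

Call apply_rules as root and confirm with `iptables -L -n`; an inbound echo-request is an unsolicited NEW packet, so it falls to the INPUT DROP policy without the sysctl change from STEP 2.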