LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-21-2005, 06:37 PM   #61
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69

//Moderator Note: Let's keep this thread on topic. Any more random comments, trolls, or personal attacks and this thread will be closed.
 
Old 03-21-2005, 07:36 PM   #62
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
penguinlnx, perhaps you should re-read the thread. Most questions you've asked have been addressed, points countered, yet when we have posted questions to you, you sidestep them and change your argument.

Did you come here to debate, or to learn? If it is to merely debate, may I suggest another forum where mental masturbation and debate for the sake of debate is more topical?

What questions or points have you posted which have not been addressed, corrected, or countered? How about answering some of the questions and addressing some of the points we have raised? You claim to have come here to get answers, but every response has either ignored what we have posted, or been outright hostile, as our friendly moderator pointed out. We're open to discussion for academics and also to improve security of our own respective networks, but to debate simply for the sake of debating, well, I'd rather leave that up to Congress.
 
Old 03-21-2005, 09:02 PM   #63
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Original Poster
Rep: Reputation: 30
Steps to take to harden a home system

So what steps should a person take after installing a basic distro to improve or prevent various net vulnerabilities?

(a) What is the essential list of things to check once your GUI is up and running
and you have internet access enabled?

(b) What concrete steps should one take before going internet sailing?
(I presume there are at least a few things one must probably tweak out of the box).

(c) How politically correct must one act so as not to have to waste time with trivialities.
( I have no real interest in discussing other issues except as they pertain to security.)

(d) Don't you just hate abortion, same sex marriage and cops?
(just kidding, don't respond.)
 
Old 03-21-2005, 10:07 PM   #64
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
I think distros could do a better job ensuring the users create a non-root user and use it. I know some still don't disable root login through kdm/xdm/gdm by default. I always do that to get rid of the temptation of logging into the computer and using it for everyday purposes as a super user. When you have to go out of your way to switch users it gives you that moment to think.. "do I really want to do this?".

Setup an IPTables firewall. This should be done BEFORE you give your machine access to the open internet. I'm not saying you have to make individual rules for everything your users might use.. but at least only allow incoming connections that were either a) solicited or b) to a specifically designated service you are running. Most desktops need only a few rules:

Code:
        #flush existing rules
        ${IPTABLES} -F INPUT

        #This allows all data that has been sent out for this machine to be
        #replied to.
        ${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
        ${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
        ${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

        #Drop and log all other data
        #The logging is set so if more than 5 packets are dropped in
        #three seconds they will be ignored. This helps to prevent a DOS attack
        #Crashing the computer the firewall is running on
        ${IPTABLES} -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-level 4 --log-prefix "[iptables] "
        ${IPTABLES} -A INPUT -i ! lo -j DROP
Never ever run telnetd or ftpd... It should be made clear the days of running telnet and ftp are over. SSH version 2.0 is the only way to fly for remote shell access and file transfer. I don't know of any distros out there that run ftp or telnet software out of the box, if there are any let me know so I can personally go out of my way to scream at their maintainers. I would like to make special note though... that so long as you don't run daemon services like telnetd and ftpd as root (ie you have a telnet user that owns the telnetd process) the amount of damage that can be done even if the telnetd program is hacked is very limited. It has been quite some time since I've seen a distribution that doesn't execute insecure daemons this way.

If you're so inclined, update your kernel to a grsec/pax kernel and use the features that provides. Linux does a good job of setting up process address spaces so buffer overflows are much more likely to segfault the process than to cause arbitrary code execution. This is done simply, by making the stack and the heap grow toward the important process structure elements required for the process to run... you start overwriting the process structure blindly and the process will get destroyed. Having random pids, random inodes, random packet sequences, and such help stop people from deducing what is where in memory.

Use a strict umask (077 instead of the usual 022 default) so that by default nothing is executable, readable, or writable by any user other than the user who created the file unless they go out of their way to change the permissions.

Make sure your kernel limits in sysctl.conf are reasonable. Usually they are, but it doesn't hurt to check?

Make sure to browse your logs now and again.... It is shocking how useful log messages can be to tell you when something is wrong... I like to setup a little cron job to e-mail me parts of log files so I don't forget.
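The "solicited traffic in, everything else logged and dropped" policy from the post above, written up as an added example (this is not jtshaw's jts-firewall script) with a dry-run mode so the generated rules can be reviewed before they touch a live box. Assumptions: iptables 1.4+ syntax (`! -i lo` instead of the older `-i ! lo` used above), eth0 as the internet-facing interface, and SSH on tcp/22 as the one deliberately exposed service.

```shell
#!/bin/sh
# Added example, not the thread's own script. Same policy as jtshaw's rules:
# accept replies to what we sent, accept one designated service, log (rate
# limited) and drop everything else. Assumed: eth0 faces the internet.

IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# With DRY_RUN=1 every rule is printed instead of executed, so the script
# can be reviewed (or tested) without root and without an iptables binary.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

apply_firewall() {
    # Start from a clean INPUT chain; the chain policy itself becomes DROP so
    # nothing slips through if a later rule fails to load.
    run_ipt -F INPUT
    run_ipt -P INPUT DROP

    # Loopback is trusted; local services (X, cups, syslog) talk over it.
    run_ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this machine opened, plus RELATED traffic such as
    # ICMP errors, count as "solicited" and are let back in.
    run_ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Explicitly designated services: only SSH here (assumed port 22).
    run_ipt -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # Log the rest, rate limited so a packet flood cannot fill the disk or
    # starve syslog, then drop it.
    run_ipt -A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 \
        -j LOG --log-level 4 --log-prefix "[iptables] "
    run_ipt -A INPUT ! -i lo -j DROP
}

# Review helpers (dry run in a subshell so DRY_RUN never leaks out).
count_rules() {
    (DRY_RUN=1; apply_firewall) | grep -c -- ' -A INPUT '
}
final_rule() {
    (DRY_RUN=1; apply_firewall) | tail -n 1
}

# Invoked directly with DRY_RUN=1 this just prints the rules; without it,
# and as root, it applies them.
if [ "${DRY_RUN:-0}" = "1" ]; then
    apply_firewall
fi
```

Run it once as `DRY_RUN=1 sh firewall.sh` and check that the last printed rule is the DROP before running it for real.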
 
Old 03-22-2005, 07:13 AM   #65
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Original Poster
Rep: Reputation: 30
Thank you: this looks very useful...

(1) I need a bit more of the mechanics for this:

Are these command line instructions? Can I automate this process?
Or does this go into a file called 'IPTABLES" or "IP-CONFIG"? and where would it be stored,
so that it is automatically installed on boot-up?

(2) With my Gentoo Install, I just used "EMERGE GENKERNEL",
which apparently runs a script that installs a generic (hopefully up to date) kernel package.
I think there is a command that tells me what kernel number I have but I can't find it.

(3) In the PORTAGE list of things I can install with the auto-EMERGE, (under kernel) I found these:

CMAN-KERNEL - CMAN cluster kernel module
CODA-KERNEL - Kernel module for the Coda Filesystem. for Coda 6.0+
CONFIG-KERNEL - Kernel environment configuration tool
DIM-KERNEL - GFS Network Block Devices kernel module
MINDI-KERNEL - a basic kernel image for a mindi created bootdisk
NVIDIA-KERNEL - Linux kernel module for the NVIDIA X11 driver (hey, I have this graphics card...)

Would any of these things correspond to
>> "update your kernel to a grsec/pax kernel and use the features that provides. "

And while we're here, should I or shouldn't I install the NVIDIA kernel?
Would the Coda Filesystem be useful?
What is a 'CMAN'?
Do I need a MINDI bootdisk for emergencies or backups?

Yeah, I know these questions sound silly to someone who already knows the answers...
 
Old 03-22-2005, 09:00 AM   #66
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
To use pax/grsec in Gentoo use the "hardened-sources" or the "hardened-dev-sources".

If you have an nvidia card then there is no reason not to use the nvidia kernel module. It will allow you to get hardware acceleration with your graphics card.

As for the IP tables issue, there are a bunch of front ends for iptables that people use, but being a text editor/cli type I always just create my own script. To use this you must emerge iptables and have netfilter/iptables support in your kernel.

Put jts-firewall in your /sbin directory. Make sure you make it executable by root. Put firewall-init in your /etc/init.d directory, again make sure it is executable by root. Edit the jts-firewall script as needed. I have a bunch of rules commented out for allowing connections on different ports so you can see examples of how things are done. Adding firewall-init to your initscripts (rc-update add firewall-init default) will get your firewall up and running on each boot.
 
Old 03-22-2005, 09:21 AM   #67
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Original Poster
Rep: Reputation: 30
MSN Messenger Vulnerability: Why LINUX as an attack base?

A vulnerability in the parsing of PNG images allows an attacker to run arbitrary code on chat partner's machine and gain access to the system with the privileges of the victim running MSN Messenger.

End Targets: Win 2K (all service packs) and Win XP (all service packs) that run MSN Messenger.

It passes unnoticed to network Intrusion Detection Systems (IDS), Prevention Systems (IPS) and firewalls that do not decode and 'normalize' the encapsulated MSN protocol. Also you can compromise vulnerable systems without disrupting the normal function of MSN Messenger.

A valid PNG file could be modified and still look as a harmless picture to other applications.
There are 4 known attack vectors to trigger the vulnerability in the PNG image processing code:
- Delivery of the PNG image as display picture, thumbnail, an icon, or as a regular file transfer.

Not disrupting the execution of the MSN Messenger on the victim's computer means it can be used to compromise other clients by 'infecting' the victim's display picture (or emoticon etc.) Thus it can be used to launch massive attacks using victims as delivery vectors to more victims.

Crafting the malformed PNG image file is simple but delivering the image to the victim is more difficult:

Alternatives to implementing an entire messenger client are:

1) using the standard client application to send the image.
2) using an open source third party client. *!*
3) using a messenger protocol proxy.

1. to use the standard client, it must be previously patched and modified to safely use the image.
2. The difference with the previous option is that the modifications can be made easily.

SPELLING IT OUT:
Using MSN Messenger/Windows as a launch-base is extremely difficult since you don't have the source code.
Using a Linux Box & Open Source communication tools is easy, since you can easily write or customize your Launcher.

Nuff said: "Four out of five professional criminals recommend Linux!"
 
Old 03-22-2005, 09:38 AM   #68
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Original Poster
Rep: Reputation: 30
>>you must emerge iptables and have netfilter/iptables support in your kernel.

Does emerging iptables give me netfilter/iptables support, or is that a separate step?
how will I know if I already have netfilter/iptables support?

Thanks in advance!
 
Old 03-22-2005, 10:34 AM   #69
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
Netfilter/iptables support has to be enabled when you configure your kernel... I believe genkernel includes those options as many people use them. emerge iptables should complain if your kernel won't support iptables.


As for the IM vulnerability...
Quote:
1) using the standard client application to send the image.
2) using an open source third party client. *!*
3) using a messenger protocol proxy.
If you can use the standard client then how exactly is it difficult to deliver the image? All the blame for this vulnerability should go firmly on the receiving client that allows arbitrary code to be executed. There is really no incentive to sending the image with any particular client as every client will allow you to transfer a binary file. All the open source clients are doing is implementing the full extent of protocol. Is it our fault if the protocol and the standard clients are flawed? Hardly.
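One way to answer the "how will I know if I already have netfilter/iptables support?" question from post #68, as an added example that is not from the thread: check the running kernel's config (/proc/config.gz, or the .config of the source tree in /usr/src/linux on Gentoo) for the options the firewall script above relies on. Assumption: the 2.6-era option names (CONFIG_IP_NF_*); newer kernels spell several of these CONFIG_NF_* or CONFIG_NETFILTER_XT_*, so adjust the list for a modern source tree.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a kernel .config for the
# netfilter options needed by a state/limit/LOG iptables rule set.
# Assumed option names are the 2.6-era ones; newer kernels rename several.

# iptables itself, the filter table, connection tracking, the state and
# limit matches, and the LOG target.
NEEDED="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_MATCH_LIMIT \
CONFIG_IP_NF_TARGET_LOG"

# Print each option from $NEEDED that is neither built in (=y) nor a
# module (=m) in the given config file; prints nothing when all are present.
missing_netfilter_options() {
    cfg="$1"
    for opt in $NEEDED; do
        grep -Eq "^${opt}=(y|m)$" "$cfg" || echo "$opt"
    done
}

# Exit status 0 when every required option is enabled, 1 otherwise.
kernel_supports_iptables() {
    [ -z "$(missing_netfilter_options "$1")" ]
}

# Find a plain-text config for the running kernel: /proc/config.gz when the
# kernel exports it (CONFIG_IKCONFIG_PROC), else the source tree's .config.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "/tmp/kconfig.$$" && echo "/tmp/kconfig.$$"
    elif [ -r /usr/src/linux/.config ]; then
        echo /usr/src/linux/.config
    else
        return 1
    fi
}

# Constructed sample configs so the check can be exercised offline.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_TARGET_LOG=m
EOF
# Same kernel with connection tracking (and so the state match) left out:
# iptables still loads, but "-m state" rules would fail.
BAD_CFG=$(mktemp)
grep -Ev 'CONNTRACK|MATCH_STATE' "$GOOD_CFG" > "$BAD_CFG"

# On a real box: cfg=$(find_kernel_config) && missing_netfilter_options "$cfg"
```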
 
Old 03-22-2005, 11:38 AM   #70
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Quote:
Originally posted by penguinlnx
Nuff said: "Four out of five professional criminals recommend Linux!"
while shaking head.
 
Old 03-22-2005, 12:15 PM   #71
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Original Poster
Rep: Reputation: 30
emerging iptables

emerging iptables seems to have compiled fine without complaint.

However, I tried emerging config-kernel and it was masked off as broken...

I don't know if I can config the kernel at all without some tools...

When I tried to compile another package I got a fatal ERROR
and the emerge aborted, with the message,
"kernel not configured!"

This doesn't seem to be good....
 
Old 03-22-2005, 01:00 PM   #72
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
If you want to hand configure the kernel, emerge the kernel you want (for instance, hardened-dev-sources is my personal favorite). Your kernel source will reside in /usr/src. Go into the directory for the new kernel, run "make menuconfig". That will allow you to hand configure the kernel.
 
Old 03-22-2005, 01:59 PM   #73
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
Quote:
Originally posted by penguinlnx
SPELLING IT OUT:
Using MSN Messenger/Windows as a launch-base is extremely difficult since you don't have the source code.
Using a Linux Box & Open Source communication tools is easy, since you can easily write or customize your Launcher.

Nuff said: "Four out of five professional criminals recommend Linux!"
SPELLING IT OUT:

Closed source: A disgruntled contractor working for beans on a 1099 slips malicious code into MSN Messenger, and somehow it slips by QA. Aforementioned contractor leaves M$, writes, and distributes a virus or worm exploiting that hole. Because it is closed-source, and MSN Messenger is available only from one place, the userbase is none the wiser until it is too late.

Open source: A disgruntled open source project member slips code into a project and checks it in. Five minutes later, any project team member, or even any Tom, Dick, or Harry who checks out or gets the source spots the vulnerability, posts an alert to several messageboards and mailing lists. A couple of minutes later the CVS repository is either rolled back or locked, the exploit is removed, and then either rolled back forward or unlocked.

Of course, this is taking penguin's FUD campaign and reversing it, but I think he sees the point. I still think he's debating for the sake of debating, so is there any remaining point to this thread?
 
Old 03-22-2005, 02:14 PM   #74
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Original Poster
Rep: Reputation: 30
not an orator or debater.

Debating for the purpose of debating? I don't think so.

But if you don't ask questions and poke at as many areas in an answer as possible,
you never really learn how solid an answer is, or where it holds up, and where it folds up.
I am not here to debate, I'm here to learn.

I never would have learned anything without starting this thread.

I would not have learned more or learned faster by just nodding my head,
especially when I didn't understand the answers at all, or strongly doubted their claims.

When something looks logically flawed, you question it.
That doesn't mean it IS logically flawed, and if it ISN'T logically flawed,
that doesn't mean you shouldn't have questioned it!

If you think you are wasting your time responding to my questions,
you are in the wrong business. Open discussions full of crazy untested ideas
are the most exciting cutting edge discussions you can participate in.
Who cares if ten people talk, and two are idiots, one is crazy, one is paranoid,
and one is deaf? That means five people are saying something awfully important.

What makes a thread fun and full of important and useful truths,
is having people from all different views and backgrounds participating,
not just reading about it.
 
Old 03-22-2005, 02:22 PM   #75
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Original Poster
Rep: Reputation: 30
Clear example:

I am sitting here with a Linux OS and a beautiful $500 laser printer that I cannot access.

In HARDWARE, I posted a thread to get some help getting it working. One person responded.
My printer is still not working, and I am no further ahead than I was 2 weeks ago.

Here in SECURITY, I asked about the dangers of trying to set up MSN messenger on my Linux box,
and there have been 75 postings! I have learned more about Linux, Security, installs, configuration,
and my own machine and OS in the last two days than I was able to learn on my own in 2 weeks!

Clearly I lucked out posting a silly question here.

It hardly encourages me to stop asking questions.
 