06-19-2006, 10:44 AM
|
#1
|
Senior Member
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Rep:
|
mp3 home server
I've been running a mp3 server out of my basement for a couple months now using an old Pentium pc, Slackware 10.2, and gnump3d ver. 2.98. I'm using a precompiled 2.6.13 kernel and iptables 1.3.5...I've set up a couple simple filter rules that open up traffic on port 8001 for my server and allow no-ip's software to run in the background and update my changing IP address on the web since I have a DHCP.
As far as I know, nobody has messed with my 24/7 server. Is there a log file that keeps track of all online activity?
What else could I do to secure my server from vulnerabilities?
|
|
|
06-19-2006, 06:15 PM
|
#2
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by linuxhippy
I've been running a mp3 server out of my basement for a couple months now using an old Pentium pc, Slackware 10.2, and gnump3d ver. 2.98. I'm using a precompiled 2.6.13 kernel and iptables 1.3.5...I've set up a couple simple filter rules that open up traffic on port 8001 for my server and allow no-ip's software to run in the background and update my changing IP address on the web since I have a DHCP.
As far as I know, nobody has messed with my 24/7 server. Is there a log file that keeps track of all online activity?
What else could I do to secure my server from vulnerabilities?
|
as for logfiles, being that this is (i assume) a dedicated mp3 server, i believe you'd be pretty-much limited to the logfiles provided by the mp3 server app... of course there's always the iptables logs (and the system logs) but they aren't of much use in this situation (unless you are indeed allowing remote ssh logins, etc.)... what mp3 server app are you using??
as for hardening the box, you could post your iptables script and then maybe we could give you some pointers on how you might be able to make it better/tighter...
i would also recommend downgrading your kernel to the latest 2.4 (if possible), which at the time of this post is 2.4.33-rc1... you should make sure it's stripped-down to only what you need (a good start is disabling all the experimental options) of course... you'll need to recompile iptables after that...
other steps you can take are making sure you uninstall any packages you aren't using on the box, such as compilers, graphical libs/apps, etc...
if you want some heavy armor you could always patch the kernel with grsecurity... they should have a version for 2.4.33 released soon after 2.4.33 is actually released...
also, if your mp3 server app is able to run in a chroot jail, that would be great, as grsecurity provides chroot jail hardening...
there's plenty of other things you can do also... like, perhaps install rootkit hunter and set a cron job to email you the results of a scan once a day... or tripwire... or both...
just my ...
PS: does your mp3 server app have a web-based front-end?? if so, does it have its own or does it use apache??
EDIT: sorry, i just noticed that you had indeed posted the app you are using, gnump3d...
Last edited by win32sux; 06-19-2006 at 06:25 PM.
|
|
|
06-19-2006, 06:42 PM
|
#3
|
Senior Member
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207
Original Poster
Rep:
|
Why should I go back to the 2.4.X kernel? I'm running a 200 MHz pc, so I'd like a precompiled 2.4.33 kernel for Slack 10.2. The 2.4 kernel that is on the server is 2.4.31.
As for the server application, it's gnump3d version 2.98. It provides me with a detailed access log file. People access this 24/7 mp3 server on port 8001.
I'm using a DHCP IP address. I'm using the software at www.no-ip.com to run in the background as a process and update their online database with my IP address changes. It needs port 8245 to be open for their software to use.
I've opened up the above ports in my iptables 1.3.5 definitions along with ports for ssh and ftp and the no-ip process updates in the background:
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
COMMIT
|
|
|
06-19-2006, 07:01 PM
|
#4
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by linuxhippy
Why should I go back to the 2.4.X kernel?
|
mainly for security... using an unsupported 2.6.13 is a very bad idea if you are concerned about security... trust me, patrick volkerding is not ever going to be backporting security patches to that 2.6.13...
Quote:
I'm running a 200 MHz pc, so I'd like a precompiled 2.4.33 kernel for Slack 10.2. The 2.4 kernel that is on the server is 2.4.31.
|
precompiled?? ideally you want a kernel with only the features you NEED included... precompiled kernels like those provided by slackware come with everything but the kitchen sink included (including experimental stuff)...
in any case, i doubt patrick will provide a 2.4.33 kernel for slackware 10.2, considering he didn't even provide a 2.4.32... but then again, 2.4.33 includes (will include) a lot of security fixes so perhaps he'll issue it as a security update this time around... who knows...
what i can tell you is that it's best if you don't depend on him for your kernels... is there some reason in particular why you don't want to compile your own??
yeah, i realized this after i posted - look at my edit...
Quote:
It provides me with a detailed access log file. People access this 24/7 mp3 server on port 8001.
|
cool... i was reading through the docs for that app and the developer seems like a serious person, which is good... he seems to have given a lot of thought to the security implications of this application...
Quote:
I'm using a DHCP IP address. I'm using the software at www.no-ip.com to run in the background as a process and update their online database with my IP address changes. It needs port 8245 to be open for their software to use.
I've opened up the above ports in my iptables 1.3.5 definitions along with ports for ssh and ftp and the no-ip process updates in the background:
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
COMMIT
|
it's easier to give you feedback if you post your *entire* rc.firewall script...
Last edited by win32sux; 06-19-2006 at 07:11 PM.
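Added example, not part of the thread: a Python check run over the INPUT rules posted above, embedded here as a constructed sample. It lists the ports accepted from any source and reports whether the default INPUT policy is visible in the text, which it is not in the posted excerpt; the function names are hypothetical.

```python
import shlex

# Constructed sample: the INPUT rules as posted in the thread. The *filter
# header and the ":INPUT <policy>" line were not part of the post.
POSTED_RULES = """\
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
COMMIT
"""

FLAGS = {"-s": "source", "-p": "proto", "-j": "target", "--dport": "dport"}

def parse_rule(line):
    """Map the options of one '-A CHAIN ...' line to a dict ('!' negation is not handled)."""
    tokens = shlex.split(line)
    rule = {"chain": tokens[1]}
    i = 2
    while i < len(tokens) - 1:
        if tokens[i] in FLAGS:
            rule[FLAGS[tokens[i]]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule

def audit(text):
    """Return (policy, ports): the INPUT default policy, or None when the text
    does not show it, and the (proto, dport) pairs accepted from any source."""
    policy, ports = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rule = parse_rule(line)
            if rule.get("target") == "ACCEPT" and "dport" in rule and "source" not in rule:
                ports.append((rule.get("proto", "?"), rule["dport"]))
    return policy, sorted(ports, key=lambda p: int(p[1].split(":")[0]))

if __name__ == "__main__":
    policy, ports = audit(POSTED_RULES)
    print("default INPUT policy:", policy or "not shown in this excerpt")
    for proto, dport in ports:
        print(f"open to any source: {proto}/{dport}")
```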
All times are GMT -5. The time now is 06:07 AM.