LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-13-2007, 04:15 PM   #16
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782

Quote:
Originally Posted by nx5000
As root:
Code:
netstat -lapute
The column "Local Address" is particularly important. The ones where it says "localhost:xxx", like "localhost:smtp", mean the service is only accessible from this computer.
IMO, it's better to correct the cause (remove the unneeded services) rather than hiding them behind a firewall.
What are the criteria for an unneeded service? Those are criteria that are probably going to be determined by the admin. Some mail servers use localhost to send system messages. If the admin doesn't want/need the system messages, then they should disable the server (unless they need to serve mail to other hosts). If the admin depends on these system messages, that should be all the criteria needed to determine that mail is a needed service on localhost.

It shouldn't be a cut-and-dried issue. The issue is totally dependent on the admin's needs. A firewall, unless it is a firewall that is installed on the server, won't block localhost traffic, as that traffic never makes it beyond the machine itself. Hence, it is not a danger, because the service is limited to communicating with the machine the service is running on: loopback device only.
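As an added example (mine, not code from any poster in this thread), here is a small Python checker that applies the "Local Address" test from the quoted netstat advice to `netstat -lapute` output: sockets bound to loopback are left alone, anything else is reported unless the admin has listed that port as needed, and root-owned listeners are noted. The sample listing is constructed, and the set of loopback host names is my assumption.

```python
# Loopback hosts as netstat prints them with and without -n (this set is my
# assumption, not from the thread).
LOOPBACK_HOSTS = {"localhost", "ip6-localhost", "ip6-loopback", "::1", "[::1]"}

def is_loopback(host):
    return host in LOOPBACK_HOSTS or host.startswith("127.")

def parse_netstat_l(text):
    """Parse `netstat -lapute` output into listening-socket dicts.
    TCP rows have a State column and UDP rows do not, so user and program
    are read from the right-hand end of each row; port follows the last colon."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header text, not a socket row
        host, _, port = f[3].rpartition(":")
        sockets.append({"proto": f[0], "host": host, "port": port,
                        "user": f[-3], "program": f[-1]})
    return sockets

def exposed_listeners(text, needed=()):
    """Listeners reachable from other hosts that the admin has not marked as needed.
    `needed` holds ports as netstat prints them (names or numbers); sockets bound
    to loopback are never reported, which is the "Local Address" test."""
    findings = []
    for s in parse_netstat_l(text):
        if is_loopback(s["host"]) or s["port"] in needed:
            continue
        note = "runs as root" if s["user"] == "root" else ""
        findings.append((s["proto"], s["host"], s["port"], s["program"], note))
    return findings

# Constructed sample in `netstat -lapute` layout; not real output from the thread.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   User    Inode  PID/Program name
tcp        0      0 localhost:smtp  *:*              LISTEN  root    10001  1234/master
tcp        0      0 *:ssh           *:*              LISTEN  root    10002  1100/sshd
tcp        0      0 *:10000         *:*              LISTEN  root    10003  2001/perl
tcp        0      0 *:auth          *:*              LISTEN  identd  10004  1500/identd
tcp6       0      0 [::]:www        [::]:*           LISTEN  root    10005  1800/apache2
udp        0      0 *:bootpc        *:*                      root    10006  900/dhclient
"""

if __name__ == "__main__":
    for proto, host, port, prog, note in exposed_listeners(SAMPLE, needed={"ssh", "www"}):
        print(f"{proto} {host}:{port} {prog} {note}")
```

With ssh and www marked as needed, the sample reports the 10000, auth and bootpc listeners; the localhost smtp socket is never reported.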
 
Old 09-13-2007, 08:23 PM   #17
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by nx5000
IMO, it's better to correct the cause (remove the unneeded services) rather than hiding them behind a firewall.
That is sound advice, no doubt about it. I would just like to add that ideally you want to do *both*. I think it's very important to stress this, because some people might get the impression that simply removing unneeded services suffices with regards to security. Whether disabling services or properly firewalling them is more important is definitely debatable, and will come down to personal opinion (as you already know, judging by the "IMO" in your post). I'm sure, however, that we can agree that disabling services is not a replacement for a proper firewall setup (and vice versa, to a certain extent).

As such, it's important that an admin take care of both aspects when trying to limit network access. That way, for example, if a service is accidentally made to listen on an interface it isn't supposed to listen on, the firewall will serve as a safety net for the admin. A host-based firewall also provides several other means of protection, such as preventing someone with a non-root exploit from wreaking further havoc by starting listening processes on unprivileged ports, using the compromised box as a bastion to launch further cyber-attacks against other boxes on the LAN, etc., etc., etc.

Last edited by win32sux; 09-13-2007 at 08:28 PM.
 
Old 09-14-2007, 06:48 AM   #18
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Quote:
I'm sure, however, that we can agree that disabling services is not a replacement for a proper firewall setup (and vice-versa to a certain extent).
Very true. Disable the unneeded services AND put up a firewall.

A few ideas in no logical order:

GNU/Linux gives us the ability to understand the inner parts of the OS. Tweaking and closing ports is usually very easy.
Why would you leave a service that you don't need? You disable it, and when you need it again, you re-enable it.
The drawback of this is that when something does not work, it can be hard to track down what you have to re-enable. I use rc init levels for this.
My default run level has nothing I don't need. The others are untouched.
The same for the kernel: I have a custom kernel with the minimal stuff, and when I want to try new hardware etc., I'll take the packaged kernel to be sure to have full features to see if it works. Then I'll create a new custom kernel.

It's always a trade-off between usability and security.
Depending on the context (home user, school, company, ...), the needs of the users are different and the sensitivity of the information is not the same.
As an example, in my company only http goes out. We don't need more. OK, I would need bittorrent, but my admin for unknown reasons refuses lol.
At a university I was at before, all ports were open to the outside; that was great for the users... and for the bad guys. We got compromised several times, but there was no sensitive information anyway.

If you look at any serious security checklist you will see two major things, which in fact are common sense!
-> Privilege. Why would you start your proxy server as user root when it doesn't need root's unlimited power?
-> Services. Why would you need stuff that you don't need? Are YOU able to say that these services are 100% bug-free? Not me.
Windows has failed on these two points.

We are here talking about inbound access, but do not forget about outbound access. Reverse shells exist; even vnc can be launched in reverse, which means that somebody can start a vnc server on your machine and the vnc server will connect to a vnc client. If your firewall also blocks outbound access, it will give more headaches to the bad guys. After you've done basic hardening, make the life of the cracker harder (otherwise it's not funny for him ahah).
Monitoring bandwidth (possibly on another bastion machine) can also be good. Outbound/inbound. If during the night you see a peak of traffic, there's something wrong..

Also do not forget to make regular backups.
My rule:
- Do everything to not get cracked
- I will be cracked, so what should I do in this case? After compromise, it's too late. Yes, this costs money for something only potential... but sometimes less money than reinstalling or re-asking all your customers for their information.

As soon as a door has been found, it's your system security that'll be checked. If you have rogue accounts or poor passwords or an old kernel, etc., it won't take long.

Now I'll be fussy: for the people who say that leaving _unneeded_ services listening on localhost is not a risk: well, if somebody manages to get onto your machine as a user, or uses an open service to bounce onto this localhost service, he can get higher privileges or send spam or whatever.


Sleep well


ps:
dickeyp, can you scan my machine also, it's www .microsoft.com (I swear)
 
Old 09-14-2007, 10:10 AM   #19
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Original Poster
... microsoft.com ... I would be interested to see that scan. Maybe I'll scan it if I get bored after work. Thanks for all the advice, it is very sound. One question though. How come I can't get rid of 113? Even when it is stealthed just like the others, scans see it as closed? This is very irritating for me. Also, how do I make 10000 just available on localhost?
It's webmin, btw. Although when you try to connect from the outside it doesn't let you, I would still like it to go away from the scans.

nomb
 
Old 09-14-2007, 11:26 AM   #20
dickeyp
LQ Newbie
 
Registered: Sep 2007
Posts: 8

Quote:
Originally Posted by nx5000
ps
dickeyp, can you scan my machine also, it's www .microsoft.com (I swear)

I knew it was you Mr Gates.

I agree with ya nx5000. Security at all levels.
 
Old 09-14-2007, 01:31 PM   #21
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by nomb
How come I can't get rid of 113? Even when it is stealthed just like the others, scans see it as closed?
Could you post your basic active iptables configuration?
Code:
iptables -nvL
Your firewall rules should be taking care of this, so I suspect something is not right. "Closed" means the scanner did receive a reply, so the port is NOT stealthed. FYI port 113 is Ident.

Quote:
Also, how do I make 10000 just available on localhost?
Its, webmin btw.
I'm not familiar with Webmin, but a quick Google seems to indicate the setting is in the "Ports and Addresses" section of its interface.
 
Old 09-17-2007, 10:25 AM   #22
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Original Poster
Well, this was my firewall apparently... My firewall wasn't being executed on startup...
Code:
Chain INPUT (policy ACCEPT 196K packets, 35M bytes)
 pkts bytes target     prot opt in     out     source               destination
  174 15974 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,115

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 142K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
  146 13294 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
I have now turned my firewall on. Could you please re-scan me?

nomb
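An added example (mine, not nomb's or win32sux's code) that reads `iptables -nvL` output like the listing above and reports built-in chains which accept by default and can never reach a DROP or REJECT rule, even through a jump to a user chain such as fail2ban-ssh. That is the state a firewall script that never ran leaves behind. The sample is the listing from the post with its wrapped rule line rejoined.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
COUNT_RE = re.compile(r"^\d+[KMGT]?$")  # iptables abbreviates big counters (196K, 35M)
BLOCKING = {"DROP", "REJECT"}

def parse_iptables_nvl(text):
    """Map chain name -> {"policy": str | None, "targets": [...]}; user chains have no policy."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "targets": []}
            continue
        f = line.split()
        # Rule rows start with a packet counter; headers and wrapped match text do not.
        if current and len(f) >= 3 and COUNT_RE.match(f[0]):
            chains[current]["targets"].append(f[2])
    return chains

def reaches_blocking_rule(chains, name, seen=frozenset()):
    """True if the chain, or any user chain it jumps to, contains a DROP or REJECT."""
    if name in seen:  # guard against chains that jump to each other
        return False
    return any(t in BLOCKING or (t in chains and reaches_blocking_rule(chains, t, seen | {name}))
               for t in chains.get(name, {"targets": []})["targets"])

def unfiltered_chains(text):
    """Built-in chains that accept by default and can never drop a packet,
    which is what a listing looks like when the firewall script has not run."""
    chains = parse_iptables_nvl(text)
    return [n for n, c in chains.items()
            if c["policy"] == "ACCEPT" and not reaches_blocking_rule(chains, n)]

# The listing nomb posted, with its wrapped rule line rejoined.
NO_FIREWALL = """\
Chain INPUT (policy ACCEPT 196K packets, 35M bytes)
 pkts bytes target     prot opt in     out     source               destination
  174 15974 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,115
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 142K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
  146 13294 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""
```

`unfiltered_chains(NO_FIREWALL)` returns all three built-in chains, because the only rule present jumps to fail2ban-ssh, whose RETURN never blocks anything; on a listing whose INPUT policy is DROP, INPUT is not reported.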
 
Old 09-18-2007, 10:50 AM   #23
dickeyp
LQ Newbie
 
Registered: Sep 2007
Posts: 8

Not shown: 1693 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
113/tcp closed auth


Looking much better. I'd lock down what IPs can connect on ftp and ssh though.
 
Old 09-18-2007, 11:08 AM   #24
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Original Poster
Man, I still can't get port 113 to go away...
I host people's Linux webpages for them.
What would you recommend as far as how to lock down 22 and ssh?

nomb
 
  

