Linux - Security | This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 10-15-2007, 07:02 PM | Member (firedancer) | Registered: Apr 2007 | Posts: 146
Running a home server, what security measures should I take?
Well, after running smoothly for a few weeks, someone has been poking around; I've seen it in my error.log,
and now someone has established a connection, as I speak, for too long to me:
tcp 0 0 10.0.0.9:1580 66.35.251.22:9000 ESTABLISHED
I'm not paranoid, but I want to make sure "evil" folks don't compromise the PCs of people who (I ask to) come to my site, through getting their MAC address and such.
I have a DHCP server.
I'm busy with iptables, installed nmap, and noticed arpwatch,
so I'm reading,
but what I want is some advice for a newcomer (who's proudly running a simple webserver).
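An added example (not from the thread) of how to triage a listing like the netstat line above: print every ESTABLISHED TCP socket whose peer is outside loopback and the RFC 1918 private ranges, so the one connection that does not belong to the LAN stands out. The sample listing is constructed (only the 66.35.251.22:9000 line is taken from the post); on a live box you would pipe `netstat -tn` into the function and then run `ss -tnp` or `netstat -tnp` as root to see which process owns that socket.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -tn` (Proto Recv-Q Send-Q Local Foreign State).
# Only the 66.35.251.22:9000 line comes from the thread; the other lines are made up.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.9:80           10.0.0.5:51234        ESTABLISHED
tcp        0      0 10.0.0.9:1580         66.35.251.22:9000     ESTABLISHED
tcp        0      0 10.0.0.9:22           192.168.1.20:4000     ESTABLISHED
tcp        0      0 127.0.0.1:3306        127.0.0.1:45000       ESTABLISHED
tcp        0      0 10.0.0.9:80           203.0.113.7:55555     TIME_WAIT'

# Read netstat -tn style lines on stdin and print "local remote" for every
# ESTABLISHED TCP socket whose peer is neither loopback nor RFC 1918 (IPv4 only).
external_established() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        split($5, r, ":"); split(r[1], o, ".")
        a = o[1] + 0; b = o[2] + 0
        private = (a == 10) || (a == 127) || (a == 192 && b == 168) || (a == 172 && b >= 16 && b <= 31)
        if (!private) print $4, $5
    }'
}

# Demo: the single session to a public address is the only line reported.
printf '%s\n' "$SAMPLE_NETSTAT" | external_established
# Live use:  netstat -tn | external_established
# then `ss -tnp` (or `netstat -tnp`) as root to map the socket to its PID and program name.
```

Knowing the owning process is the real question: a web server talking to a remote port 9000 is far more interesting than a browser on the same box doing so, and the PID tells you which it is.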
#2 | 10-16-2007, 08:03 AM | Member, Original Poster (firedancer) | Registered: Apr 2007 | Posts: 146
No love, right?
I just want to say that from the last 3/4 threads/questions I posted, I only got an answer that wasn't needed;
I asked about starting a server, not even a hint; after a week I was going to give up, I woke up on the 8th day and did it all myself,
because actually nothing is too difficult,
read and do and learn is my method.
My question is, should I keep on posting or should I just read threads on the internet and be done?
I know that one doesn't always get an answer, but I was wondering, because lately it feels like, whatever.
This is probably how I experience it and has nothing to do with others,
maybe my questions aren't clear or so.
Any mod can remove this post,
just a little disappointed.
I shouldn't have started this thread, I guess; I'm better off reading the threads anyway.
#3 | 10-16-2007, 09:17 AM | Moderator (unSpawn) | Registered: May 2001 | Posts: 29,415
I'm sorry to see you're disappointed. Most of the time it has nothing to do with *you*. LQ is a volunteer-driven community effort relying on its members to supply answers when they can and want to. You can't nor shouldn't rely on it for 24/7 OTF replies. I'll check in later today since I gotta run right now.
#4 | 10-16-2007, 10:26 AM | Member, Original Poster (firedancer) | Registered: Apr 2007 | Posts: 146
That already made me feel a little better, unSpawn.
> LQ is a volunteer-driven community effort relying on its members to supply answers when they can and want to.
I know.
> You can't nor shouldn't rely on it for 24/7 OTF replies. I'll check in later today since I gotta run right now.
I understand, that's why I said it's just me, today!
And there's a lot of reading material, so I shouldn't be disappointed.
----> thnx for the reaction
firedancer
#5 | 10-16-2007, 10:44 AM | Member (dguitar) | Registered: Jun 2005 | Location: Portland, ME | Distribution: Slackware 13, CentOS 5.3, FBSD 7.2, OBSD 4.6, Fedora 11 | Posts: 122
Well, here is a start that might be helpful. Port 9000 looks like it is related to something called CSlistener. The only thing I could find out about it is that it might have to do with Websphere - but not really any good info out there at first glance. The IP (66.35.251.22) is owned by a company called SAVVIS, INC. (http://whois.sc will tell you that type of info.)
As for firewalls, if you are new to Linux/networking and use a GUI for your server, Firestarter might be a good option for you. You might also want to read over the thread that is stickied in this section about failed SSH attempts.
And when it comes to security, paranoia is your friend.
Hope that helps.
Last edited by dguitar; 10-16-2007 at 10:45 AM.
#6 | 10-16-2007, 11:12 AM | LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
What services are running on your server ? Is it strictly a webserver ? FTP ? SSH ?
You could look at a solution to monitor file integrity on your server. These products will monitor your files for changes, and if they are changed it can put back the originals and notify you of the attempted change.
http://sourceforge.net/projects/tripwire/
http://www.la-samhna.de/samhain/
http://osiris.shmoo.com/
Use firestarter or Guarddog to manage your firewall. These GUI helper apps will make it easier for you to configure your firewall securely if you are unfamiliar with iptables.
fail2ban - a program that monitors your services (SSH, FTP, etc..) for failed login attempts, and then modifies firewall rules on the fly to block login attempts from malicious users.
Not sure how far you want to go with this, so that's a few suggestions for you to look at.
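To make the file-integrity idea concrete, here is an added, deliberately small baseline-and-compare check built on sha256sum. It is not tripwire, samhain or osiris and does not restore anything; it only shows the core mechanism those tools wrap (record hashes once, later report CHANGED, MISSING and NEW files). The demo tree and its file names are constructed for the example.

```shell
#!/bin/sh
# Added example: baseline-and-compare file integrity check with sha256sum.
# Keep the baseline somewhere the server itself cannot rewrite (read-only media, another host),
# otherwise an intruder who changes files can also change the baseline.

# fim_baseline DIR BASELINE_FILE: record "hash  path" for every regular file under DIR.
fim_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# fim_check DIR BASELINE_FILE: print CHANGED / MISSING / NEW lines; return 1 if anything differs.
# (The baseline must be non-empty for the NR == FNR two-file awk idiom to work.)
fim_check() {
    fim_current=$(mktemp)
    fim_baseline "$1" "$fim_current"
    fim_report=$(awk '
        NR == FNR { base[$2] = $1; next }          # first file: the baseline
        {                                          # second file: current state
            if (!($2 in base)) print "NEW " $2
            else {
                if (base[$2] != $1) print "CHANGED " $2
                delete base[$2]
            }
        }
        END { for (p in base) print "MISSING " p }' "$2" "$fim_current")
    rm -f "$fim_current"
    if [ -n "$fim_report" ]; then
        printf '%s\n' "$fim_report"
        return 1
    fi
    return 0
}

# Demo on a throwaway tree: one file modified, one deleted, one added after the baseline.
fim_demo() {
    fim_work=$(mktemp -d)
    mkdir -p "$fim_work/www" "$fim_work/cgi-bin"
    printf 'index\n' > "$fim_work/www/index.html"
    printf 'about\n' > "$fim_work/www/about.html"
    printf 'v1\n'    > "$fim_work/cgi-bin/env.cgi"
    fim_baseline "$fim_work" "$fim_work.baseline"
    printf 'v2\n'    > "$fim_work/cgi-bin/env.cgi"   # simulate a tampered script
    rm -f "$fim_work/www/about.html"                 # simulate a deleted page
    printf 'x\n'     > "$fim_work/www/dropped.php"   # simulate an unexpected new file
    fim_check "$fim_work" "$fim_work.baseline" | sort
    rm -rf "$fim_work" "$fim_work.baseline"
}

fim_demo
```

In practice you would baseline the document root, /etc and the CGI directories right after installation, rerun the check from cron, and treat any NEW file in a web-writable directory as an incident until explained.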
#7 | 10-17-2007, 08:57 AM | LQ Newbie (jweller) | Registered: Sep 2003 | Distribution: fedora, ubuntu, uclinux | Posts: 23
This PDF has a pretty good checklist of things to run through and lock down. It's by no means complete, but it's a pretty good start IMHO:
http://www.sans.org/score/checklists...9dd1a7bb22618c
#8 | 10-17-2007, 09:14 AM | LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
Quote: Originally Posted by jweller
Good call. I always forget about those guides when someone asks a question like this.
#9 | 10-17-2007, 09:26 PM | LQ Guru | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 11,050
You can cut out an awful lot of things just with a firewall router, immediately downstream from your cable or DSL box. Yep, the "stateful firewalls" that they provide out-of-the-box are usually quite good.
Beyond that, you need to carefully consider ... exactly what programs you intend to run on your box; exactly what ports will be used and for what purpose; and by what means an outsider might somehow be able to obtain a shell session or its equivalent on your box, however briefly.
If you take simple precautions and "simply plan," you can stop most intruders long enough to make them simply wander on in search of "easier pickings." When there are millions upon millions of systems out there that are utterly unprotected, they play the numbers.
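As an added example of the "decide exactly which ports and why" planning above, here is a default-deny, stateful iptables INPUT policy for a box that only serves HTTP and is managed over SSH. It is not from the thread. The `run` wrapper and the `DRY_RUN` variable are my conventions: with `DRY_RUN` non-empty the script prints the commands instead of executing them, so it can be reviewed (or run here) without root.

```shell
#!/bin/sh
# Added example: default-deny, stateful INPUT policy for a web server administered over SSH.
# Rules are added first and the DROP policy is set last, so an SSH session used to apply
# them keeps working. DRY_RUN non-empty prints the commands instead of running them.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN-1}   # default to preview; run as root with DRY_RUN= (empty) to apply

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_web_policy "22 80": accept new TCP connections only on the listed ports.
apply_web_policy() {
    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    for port in $1; do
        run "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log (rate limited) what is about to be dropped, so scans show up in the kernel log.
    run "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P INPUT DROP
}

# Preview the ruleset for a plain web server reachable over SSH.
apply_web_policy "22 80"
```

Every port not in the list is dropped by policy rather than by a rule, so adding a service later is a conscious decision (append its port) instead of something that silently works because nothing blocked it. The LOG line is what lets you later answer "was I scanned?" from the kernel log.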
#10 | 10-17-2007, 10:35 PM | Member, Original Poster (firedancer) | Registered: Apr 2007 | Posts: 146
Thnx guys, I had a look into iptables, cheops, Rootkit Hunter and played with the "permissions" (chmod) of certain directories like logs etc., just to start somewhere.
Right now it's a basic webserver, but I'm thinking of ftp, mail and others.
I was thinking of the GUI firestarter, to see if I can apt-get that, but I'm a little familiar with Linux OSs; I was thinking of writing a script or so, there are many, also on this forum.
Well, about security, I've been getting stuff like this in my error.log:
123.4.125.169 - [17/Oct/2007 08:56:31 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
123.4.125.169 - [17/Oct/2007 08:56:32 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
200.12.212.117 - [17/Oct/2007 18:23:35 -0400] [error 403] Forbidden http://localg4.techiemedia.net/env2.php
and that is not a good sign; that's the reason for my concern too, I just noticed it in the log.
I will check other measures like fail2ban or so.
And many thanks to you; you (guys) cleared up many of my doubts,
firedancer
Last edited by firedancer; 10-17-2007 at 10:40 PM.
#11 | 10-19-2007, 01:56 PM | Member, Original Poster (firedancer) | Registered: Apr 2007 | Posts: 146
Doesn't this look bad? I'm 127.0.0.1,
127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:42 -0400] [error 404] Not Found /images/public/cc-GPL-a.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/tbt-wheel.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/impakt.png
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/jetsetwilly.png
127.0.0.1 = localhost
I never tried finding these things on my server; what's up with this?
Busy securing the server, hopefully I'm not too late,
just reinstall then on the a$$!@LE THEN
#12 | 10-19-2007, 02:17 PM | Member | Registered: Oct 2007 | Distribution: rhel, fedora, gentoo, ubuntu, freebsd | Posts: 104
Getting 403's and 404's is pretty normal, and nothing to be worried about. Getting traffic from localhost is a valid concern, if and only if you are neither browsing from the webserver itself nor browsing via an ssh proxy. If you're browsing your own site from localhost, those 404's are broken links on pages.
Getting spurious requests for things that don't exist is pretty normal background noise, and nothing to panic about.
What you need to be more concerned about is vulnerable webapps (eg: old exposed versions of awstats, old versions of phpbb), exploitable versions of listening services (eg: misconfigured samba, very old apache versions, very old php versions), and weak user passwords on your sshd.
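The distinction this reply draws (404s and 403s are noise, localhost traffic only matters if you were not the one browsing) can be applied mechanically to the error.log lines quoted earlier in the thread. The following is an added example, not part of any post: it buckets each line by client IP and by what was requested. The sample lines are the ones already shown in the thread; the class names and the interpretation of a full URL in the request as a relay (open proxy) check are mine.

```shell
#!/bin/sh
# Added example: classify error.log lines of the format quoted in the thread.
# Sample = the lines already posted above (not new data).
SAMPLE_ERRLOG='123.4.125.169 - [17/Oct/2007 08:56:31 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
123.4.125.169 - [17/Oct/2007 08:56:32 -0400] [error 403] Forbidden http://bearbaby.s9.x-beat.com/ip.cgi
200.12.212.117 - [17/Oct/2007 18:23:35 -0400] [error 403] Forbidden http://localg4.techiemedia.net/env2.php
127.0.0.1 - [17/Oct/2007 05:17:41 -0400] [error 404] Not Found /favicon.ico
127.0.0.1 - [18/Oct/2007 17:24:55 -0400] [error 404] Not Found /pics/tbt-wheel.png'

# classify_errlog: stdin = log lines in the format above, stdout = "count ip class", sorted.
#   proxy-probe   the request named another host's full URL, i.e. asked this server to relay
#                 it (a check for an open proxy); the 403 shows the server refused, as it should
#   favicon       browsers request /favicon.ico on their own; a missing one is harmless
#   missing-path  any other 404 for a local path: a broken link, or a probe for a file you lack
#   other         anything else; read those by hand
classify_errlog() {
    awk '{
        status = $7; sub(/\]/, "", status)      # "403]" -> "403"
        target = $NF                            # requested URL or path is the last field
        if (target ~ /^https?:\/\//)       class = "proxy-probe"
        else if (target == "/favicon.ico") class = "favicon"
        else if (status == "404")          class = "missing-path"
        else                               class = "other"
        count[$1 " " class]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Lines from 127.0.0.1 only matter if nobody was browsing from the server itself
# (or through an ssh tunnel to it); grouping by IP makes that the first thing you see.
printf '%s\n' "$SAMPLE_ERRLOG" | classify_errlog
```

The "proxy-probe" bucket is the one worth a second look, not because it succeeded (the 403 says it did not) but because a server that ever starts answering those with 200 has just become somebody's open proxy; counting them per IP over time tells you whether the same sources keep trying.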
#13 | 10-19-2007, 02:32 PM | LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
/favicon.ico is the icon for your site that will show up in the URL bar of the browser, or next to the bookmark for the site, IF you have created this icon and placed it on the web server. So it is definitely normal for it to be missing if you have not created one.
#14 | 10-24-2007, 11:39 AM | Member, Original Poster (firedancer) | Registered: Apr 2007 | Posts: 146
Is Bastille front-end based or what?
I just had a fresh Debian etch 4.01 install and followed the "howto setup perfect debian etch" document.
Webserver (apache), ftp, ssh, msql is what I have set up.
I have no GUI and am not thinking of adding one.
This is a new area for me so my questions can sound silly,
but apache works; I'll have to see whether I can set up a static IP, web redirect to URL, and I'm trying first; if I have any more Qs (I checked with IP address), I'll post in the server forum.
Linux is not McDonald's but "I'm Loving IT"
#15 | 10-24-2007, 03:19 PM | Member, Original Poster (firedancer) | Registered: Apr 2007 | Posts: 146
I'm proceeding in this thread with these Qs; if I should start another, please let me know.
I'm trying to install rkhunter on my (GUI-less) server,
I'm having problems using ./installer.sh to install the program, and isn't that for systems with a GUI? I think I read something like that; I never installed using that.
Second question: I need advice on options for installing samhain; is the default OK? I'm a noob, so that's why the question; I'll read, but in the meanwhile some clarity (advice) will do.
thnx in advance
firedancer