LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-13-2006, 04:29 AM   #1
NuxIT
ssh security concern?


Hi Linux people

I usually set up my laptop at home with SSH enabled so I can ssh in and toy around while I'm at work. I don't really care about the security of the laptop since it doesn't really have anything on it, but I like to see how secure it is. I had to configure my router to forward the ssh port I'm using so I can connect to my ssh server on the laptop. Well, I pretty much locked it down from anyone accessing my ssh port outside of the host I specified in /etc/hosts.allow, and this works great (I think). From my tests anyway.

I'm just wondering what risk it might pose having someone telnet or nc to my ssh port? I noticed if I run a telnet to my ssh port it comes up like this:

Code:
SSH-1.99-OpenSSH_3.8.1p1 Debian-8.sarge.4
get http
Protocol mismatch.

Connection to host lost.

C:\WINDOWS\system32>

Obviously they could see the ssh version I'm using, which could be a security concern. But I'm wondering if commands can be executed from this connection? I typed get http and it just disconnected. I didn't expect any results from that since it's not running http. Just curious if anyone has experimented with this. Also, I need to mess around a little more with netcat.
 
Old 07-13-2006, 04:32 AM   #2
spooon
No, this is normal.
 
Old 07-13-2006, 04:35 AM   #3
b0uncer
You could add to that by setting up iptables on your laptop and making it DROP all traffic other than what you want to pass through (ssh from the certain host), even telnet traffic to the ssh port. That way, if your router did let telnet pass to your ssh port, iptables would simply drop the traffic (meaning it wouldn't let it pass and wouldn't make any noise about it, just be quiet about it), thus making the situation look like there's nothing that could respond.

Another thought: what if you ran a portscan (using nmap for example) on your laptop? That's something that probably shows some information about your laptop.
 
Old 07-13-2006, 06:34 AM   #4
NuxIT
Quote:
Originally Posted by b0uncer
You could add to that by setting up iptables on your laptop and make it DROP all other traffic than that you want to pass through (ssh from the certain host), even block telnet traffic to ssh port. That way if your router did let telnet pass to your ssh port, iptables would simply drop the traffic (meaning it wouldn't let it pass and wouldn't keep any noise about it, just be quiet about it) thus making the situation look like there's nothing that could respond.

Another thought: what if you ran a portscan (using nmap for example) on your laptop? That's something that probably shows some information about your laptop.

Hi b0uncer. Thanks for these tips. You actually can specify that it drops all traffic except for ssh sshd using the hosts.allow file:

Code:
ssh sshd:10.16.0.51 : ALLOW

I would like to learn more about setting up iptables and stuff so I can be more experienced with that. I just found it much easier and quicker for me to use the hosts files. Anyways, here is what my iptables show with nothing setup. Is this normal for iptables? I need to read up and learn iptables.

Code:
root@nuxbox:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Old 07-13-2006, 06:53 AM   #5
b0uncer
Yes, that's a perfectly normal (clean) iptables setup. There are always (at least) 3 chains ("passages" through which all the traffic goes) in iptables: INPUT for incoming traffic, FORWARD for forwarded traffic and OUTPUT for outgoing traffic, and all of those have policy ACCEPT in your setup (meaning that all traffic is allowed to pass). You can define more chains yourself to build up a more complex firewall, for example chains for logging certain types of traffic or chains that forward certain traffic. The three most-used policies/rules are ACCEPT (let pass), DENY (don't let pass) and DROP (like DENY, but without any output = silent); with those one can build up a basic firewall.

You control iptables normally via command line, creating rules one by one, and finally using iptables-save to create the whole set of rules that you can then save into a file that gets loaded at bootup. Iptables is usually used to create a firewall, route stuff, do NAT'ing, masquerading, log events to detect port scans (for example) etc. The iptables man page explains very well how it works - it's simple. Like

Code:
iptables -P INPUT DROP
iptables -A INPUT -p udp -j ACCEPT
which would first define the INPUT chain's policy to be DROP (i.e. to drop everything that's not explicitly permitted), and the second line would then append a rule to the INPUT chain that would permit (-j ACCEPT) udp protocol (-p udp) to pass through. Basically it's simple like that. Many people write a script with the rules, which is easy to run and modify, and the script runs iptables-save in the end to produce the correct output that's then directed to a file that actually sets the rules every time it's needed (like when you boot).

EDIT: when you add your rules to iptables, the "iptables -L" will show them; when you only have a flushed (clean) iptables setup with policies set to ACCEPT, you get an output like the one in your post. You can safely try things (and do "iptables -L" to see the effect), since reverting back to the original state (clearing all iptables rules) goes like this:

Code:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Just keep in mind: the commands are case sensitive and start working as soon as you press ENTER to accept the command line. In the above code, "-F" flushes all the created rules (deletes them), then "-X" clears all the non-builtin chains (so only INPUT, OUTPUT and FORWARD are left) and then the three last lines set the default policies for the built-in chains to be ACCEPT. In addition, if you do not forward the output of "iptables-save" into the file that gets loaded at boot, your iptables configuration is reverted back to normal when you boot. So you can safely play around and if you "get stuck", simply run the above commands and you're OK. When you want to save your settings "permanently", use
Code:
iptables-save > iptables_file
where iptables_file is the file from which you want to load your iptables rules at bootup (or at will).

Last edited by b0uncer; 07-13-2006 at 07:03 AM.
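The "default DROP, allow ssh from one trusted host" firewall described in this post, written out as a script; this is an added example, not code from the thread. It assumes the ssh port is 22, the trusted host is 10.16.0.51 (the address from the hosts.allow line above) and that the rules are persisted to /etc/iptables.rules (an assumed path). It also adds the two rules a bare "policy DROP" setup needs in practice: loopback traffic and reply packets of established connections.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: ssh on port 22,
# trusted host 10.16.0.51, rules persisted to /etc/iptables.rules.
SSH_PORT=22
TRUSTED_HOST=10.16.0.51
RULES_FILE=/etc/iptables.rules

# Emit the rule set, one command per line. Keeping it in a function lets
# you review (or diff) the rules before anything touches the kernel.
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $TRUSTED_HOST --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
}

# Number of commands in the rule set (handy as a sanity check).
rule_count() { build_rules | wc -l | tr -d ' '; }

# Apply the rules (needs root), then persist them so they survive a reboot;
# 'sh -e' stops at the first failing iptables command instead of continuing
# with a half-built ruleset.
apply_rules() {
    build_rules | sh -e
    iptables-save > "$RULES_FILE"
}

# Only apply when run as root with the explicit "apply" argument;
# otherwise just print the rule set for review.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Everything not matched by an ACCEPT rule (a telnet to the ssh port from any other address included) falls through to the INPUT policy and is silently dropped; restoring the saved file at boot is done with iptables-restore < /etc/iptables.rules.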
 