Linux - Security (LinuxQuestions.org forum)
#1 | 07-13-2006, 04:29 AM
Member | Registered: Jul 2003 | Location: Westminster, CO | Distribution: xUbuntu | Posts: 144
ssh security concern?
Hi Linux people,
I usually set up my laptop at home with SSH enabled so I can ssh in and toy around while I'm at work. I don't really care about the security of the laptop since it doesn't really have anything on it, but I like to see how secure it is. I had to configure my router to forward the ssh port I'm using so I can connect to my ssh server on the laptop. Well, I pretty much locked it down from anyone accessing my ssh port outside of the host I specified in /etc/hosts.allow, and this works great (I think). From my tests anyway.
I'm just wondering what risk it might pose having someone telnet or nc to my ssh port? I noticed if I run a telnet to my ssh port it comes up like this:
Code:
SSH-1.99-OpenSSH_3.8.1p1 Debian-8.sarge.4
get http
Protocol mismatch.
Connection to host lost.
C:\WINDOWS\system32>
Obviously they could see the ssh version I'm using, which could be a security concern. But I'm wondering if commands can be executed from this connection? I typed "get http" and it just disconnected. I didn't expect any results from that since it's not running http. Just curious if anyone has experimented with this. Also, I need to mess around a little more with netcat.
#2 | 07-13-2006, 04:32 AM
Senior Member | Registered: Aug 2005 | Posts: 1,755
No, this is normal.
#3 | 07-13-2006, 04:35 AM | b0uncer
LQ Guru | Registered: Aug 2003 | Distribution: CentOS, OS X | Posts: 5,131
You could add to that by setting up iptables on your laptop and making it DROP all traffic other than what you want to pass through (ssh from the certain host), even blocking telnet traffic to the ssh port. That way, if your router did let telnet pass to your ssh port, iptables would simply drop the traffic (meaning it wouldn't let it pass and wouldn't make any noise about it, just be quiet about it), thus making the situation look like there's nothing there that could respond.
Another thought: what if you ran a portscan (using nmap, for example) on your laptop? That's something that probably shows some information about your laptop.
#4 | 07-13-2006, 06:34 AM | Original Poster
Member | Registered: Jul 2003 | Location: Westminster, CO | Distribution: xUbuntu | Posts: 144
Quote (Originally Posted by b0uncer):
You could add to that by setting up iptables on your laptop and make it DROP all other traffic than that you want to pass through (ssh from the certain host), even block telnet traffic to ssh port. That way if your router did let telnet pass to your ssh port, iptables would simply drop the traffic (meaning it wouldn't let it pass and wouldn't keep any noise about it, just be quiet about it) thus making the situation look like there's nothing that could respond.
Another thought: what if you ran a portscan (using nmap for example) on your laptop? That's something that probably shows some information about your laptop.
Hi b0uncer. Thanks for these tips. You actually can specify that it drops all traffic except for sshd using the hosts.allow file:
Code:
sshd: 10.16.0.51 : ALLOW
I would like to learn more about setting up iptables and stuff so I can be more experienced with that. I just found it much easier and quicker for me to use the hosts files. Anyway, here is what my iptables shows with nothing set up. Is this normal for iptables? I need to read up and learn iptables.
Code:
root@nuxbox:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#5 | 07-13-2006, 06:53 AM | b0uncer
LQ Guru | Registered: Aug 2003 | Distribution: CentOS, OS X | Posts: 5,131
Yes, that's perfectly normal (clean) iptables setup. There are always (at least) 3 chains ("passages" through which all the traffic goes) in iptables, INPUT for incoming traffic, FORWARD for forwarded traffic and OUTPUT for outgoing traffic, and all of those have policy ACCEPT in your setup (meaning that all traffic is allowed to pass). You can define more chains yourself to build up a more complex firewall, for example chains for logging certain type of traffic or chains that forward certain traffic. The three most-used policies/rules are ACCEPT (let pass), DENY (don't let pass) and DROP (like DENY, but without any output = silent); with those one can build up a basic firewall.
You control iptables normally via command line, creating rules one by one, and finally using iptables-save to create the whole set of rules that you can then save into a file that gets loaded at bootup. Iptables is usually used to create a firewall, route stuff, do NAT'ing, masquerading, log events to detect port scans (for example) etc. The iptables man page explains very well how it works - it's simple. Like
Code:
iptables -P INPUT DROP
iptables -A INPUT -p udp -j ACCEPT
which would first define the INPUT chain's policy to be DROP (i.e. to drop everything that's not explicitly permitted), and the second line would then append a rule to the INPUT chain that would permit (-j ACCEPT) udp protocol (-p udp) to pass through. Basically it's simple like that. Many people write a script with the rules, which is easy to run and modify, and the script runs iptables-save in the end to produce the correct output that's then directed to a file that actually sets the rules every time it's needed (like when you boot).
EDIT: when you add your rules to iptables, the "iptables -L" will show them; when you only have a flushed (clean) iptables setup with policies set to ACCEPT, you get an output like the one in your post. You can safely try things (and do "iptables -L" to see the effect), since reverting back to the original state (clearing all iptables rules) goes like this:
Code:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Just keep in mind: the commands are case sensitive and start working as soon as you press ENTER to accept the command line. In the above code, "-F" flushes all the created rules (deletes them), then "-X" clears all the non-builtin chains (so only INPUT, OUTPUT and FORWARD are left) and then the three last lines set the default policies for the built-in chains to be ACCEPT. In addition, if you do not forward the output of "iptables-save" into the file that gets loaded at boot, your iptables configuration is reverted back to normal when you boot. So you can safely play around and if you "get stuck", simply run the above commands and you're OK. When you want to save your settings "permanently", use
Code:
iptables-save > iptables_file
where iptables_file is the file from which you want to load your iptables rules at bootup (or at will).
Last edited by b0uncer; 07-13-2006 at 07:03 AM.
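As an added example (not code from the thread or from b0uncer), the following script builds the rule set described in posts #3 and #5: ssh allowed only from one trusted host, everything else silently dropped, plus the reset sequence to get back to the open state. The trusted host 10.16.0.51 is taken from post #4 and port 22 is assumed; the script only prints the commands unless run as root with APPLY=1.

```sh
#!/bin/sh
# Added example: emit the iptables commands for an "ssh from one host only"
# laptop firewall. Assumed values: trusted host 10.16.0.51, ssh port 22.

# Emit the rule commands, one per line. Arguments: trusted host, ssh port.
ssh_only_rules() {
    host="$1"; port="${2:-22}"
    # Start clean: flush rules, delete user-defined chains, zero counters.
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -Z"
    # Default policies. Note: -P takes the policy name directly, without -j.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback must stay open or local services break.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the laptop opened itself (updates, browsing).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The one exception: new ssh connections from the trusted host only.
    echo "iptables -A INPUT -p tcp -s $host --dport $port -m state --state NEW -j ACCEPT"
    # Log other hits on the ssh port (rate-limited) before the DROP policy
    # eats them: a telnet/nc banner grab from elsewhere shows up here
    # instead of receiving the SSH version string.
    echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix 'ssh-drop: '"
}

# The reset sequence from post #5, back to the fully open state.
reset_rules() {
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
}

# Run each command only as root with APPLY=1; otherwise print it (dry run).
run_or_print() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

ssh_only_rules 10.16.0.51 22 | run_or_print
```

After applying, check the result with "iptables -L -n -v" and persist it with "iptables-save > iptables_file" as described above; RESET=1 is not provided, so run "reset_rules | run_or_print" by hand if you lock yourself out locally.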