Linux - Security (LinuxQuestions.org forum)
I'm running Slackware 9.1 which I only installed this week, so I'm not experienced at all. I am up to date in my patches, I run no unnecessary services, and I have a basic firewall up. Here is my firewall script:
# Drop everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow established connections and programs that use loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
Now... I'm being attacked, right now, as I type this. I'm not getting much beyond port scans, but I have friends (who use the same ISP) who are also being scanned and taking more serious attacks (all Windows users behind Sygate). The attacks are all coming from the same IP.
So my main question is, can anybody see any serious problems with my security that I should worry about? And, what is the best way to react in a situation like this? Is there any way I can trace them and report them to their ISP?
Any help you can give me would be appreciated. This is a bit much for a newbie such as I.
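An added example (not the poster's script) showing how a default-deny firewall like the one above can be made to tell you what it is dropping: a rate-limited LOG rule, a constructed sample of the syslog lines it produces, and an awk helper that summarises them per source. The interface name ppp0 and the DST address are assumptions; the source addresses are the two the thread later names.

```shell
#!/bin/sh
# Added example, not the poster's script: default-deny firewall plus a
# rate-limited LOG rule, and an awk helper that summarises the log lines.
apply_rules() {
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # Log what is about to be dropped, at most 5 lines/min (burst 10), so
    # scans show in /var/log/messages without flooding it. Policy DROP
    # still applies after this rule.
    iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
}

# Constructed sample of the resulting syslog lines. Interface name and the
# DST address are assumptions; the sources are the two the thread names.
SAMPLE_LOG=$(cat <<'EOF'
Dec 12 20:01:15 slack kernel: FW-DROP: IN=ppp0 OUT= SRC=203.221.244.149 DST=10.0.0.5 PROTO=TCP SPT=3310 DPT=135 SYN
Dec 12 20:01:15 slack kernel: FW-DROP: IN=ppp0 OUT= SRC=203.221.244.149 DST=10.0.0.5 PROTO=TCP SPT=3311 DPT=139 SYN
Dec 12 20:01:16 slack kernel: FW-DROP: IN=ppp0 OUT= SRC=203.221.244.149 DST=10.0.0.5 PROTO=TCP SPT=3312 DPT=445 SYN
Dec 12 20:03:40 slack kernel: FW-DROP: IN=ppp0 OUT= SRC=203.220.216.53 DST=10.0.0.5 PROTO=TCP SPT=4001 DPT=135 SYN
Dec 12 20:05:02 slack kernel: FW-DROP: IN=ppp0 OUT= SRC=203.220.216.53 DST=10.0.0.5 PROTO=TCP SPT=4002 DPT=135 SYN
EOF
)

# Reads syslog lines on stdin; prints "SRC packets distinct-ports", busiest
# source first. Many distinct ports from one source is a port scan; one
# port hit repeatedly is a probe aimed at a specific service.
scan_summary() {
    awk '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            pkts[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in pkts) printf "%s %d %d\n", s, pkts[s], ports[s] }
    ' | sort -k2,2nr -k1,1
}

# Run "apply_rules" as root to load the firewall; here we only summarise.
printf '%s\n' "$SAMPLE_LOG" | scan_summary
```

On a live box the same summary comes from `grep 'FW-DROP:' /var/log/messages | scan_summary`, which is enough to see whether one source is walking your ports or many sources are hitting one port.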
But for now, I scanned them right back and found masses of open ports. I also found that they are from the French ISP Wanadoo. Tomorrow I'll call my ISP and tell them about it, maybe they can notify these Wanadoo people and some action can be taken. At least since I scanned them, their own attacks seem to have stopped.
What a piss off...
Again, thanks for the help, I'll be sure to read over those.
I'm not getting much beyond port scans
...which you can ignore if you're not interested. Else install an IDS like Snort. Its reporting will be much more verbose compared to firewall rules; in some cases it'll name the tool and describe any (possibly) malicious activity in a way that lets you determine the threat level.
(...)taking more serious attacks (All Windows users behind Sygate). The attacks are all coming from the same IP
What is serious in your opinion?
Post the IP?
So my main question is, can anybody see any serious problems with my security that I should worry about? And, what is the best way to react in a situation like this? Is there any way I can trace them and report them to their ISP?
No, I see nothing worrying in this picture. If you're not running services and don't harass ppl on the 'net, then the amount of scannage done IMHO largely depends on whether you're on a "popular" network range (lotsa innocent sheep with insecure boxen, ranges for worms to scan, etc etc), or whether the previous user of the IP (ppp, right?) did stuff ranging from waging war on IRC to ghosting P2P connections (which can be mistaken for scans). Of course there are other options, but without a tool like Snort it will be much harder for you to assess what exactly comes across the ocean...
If it persists, notifying their ISP would be SOP, but that usually doesn't get you anywhere. Blocking and not logging is your alternative. Since you scanned them, is it a Wintendo box?
If you want a comprehensive overview of security measures and such, please check out the LQ FAQ: Security references.
//moderator.note:
320mb: d/l and read the 2 pdf files here
320mb, I want you to stop spamming that we should D/L these PDFs. In the first place they're just conversions of the Linux Administrators Guide and the Network Administrators Guide; second, offering PDFs doesn't constitute an answer at LQ. If you can't offer an answer to a security question, please have the general netiquette to move on to a question you're willing to put some effort into answering. If you disagree, please take it up with me by email. TIA.
I hope I'm not intruding in this conversation unwanted. I had a few related questions and after reading about excessive postings I thought I would just try and jump into this one instead of creating a new post.
How can I shut down this X11 service? What is it exactly? I'm running RH 9 by the way.
(The 65534 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11
The more serious attacks I mentioned are pretty vague. In my friend's words, his firewall "went nuts" and he was disconnected. He dialed back in and the same happened again not long later.
The scans are still happening every few minutes even today, but now most of them come from IP addresses owned by my ISP (in Australia). Maybe from compromised computers?
I'm just guessing, I really know nothing about security beyond what I have learned in the past week.
A couple of IPs that have come up more than once today are 203.221.244.149 and 203.220.216.53
I'm reading up on Snort now, but it looks like I'm just going to have to wait this out. If nothing else it has motivated me to learn more about my system's security.
Thank you for all your help, it's very much appreciated.
install portsentry (blocks scans and IP addresses), install snort, configure your firewall well too, use a gui if necessary, and add "--no-listen tcp" option to X server startup (port 6000) or your startx command (if you start X from console).
shorewall is easier than "direct iptables rules"
test your firewall at sygate site
nmap your IP address
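An added example, not from the thread, for the X11 point above and the earlier "6000/tcp open X11" nmap result: the XFree86 server option that disables the TCP listener is spelled `-nolisten tcp` (single dash), and the check below parses `netstat -ltn` output to confirm nothing is still bound to a display port on a non-loopback address. The path /usr/X11R6/bin/X is the XFree86 location on RH 9 and Slackware 9.1; the netstat lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: stop X from listening on TCP 6000
# and verify it. The option is "-nolisten tcp" (single dash).

# For startx users: xinit runs ~/.xserverrc instead of the default server
# line when the file exists, so the option is applied on every start.
write_xserverrc() {
    printf 'exec /usr/X11R6/bin/X -nolisten tcp "$@"\n' > "$1"
}

# Reads "netstat -ltn" output on stdin and prints the local address:port
# of every TCP listener on a display port (6000-6009, displays :0-:9)
# that is not bound to 127.0.0.1. Empty output means X is not reachable
# from the network, which is what the nmap scan should then show too.
x11_tcp_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (port >= 6000 && port <= 6009 && addr != "127.0.0.1") print $4
        }'
}

# Constructed netstat output: X listening on all addresses, plus a local-only
# SMTP listener that must not be reported.
BEFORE=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
EOF
)
# The same box after restarting X with -nolisten tcp.
AFTER=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
EOF
)

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | x11_tcp_listeners)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | x11_tcp_listeners)"
```

On the real machine run `netstat -ltn | x11_tcp_listeners` before and after restarting X; for a display manager rather than startx, the same option goes on the server line of xdm's Xservers file.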
unSpawn: Don't you think that instead of spoon feeding him the answer, it would be better to point him in the right direction and let him find the answer himself? In doing so, he will also learn a lot more about Linux security. Also, what is wrong with posting a few e-books? As I already said, it will help him get the answer, and in the process he will learn a lot of useful info.
unSpawn: Don't you think that instead of spoon feeding him the answer, it would be better to point him in the right direction and let him find the answer himself?
First of all I usually don't talk much about approaches to solving problems here. Most of the time people do not want an elaborate explanation, background information let alone know about structurising troubleshooting and whatnot, but just want an answer. If that constitutes spoonfeeding ppl info, then I'm as guilty as hell all of my life and everywhere I've been.
Define "better". What is the "best" approach? What's the "best" way to tell a security expert, a forensics expert, a colo admin, a DBA, a manager, a student, a newbie? How do you assess, except by reading between the lines, how much effort ppl want to put in it?
In doing so, he will also learn a lot more about Linux security.
I agree, but partially. Solving one problem doesn't make ppl knowledgeable, unless you know what and where to look for. This isn't a newbie thing tho. A lot of professionals struggle with it too. Myself, I'm still learning, and there's A LOT I know zilch about.
Also, what is wrong with posting a few e-books?
Well, the deeper significance of this is that it's not even the "official" URI for those. NAG, SAG or whatever they're called have official URIs where they're (sposed to be) updated. My problem with posting these URIs is twofold really: they do not constitute an answer themselves (you could as well say RTM) unless you point to the relevant chapter, and secondly 320 has been posting the PDFs' URI twice w/o adding anything of himself, which to me means as much as being unhelpful (the NG or mailinglist way). At LQ, we gotta do more than just post URIs. As moderator I operate under the same rules. I do regularly point ppl to the LQ FAQ: Security references, but you'll usually see that in conjunction with an answer or at least me pointing to the relevant part.
*1. Nick, if you're willing, add the answer like I should have given it to him. Don't worry about completeness or failing etc, etc, it's the effort that counts IMHO. Hopefully I can learn something there too.
*2. If you've got more meta questions or want to constructively discuss spreading the nfo, you're invited to take this up with me by email. Hopefully I can learn something from you.