LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 02-13-2006, 10:05 AM   #1
jcombs_31
Member
 
Registered: Dec 2004
Distribution: Slackware
Posts: 104

Rep: Reputation: 15
securing slackware server


I have a slackware 10 box set up at home running as a web/ftp/database/ssh server. I have noticed that it is getting hammered on my network. I have a simple hardware firwewall (wireless router) that has only the necessary ports open for the current services I'm running. I would assume it's something either through my mail or web that is hogging lots of bandwidth but I don't know how to pinpoint or stop it. Any good suggestions on where to go from here?
 
Old 02-13-2006, 10:33 AM   #2
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: SlackwareŽ
Posts: 11,016
Blog Entries: 1

Rep: Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364
Quote:
Originally Posted by jcombs_31
I have a slackware 10 box set up at home running as a web/ftp/database/ssh server. I have noticed that it is getting hammered on my network. I have a simple hardware firwewall (wireless router) that has only the necessary ports open for the current services I'm running. I would assume it's something either through my mail or web that is hogging lots of bandwidth but I don't know how to pinpoint or stop it. Any good suggestions on where to go from here?
Hi,

Too general of a question without reference information!

First, what do mean by hammered? Someone port scanning you? How did you find this out?

I would first try to see how your security is set. Try a service like 'Steve Gibson's' www.grc.com. Check to see what is exposed.
How your system is responding to inquiries from the internet.

Do you have tripwire or chroot running? Could you have been cracked already? Maybe someone has already scripted you and using you as a POS for attacks therefore hogging your services.

I'd like to help but can't without information.

As for the 'simple hardware firewall (wireless router)' how is it connected to the internet? Via cable,dsl or what? By chance do you have it set with DMZ?
 
Old 02-13-2006, 11:12 AM   #3
jcombs_31
Member
 
Registered: Dec 2004
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
Sorry, I will try to provide a bit more info. the wireless router is connected with DSL, and is not set with DMZ. The ports open are 80, 22, 25, 21 and are forwarded to the slack box.

By hammered, I noticed that data was being transferred just by looking at the router and dsl modem and noticing that everything I was doing on the internet was crawling, I then ran "netstat" and noticed a lot of connections. I actually have the computer off now temporarily while I'm at work. I'm not sure what "tripwire" is.
 
Old 02-13-2006, 07:25 PM   #4
jcombs_31
Member
 
Registered: Dec 2004
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
All GRC.com really told me was which ports I had open, which I already knew. I'm temporarily blocking SMTP to see if this is the problem. Is there a good guide to securing mail services?
 
Old 02-14-2006, 09:43 AM   #5
jcombs_31
Member
 
Registered: Dec 2004
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
A perfect example of my server getting spammed is my guestbook. It is loaded with crap. How can I secure apache not to accept this kind of junk?
 
Old 02-14-2006, 12:31 PM   #6
GlowGlow
Member
 
Registered: Jun 2005
Posts: 111

Rep: Reputation: 15
Block automatic thrasing in some way? For instance, by requiring the user to enter a number that is displayed in some automatically generated image.
 
Old 02-14-2006, 01:33 PM   #7
jcombs_31
Member
 
Registered: Dec 2004
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by GlowGlow
Block automatic thrasing in some way? For instance, by requiring the user to enter a number that is displayed in some automatically generated image.
I was hoping there might be an option for the webserver itself, not the forms on it. There has to be a way to detect and stop spam constantly scanning your site. I also feel it's a bit drastic to require someone to validate an image just to post to a guestbook or send an email. I can understand with some type of registration system, but not something so simple and meaningless.
 
Old 02-14-2006, 03:37 PM   #8
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 151Reputation: 151
The problem is that Apache does not know which are legitimate connections and which are not. If you can identify what constitutes an unwanted connection, you can build rules into Apache (and maybe your firewall).

Someone here may well be able to help, can you describe the differences between the connections that should and should not be allowed?
 
Old 02-14-2006, 04:46 PM   #9
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: SlackwareŽ
Posts: 11,016
Blog Entries: 1

Rep: Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364Reputation: 1364
Quote:
Originally Posted by jcombs_31
Sorry, I will try to provide a bit more info. the wireless router is connected with DSL, and is not set with DMZ. The ports open are 80, 22, 25, 21 and are forwarded to the slack box.

By hammered, I noticed that data was being transferred just by looking at the router and dsl modem and noticing that everything I was doing on the internet was crawling, I then ran "netstat" and noticed a lot of connections. I actually have the computer off now temporarily while I'm at work. I'm not sure what "tripwire" is.
Hi,

Look here;

http://sourceforge.net/projects/tripwire/

I prefer to set my systems up so as they are a true stealth to the internet.
If someone needs to get in they know me therefore can get in. Web services, I would use a hosting service (cheap $$).

Since you are forwarding to the slack box I assume you have rule set for the router and/or DSL modem. Maybe too loose on the allow/dent sets.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Securing NFS server on Slackware Yalla-One Slackware 0 01-16-2006 01:44 AM
Securing Server brentos Linux - Security 4 06-08-2004 10:57 AM
Securing Slackware 8.1 Tekime Slackware 9 02-21-2004 09:27 PM
POSTFIX -securing [slackware] darklogik_org Linux - Networking 0 01-24-2004 04:02 AM
Securing slackware 9.0 ematrixxx Linux - Security 1 08-27-2003 09:03 PM


All times are GMT -5. The time now is 10:41 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration