LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 07-26-2004, 07:34 PM   #256
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38

Sorry if this has already been mentioned before, I didn't feel like reading through all 17 pages of posts. But your guide suggests you use 'nmap localhost' to find out what ports you have open. Although this does work, a better way would be to use the following command:

Code:
netstat -tpan
Not only will this show you the ports that are open, it will show you what interface(s) it's listening on, if it's an established or just a listening connection, and most important of all, it will show you the process ID/name of the program that is bound to that listening port.

If there is a funky port open that I haven't already memorized, let's say port 37 for example, the fastest way to figure out what exactly that port is used for is to type in the following command:

Code:
grep "37/tcp" /etc/services
The 'services' file is basically a 1:1 map of port numbers to their common name. From this command I would be able to figure out that it's used for time servers and thus not needed.

Lastly, you recommend buying a router to allow multiple computers to share the internet and act like a "firewall." I put firewall in quotes because really it's not a firewall, it's just a byproduct of Network Address Translation (NAT). A "true" firewall will allow stateful packet inspection, packet mangling etc. Now although a router will do a decent job, if we are going to make our Slackware box into a web and mail server, heck why not make it into a rock solid firewall that will blow any router out of the water using the 100% free 'iptables'. With one extra Network Interface Card (NIC), a switch (could even use a router and just turn off everything), and a program called 'ipkungfu' which you can get at http://www.linuxkungfu.org you've got yourself one beast of a firewall. While you're at it, you can set up dhcpd and become your own DHCP server and only lease out IPs to known MAC addresses!

As you can probably guess I'm pretty big into security and I've never come across a more robust, full of options, easy to configure firewall script than ipkungfu. I plan to write a howto on how to turn your Linux machine into a firewall/gateway and I might just toss in a dhcpd server for the fun of it. Feel free to incorporate these into your site as you see fit.

Last edited by SiegeX; 07-26-2004 at 10:37 PM.
 
Old 07-27-2004, 02:54 AM   #257
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
Three comments: To the netstat -natp command, I'd like to add lsof -i; it's also very handy. Another iptables script - or "ruleset generator" - is quicktables. The DI-604 router we discussed above does stateful packet inspection, but since it's basically a black box, you really don't know what it's doing.

Cheers
 
Old 07-27-2004, 01:15 PM   #258
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
Thanks guys. That stuff is great. I just tried out all the commands you guys gave, and they work great. The only one I would change at all is:

Code:
grep " 37/tcp" /etc/services
Instead of:

Code:
grep "37/tcp" /etc/services
That's just me being silly, though. All that does is get rid of the extra results that end in *37.

I've been very busy lately, but I do have some plans for some big changes/additions to the site (and of course this thread). One of the things that I've been saying for a while is that I'd like to add more on security, so these are exactly the kinds of things I've been looking for.

SiegeX - I agree that, "heck why not make it into a rock solid firewall." I'm not very sharp when it comes to the use of iptables. I'm wondering this: is it possible to leave the current router/"firewall" in place and implement iptables also, essentially "doubling up"? This would be great, if possible. That way, I would be able to add a section on this further down in my guide. That way, people (meaning me) would be able to get their servers up and running, test them out, implement iptables, and verify that the iptables wasn't the cause of their server not working. Does this sound right?

Thanks again,

Shilo
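A worked version of the two tips above (SiegeX's netstat -tpan plus /etc/services lookup, and shilo's " 37/tcp" refinement), added here as an example and not code from either poster: it parses a constructed netstat listing and a constructed /etc/services excerpt, shows why the bare "37/tcp" search also hits 137/tcp, and maps each LISTEN socket to its service name and owning process with an exact port match.

```python
# Constructed excerpt in the /etc/services format ("name port/proto aliases"); not the real file.
SERVICES = """\
time            37/tcp          timserver
time            37/udp          timserver
netbios-ns      137/tcp
netbios-ns      137/udp
http            80/tcp          www www-http
ssh             22/tcp
smtp            25/tcp          mail
"""

# Constructed `netstat -tpan` output for a sample box with three listeners (not a real host).
NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      655/inetd
tcp        0      0 192.168.1.1:22          192.168.1.7:41022       ESTABLISHED 1203/sshd
"""

def grep_like(text, pattern):
    """Plain substring search, i.e. what grep "37/tcp" /etc/services does."""
    return [line for line in text.splitlines() if pattern in line]

def parse_services(text):
    """Map (port, proto) -> service name using exact port numbers, so 37 never matches 137."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table

def listening_sockets(text, services):
    """LISTEN rows from netstat -tpan: bind address, port, service name and PID/program."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)     # rsplit keeps IPv6 "::" addresses intact
        rows.append({"addr": addr, "port": int(port),
                     "service": services.get((int(port), "tcp"), "unknown"),
                     "process": parts[6]})
    return rows
```

A listener bound to 127.0.0.1 (the sendmail row here) is only reachable locally, which is exactly the kind of detail `nmap localhost` cannot tell you and the bind address column can.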
 
Old 07-27-2004, 02:25 PM   #259
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
Security, yes. There was the SAStk for Slackware, but it seems to not have been upgraded since 2002, which is a pity. On the other hand, this Jeffrey Denton, who seems to be the lead developer of it, has some stuff on his Slackware page. The system hardening page gives good advice. I have written a hardening script myself, following the tips of CERT's UNIX Security checklist. Of course, all of this can be found on the Security references thread that unSpawn has written in the Security forum.

About the "doubling up"; I'm not sure I understand what you mean, but of course both a router and an iptables firewall can be used at the same time.

<EDIT>
Oh yes, have a look at the articles at hackinglinuxexposed.com too! Concerning firewalls, there is this, this and this article. Here is an expanded version of the latter.
</EDIT>


Last edited by Bebo; 07-27-2004 at 02:35 PM.
 
Old 07-27-2004, 03:30 PM   #260
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
Wow!!! Thanks Bebo. It looks like I'm gonna be busy reading for a while. I really gotta pick up the pace on my website revisions so I can start adding some new stuff like this. Just glancing through the articles that you posted, I already see that I am going to need to A) Revise some of the sections that I have and, B) Add some new sections.

Thanks again. These articles look great.
 
Old 07-27-2004, 08:51 PM   #261
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
As far as doubling up goes, yes you can do what I call a nested NAT, basically:

Modem => Router's NAT (192.168.0.0/24) => Linux NAT ( 10.0.0.0/8)

But to tell you the truth, if you have your Linux firewall set up properly, there really is no reason to do it and it just unnecessarily complicates things. For those of you who already have a hardware router (be it Linksys, D-Link, Netgear etc.) then you can actually use that as the switch and you only need to buy an extra NIC for a total of two in your Linux box. In case you didn't know, all the hardware routers you buy on the shelves are nothing more than a 4-port switch with an embedded OS that oftentimes runs a stripped down Linux kernel using iptables! I currently own a wireless Linksys router, and all I do is plug my DSL modem into the first NIC on my Linux box, then plug the second NIC into port 1 of the router and my other computers into ports 2, 3 and 4. I then give the router a new LAN IP address, usually 192.168.1.254, so that I can use 192.168.1.1 for the LAN interface on my Linux box. I also turn off DHCP because I use Linux to do that as well, and then I have myself a wireless 4-port switch. By the way, you don't have to change the router's IP, but by convention the first IP of the subnet (192.168.1.1 in this case) is generally the gateway, which is now your Linux box.

As far as learning IPTables goes, it's definitely a good idea to learn some of its basic syntax; some rules can get quite complicated, especially if you are doing stuff in the NAT table. Again my best recommendation is still IPkungfu from www.linuxkungfu.org, and trust me, I've done my share of testing of many many iptables scripts. The nice thing about IPKungfu is that it's not just one huge linear series of questions, it actually breaks down all the abilities of iptables into separate .conf files: forwarding, redirecting, deny hosts, allow hosts, virtual servers to name a few. And if that wasn't cool enough, the syntax you use to do a rule in the .conf files is WAY easier than the actual syntax of the IPtables rule it creates. For example:

IPTables syntax to forward port 8080 from WAN IP 123.123.123.123 to port 80 of LAN IP 192.168.1.7
Code:
iptables -A PREROUTING -d 123.123.123.123 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.7:80
IPKungfu syntax
Code:
0/0:192.168.1.7:8080:80:tcp

I'll admit I am a bit biased towards IPkungfu because after seeing how kick ass it was, I contacted the author and I'm currently working on adding features to it. Right now I've got a working mod that I'm testing that will detect a port-scan to your box and report to the attacker that ALL your ports (yes, all 65,536) are open even though you may only have 3 or 4. By doing this, the attacker has no way to determine *in an easy manner* which ports are really open and which ports it lied about. Hopefully it will be included in the next version of IPkungfu, which is 0.60. I'm currently working on a way to have it randomly choose ports that are open; this way the response looks more real and is even more confusing because the open ports change every scan!

Last edited by SiegeX; 07-27-2004 at 10:55 PM.
 
Old 07-28-2004, 05:34 PM   #262
h1tman
Member
 
Registered: Jul 2003
Distribution: Slackware 11
Posts: 439

Rep: Reputation: 30
nice thing you got goin here.
 
Old 07-30-2004, 11:12 AM   #263
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
I just remembered something about Brian Hatch's Ten minute host firewall that I linked to above. It says that one can use an iptables rule like this
Code:
iptables -A INPUT -p tcp ! --syn -j ACCEPT
to block incoming connections. He says
Quote:
No machines can connect to your machine with TCP, but you can make outbound connections and the associated packets will be allowed back in. You can't be a server (no SSH to your machine, for example) but all outbound TCP stuff should work fairly well.
I'd say that this rule is not good enough, since it assumes that all packets which do not have the SYN bit set are packets that should be let through. So what happens then when someone uses nmap to scan your computer and uses any of those scans which are not the stealth (-sS) or the connection (-sT) scan, for instance the ACK or FIN scan? Those packets are let through!

Instead one should use
Code:
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
to let packets through which you have requested, for instance when surfing or ssh'ing to some remote computer. If you want to be able to ssh to your computer, or want to allow other people to access something on your computer, you should instead use something like
Code:
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
This rule of course applies to new ssh requests (port 22!), but you can use --dport 80 for your web server. This way, the incoming connection is allowed in if it is NEW, if it has the SYN bit set properly, and is coming to a specific port. Being specific is always good in these contexts. It is even better if you also can be specific about which IPs are allowed to establish connections to your box - like this:
Code:
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --source 192.168.23.58 --dport 22 -j ACCEPT
When the connection has been established, the connection is no longer NEW, but instead ESTABLISHED, so the first rule is applied instead.

So, in summary, the INPUT chain may look like this:
Code:
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --source 192.168.23.58 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
The last DROP rule is redundant (the policy is enough for this), but, well, whatever.

Cheers

Last edited by Bebo; 07-30-2004 at 11:13 AM.
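To make the difference between the two rulesets in the post above concrete, here is a small Python model, added as an example (it is not from the post, from Brian Hatch's article, or netfilter code): it evaluates the `! --syn` rule and the summary INPUT chain against constructed packets, where each packet carries the conntrack state the kernel's state match would report for it, and everything is assumed to arrive on eth0.

```python
# A packet is (src, dport, TCP flags, conntrack state). Constructed model, not netfilter.
SSH_PEER = "192.168.23.58"   # the only host the summary chain lets open SSH

def syn_only(flags):
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    return "SYN" in flags and not flags & {"ACK", "RST", "FIN"}

def chain_not_syn(pkt):
    """Ten-minute rule: -p tcp ! --syn -j ACCEPT; anything else meets the DROP policy."""
    return "DROP" if syn_only(pkt["flags"]) else "ACCEPT"

def chain_stateful(pkt):
    """Summary chain: ESTABLISHED,RELATED first, then explicit NEW+SYN rules, then DROP."""
    if pkt["state"] in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    new_syn = pkt["state"] == "NEW" and syn_only(pkt["flags"])
    if new_syn and pkt["dport"] == 22 and pkt["src"] == SSH_PEER:
        return "ACCEPT"
    if new_syn and pkt["dport"] == 80:
        return "ACCEPT"
    return "DROP"        # final -j DROP (the DROP policy would catch it anyway)

def packet(src, dport, flags, state):
    return {"src": src, "dport": dport, "flags": set(flags), "state": state}

# Constructed probes and legitimate traffic; sample addresses, not real hosts. conntrack
# reports an unsolicited ACK or FIN as NEW (tcp_loose on) or INVALID (off), never ESTABLISHED.
SAMPLES = {
    "ack_probe": packet("10.9.8.7", 22, ["ACK"], "NEW"),            # ACK-scan style packet
    "fin_probe": packet("10.9.8.7", 80, ["FIN"], "NEW"),            # FIN-scan style packet
    "reply":     packet("10.9.8.7", 41022, ["ACK"], "ESTABLISHED"), # answer to our own outbound TCP
    "ssh_ok":    packet(SSH_PEER, 22, ["SYN"], "NEW"),
    "ssh_other": packet("10.9.8.7", 22, ["SYN"], "NEW"),
    "web":       packet("10.9.8.7", 80, ["SYN"], "NEW"),
}

def compare():
    """Verdict of (! --syn chain, stateful chain) for every sample packet."""
    return {name: (chain_not_syn(p), chain_stateful(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (v1, v2) in compare().items():
        print(f"{name:10} ! --syn: {v1:6}  stateful: {v2}")
```

The two probe rows are the point of the post: the `! --syn` rule accepts them because they lack SYN, while the stateful chain drops them because they are neither part of a tracked connection nor a proper SYN to an allowed port.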
 
Old 07-31-2004, 12:29 PM   #264
blood_omen
Member
 
Registered: Apr 2004
Location: Canada
Distribution: OpenBSD 3.6, Slackware 10.1
Posts: 134

Rep: Reputation: 15
Shilo:

Let me, or better yet, let us all know when you update your site with the security section, so I can update the pdf file too.

Have a good day
 
Old 07-31-2004, 09:49 PM   #265
noobtesting
Member
 
Registered: Mar 2004
Location: Illinois
Distribution: Mint 15
Posts: 163

Rep: Reputation: 30
Hello,

I have just installed slackware 10.0 again to give it another try. I have run into 1 problem since my fresh full install and that is the fact that when I type xf86config in the console it says:

bash: xf86config: command not found

I am wondering what that is all about?

Any help would be great.

Thanks for your time
 
Old 07-31-2004, 10:23 PM   #266
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
Slackware 10 no longer uses XFree86, it uses X.org now which is a fork of XFree86. Basically a big licence fiasco went down, now everybody is pissed off and said no problem, screw you XFree86, we will use X.org. XFree86 really shot themselves in the foot this time 'cause most if not all major distros have dropped them for X.org.
 
Old 07-31-2004, 10:27 PM   #267
noobtesting
Member
 
Registered: Mar 2004
Location: Illinois
Distribution: Mint 15
Posts: 163

Rep: Reputation: 30
OK thanks, I will just have to look at my xorg.conf file and see what I can edit in it to get things working properly for my nvidia drivers and also for my scrolling on my mouse, unless someone can please tell me so I don't have to worry about messing things up.

Thanks for your time
 
Old 07-31-2004, 10:31 PM   #268
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
Go to the very 1st post in this thread, Shilo then gives a link to his webpage. One of the buttons on the left tells how to set up mouse scrolling, another button tells how to set up Nvidia drivers.
 
Old 08-01-2004, 09:55 AM   #269
noobtesting
Member
 
Registered: Mar 2004
Location: Illinois
Distribution: Mint 15
Posts: 163

Rep: Reputation: 30
OK I got swaret all installed and even edited my swaret.conf file but keep getting this failure when trying to run swaret --update.

swaret 1.6.2-1

[ ftp://ftp.nluug.nl/pub/os/Linux/dist...ckware-current ]
### Fetching CHECKSUMS List File... DONE!
FILELIST List File is up-to-date!
Packages Descriptions up-to-date!
Extra Packages Descriptions up-to-date!
ChangeLog up-to-date!
[ ftp://ftp.linuxpackages.net/pub/Slackware-10.0 ]
### Fetching 'LinuxPackagesDOTNET' CHECKSUMS List File... FAILED!
### Fetching 'LinuxPackagesDOTNET' FILELIST List File... FAILED!
### Fetching 'LinuxPackagesDOTNET' PACKAGES List File for Packages... FAILED!

any ideas and help would be great, I have tried changing the ftp location back to 9.1 and that still failed so I turned it back to 10.0. I am at a loss.

Thanks
 
Old 08-01-2004, 02:42 PM   #270
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
In my experience, it's not very uncommon to have troubles downloading LinuxPackages' package info. I think the "default" mirror is having a hard time coping with all the download requests. Try using another mirror; they're listed here: http://www.linuxpackages.net/mirrors.php

However, for upgrading your Slack install, it's not necessary to use a LinuxPackages repository. If you just want to upgrade the "ordinary" Slack packages on your box, then just disable LinuxPackages in /etc/swaret.conf.


Last edited by Bebo; 08-01-2004 at 02:46 PM.
 