Hello,
I've been reading this group for a few months now, and I'm trying to make a few
"security" decisions for my Linux workstation. I'm aiming to make some sort of
Newbie mini-tutorial/howto for basic security when I finish my workstation. I'm
hoping to get some advice from anybody who would be kind enough to respond:
I've had RH Linux installed for some time now. Not much internet use, even less
after I started reading this NG. I'll wait until my box is somewhat secure
before I get on the internet with it again.
SERVICES:
Since I'm using this as a personal workstation only, I don't have need for many
of the services, and have shut down things such as identd, fingerd, telnetd,
ftpd, httpd, etc. Anything else I should take into consideration?
Should I have ANYTHING listening to ports on my PPP connection if I'm just web
browsing and downloading mail/news? (I don't use any ICQ or stuff like that)
If I can effectively stop all applications from LISTENING to my ppp connection,
am I safe from attack, or are there other methods/exploits to get into my
system?
I've been reading "Maximum Linux Security," and it seems like most of the
exploits are dependent on someone FIRST establishing a connection to my machine.
It seems that if I could prevent this, then I would not have any problems,
assuming that I've downloaded no trojans, etc.
IPCHAINS PACKET FILTERING:
I recently set up ipchains using a script provided by linux-firewall-tools.
Question: When I scan my ports from the same machine, the IPCHAINS rules being
used are only those in effect for my LOOPBACK_INTERFACE, right?
So if I want to know the rules in effect for my EXTERNAL_INTERFACE (ppp0), I'll
have to have a friend scan my machine when I'm online, right?
BASIC PORT SCANNING:
I get similar reports of open ports from using netstat and nmap, and only have a
few open ports. Should I be concerned about any of these?
TCP ports from netstat:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:1038 *:* LISTEN 537/gen_util_applet
tcp 0 0 *:1037 *:* LISTEN 535/gnomepager_appl
tcp 0 0 *:1036 *:* LISTEN 525/gmc
tcp 0 0 *:1034 *:* LISTEN 523/panel
tcp 0 0 *:1033 *:* LISTEN 521/gnome-name-serv
tcp 0 0 *:1028 *:* LISTEN 506/magicdev
tcp 0 0 *:1025 *:* LISTEN 476/gnome-session
tcp 0 0 *:6000 *:* LISTEN 453/X
tcp 0 0 machine.local:8000 *:* LISTEN 352/junkbuster
tcp 0 0 *:sunrpc (port 111) *:* LISTEN 219/portmap
UDP from NMAP:
Port State Service
111/udp open sunrpc
Should "X" be listening to outside connections, or just the LOOPBACK_INTERFACE?
My Junkbuster HTTP proxy should only be listening to the LOOPBACK_INTERFACE, but
not the EXTERNAL_INTERFACE, right?
Are there any security concerns with the other listening apps?
They should be listening only to the LOOPBACK_INTERFACE, right?
OTHER PORT SCANNING QUESTIONS:
When I use NMAP's ACK scan internally on my own machine, nmap reports that all
ports are UNfiltered. Is this good? What does it mean?
Here's the output from NMAP:
All 65535 scanned ports on computer1.home (127.0.0.1) are: UNfiltered
Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds
<Slightly OT> Is there a good port scanner for windows, so that I can have a
buddy scan my machine? I don't have any friends running Linux yet...
TRIPWIRE:
I've just installed Tripwire, but haven't configured it yet. Are there some
common ways to get around it? Anything I can do to maximize its usage? I
think I read something about putting the database on a write-protected floppy or
other write-protected media.
TCP_WRAPPERS:
Any advantages to using TCP_WRAPPERS combined with IPCHAINS?
KERNEL BOOT KITS:
I read something about this a while back. Would it be beneficial to put my
kernel on a bootable CD-ROM to protect myself from this kind of attack?
If so, does anyone know of any resources where I can learn how to do this?
OTHER QUESTIONS:
Is there a way that I can explicitly grant individual programs access to the
internet and deny it to all others by default? IOW, assuming that I download a
trojaned executable, is there a way that I can prevent it from listening to a
port? This behavior would be similar to ZoneAlarm, where it alerts you each
time that a program accesses the internet.
Also down that line, do any utilities exist that notify you if you have repeated
actions that violate your IPCHAINS rules, such as someone repeatedly attempting
a connection to your machine? Or is it customary to just look at the logs?
If you got this far, some of these questions must sound pretty dumb. If so, I'm
sorry. I've been trying to learn about Linux and TCP/IP simultaneously. It all
seemed simple until I stumbled upon this NG months ago and realized how
complicated the subject of security is, and how important it is to understand.
I can honestly say that I'm humbled by trying to sort it all out.
Sincerely,
Greg
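One way to answer the "is anything listening on ppp0?" question from the netstat listing above, as an added example that is not part of Greg's post: it parses a netstat-style listener table and separates sockets bound only to loopback from those bound to every interface or to a host address. The sample table is constructed from the post's listing; the sendmail line is an added loopback-only case for contrast.

```python
"""Audit a netstat-style listener table for sockets reachable from outside
the host.  Example code added to this thread, not from the post."""
from dataclasses import dataclass

# Constructed sample in the layout of `netstat -tulnp` (net-tools), based on
# the listing in the post; the udp line is what nmap reported as 111/udp open,
# and the sendmail line is a made-up loopback-only listener for contrast.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:1038 *:* LISTEN 537/gen_util_applet
tcp 0 0 *:6000 *:* LISTEN 453/X
tcp 0 0 machine.local:8000 *:* LISTEN 352/junkbuster
tcp 0 0 *:111 *:* LISTEN 219/portmap
tcp 0 0 127.0.0.1:25 *:* LISTEN 300/sendmail
udp 0 0 *:111 *:* 219/portmap
"""

LOOPBACK = {"127.0.0.1", "localhost", "localhost.localdomain", "::1"}
WILDCARD = {"*", "0.0.0.0", "::", ":::"}
# Services a dial-up workstation has no reason to expose to the link.
KNOWN = {"6000": "X11 display server", "111": "portmap/sunrpc"}

@dataclass
class Listener:
    proto: str
    host: str
    port: str
    program: str
    exposure: str   # "all-interfaces", "loopback-only" or "specific-address"
    note: str

def classify(host: str) -> str:
    if host in WILDCARD:
        return "all-interfaces"     # bound on every interface, ppp0 included
    if host in LOOPBACK:
        return "loopback-only"      # not reachable from the network at all
    return "specific-address"       # reachable if that name resolves to ppp0

def audit_listeners(text: str) -> list[Listener]:
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue                # header line or something unrelated
        if f[0] == "tcp" and "LISTEN" not in f:
            continue                # established tcp sockets are not listeners
        host, port = f[3].rsplit(":", 1)
        program = f[-1].split("/", 1)[-1]
        found.append(Listener(f[0], host, port, program,
                              classify(host), KNOWN.get(port, "")))
    return found

def exposed(text: str) -> list[Listener]:
    """Listeners a remote peer could reach if ipchains did not filter them."""
    return [l for l in audit_listeners(text) if l.exposure != "loopback-only"]

if __name__ == "__main__":
    for l in exposed(SAMPLE):
        print(f"{l.proto} {l.port:>5} {l.program:<18} {l.exposure:<16} {l.note}")
```

Anything in the "all-interfaces" group is the set to either rebind to 127.0.0.1, shut down, or explicitly block on ppp0 with ipchains; a scan from the loopback side will never tell you which of these are reachable from outside.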