Reasonably Secure Dialup Linux Workstation

Post by gfarr » Sat, 19 Aug 2000 04:00:00



Hello,

I've been reading this group for a few months now, and I'm trying to make a few
"security" decisions for my Linux workstation.  I'm aiming to make some sort of
Newbie mini-tutorial/howto for basic security when I finish my workstation.  I'm
hoping to get some advice from anybody who would be kind enough to respond:

I've had RH Linux installed for some time now.  Not much internet use, even less
after I started reading this NG.  I'll wait until my box is somewhat secure
before I get on the internet with it again.

SERVICES:
Since I'm using this as a personal workstation only, I don't have need for many
of the services, and have shut down things such as identd, fingerd, telnetd,
ftpd, httpd, etc.  Anything else I should take into consideration?

Should I have ANYTHING listening to ports on my PPP connection if I'm just web
browsing and downloading mail/news? (I don't use any ICQ or stuff like that)

If I can effectively stop all applications from LISTENING to my ppp connection,
am I safe from attack, or are there other methods/exploits to get into my
system?

I've been reading "Maximum Linux Security," and it seems like most of the
exploits are dependent on someone FIRST establishing a connection to my machine.
It seems that if I could prevent this, then I would not have any problems,
assuming that I've downloaded no trojans, etc.

IPCHAINS PACKET FILTERING:
I recently set up ipchains using a script provided by linux-firewall-tools.
Question:  When I scan my ports from the same machine, the IPCHAINS rules being
used are only those in effect for my LOOPBACK_INTERFACE, right?  

So if I want to know the rules in effect for my EXTERNAL_INTERFACE (ppp0), I'll
have to have a friend scan my machine when I'm online, right?

BASIC PORT SCANNING:
I get similar reports of open ports from using netstat and nmap, and only have a
few open ports.  Should I be concerned about any of these?

TCP ports from netstat:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:1038                  *:*                     LISTEN      537/gen_util_applet
tcp        0      0 *:1037                  *:*                     LISTEN      535/gnomepager_appl
tcp        0      0 *:1036                  *:*                     LISTEN      525/gmc
tcp        0      0 *:1034                  *:*                     LISTEN      523/panel
tcp        0      0 *:1033                  *:*                     LISTEN      521/gnome-name-serv
tcp        0      0 *:1028                  *:*                     LISTEN      506/magicdev
tcp        0      0 *:1025                  *:*                     LISTEN      476/gnome-session
tcp        0      0 *:6000                  *:*                     LISTEN      453/X
tcp        0      0 machine.local:8000      *:*                     LISTEN      352/junkbuster
tcp        0      0 *:sunrpc (port 111)     *:*                     LISTEN      219/portmap

UDP from NMAP:
Port       State       Service
111/udp    open        sunrpc

Should "X" be listening to outside connections, or just the LOOPBACK_INTERFACE?
My Junkbuster HTTP proxy should only be listening to the LOOPBACK_INTERFACE, but
not the EXTERNAL_INTERFACE, right?
Are there any security concerns with the other listening apps?  
They should be listening only to the LOOPBACK_INTERFACE, right?

OTHER PORT SCANNING QUESTIONS:
When I use NMAP's  ACK scan internally on my own machine, nmap reports that all
ports are UNfiltered.  Is this good?  What does it mean?
Here's the output from NMAP:
All 65535 scanned ports on computer1.home (127.0.0.1) are: UNfiltered
Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

<Slightly OT> Is there a good port scanner for windows, so that I can have a
buddy scan my machine?  I don't have any friends running Linux yet...

TRIPWIRE:
I've just installed Tripwire, but haven't configured it yet.  Are there some
common ways to get around it?  Anything I can do to maximize its usage?  I
think I read something about putting the database on a write-protected floppy or
other write-protected media.

TCP_WRAPPERS:
Any advantages to using TCP_WRAPPERS combined with IPCHAINS?

KERNEL BOOT KITS:
I read something about this a while back.  Would it be beneficial to put my
kernel on a bootable CD-ROM to protect myself from this kind of attack?  
If so, does anyone know of any resources where I can learn how to do this?

OTHER QUESTIONS:
Is there a way that I can explicitly grant individual programs access to the
internet and deny it to all others by default?  IOW, assuming that I download a
trojaned executable, is there a way that I can prevent it from listening to a
port?  This behavior would be similar to ZoneAlarm, where it alerts you each
time that a program accesses the internet.
Also down that line, do any utilities exist that notify you if you have repeated
actions that violate your IPCHAINS rules, such as someone repeatedly attempting
a connection to your machine? Or is it customary to just look at the logs?

If you got this far, some of these questions must sound pretty dumb.  If so, I'm
sorry.  I've been trying to learn about Linux and TCP/IP simultaneously.  It all
seemed simple until I stumbled upon this NG months ago and realized how
complicated the subject of security is, and how important it is to understand.
I can honestly say that I'm humbled by trying to sort it all out.

Sincerely,
Greg
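
An added example (mine, not code from the thread) for the "should X / junkbuster / the GNOME applets be listening on the external interface?" questions above. netstat already answers them in its Local Address column: a socket bound to *:port (0.0.0.0:port in numeric output) accepts connections on every interface, ppp0 included, while one bound to 127.0.0.1:port is reachable only over loopback. The script below pulls that distinction out of netstat -tulpn output. SAMPLE_NETSTAT is a constructed sample modelled on the listing in the post, with ports shown numerically; the program column is only filled in when netstat runs as root.

```shell
#!/bin/sh
# Added example, not from the original thread: sort LISTEN sockets by the
# address they are bound to.  "0.0.0.0" / "*" means every interface (ppp0
# included); "127.0.0.1" means loopback only.
#
# Input is "netstat -tulpn"-style output.  SAMPLE_NETSTAT is a constructed
# sample modelled on the poster's listing, with ports shown numerically.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      453/X
tcp        0      0 0.0.0.0:1025            0.0.0.0:*               LISTEN      476/gnome-session
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      352/junkbuster
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      219/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           219/portmap
udp        0      0 127.0.0.1:1024          0.0.0.0:*                           219/portmap'

# usage: listeners_bound_to ADDR_REGEX < netstat-output
# Prints "proto port program" for every tcp/udp row whose bind address
# matches ADDR_REGEX (an awk ERE; bracket expressions avoid backslashes).
listeners_bound_to() {
    awk -v want="$1" '
        $1 ~ /^(tcp|udp)/ {
            addr = $4; sub(/:[^:]*$/, "", addr)   # strip the ":port" suffix
            port = $4; sub(/.*:/,     "", port)   # keep only the port
            # TCP rows carry a State column and UDP rows do not, so the
            # PID/Program field is $7 for tcp and $6 for udp.
            prog = ($1 ~ /^tcp/) ? $7 : $6
            if (addr ~ want) print $1, port, prog
        }'
}

# Sockets an outside host could reach over ppp0 (wildcard-bound).
exposed_listeners()  { listeners_bound_to '^(0[.]0[.]0[.]0|[*])$'; }
# Sockets reachable only from the machine itself.
loopback_listeners() { listeners_bound_to '^(127[.]0[.]0[.]1|localhost)$'; }

# Convenience wrappers over the constructed sample.
count_exposed()  { printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners  | wc -l | tr -d ' '; }
count_loopback() { printf '%s\n' "$SAMPLE_NETSTAT" | loopback_listeners | wc -l | tr -d ' '; }

# Stand-alone use on a live box (as root, so -p can name the programs):
#   netstat -tulpn | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Run against the poster's own listing, everything except junkbuster comes out as exposed. X can be started with `startx -- -nolisten tcp` so it never opens 6000/tcp at all; portmap should simply be stopped unless NFS or NIS is in use; and the 1025-1038 listeners are GNOME 1.x's ORBit CORBA servers, which (as I recall the ORBit 0.5 configuration, so check your own ORBit docs) can be told to use Unix-domain sockets instead of TCP with ORBIIOPIPv4=0 and ORBIIOPUSock=1 in /etc/orbitrc. A packet filter on ppp0 is still wanted on top of that, because the next upgrade may quietly add a listener.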

 
 
 

Reasonably Secure Dialup Linux Workstation

Post by <jos.. » Sat, 19 Aug 2000 04:00:00


Why is the sunrpc portmap stuff active?
Kill it if you don't need it.




 
 
 

Reasonably Secure Dialup Linux Workstation

Post by Steve Co » Sat, 19 Aug 2000 04:00:00


Hi,

I'm no expert but I've a few thoughts to throw at you....

In article <39a18cdb.1352...@news.flash.net>, gfar...@XpostX.com (gfarris)
wrote:

> Hello,

> I've been reading this group for a few months now, and I'm trying to
> make a few
> "security" decisions for my Linux workstation.  I'm aiming to make some
> sort of
> Newbie mini-tutorial/howto for basic security when I finish my
> workstation.  I'm hoping to get some advice from anybody who would be
> kind enough to respond:

> I've had RH Linux installed for some time now.  Not much internet use,
> even less after I started reading this NG.  I'll wait until my box is
> somewhat secure before I get on the internet with it again.

> SERVICES: Since I'm using this as a personal workstation only, I don't
> have need for many of the services, and have shut down things such as
> identd, fingerd, telnetd, ftpd, httpd, etc.  Anything else I should take
> into consideration?

When you establish an FTP connection, if you are running in 'active'
FTP mode the server you connect to will try to open a connection
to your privileged FTP server port - which your config should
reject. Instead, you'll have to run an FTP client in 'passive' mode
whereby the remote FTP server will send back data using the
connection you established - this is the most secure way - but
you'll need to know to set some FTP browser clients to use
passive mode.

> Should I have ANYTHING listening to ports on my PPP connection if I'm
> just web browsing and downloading mail/news? (I don't use any ICQ or
> stuff like that)

Some argue that you should have the identd port open - or at least
REJECTing rather than DENYing - so remote locations can
identify you exist. Some connections may not work or may suffer
from timeouts if the remote server cannot identify you. I'd be interested
to hear others' views. I suppose if you block it and all works - cool...

> If I can effectively stop all applications from LISTENING to my ppp
> connection, am I safe from attack, or are there other methods/exploits
> to get into my system?

Theoretically, you could mistakenly allow rogue software to compromise
your security and open up a connection from the inside (trojans and
rootkits) but they would have to find a way onto your machine in the
first place. Common sense, not running root unless you have to,
checking logs etc. should keep it all cool.

> I've been reading "Maximum Linux Security," and it seems like most of
> the exploits are dependent on someone FIRST establishing a connection to
> my machine. It seems that if I could prevent this, then I would not have
> any problems, assuming that I've downloaded no trojans, etc.

> IPCHAINS PACKET FILTERING: I recently set up ipchains using a script
> provided by linux-firewall-tools. Question:  When I scan my ports from
> the same machine, the IPCHAINS rules being used are only those in effect
> for my LOOPBACK_INTERFACE, right?  

Coolest site around....... :-)
Correct, any local scans from the firewall machine will go through
the loopback - which will basically be open anyway.

> So if I want to know the rules in effect for my EXTERNAL_INTERFACE
> (ppp0), I'll have to have a friend scan my machine when I'm online,
> right?

Yup


> BASIC PORT SCANNING: I get similar reports of open ports from using
> netstat and nmap, and only have a few open ports.  Should I be concerned
> about any of these?

> TCP ports from netstat:
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 *:1038                  *:*                     LISTEN      537/gen_util_applet
> tcp        0      0 *:1037                  *:*                     LISTEN      535/gnomepager_appl
> tcp        0      0 *:1036                  *:*                     LISTEN      525/gmc
> tcp        0      0 *:1034                  *:*                     LISTEN      523/panel
> tcp        0      0 *:1033                  *:*                     LISTEN      521/gnome-name-serv
> tcp        0      0 *:1028                  *:*                     LISTEN      506/magicdev
> tcp        0      0 *:1025                  *:*                     LISTEN      476/gnome-session
> tcp        0      0 *:6000                  *:*                     LISTEN      453/X
> tcp        0      0 machine.local:8000      *:*                     LISTEN      352/junkbuster
> tcp        0      0 *:sunrpc (port 111)     *:*                     LISTEN      219/portmap

> UDP from NMAP:
> Port       State       Service
> 111/udp    open        sunrpc

> Should "X" be listening to outside connections, or just the
> LOOPBACK_INTERFACE? My Junkbuster HTTP proxy should only be listening to
> the LOOPBACK_INTERFACE, but not the EXTERNAL_INTERFACE, right? Are there
> any security concerns with the other listening apps?   They should be
> listening only to the LOOPBACK_INTERFACE, right?

If the Gnome and X interfaces are listening to the external interface,
then a connection could be made :-( Unless you want them to :-)
My guess is you don't.....

> OTHER PORT SCANNING QUESTIONS: When I use NMAP's  ACK scan internally on
> my own machine, nmap reports that all ports are UNfiltered.  Is this
> good?  What does it mean? Here's the output from NMAP: All 65535 scanned
> ports on computer1.home (127.0.0.1) are: UNfiltered Nmap run completed
> -- 1 IP address (1 host up) scanned in 7 seconds

Sounds like the loopback interface is wide open - and why
shouldn't it be. Just make sure your firewall rules don't allow
for spoofed private IP address connections through the public
IP address interface, e.g. a connection attempt from 172.16.1.1
coming through your ppp0 interface connection to your ISP.
The firewall scripts from linux-firewall-tools should deal with this.

> <Slightly OT> Is there a good port scanner for windows, so that I can
> have a
> buddy scan my machine?  I don't have any friends running Linux yet...

There's NMAPNT - an NT implementation but I don't know where
to get it from - check out davecentral.com

There are websites which will scan your connection for you.
The wonderful www.grc.com's shields-up. (Though it's only
the basic ports it checks - and only claims to). Also
www.hackerwhaker.com, though you need to register.

> TRIPWIRE: I've just installed Tripwire, but haven't configured it yet.
> Are there some common ways to get around it?  Anything I can do to
> maximize it's usage?  I think I read something about putting the
> database on a write-protected floppy or other write-protected media.

I know nothing....

> TCP_WRAPPERS: Any advantages to using TCP_WRAPPERS combined with
> IPCHAINS?

Use as much as you can but be aware that wrappers such as inetd's
/etc/hosts.deny and hosts.allow only protect the wrapped services -
always use a firewall.

> KERNEL BOOT KITS: I read something about this a while back.  Would it be
> beneficial to put my kernel on a bootable CD-ROM to protect myself from
> this kind of attack?   If so, does anyone know of any resources where I
> can learn how to do this?

> OTHER QUESTIONS: Is there a way that I can explicitly grant individual
> programs access to the internet and deny it to all others by default?
> IOW, assuming that I download a trojaned executable, is there a way that
> I can prevent it from listening to a port?  This behavior would be
> similar to ZoneAlarm, where it alerts you each time that a program
> accesses the internet. Also down that line, do any utilities exist that
> notify you if you have repeated actions that violate your IPCHAINS
> rules, such as someone repeatedly attempting a connection to your
> machine? Or is it customary to just look at the logs?

Check out firestarter.sourceforge.net and portsentry etc.

> If you got this far, some of these questions must sound pretty dumb.  If
> so, I'm sorry.  I've been trying to learn about Linux and TCP/IP
> simultaneously.  It all seemed simple until I stumbled upon this NG
> months ago and realized how complicated the subject of security is, and
> how important it is to understand. I can honestly say that I'm humbled
> by trying to sort it all out.

> Sincerely, Greg

Know what you mean :-)
 
 
 

Reasonably Secure Dialup Linux Workstation

Post by gfarr » Sat, 19 Aug 2000 04:00:00


Quote:>Why is the sunrpc portmap stuff active?
>Kill it if you don't need it.

I hadn't figured out if I needed it or not, and didn't want another process to
crash if I should have had it running.
Looks like I need to do some reading on portmapper.

Thanks,
Greg

 
 
 

Reasonably Secure Dialup Linux Workstation

Post by Walter Dn » Mon, 21 Aug 2000 12:04:14



> SERVICES:
> Since I'm using this as a personal workstation only, I don't have need for
> many of the services, and have shut down things such as identd, fingerd,
> telnetd, ftpd, httpd, etc.  Anything else I should take into consideration?

  Basically shut down all external services.  To get an idea of what
you're running, log on as root and execute...

  ps -axf > output.txt

...then browse through output.txt.  Post it here if there's anything you
don't understand in the output.  To cut down the verbosity, make sure
you're not running X or any apps when you get the output.

Quote:> Should I have ANYTHING listening to ports on my PPP connection if I'm just web
> browsing and downloading mail/news? (I don't use any ICQ or stuff like that)

  No.  Telnetd, sendmail, nfsd, ftpd, etc should not be running.  Note
that you do not need to run any of the servers to use their equivalent
clients.  Depending on your version of linux, you may or may not have a
file /etc/inetd.conf with various servers listed.  If so, comment out
all lines by putting a "#" (without quotes) as the first character of
each line.  Also ensure that /etc/hosts.deny has only one line...

ALL:ALL

...and /etc/hosts.allow should be empty.

Quote:> I've been reading "Maximum Linux Security," and it seems like most of the
> exploits are dependent on someone FIRST establishing a connection to my
> machine.  It seems that if I could prevent this, then I would not have any
> problems, assuming that I've downloaded no trojans, etc.

  Mostly correct (Buffer overflows are always at least a remote
possibility).  I block *ALL* incoming traffic to ports 0..1023 and all
incoming syn-packets, period.  This breaks standard ftp.  The solution
is to invoke "passive mode" ftp.  In Redhat, the command is "ftp -p" or
"pftp".  BTW, web-browsers access ftp sites in passive mode, so that
isn't a problem.
  I also allow only enough ICMP traffic for basic functionality like
MTU-discovery, and to run traceroute.  Other ICMP stuff is dropped.
Scanners shouldn't be able to even tell that I exist, let alone ping me
or get info out of me.  I don't believe in only "security by obscurity".
However, camouflage *IN ADDITION TO* other strong security measures is
one additional hurdle for crackers.  Let me know if you want a look at
my firewall script.

Quote:> So if I want to know the rules in effect for my EXTERNAL_INTERFACE (ppp0),
> I'll have to have a friend scan my machine when I'm online, right?

  Right, or one of the free scanning sites on the web.

Quote:> If you got this far, some of these questions must sound pretty dumb.

  The only stupid question is the one you didn't ask (but should've).
I switched to internet access via linux in late March, and it was a
steep curve at first, but worth it.  It's nice to be able to open email
fearlessly, while the Windows users are in a panic about LOVE-LETTER,
JOKE, BUBBLE-BOY, etc.

--
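
An added example (mine, not Walter's script and not code from the thread) that puts Walter's input policy above, and Steve's points on passive FTP, identd and spoofed private addresses, into one ipchains (kernel 2.2) ruleset for a dialup workstation: no inbound connection attempt is accepted on ppp0, nothing reaches the privileged ports, private and loopback source addresses are dropped as spoofs, identd gets a fast REJECT instead of a silent timeout, and only the ICMP needed for path-MTU discovery and traceroute is let in. The interface name ppp0 and the DNS-reply rule are assumptions about the reader's setup; the script prints the rules instead of applying them unless it is run as root on a box that has ipchains.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipchains input chain for a
# dialup workstation.  Rules are evaluated in order, so the identd REJECT
# must come before the blanket SYN DENY.  ppp0 and the DNS-reply rule are
# assumptions about the reader's setup.
EXT_IF=${EXT_IF:-ppp0}

# Unless we are root on a box that has ipchains, just print the rules.
if [ "$(id -u)" != 0 ] || ! command -v ipchains >/dev/null 2>&1; then
    IPCHAINS=echo
else
    IPCHAINS=ipchains
fi
rule() { $IPCHAINS "$@"; }

workstation_rules() {
    rule -F input
    rule -P input DENY                        # drop silently unless a rule says otherwise
    rule -A input -i lo -j ACCEPT             # loopback stays wide open

    # Anti-spoofing: these sources can never legitimately arrive on ppp0.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        rule -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done

    # identd: REJECT (sends RST) before the blanket SYN rule, so mail and IRC
    # servers that probe 113 fail fast instead of waiting on a timeout.
    rule -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 113 -y -j REJECT

    # No inbound connection attempts at all: log and drop every TCP SYN.
    rule -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    # Nothing to the privileged range for any protocol (covers UDP services
    # such as portmap on 111, which the SYN rule cannot see).
    rule -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 0:1023 -j DENY -l
    rule -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 0:1023 -j DENY -l

    # Replies to connections we opened: non-SYN TCP segments to high ports.
    rule -A input -i "$EXT_IF" -p tcp ! -y -d 0.0.0.0/0 1024:65535 -j ACCEPT
    # DNS answers.  ipchains is stateless, so this is the best we can do for
    # UDP; narrow -s to your ISP's real resolver addresses.
    rule -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT

    # ICMP: echo-reply (0) so we can ping out, destination-unreachable (3)
    # for path-MTU discovery, time-exceeded (11) for traceroute.  The ICMP
    # type goes in the source-port position.  Everything else, echo requests
    # included, falls through to the DENY policy, so scanners get no ping.
    for type in 0 3 11; do
        rule -A input -i "$EXT_IF" -p icmp -s 0.0.0.0/0 "$type" -j ACCEPT
    done
}

workstation_rules
```

Because every inbound SYN is dropped, active-mode FTP (the server connecting back to you) breaks exactly as Walter says; use `ftp -p`, `pftp` or a browser, all of which use passive mode and therefore only need the non-SYN reply rule. The -l on the DENY rules is what makes the blocked probes visible in /var/log/messages. Run the script as a non-root user first to read the rules it would install; when you are satisfied, run it as root from your ip-up script so it is in place before the first packet arrives.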
