Making Your Linux Box Secure

pryan writes "rootprompt.org has some interesting articles on locking down a Linux box on a hostile network (read: Internet) and cloaking a Debian box so script kiddies don't find it. Check out fortress building, part 1, and part 2. For you Debian freaks (I'm wearing a Debian swirl t-shirt as I type this), check out cloaking Debian. Of course, the cloaking article is easily adaptable to other distributions. Let's lock down those boxes! "

Another great resource (NT, Linux, Solaris)

[Saron]

Is Lance Spitzner's Security Whitepapers.

Its a handy little site, covers firewalls in NT and Linux, how to properly armor a NT, Solaris, or Linux install (from the perspective of Redhat, but thats easily adaptable), and for those of you that are a bit more curious, he has a "How to build a honeypot" section.

Enjoy!

Re:Wewanthackers.com has been up 50 days straight

[Bruce+Perens]

I should also add, without an obvious penetration (except for the simple mail hack we actually invite on the web page). The fact that it ran 50 days without a reboot would not necessarily interest security people, except as anecdotal evidence that nobody was able to remotely crash the kernel.

Bruce

Re:http://cr.yp.to/

[Bryan+Ischo]

Care to name your sources? I've never heard of any qmail exploits, period, and I have a feeling that I have been watching more closely than you have.

Re:Our comany firewall

[Malcontent]

I also usually explicitly deny packets from offensive hosts like flycast, doubleclick etc. These days it's also probably a good idea to not let everything out. If somehow somebody lobbed something in you don't want them to initiate a connection out.

A Dick and a Bush .. You know somebody's gonna get screwed.

Re:http://cr.yp.to/

[Malcontent]

Bruce did not say that Dan had no right to distribute his code under any license he chooses. He just stated that it was not open source. So what is the big deal? Was he wrong?

A Dick and a Bush .. You know somebody's gonna get screwed.

Re:http://cr.yp.to/

[Russ+Nelson]

Agreed with all of it, BUT his software has never been broken into either. Hard to argue with success if you define success as "secure".
-russ

In Other News:

[Denor]

Change of Pace for Slashdot Disturbing, Posters Find.

ASSOCIATED PRESS - Dozens were shocked today as popular website Slashdot posted a story that had nothing to do with a corporate or governmental conspiracy.
"I'm absolutely floored" one frequent poster commented. "I mean, I was all ready to get out one of my 'damn the man' rants for karma, but it turns out it's completely offtopic for this story. I mean, I'd actually have /lost/ karma! That was close. I have no clue why Slashdot would do this."
Many others were confused as well. Local trolls were dismayed, one going so far as to assert "I'm betting this is a slashdot conspiracy to try to lull us into a false sense of security."
Many contributors fell into the pattern of trying to form a Slashdot editorial conspiracy, but ultimately failed as the comments did not have nearly the manifesto-inspiring potential that the earlier front page stories had included.
"I was all ready to boycott this 'debian' thing they mentioned in the blurb," commented one disillusioned poster, "But then I went and read the article, and there was nothing about corporate conspiracy at all!"
While there was still theorizing by those who had not read the article, for the most part conversation was stilted and akward, with many participants struggling to figure out exactly what, if not governmental or corporate conspiracy, the article was actually about.

Our comany firewall

[doomy]

Here is the scripts I used to secure our file wall
and enable a nice well secured debian based internal network.

SERVER_IP= #set this to server ip

#
# Local area network
ifconfig eth1 192.168.0.1 netmask 255.255.255.0 up
route add -net 192.168.0.0 netmask 255.255.255.0 window 16384 eth1

# S E C U R I T Y ################################################## ###

#
# Enable syncookies and ip forward

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# Let local calls through

/sbin/ipchains -A input -j ACCEPT -s 0/0 -d 0/0 -i lo

#
# External calls to 127 blocking.

/sbin/ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0 -l

#
# IP MASQ Forwarding for 192.168.0.2 subnet
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.2/24 -j MASQ

#
# Modprobing
modprobe ip_masq_user
modprobe ip_masq_ftp
modprobe ip_masq_irc ports=6667,6668,6669,6670
modprobe ip_masq_raudio
modprobe ip_masq_quake ports=26000,27000,27910,27960

#
# Now block some ports we dont want people to use from outside
# block from ICMP troubled ports

/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 21 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 23 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 25 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 79 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 139 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 143 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 1080 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 6000 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 12345 -l
/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 31337 -l

#
# Block ICMP flooding/pinging

/sbin/ipchains -A input -p icmp -j DENY -s 0/0 8 -d 0/0 -l

#That's some basic stuff to be blocked. These rules will block: ftp, telnet,
#smtp, finger, netbios, imap, socks, X11, netbus and Back Orfice. It will
#also create a syslog entry as logging (-l) has been enabled. You can add or
#remove ports as you want.
# got this bit from a security listing

# Block everthing on eth0 for the following ports
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 2401
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 6000
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 515
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 752
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 1024
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 111
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -i eth0 -d ${SERVER_IP}/32 5432

Basically it blocks almost every kind of ICMP and any unwanted attempts by intruders and also blocks access to resources used only within our network. Eg: Our postgresql server and so on.. Also it logs any illegal activities.

Enjoy.
--

Re:Our comany firewall

[arivanov]

/sbin/ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 79 -l

You mean tcp (or for some of these UDP) right?

Re:Our comany firewall

[PhiRatE]

Just a few notes:

Always enabled ip_forwarding _after_ you have initialised your firewall, in this case, move the echo to ip_forward at the top down to the bottom of the script. The reasoning behind this is that without such a move, there is a short window during which your system will forward but your firewall is not in place, thus if the attacker somehow manages to reboot your firewall they can get through into your internal network in the clear. Certainly in this case this is a very small risk, but its a trivial change and good for completeness.

The best security policies are built from the "deny first, accept later" method. You should set the default policy on your network to DENY, and then accept what you need, not the other way around as you have done here. Yes this requires a lot more work, since you have to really figure out what you need to access, but it remains far more secure against unanticipated future attacks and insecure internal machine configurations (ie, leaving on a service that you didn't mean to).

You should always drop martians on a firewall as well, a martian is a packet that has an address that should not be possible, this includes broadcast addresses you don't want, 192.168.* from the internet, 10.* from the internet, any addresses you have inside the firewall, etc. For complete lists check out places like securityfocus, they have some good resources, the iptables and ipchains sites have good information as well.

Again, only accept in packets addressed to legal accessible hosts, only send out packets addressed from legal sending hosts.

If at all possible, create a real internal network setup (ie, a 192.168.* address space), and use NAT (available in iptables and ipfilter and to some extent in ipchains) to translate these to external, this causes even more difficulty for IP based assaults as internet and internal packets must be explictly converted before they are effective in either network, giving another layer of security. This also follows on to greater security possibilities such as a public and private DNS (one outside, and one inside, that give out only the relevant information, revealing little about your network structure), binding many services at the firewall and using port based NAT to forward different ports to different hosts (confusing the attacker, making more efficient use of network resources including clustering, and causing many multi-service exploits to fail).

If possible, a reasonable variation in the operating systems used can be helpful as well, don't use an O/S you're not familiar with, you're more likely to make a critical mistake in securing the box, but if you're familiar with OpenBSD and Solaris, use both rather than aiming for a single-os network, it improves the odds of partial network survival in the event of operating system-specific exploits. This includes architectures too, most buffer overflow exploits come out for x86 systems, so having a PowerPC or MIPS system instantly improves your odds against those attacks.

All in all its a balancing game, but you can certainly make life extremely hard for those attempting to penetrate your network at many levels.

Vitually unplug yourself from the net

[Delirium+Tremens]

The moron answer to this is: Unplug Your PC from the net, oh oh oh!

Funny thing is, it can be done while still connected:

• Run your browser from within a VMWare (or clone) guest hosted by the Linux installation you want to protect.
• Or run the Linux installation you want to protect inside VMWare and browse from your host OS that you don't mind being compromised (you're only using it to watch DVD and play Diablo anyway).

Re:Hmm...

[technos]

The telltale marks of your stack can be changed easily. As is mentioned in the article, it is possible to manipulate Linux into appearing to be OpenBSD with merely ipchains. Also, there are several 'perfect' stacks that do nothing peculiar, or do the same set of oddities in the same fashion to the same packets, and are thus indistinguishable.

Hmmm. FreeBSD != great

[cvillopillil]

I found several bugs in FreeBSD 4.1. I tested a variety of systems with DMZ-originating SYN attacks, and none of them stood up to the attack. What I had was a mail server on one end of the line, and an automated pop client on the other end. I popped mail from the box, but since the firewall inbetween the perimeter network of the DMZ was blocking traffic between the two subnets from one end, the TCP SYN packets were requesting a TCP connection to be made, but the box couldn't find the orginating address of the requesting machine.

Here were my results:

Solaris on SPARC E250 This box was actually the fastest to collapse under the load. Pathetic.

Linux 2.2.16 on SPARC E250 This thing looked better than the Solaris box for a while, but ended up having the same problem, even with the new and improved qpopper daemon from Qualcomm.

FreeBSD 4.1 on Intel MMX-166This was slightly better. It running the Qmail mail system. Unfortunately, however, it was extremely slow (although it didn't really crash at all, it was mostly unusable. The Linux and Solaris boxes crashed about 6 times each)

Windows NT 4 SP6 on Intel MMX-166This was the only system that actually managed to perform decently. It was running the Ipswitch Imail Mail system. It didn't crash and didn't noticeably slow down.

So, there you have it. The results. NT 4/Imail on top, FreeBSD/Qmail 2nd, Linux/Sendmail 3rd, and Solaris/Sendmail stone last.

Looking at this retrospectively, It could be said that Open source products are middle ground. The worst performing system was a Solaris (commercial box) running an open source (sendmail) mail system. The best performing system was a commercial operating system (NT 4) and a commercial mail system (Imail). The two middle-grounders were both running Open source operating systems and mail systems (Linux, FreeBSD, Sendmail and Qmail).

Re:http://cr.yp.to/

[arivanov]

Because of D.J.B.s habit to replace a number of O.S. library functions and includes with his own qmail versions prior to 1.0.3 can be used to deliver highly effective D.O.S.es to linux machines. The bug is Linux specific. Look through the qmail sources for an ifdef linux and you will find it. Or diff 1.0.2 vs 1.0.3. The type of attack is more or less standard resource exaustion. Or search on Bugtraq where the bug was published.

Re:Can "cloaking" hide from nmap -O ?

[mindslip]

I found this the other day while looking for something else entirely:

(From Freshmeat)

IP Personality
Jean-Marc Saffroy - July 27th 2000, 20:51 EDT

The IP Personality project is a patch to the newer Linux kernels that adds netfilter features: it enables the emulation of other OSes at network level, thus fooling remote OS detection tools such as nmap that rely on network fingerprinting.

Download:
http://ippersonality.sourceforge.net/download.ht ml (315 hits)

Homepage:
http://ippersonality.sourceforge.net/

Re:Windows cloaking device

[slickwillie]

Just run Blue Screen of Security 1.0.

Try Bastille Linux

[slickwillie]

Here. It is supposed to harden your Linux system. I haven't tried it though. I downloaded it, but before I got around to running it, I installed FreeBSD.

Re:Yeah, Mom ...

[debrain]

Yep. My mother and Unix don't get along. Come to think of it, my mother and computers don't get along.

One of the best points I noticed here was that Linux distributions are not being segregated by what they are specialized for. The one size fits all distribution is good in theory, but not particularly practical for most instances of implementation, nor does it have a great business model. (Specialization is where the money's at, man. :) )

Re:Wewanthackers.com has been up 50 days straight

[Bruce+Perens]

Do you know how many attempts there have been?

It's being port-scanned continuously. I didn't count them, but I'd have to say thousands. At least a dozen people wrote me to point out the fact that the telnet port is open (although it's a nice encrypted telnet).

Anyway, that's 'crackers' surely?

Indeed. Read the web page on the site.

Bruce

Lock down? Why?

[Fervent]

The whole principle of hacking is to share and divulge information and ideas. You claim information wants to be free, then proceed to "lock down" your Linux box (this is the modern day hacker's paradox).

According to Steven Levy, the "original hackers" (those working at MIT) had a small drawer where all the paper tapes could be read, borrowed, changed and altered. Anyone could have access to the box.

When the university developed their first time-sharing machine (replete with user names and passwords) they hated it. Not for the fact that they were losing computer power (although some would argue this was important) but because information was hidden from other users.

They accepted the time-sharing box under one condition: users could have passwords, but all user information could be read by any other user. This included admins. So the standard user could change and view the admin's files, and vice versa.

The tape drawer was reborn.

One would argue that the modern-day hacker has really lost touch with what hacking is supposed to mean. It's about sharing, and by "locking down" boxes and trying to break into web servers to expose security, we're moving farther and farther away from that ideal. We should go back to the tape drawer, people.

P.S. Read the book "Hackers" by Steven Levy. You'll be glad you did.

Re:Wewanthackers.com has been up 50 days straight

[Demona]

>Anyway, that's 'crackers' surely?

Nah. Wewantcrackers.com could make people think it's run by kids. Or parrots. And that would lead people to associate it with pirates, and the stain would be too great for them to ever gain any legitimacy in mindshare.

Re:Hmm...

[earlytime]

haven't you guys sever heard of queso, or nmap -O?

there are lots of ways someone can id your box over the network, regardless of the service headers.

And BTW, if you're gonna print identifying headers, why print sendmail? print postfix, or qmail, or nothing! ;-)

-earl

Amateurs . . .

[alhaz]

OK, I'm sorry. I shouldn't talk down to people, but that "cloaking debian" article, while definately helpful, smacked of an amateurish failure to fully comprehend how these things work. For starters he has you turn on ip forwarding w/o even mentioning what it's for and letting you decide if you really want it. (tip, unless your linux box is a router, you don't)

There is a MUCH better free resource on the issue - http://www.linux-fire wall-tools.com/linux/firewall/index.html

Run it. Read it. Study it. Compare it with the documentation. OK, just use it, but using it and working with it can help you get a far better grip on what's going on. The script it will generate for you is FAR better at keeping a lid on your network connection.

ls output from publicfile's ftpd

[woods]

publicfile is a fabulous package that should really get much more recognition and use. It can do 90% of what most people want from httpd/ftpd servers in a faster and far more secure manner.

However, one stumbling block for a lot of people is Dan Bernstein's exclusive use of his EPLF format for LIST and NLST requests. This format is a great idea but still isn't very widely implemented by ftp clients including most web browsers; this is why you'll usually just see the raw eplf output on most clients when you do a dir or ls (example eplf output).

I wrote a patch to publicfile that will cause it to use the more widely accepted /bin/ls format. This will allow it to display properly in most ftp clients and web browsers (example of patched publicfile ftpd, over 65k modem BTW).

The patch is at ftp://ftp.essc.psu.ed u/pub/emsei/woods/publicfile_no_eplf.patch. I don't believe it compromises the security of the package in any way. Please let me know if you find it useful, or have any suggestsions.

-- Scott

Re:Lock down? Why?

[ackthpt]

Very egalitarian. But you do know the use of the word hacker in this sense is the one bandied about in the media by people who wouldn't know paper tape from masking tape.

AFAIK Hacking originated in the physics discipline.

In my 8bit days I probably did a bit of cracking (taking the protection/loader, etc. out of a commercial package) and hacking (adding my own special mods to get the package to behave, IMHO, rationally.)

I'm sure there's a grey enough line between there somewhere, particularly where Randal Shwartz is concerned.

Vote Naked 2000

"Friendly" security help

[Masem]

Has anyone considered a service which would be composed of hackers (in the correct sense of the word) that would offer to run the gambit of security attacks at a given IP range, and then report back on this with suggestions of how to lock the system down more? Like the services that Redford and co. were doing for physical security in the movie Sneakers?

Sure, there would be a lot of initial paperwork (guarentee said requestor owns or manages the IP range), and a LOT, I mean a LOT, of trust between the requestor and said team that if there was a security problem, the team would not take advantage of it. In addition, this group would have to stay ahead of the script kiddies, possibly roaming in their irc channel so that they keep up on lame attacks.

Sure there are programs like Saint that can capture some of this, but this certainly isn't best that one can ask for. I also know there are industral groups that you can pay $$$$ for to have this done, but they tend to be about a month behind (roughly). So this isn't good for the hom user.

Note that I don't think many home linux box users are lazy. Most keep up with the distro updates, and take advice that is given in the articles here (like the inetd stuff). However, there are holes found all the time, not necessarily reported to lists like bugtraq, and even if reported, it is hard to check to see if one is truely vunerable from inside your own network. The service I describe is not meant to be a replacement for your own work in securing the box. But it should help supplement it, and make finding those last security holes easier.

Yeah, Mom ...

[debrain]

It goes like this:
"Mom, open your slash-etc-slash-i-n-e-t-dot-d"

"What's a slash?"

"It's the same key as the question mark"

"Oh ok. Found it. What do I hit after that?"

"Well are you root?"

"Maybe. What's root? Brian, this is too complicated for me."

And so on and so forth. All those securities enabled in the rootprompt article should be, in my humble opinion, enabled by default. Admittedly, I'm not giving my mother Linux anytime soon (maybe for Xmas, if I'm particularly cruel), but still, the only services that should be allowed are those necessary for a client. If you want your machine to act as a server, you should really have the know-how to set it up with the serving-serivces. If you don't know how to set up those services, you probably shouldn't be using them. I think OpenBSD is a good example of how to do a distribution properly. Secure by default.

How apropriate...

[nevets]

Yesterday, a friend of mine found out (I told him) that he was hacked.

He first called me to ask me why he can no longer read his vfat filesystem after he mounts it. It seems that the functions (ls, cd, ...) core dump after he access his vfat system. Then he ask (as a side note!) is it normal to have the Transfer and Receive lights of his cable modem flashing while he is not doing anything. This is where I became curious.

I asked him to do a netstat -a and he told me that he sees a connection to .ksu.edu on port 1025. Looks like he was currently being hacked. I did a nmap on his machine and it was a straight out-of-the-box version of RedHat 6.1, with everything from linuxconfd to webservers to finger open. He just told me he didn't care.

I helped him reinstall his whole system with only his mp3s stored and we whiped clean his harddrive and reinstalled. I showed him how to use ipchains and to turn off all daemons that he did not use. We also set up a system to perform check sums of his file system to compare it to a check sum on a cdrom.

With more and more users connecting to the Internet via cable modems and DSL and leaving their machines up 24 hours a day, things like this will happen unless you lock down your system.

I have to mail him this.
Steven Rostedt

Re:http://cr.yp.to/

[Bruce+Perens]

Quoting DJB: If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get my approval.

IMO that's a genuine lack of freedom. Next time you have a question like this, would you please leave out the gratuitous insult?

In his place, I would publicize the checksum of the "official version" and let people do what they want with unofficial versions. I would use a trademark to distinguish official and unofficial versions. Since I started using that strategy for the official Debian CD ISO image, it's worked pretty well.

Bruce

Re:Windows

[(trb001)]

Let me preface this (possible flame) with this: I like Linux. I think it's better for networking than Windows.

That being said, Windows is really not THAT bad. You have to know what you're running on it, true, but it's the same way with Linux. The problem is that NT installs a LOT of stuff for you. You have to go back through and configure stuff, turn stuff off, turn monitoring on, etc.

I ran a Windows NT server at a college that was the software distro for the entire campus and never was hacked. You'd think a college serverwith no firewall would be a prime target, no? Well, I turned off just about everything except what I needed...web server, ftp with VERY controlled access, a little file sharing and the rest was shut off to the world. I then monitored it through system logs and if I saw something not right, I checked it out.

Not saying that holes don't exist, but I think people (especially on /.) tend to jump down NT's throat about security. If you REALLY want to jump on NT, do it for the right reasons...resource hogging.

Just my HO.

--trb

Why don't you just use an OpenBSD firewall

[Hairy_Potter]

What other OS has been gone through line by line to eliminate potential holes, flaws and buffer attacks?

OpenBSD, most secure OS out there.

Of course, export restrictions make it tough to get OpenBSD if you're in the US (Which is why they are based in Canada), but you can always smuggle a copy across the border, as long as you don't look like a terrorist.

Re:Why don't you just use an OpenBSD firewall

[mindstrm]

Hunh? in the US, you may import whatever you want...
why should it be hard to get OpenBSD?
And if it's developed in Canada, export restrictions are also lax...
I don't understand?

Hmm...

[Aqualung]

I can just see it now....

root@host#telnet box.host.org 25
Trying 123.244.244.244...
Connected to box.host.org.
Escape character is '^]'.
220 box.host.org ESMTP Sendmail 8.11.0/8.11.0/NOT DEBIAN I SWEAR!!!!! 8.11.0-1; Wed, 13 Sep 2000 13:47:29 -0500
Script Kiddie:Curses, foiled again!

:-)

----
Dave
MicrosoftME®? No, Microsoft YOU, buddy! - my boss

Re:Windows

[bartjan]

Securing a windows box is easy: remove all cables connected to it.

http://cr.yp.to/

[Russ+Nelson]

If you want secure servers, run Dan Bernstein's software. Three of the top ten programs on SANS's list of security holes include bind, sendmail, and ftp servers. Dan has secure replacements for all of them.
-russ

Re:http://cr.yp.to/

[alhaz]

He *Says* it's never been broken into. qmail has been a vehicle for attacks in the past, he covers this by stating that it was a bug in the operating system that made it possible. Sure, whatever.

I respect his abilities, but he's unfortunately off his nut. That's the problem with fanatics, generally.

Re:http://cr.yp.to/

[AliasTheRoot]

The license he distributes his software is his business, just because it doesn't mesh with the prevalent ideology here on /. doesn't make it bad.

Me, I couldn't give a rats ass what license something is distributed under, it's just not important to me in the selection process.

Tools for the job.

Re:http://cr.yp.to/

[Bruce+Perens]

Dan is a pretty interesting guy. I just wish he would change his take on licensing. None of his replacements for other programs have OSD-compliant licensing, as far as I'm aware, and IMO his reasons for that aren't good enough. The result is that people write replacements for his replacements! The Postfix mail delivery agent is a good example of this.

Bruce

Re:Security != "security_from_script_kiddies"

[G27+Radio]

The cloaking article says "they can't crack what they can't find"... and sadly I think it's very true. My home small network has a firewall with only ssh2 open. I get portscanned about 3 times a day. I think my setting is pretty secure, but I might always have a security hole somewhere. However, script kiddies will not bother with my computer because so many others are fully open.

I get scanned that many times an hour at times (probably because people know my subnet is all cablemodems.) One day I decided to run nmap on the IP's as they scanned me. On about the third IP address I that nmapped I found an open port 139. So for kicks I connected to it with a null login and password from an Win2k box I was testing. His entire C: drive, CDROM, and CDR were wide open. How convenient of him to leave a guest account for the people he scanned to find out more about him. I got bored fast (sharing over tcpip was way slow) so I didn't bother to read through his homework, but I did download a photo of him and his mother. I should've mailed it back to him from a hotmail account and told him he's an idiot. Disclaimer: Before you even think about trying this yourself, consider that the machine may be a honeypot owned by a hacker. Documents and executables may contain trojans.

Considering how quickly I got scanned by a script kiddie whose own system was wide open, I have to wonder is this the average skill level of a script kiddie?

There is an excellent radio show available online called Info.sec.radio. It's available on SecurityFocus.com under the Audio/Visual Media section. They do a one hour show every two weeks. They've got some cool interviews: the RCMP officer that busted the welsh hacker, and most recently Kevin Mitnick himself. They also have done a feature on Hacking Through the Ages which is a historical perspective on hacking. Every show they do a segment on new vulnerabilities.

I wasn't expecting much but now I'm addicted. They do an excellent job of providing a lot of information quickly. I think what suprised me the most was that the show moves quickly and is not boring at all. If you have any interest in securing/cracking systems you'll be glad you checked it out (IMO).

Requires Realaudio :|

numb

Re:Security != "security_from_script_kiddies"

[PhiRatE]

Actually, it is far more likely that the box you connected to had already been the target of a script kiddie, and he was using that as a relay. i expect you only got a picture of another victim, and his mother.

Re:Security != "security_from_script_kiddies"

[G27+Radio]

Actually, it is far more likely that the box you connected to had already been the target of a script kiddie, and he was using that as a relay. i expect you only got a picture of another victim, and his mother.

In retrospect this does seem most likely. Hmm. Makes me glad I didn't go after his e-mail address, then I would really feel like a bozo.

numb

Re:Can "cloaking" hide from nmap -O ?

[noeld]

The "cloaking" described in the article causes nmap to not find anything. Much less the type of machine. It firewalled all of the open ports on that interface from incoming packets.

RootPrompt.org -- Nothing but Unix

Is it more secure than other secure systems?

[Christopher+B.+Brown]

I'd have no trouble agreeing that qmail has a better security record than Sendmail.

The problem is, that's not the only plausible comparison to make. It's more or less like saying, Because Windows Crashes If You Look At It Funny, and Linux doesn't, therefore Linux must be SuperRobust Software.

Which may be a legitimate comparison at one level, but still doesn't mean that closer comparisons aren't more relevant. I'd think we'd learn more from comparing Linux to VMS, or Tandem, or *BSD.

And heading back to relevance, perhaps qmail hasn't gotten "hacked," but it seems to me that we could ask if Postfix has gotten hacked, and find that quite meaningful.

GNU system philosophy

[Ross+C.+Brackett]

I think things have changed a bit now, but you're right -- GNU software design certainly reflects this paradigm, even in today's modern security-paranoid age. Here's a great few paragraphs I've excerpted from the GNU sh-utils manual from '96 (I kid you not)

----

Why GNU su does not support the `wheel' group
(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

----

I didn't know if I should shake my head and weep or pump my fist "right-on" style and start a food collective. It wasn't exactly the answer to the question I was looking for, but it is one of the cooler things I've ever seen in a software manual.

Better to cloak or look like boringly visible?

[dpilot]

Cloaking seems to be a great idea, but it falls on a few counts. First off, you really shouldn't block all ICMP messages. You really do need some of them for efficient operaion. I don't know if the ones that need to be open can be used in a ping-like fashion, but I wouldn't put it past someone to figure out a way.

Second, you really need at least some opening for IDENT, or else you'll get terrible throughput on your email. You can filter based on the source IP, but that can be spoofed. (Of course the responses then go to the mailrelay...) Some web sites seem to generate IDENT requests, but I'm not sure what they do if you DENY them.

This is even before we get to scans with illegal packets. I'm under the impression that there are some scans that will get responses from some firewalls even if a port is "stealthed".

In general, it just might be better to look "boringly visible" and offer no services, just closed ports. Nothing to offer, nothing to hide. At the same time, it would be useful to get the kernel patch that lets you change your TCP fingerprint - make your box look like OS/2, for instance.

The situation will change when Kernel 2.4 gets out with netfilters. Stateful filtering will make it possible to DENY more effectively if you want to fly with "stealth", and the general architecture should make it easier to look boring, including changing the TCP fingerprint. (Netfilter or ipchains will allow you to offer ports to some IPs while hiding from others, netfilters will just let you do a better job of it.)

Re:Better to cloak or look like boringly visible?

[mjg]

There is a patch available here called the Linux IP Personality patch. It adds features to netfilter in the 2.4 kernel series which gives you the ability to change the network fingerprint, so you can, for example, fool nmap.

So yes, you can make your box look like OS/2 pretty easily.

Wewanthackers.com has been up 50 days straight

[Bruce+Perens]

We put a Debian "potato" system up as WeWantHackers.com and it's been up 50 days without a reboot. Of course, the web page on the site says we aren't really looking for computer crime...

Bruce

Can "cloaking" hide from nmap -O ?

[swb]

From my quickie look, cloaking involved blackholing some traffic and disabling some common services.

The tool *I* use when I wonder what something is running is nmap and its -O option, which uses things like TCP sequence numbering in addition to open services to determine what kind of IP stack is running. Cloaking as described above may not necessarily fool nmap as it looks more deeply than just a simple TCP port scan.

Security != "security_from_script_kiddies"

[JPS]

The cloaking article says "they can't crack what they can't find"... and sadly I think it's very true.

My home small network has a firewall with only ssh2 open. I get portscanned about 3 times a day.
I think my setting is pretty secure, but I might always have a security hole somewhere.
However, script kiddies will not bother with my computer because so many others are fully open.

Securing a network against SK is fairly easy because you just need to be more secure than the norm. Securing a network for real is certainly harder.

ipchains rules

[Dionysus]

Why didn't the guy block everything by default, and then let selected services through?

Here is easy firewall rules:

/sbin/ipchains -P input DENY # deny everything by default

# local have full access
/sbin/ipchains -A input -i lo -j ACCEPT

# let some basic services through
/sbin/ipchains -A input -p udp --sport domain --dport 1024: -j ACCEPT
/sbin/ipchains -A input -p tcp --sport domain --dport 1024: -j ACCEPT # not strictly necessary, but some dns services return answers using tcp
/sbin/ipchains -A input -p tcp --sport telnet --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport ftp --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport ftp-data --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport ssh ! -y -j ACCEPT # ssh uses a lower numbered port when you want RSA access
/sbin/ipchains -A input -p tcp --sport www --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport https --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport smtp --dport 1024: ! -y -j ACCEPT
/sbin/ipchains -A input -p tcp --sport pop3 --dport 1024: ! -y -j ACCEPT # note that redhat calls the port pop-3

# let some icmp messages through
/sbin/ipchains -A input -p icmp --icmp-type pong -j ACCEPT
/sbin/ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT

# finally, add a catch all logging
/sbin/ipchains -A input -l

you need to set your ftp to passive=off (check prefs_v3 if you are using ncftp). You can expliclty deny addresses from the private network block, but according to the IPCHAINS-HOWTO there is a better way to do it. Check it out.

When you finish, type '/sbin/ipchains-save > ipchains.rules' to save it, and '/sbin/ipchains-restore ipchains.rules' to restore the rules.

Re:Lock down? Why?

[Vassily+Overveight]

One would argue that the modern-day hacker has really lost touch with what hacking is supposed to mean. It's about sharing, and by "locking down" boxes and trying to break into web servers to expose security, we're moving farther and farther away from that ideal. We should go back to the tape drawer, people.

And prepare to have your head handed to you, legally speaking. There was a recent SlashDot story on a guy who had done something like this on his web site, letting all users upload stuff, and all uploads being accessible to all users. The intent was to let people upload their materials/applications so that they could get at them from wherever they were in the world. He's now being prosecuted (or maybe it's only at the threat stage right now - I haven't checked) for running a service that assists in copyright infringement.

Social Engineering

[zpengo]

It always comes down to the human element, though, which is the part that the 1337 h@x0rz and skr1p7 k1dd13z never quite figure out. The great crackers went beyond mundane knowledge of how to open a box to use creativity, psychology, and human nature to get people to give up the goods. I've been made a fool once or twice, but each time I let myself get talked into it. A box is only as secure as its administrator is paranoid.