Hey Guys -
A friend of mine is running a linux box to run stuff off of on the internet ... including his website, ftp server, email, and some forums. He's had some issues with unauthorized people getting into the box (the most recent of which was this weekend, where someone was able to place a spam emailer on his server which pumped out 2.5gigs worth of spam email in 3 days). Also the bbs has been getting hit hard with spam bots. So I guess my question is what options does he have as far as security/firewalls/etc? I don't know much about it myself, but I know that some of you probably do.
Thanks in advance for any help.
-Talsor/Ed
Linux Box Security
-
- Sojourner
- Posts: 376
- Joined: Wed Feb 07, 2001 6:01 am
- Location: Long Branch, NJ
Well, first of all he can run the Linux box as a firewall also; that will help. I don't have any of the program links handy, but I will get ahold of them. What version of Linux is he using? That is a big question on how to best protect him.
i dont know what your problem is, but i bet its hard to pronounce
myspace.com/tgchef
-
- Sojourner
- Posts: 376
- Joined: Wed Feb 07, 2001 6:01 am
- Location: Long Branch, NJ
Not sure, I haven't played with it any. I'm still learning the ins and outs of Linux.
My dad is the real guru. The other thing you could do is talk to Zipah in game; he is a Linux admin, he should be able to help you out a lot.
i dont know what your problem is, but i bet its hard to pronounce
myspace.com/tgchef
This is the Zipah!... unwanted access attempts in Linux.
The best way to restrict access to a Linux box is to run a tight set of firewall rules with other services restricted or obscured... this is easily done.
SSH is the number 1 intrusion, though it is needed for remote management, so be sure that SSH is updated to the latest version; next obscure the port that it is connecting on, and disable root login to SSH. All should be done from the sshd_config OR sshd.conf file on your Linux box (depending on distro).
My firewall of choice, good old iptables, should be a standard package for just about every distro.
Create a good ACL-based firewall. A firewall with a default policy of ACCEPT is not a firewall, it is a filter.
This will get you started.
First you need to clear the iptables lists and set the policies so you can access the box... then restrict them again.
Run as root:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -L -n
This should display something like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Then you need to add the rule for your local address:
iptables -I INPUT -s XXX.XXX.XXX.XXX -j ACCEPT
where XXX.XXX.XXX.XXX is the external address of your workstation (if you are behind a NAT device you need to use the address of the NAT device, a.k.a. visit whatismyip.com).
iptables -P INPUT DROP
Now your box is completely non-existent on the internet except for the single address that you allowed.
Next you need to add some minor rules for TCP sessions so that it doesn't look like it is firewalled so much:
iptables -A INPUT -s 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport XXXX -j ACCEPT
where XXXX is your new SSH port (the --dport match only works once a protocol is given with -p tcp).
iptables -A INPUT -s 0.0.0.0/0 -j LOG --log-level 4 --log-prefix "UFO access attempt"
iptables -A INPUT -s 0.0.0.0/0 -j DROP
And bang, all access to the box is now stopped... if you have specific networks that you want to allow to the box there are some ways you can do that; the easiest is with "white listing" using the rule that I used to allow your address.
You can specify an address block by -s XXX.XXX.XXX.0/XX; the /XX is the netmask (usually 24).
Tighter firewalls can be achieved using a proggy called fwlogwatch... but it is too hard to explain here.
Any question, you can mail me or talk to me in game... I play Zipah mostly now.
---------------------------
Your Friendly Neighborhood Paladin
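A script version of the ruleset above, added here as an example (it is not Zipah's own script): it prints the commands in the post's order with the two rule syntaxes corrected (-m state --state, and -p tcp before --dport), refuses to run with a malformed whitelist address so a typo cannot lock you out, and goes one step beyond the post by also opening the ports a public web/mail box has to serve. ADMIN_IP, SSH_PORT and PUBLIC_TCP_PORTS are assumed values.

```shell
#!/bin/bash
# Added example (not the original post's code): emits the whitelist-then-drop
# iptables ruleset from the post with its syntax fixed. Prints by default; --apply runs it (root).
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"          # assumed: your workstation's public address
SSH_PORT="${SSH_PORT:-2222}"                  # assumed: the relocated sshd port
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 25}" # assumed: ports the box serves to everyone

# A bad ADMIN_IP would lock the admin out or, with a short mask, open the box to
# a huge range, so accept only a dotted quad with an optional /8 to /32 prefix.
valid_source() {
    local spec="$1" ip mask o n=0
    case "$spec" in *[!0-9./]*|""|.*|*.|*..*) return 1 ;; esac
    ip="${spec%%/*}"
    mask="${spec#*/}"; [ "$mask" = "$spec" ] && mask=32
    [ "$mask" -ge 8 ] 2>/dev/null && [ "$mask" -le 32 ] || return 1
    local IFS=.
    for o in $ip; do
        n=$((n+1))
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Same order as the post: reset, whitelist the admin, flip INPUT to DROP, allow
# loopback, replies, SSH and public services, then log and drop the rest.
rules() {
    valid_source "$ADMIN_IP" || { echo "refusing: bad ADMIN_IP '$ADMIN_IP'" >&2; return 1; }
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -I INPUT -s $ADMIN_IP -j ACCEPT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    for p in $PUBLIC_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -j LOG --log-level 4 --log-prefix 'UFO access attempt '"
    echo "iptables -A INPUT -j DROP"
}
if [ "${1:-}" = "--apply" ]; then
    rules | while IFS= read -r cmd; do eval "$cmd"; done
else
    rules
fi
```

Run it once without --apply and read the output before applying; the admin whitelist line must show the address you actually connect from.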
Ooohhh, forgot something.
You need to change all user and root account passwords... to things that are more secure,
something like these:
yvrwDcJDl
ywmkhxHCKC
KfxYaw97kTavY
SUE7ohAr7PD1Y
from my pass-o-matic script *grin*
---------------------------
Your Friendly Neighborhood Paladin
-
- Sojourner
- Posts: 376
- Joined: Wed Feb 07, 2001 6:01 am
- Location: Long Branch, NJ
Disable root logins entirely, as using root login is stupid. Don't forget your root password though, you'll still need it to perform some things you restrict.
Is he using BSD or Linux? You say Linux, but I know a lot of people say Linux and mean BSD because they don't know the difference. :) OS/distro would be good to know in this situation.
CONFIGURE APACHE PROPERLY!!! This is the biggest security leak you could potentially have if he just threw it on the box without doing any major configs.
If he's running an FTP, make sure he doesn't allow executables to be uploaded. That could be how he got the spam engine. If you allow anonymous logins, then consider disabling anonymous uploads. Log your uploads from other users, just in case.
Try this page out if he's really new at Linux...
http://www.reallylinux.com/docs/conflin.shtml
Astaro is a good choice for a Linux firewall, and IPFW2 is a great BSD firewall.
I could post tons more, but I don't feel like Googling at 5 AM. :P I highly recommend searching for documentation on configuring each of your processes (FTP/Apache/email/BBS).
Hope that helps, Ed!
Support Your Addiction! Vote for TorilMUD Today!
Top Mud Sites: http://www.topmudsites.com/cgi-bin/topmuds/rankem.cgi?id=shev
Why Nerox is jealous of me:
Nerox tells you 'man this thing is kicking my ass and i have blisters!'
Nerox tells you 'ok attempting it again put tape on my fingers for easier sliding'
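A checker for the sshd_config advice in this thread (disable root login, move sshd off port 22), added here as an example and not taken from any of the posts. It works on a constructed sshd_config and relies on two facts about how sshd reads its file: the first value it sees for a keyword wins, and anything after a Match line applies only to that block, so a PermitRootLogin no tucked under a Match does not protect the rest of the box.

```shell
#!/bin/bash
# Added example, not from any post in this thread: checks an sshd_config for the
# two settings recommended above (PermitRootLogin no, Port moved off 22). sshd
# uses the first value it sees for a keyword, and lines after a "Match" apply
# only to that block, so the check stops reading at the first Match line.
set -eu

# Prints "<Keyword> <value>" for the global setting, or "<Keyword> DEFAULT" when
# the file never sets it before any Match block (sshd then uses its built-in default).
sshd_global() {   # $1 = keyword, $2 = config file
    awk -v key="$1" '
        BEGIN { k = tolower(key) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                  # conditional section starts
        tolower($1) == k { print key, $2; found = 1; exit }
        END { if (!found) print key, "DEFAULT" }
    ' "$2"
}

# Returns 0 when both recommendations hold, otherwise prints what is wrong and returns 1.
audit_sshd() {   # $1 = config file
    local root port ok=0
    root=$(sshd_global PermitRootLogin "$1" | awk '{ print tolower($2) }')
    port=$(sshd_global Port "$1" | awk '{ print $2 }')
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', want no"; ok=1; }
    case "$port" in 22|DEFAULT) echo "Port is $port, move sshd off 22"; ok=1 ;; esac
    return $ok
}

# Constructed sample: looks hardened at a glance, but the "no" sits under a
# Match block, so the global PermitRootLogin is still "yes".
sample=$(mktemp)
cat >"$sample" <<'EOF'
Port 2222
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
audit_sshd "$sample" || echo "audit failed for $sample"
rm -f "$sample"
```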