Alan McKinnon wrote:
> On Saturday 05 September 2009 11:56:09 Dale wrote:
>
>> Hi,
>>
>> As some may know already, I recently got DSL. It's not a super fast
>> connection by broadband standards, but it does mean that my box may be
>> easier to find for a hacker. So, I have a few questions about
>> security. I think I am OK but want to make sure.
>>
>> 1: I have a good root password. It's not something someone would guess
>> for sure. Nothing related to my history, birthdays or anything. It is
>> still fairly easy for me to type though.
>>
>
> Good. Also disable root login using sshd.
>

Since ssh is not running, I assume it doesn't matter at this point?

> |
22 |
>> 2: I went to this link: https://www.grc.com/x/ne.dll?bh0bkyd2 |
23 |
>> According to that site my ports are in "stealth" mode which is good from |
24 |
>> what I understand. |
25 |
>> |
26 |
> |
27 |
> That's Gibson. Sometimes he talks sense and has good ideas, but he always |
28 |
> rambles. Wheat and chaff. |
29 |
> |
30 |
> Run "netstat -atnup" and see what's open. Apply brainpower to what you see. |
31 |
> Learn how to drive nmap and throw it at localhost. Apply brainpower to what |
32 |
> you see. |
33 |
> |
34 |
|
35 |
This looks OK to me. It is things that I have connected to the internet |
36 |
and am using. I have Seamonkey running and Kopete is logged into Yahoo |
37 |
at the moment. Still want to get rid of that pesky upgrade message |
38 |
tho. ;-) I do have cups running but nothing is shared. It's just a |
39 |
local printer. I have no idea what the mDNSResponderP thing is. That |
40 |
is something that is pulled in by something else and it showed up ages |
41 |
ago. |
42 |
|
43 |
root@smoker / # netstat -atnup |
44 |
Active Internet connections (servers and established) |
45 |
Proto Recv-Q Send-Q Local Address Foreign Address |
46 |
State PID/Program name |
47 |
tcp 0 0 127.0.0.1:3493 0.0.0.0:* |
48 |
LISTEN 26885/upsd |
49 |
tcp 0 0 127.0.0.1:631 0.0.0.0:* |
50 |
LISTEN 5428/cupsd |
51 |
tcp 0 0 127.0.0.1:3493 127.0.0.1:40613 |
52 |
ESTABLISHED26885/upsd |
53 |
tcp 0 0 127.0.0.1:38147 127.0.0.1:631 |
54 |
TIME_WAIT - |
55 |
tcp 0 0 127.0.0.1:631 127.0.0.1:38148 |
56 |
ESTABLISHED5428/cupsd |
57 |
tcp 0 0 192.168.1.1:53247 68.180.217.6:5050 |
58 |
ESTABLISHED6730/kopete |
59 |
tcp 1 0 192.168.1.1:45608 204.2.215.83:80 |
60 |
CLOSE_WAIT 6269/gpg-agent |
61 |
tcp 1 0 192.168.1.1:45609 204.2.215.83:80 |
62 |
CLOSE_WAIT 6269/gpg-agent |
63 |
tcp 0 0 127.0.0.1:38148 127.0.0.1:631 |
64 |
ESTABLISHED6795/seamonkey-bin |
65 |
tcp 0 0 127.0.0.1:40613 127.0.0.1:3493 |
66 |
ESTABLISHED28709/upsmon |
67 |
udp 0 0 0.0.0.0:40143 |
68 |
0.0.0.0:* 5382/mDNSResponderP |
69 |
udp 0 0 0.0.0.0:5353 |
70 |
0.0.0.0:* 5348/mdnsd |
71 |
udp 0 0 0.0.0.0:5353 |
72 |
0.0.0.0:* 5382/mDNSResponderP |
73 |
udp 0 0 0.0.0.0:60777 |
74 |
0.0.0.0:* 5348/mdnsd |
75 |
udp 0 0 192.168.1.1:123 |
76 |
0.0.0.0:* 25561/ntpd |
77 |
udp 0 0 127.0.0.1:123 |
78 |
0.0.0.0:* 25561/ntpd |
79 |
udp 0 0 0.0.0.0:123 |
80 |
0.0.0.0:* 25561/ntpd |
81 |
root@smoker / # |
82 |
|
83 |
> |
84 |
>> 3: I have no servers running here. No Apache, MySql, or any of that. |
85 |
>> I also have turned off/stopped ssh since I have only one box at the |
86 |
>> moment. |
87 |
>> |
88 |
> |
89 |
> no services running by default is a sane starting point for personal use. But |
90 |
> you will likely need *some* services, so deploy them one by one and audit each |
91 |
> one before taking it live. Start them only when you need them. |
92 |
> |
93 |
> |
94 |
>> 4: I'm currently using this kernel: 2.6.25-gentoo-r9 I plan to |
95 |
>> upgrade that in the next day or so. |
96 |
>> |
97 |
> |
98 |
> Kernel bugs exist of course, but in terms of numbers, it's far easier for |
99 |
> someone to access your box using other routes. Like php. |
100 |
> |
101 |
> Pay attention to kernel bugs but you also have to prioritize by risk factor, |
102 |
> so that one is correspondingly lower on the list. |
103 |
> |
104 |
> |
105 |
>> The DSL modem I am using is the Motorola 2210. It seems to be a gateway |
106 |
>> thing. I have no router at the moment but if I build a new rig I will |
107 |
>> be getting one then. Most likely a Linksys or something. I'll post |
108 |
>> here before getting one anyway. ;-) |
109 |
>> |
110 |
>> Am I missing anything? If you need more info, let me know. I just want |
111 |
>> to make sure no one can get into my box without me knowing about it and |
112 |
>> getting into mischief. |
113 |
>> |
114 |
> |
115 |
> By far the most common attack vector into home machines is users doing stupid |
116 |
> things with mail and dodgy links. This is how phishers work. So you need to |
117 |
> apply diligence in what you click and where you go. But, you are likely |
118 |
> exercising this already. |
119 |
> |
120 |
> Top of my list is always to lock down things that give shell access. No |
121 |
> telnet, no root login, access for specific users only. I use "AllowGroups" in |
122 |
> sshd_config a lot - only that group's members may log in and one grep shows |
123 |
> you exactly who is in that group. |
124 |
> |
125 |
> You deal with brute force attacks using packages like fail2ban and denyhosts. |
126 |
> The general idea is that if a certain number of failed attempts show up in the |
127 |
> logs in a short time, that IP is locked out for a few hours. |
128 |
> |
129 |
> john the ripper is excellent at finding weak passwords. I don't know how much |
130 |
> benefit you will get - having only two users with passwords - but I use it |
131 |
> routinely on my servers. There's a certain satisfaction in attending security |
132 |
> forum meetings and telling some manager with a stick up his ass that you are |
133 |
> the one who trashed his access because you found his password in 38 seconds |
134 |
> :-) |
135 |
> |
136 |
> |
137 |
|
138 |
I don't think anyone can login here except through something local. I |
139 |
can't remember where but it has to be a local connection for it to let |
140 |
you login. Basically, I don't want anyone to be able to login, root or |
141 |
user, from anything but my chair. I think that is how it is set up. I |
142 |
don't access or need access from a remote location basically. |
143 |
|
144 |
I am careful with things like bank sites, credit card sites even myspace |
145 |
and others. I don't click on links in emails or anything. I have most |
146 |
everything bookmarked in Seamonkey and keyworded so I don't have to type |
147 |
much. For my google email account, I type in gmail and it goes to my |
148 |
google email account. My bank and credit card doesn't allow form |
149 |
managers which in a way I don't like. I used to have a really long |
150 |
password that was about as secure as it could get but now that I have to |
151 |
type all that crap in, I changed it to something shorter. Yea, me and |
152 |
the bank went a few rounds on that one. |
153 |
|
154 |
I'll check into fail2ban and denyhosts. Any one better or more |
155 |
preferred than the other? |
156 |
|
157 |
Thanks. I knew you would help me on this. LOL |
158 |
|
159 |
Dale |
160 |
|
161 |
:-) :-) |
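The netstat listing in the post is what Alan's "apply brainpower" step works on, and the question to ask of each row is which address the socket is bound to. 127.0.0.1 means only processes on the same host can reach it (upsd on 3493, cupsd on 631); 0.0.0.0 means every interface, DSL side included (mdnsd and mDNSResponderP on udp/5353, which is multicast DNS, plus their dynamic ports, and ntpd on udp/123); 192.168.1.1 is the LAN address. Gibson's "stealth" result only says that his probes were dropped somewhere on the way in, which is a separate fact from what is bound, so the two views are worth comparing. Here is that classification written out as an added example (not code from the original post): it parses the listing above and reports the listeners a remote host could talk to if nothing in front of the box filtered them. The parsing assumes the column layout of net-tools netstat as shown in the post.

```python
"""Classify the sockets in `netstat -atnup` output by who can reach them.

Added example, not from the original post: parses the listing posted above
and separates listeners bound to loopback (local-only) from those bound to
the wildcard or LAN address (reachable from the network unless a firewall
drops the traffic).
"""
import ipaddress
from dataclasses import dataclass

# Sample input, copied from the netstat output in the post above.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3493          0.0.0.0:*               LISTEN      26885/upsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5428/cupsd
tcp        0      0 127.0.0.1:3493          127.0.0.1:40613         ESTABLISHED 26885/upsd
tcp        0      0 127.0.0.1:38147         127.0.0.1:631           TIME_WAIT   -
tcp        0      0 127.0.0.1:631           127.0.0.1:38148         ESTABLISHED 5428/cupsd
tcp        0      0 192.168.1.1:53247       68.180.217.6:5050       ESTABLISHED 6730/kopete
tcp        1      0 192.168.1.1:45608       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        1      0 192.168.1.1:45609       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        0      0 127.0.0.1:38148         127.0.0.1:631           ESTABLISHED 6795/seamonkey-bin
tcp        0      0 127.0.0.1:40613         127.0.0.1:3493          ESTABLISHED 28709/upsmon
udp        0      0 0.0.0.0:40143           0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5348/mdnsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:60777           0.0.0.0:*                           5348/mdnsd
udp        0      0 192.168.1.1:123         0.0.0.0:*                           25561/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           25561/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           25561/ntpd
"""


@dataclass(frozen=True)
class Socket:
    proto: str       # tcp, udp, tcp6, udp6
    local_addr: str  # address the socket is bound to
    local_port: int
    state: str       # TCP state; empty for UDP rows, which have no State column
    program: str     # PID/Program name column as printed by netstat -p


def parse_netstat(text):
    """Parse `netstat -atnup` rows into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        # TCP rows have 7 columns (State present); UDP rows normally have 6.
        state = fields[5] if len(fields) >= 7 else ""
        host, _, port = local.rpartition(":")   # rpartition keeps IPv6 hosts intact
        sockets.append(Socket(proto, host, int(port), state, fields[-1]))
    return sockets


def exposure(sock):
    """Where a socket can be reached from, judged by its bound address alone:
    'loopback' (this host only), 'wildcard' (every interface, the DSL side
    included) or 'interface' (one specific address, here the LAN one)."""
    addr = ipaddress.ip_address(sock.local_addr)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "wildcard"
    return "interface"


def listeners(sockets):
    """Sockets that accept inbound traffic: TCP in LISTEN, plus every bound
    UDP socket (UDP has no listen state; a bound socket receives datagrams)."""
    return [s for s in sockets
            if s.proto.startswith("udp") or s.state == "LISTEN"]


def network_reachable(text):
    """Map program -> sorted (proto, addr, port) for each listener that is
    not loopback-only, i.e. what a remote host could talk to if nothing in
    front of the box filtered it."""
    reachable = {}
    for s in listeners(parse_netstat(text)):
        if exposure(s) != "loopback":
            reachable.setdefault(s.program, []).append((s.proto, s.local_addr, s.local_port))
    return {prog: sorted(socks) for prog, socks in reachable.items()}


if __name__ == "__main__":
    for prog, socks in sorted(network_reachable(NETSTAT_OUTPUT).items()):
        for proto, addr, port in socks:
            print(f"{prog:22s} {proto}/{port:<6d} bound to {addr}")
```

Run against the listing above, the loopback-only upsd and cupsd drop out and three programs remain: mdnsd and mDNSResponderP on the wildcard address, and ntpd on both the wildcard and the LAN address. Whether those are actually reachable from the DSL side then depends on the Motorola 2210 and any host firewall, which is exactly what an nmap run from outside would confirm.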
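Alan's description of fail2ban and denyhosts (a certain number of failed attempts in the logs in a short time, then that IP is locked out for a few hours) is the detection half of what those tools do. Here is that sliding-window logic as an added example, not code from either project, run over constructed sshd log lines in the syslog format OpenSSH writes. The option names follow fail2ban's maxretry, findtime and bantime; the year is an assumption (syslog lines carry none), and the lockout itself (a firewall rule) is left out, only the decision is computed. The sample also includes a slow attacker who never puts five failures inside the window, which is the trade-off these thresholds embody.

```python
"""Brute-force lockout logic of the fail2ban kind, run over sshd log lines.

Added example, not code from fail2ban or denyhosts: N failures from one
address inside a time window => that address is locked out for a while.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (addresses are from the
# documentation ranges). 203.0.113.5 hammers the box; 192.0.2.9 spreads its
# attempts out so no five of them ever fall inside a 10-minute window.
AUTH_LOG = """\
Sep  5 11:56:01 smoker sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep  5 11:56:03 smoker sshd[4013]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Sep  5 11:56:05 smoker sshd[4015]: Failed password for root from 203.0.113.5 port 51251 ssh2
Sep  5 11:56:07 smoker sshd[4017]: Failed password for root from 203.0.113.5 port 51262 ssh2
Sep  5 11:56:09 smoker sshd[4019]: Failed password for root from 203.0.113.5 port 51273 ssh2
Sep  5 11:56:30 smoker sshd[4021]: Failed password for dale from 198.51.100.7 port 40001 ssh2
Sep  5 11:57:10 smoker sshd[4023]: Accepted password for dale from 198.51.100.7 port 40002 ssh2
Sep  5 12:05:00 smoker sshd[4101]: Failed password for root from 192.0.2.9 port 33001 ssh2
Sep  5 12:09:00 smoker sshd[4102]: Failed password for root from 192.0.2.9 port 33002 ssh2
Sep  5 12:13:00 smoker sshd[4103]: Failed password for root from 192.0.2.9 port 33003 ssh2
Sep  5 12:17:00 smoker sshd[4104]: Failed password for root from 192.0.2.9 port 33004 ssh2
Sep  5 12:21:00 smoker sshd[4105]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# sshd's failure line; "invalid user" appears when the name has no account.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_ts(ts, year=2009):
    """Syslog timestamps carry no year; one is supplied (assumed 2009 here)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def ban_events(log, maxretry=5, findtime=600, year=2009):
    """Return [(ip, time)] for every moment an address reached `maxretry`
    failures within the last `findtime` seconds, in log order."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    events = []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successes and unrelated lines are ignored
        ip, t = m["ip"], parse_ts(m["ts"], year)
        window = recent[ip]
        window.append(t)
        # Sliding window: forget failures older than findtime relative to this one.
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            events.append((ip, t))
            window.clear()          # count afresh once the ban has been issued
    return events


def is_banned(events, ip, at, bantime=3600):
    """Whether `ip` is still locked out at time `at` (bans last `bantime` seconds)."""
    return any(e_ip == ip and 0 <= (at - e_t).total_seconds() < bantime
               for e_ip, e_t in events)


if __name__ == "__main__":
    for ip, t in ban_events(AUTH_LOG):
        print(f"ban {ip} at {t:%Y-%m-%d %H:%M:%S}")
```

With the defaults used here (5 failures in 10 minutes, one-hour ban) only 203.0.113.5 is banned, at its fifth failure; widening findtime to an hour catches 192.0.2.9 as well, at the cost of tripping on a legitimate user who mistypes a few times over a long session.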