| 1 |
Alan McKinnon wrote: |
| 2 |
> On Saturday 05 September 2009 11:56:09 Dale wrote: |
| 3 |
> |
| 4 |
>> Hi, |
| 5 |
>> |
| 6 |
>> As some may know already, I recently got DSL. It's not a super fast |
| 7 |
>> connection by broadband standards but it does mean that my box may be |
| 8 |
>> easier to find for a hacker. So, I have a few questions about |
| 9 |
>> security. I think I am OK but want to make sure. |
| 10 |
>> |
| 11 |
>> 1: I have a good root password. It's not something someone would guess |
| 12 |
>> for sure. Nothing related to my history, birthdays or anything. It is |
| 13 |
>> still fairly easy for me to type tho. |
| 14 |
>> |
| 15 |
> |
| 16 |
> Good. Also disable root login using sshd |
| 17 |
> |
| 18 |
|
| 19 |
Since ssh is not running, I assume it doesn't matter at this point? |
| 20 |
|
| 21 |
> |
| 22 |
>> 2: I went to this link: https://www.grc.com/x/ne.dll?bh0bkyd2 |
| 23 |
>> According to that site my ports are in "stealth" mode which is good from |
| 24 |
>> what I understand. |
| 25 |
>> |
| 26 |
> |
| 27 |
> That's Gibson. Sometimes he talks sense and has good ideas, but he always |
| 28 |
> rambles. Wheat and chaff. |
| 29 |
> |
| 30 |
> Run "netstat -atnup" and see what's open. Apply brainpower to what you see. |
| 31 |
> Learn how to drive nmap and throw it at localhost. Apply brainpower to what |
| 32 |
> you see. |
| 33 |
> |
| 34 |
|
| 35 |
This looks OK to me. It is things that I have connected to the internet |
| 36 |
and am using. I have Seamonkey running and Kopete is logged into Yahoo |
| 37 |
at the moment. Still want to get rid of that pesky upgrade message |
| 38 |
tho. ;-) I do have cups running but nothing is shared. It's just a |
| 39 |
local printer. I have no idea what the mDNSResponderP thing is. That |
| 40 |
is something that is pulled in by something else and it showed up ages |
| 41 |
ago. |
| 42 |
|
| 43 |
root@smoker / # netstat -atnup |
| 44 |
Active Internet connections (servers and established) |
| 45 |
Proto Recv-Q Send-Q Local Address Foreign Address |
| 46 |
State PID/Program name |
| 47 |
tcp 0 0 127.0.0.1:3493 0.0.0.0:* |
| 48 |
LISTEN 26885/upsd |
| 49 |
tcp 0 0 127.0.0.1:631 0.0.0.0:* |
| 50 |
LISTEN 5428/cupsd |
| 51 |
tcp 0 0 127.0.0.1:3493 127.0.0.1:40613 |
| 52 |
ESTABLISHED26885/upsd |
| 53 |
tcp 0 0 127.0.0.1:38147 127.0.0.1:631 |
| 54 |
TIME_WAIT - |
| 55 |
tcp 0 0 127.0.0.1:631 127.0.0.1:38148 |
| 56 |
ESTABLISHED5428/cupsd |
| 57 |
tcp 0 0 192.168.1.1:53247 68.180.217.6:5050 |
| 58 |
ESTABLISHED6730/kopete |
| 59 |
tcp 1 0 192.168.1.1:45608 204.2.215.83:80 |
| 60 |
CLOSE_WAIT 6269/gpg-agent |
| 61 |
tcp 1 0 192.168.1.1:45609 204.2.215.83:80 |
| 62 |
CLOSE_WAIT 6269/gpg-agent |
| 63 |
tcp 0 0 127.0.0.1:38148 127.0.0.1:631 |
| 64 |
ESTABLISHED6795/seamonkey-bin |
| 65 |
tcp 0 0 127.0.0.1:40613 127.0.0.1:3493 |
| 66 |
ESTABLISHED28709/upsmon |
| 67 |
udp 0 0 0.0.0.0:40143 |
| 68 |
0.0.0.0:* 5382/mDNSResponderP |
| 69 |
udp 0 0 0.0.0.0:5353 |
| 70 |
0.0.0.0:* 5348/mdnsd |
| 71 |
udp 0 0 0.0.0.0:5353 |
| 72 |
0.0.0.0:* 5382/mDNSResponderP |
| 73 |
udp 0 0 0.0.0.0:60777 |
| 74 |
0.0.0.0:* 5348/mdnsd |
| 75 |
udp 0 0 192.168.1.1:123 |
| 76 |
0.0.0.0:* 25561/ntpd |
| 77 |
udp 0 0 127.0.0.1:123 |
| 78 |
0.0.0.0:* 25561/ntpd |
| 79 |
udp 0 0 0.0.0.0:123 |
| 80 |
0.0.0.0:* 25561/ntpd |
| 81 |
root@smoker / # |
| 82 |
|
| 83 |
> |
| 84 |
>> 3: I have no servers running here. No Apache, MySql, or any of that. |
| 85 |
>> I also have turned off/stopped ssh since I have only one box at the |
| 86 |
>> moment. |
| 87 |
>> |
| 88 |
> |
| 89 |
> no services running by default is a sane starting point for personal use. But |
| 90 |
> you will likely need *some* services, so deploy them one by one and audit each |
| 91 |
> one before taking it live. Start them only when you need them. |
| 92 |
> |
| 93 |
> |
| 94 |
>> 4: I'm currently using this kernel: 2.6.25-gentoo-r9 I plan to |
| 95 |
>> upgrade that in the next day or so. |
| 96 |
>> |
| 97 |
> |
| 98 |
> Kernel bugs exist of course, but in terms of numbers, it's far easier for |
| 99 |
> someone to access your box using other routes. Like php. |
| 100 |
> |
| 101 |
> Pay attention to kernel bugs but you also have to prioritize by risk factor, |
| 102 |
> so that one is correspondingly lower on the list. |
| 103 |
> |
| 104 |
> |
| 105 |
>> The DSL modem I am using is the Motorola 2210. It seems to be a gateway |
| 106 |
>> thing. I have no router at the moment but if I build a new rig I will |
| 107 |
>> be getting one then. Most likely a Linksys or something. I'll post |
| 108 |
>> here before getting one anyway. ;-) |
| 109 |
>> |
| 110 |
>> Am I missing anything? If you need more info, let me know. I just want |
| 111 |
>> to make sure no one can get into my box without me knowing about it and |
| 112 |
>> getting into mischief. |
| 113 |
>> |
| 114 |
> |
| 115 |
> By far the most common attack vector into home machines is users doing stupid |
| 116 |
> things with mail and dodgy links. This is how phishers work. So you need to |
| 117 |
> apply diligence in what you click and where you go. But, you are likely |
| 118 |
> exercising this already. |
| 119 |
> |
| 120 |
> Top of my list is always to lock down things that give shell access. No |
| 121 |
> telnet, no root login, access for specific users only. I use "AllowGroups" in |
| 122 |
> sshd_config a lot - only that group's members may log in and one grep shows |
| 123 |
> you exactly who is in that group. |
| 124 |
> |
| 125 |
> You deal with brute force attacks using packages like fail2ban and denyhosts. |
| 126 |
> The general idea is that if a certain number of failed attempts show up in the |
| 127 |
> logs in a short time, that IP is locked out for a few hours. |
| 128 |
> |
| 129 |
> john the ripper is excellent at finding weak passwords. I don't know how much |
| 130 |
> benefit you will get - having only two users with passwords - but I use it |
| 131 |
> routinely on my servers. There's a certain satisfaction in attending security |
| 132 |
> forum meetings and telling some manager with a stick up his ass that you are |
| 133 |
> the one who trashed his access because you found his password in 38 seconds |
| 134 |
> :-) |
| 135 |
> |
| 136 |
> |
| 137 |
|
| 138 |
I don't think anyone can login here except through something local. I |
| 139 |
can't remember where but it has to be a local connection for it to let |
| 140 |
you login. Basically, I don't want anyone to be able to login, root or |
| 141 |
user, from anything but my chair. I think that is how it is set up. I |
| 142 |
don't access or need access from a remote location basically. |
| 143 |
|
| 144 |
I am careful with things like bank sites, credit card sites even myspace |
| 145 |
and others. I don't click on links in emails or anything. I have most |
| 146 |
everything bookmarked in Seamonkey and keyworded so I don't have to type |
| 147 |
much. For my google email account, I type in gmail and it goes to my |
| 148 |
google email account. My bank and credit card doesn't allow form |
| 149 |
managers which in a way I don't like. I used to have a really long |
| 150 |
password that was about as secure as it could get but now that I have to |
| 151 |
type all that crap in, I changed it to something shorter. Yea, me and |
| 152 |
the bank went a few rounds on that one. |
| 153 |
|
| 154 |
I'll check into fail2ban and denyhosts. Any one better or more |
| 155 |
preferred than the other? |
| 156 |
|
| 157 |
Thanks. I knew you would help me on this. LOL |
| 158 |
|
| 159 |
Dale |
| 160 |
|
| 161 |
:-) :-) |
Archives