Linux Users Group of Davis (LUGOD)
Page last updated:
2005 May 31 07:42

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] Basic security issues


on Wed, May 11, 2005 at 12:58:57PM -0700, Richard Crawford (rscrawford@mossroot.com) wrote:
> Long story short:  last week I ran nmap from my Linux box at work to
> check for open ports on my home network.  

As you've probably discovered, an activity which carries some risks,
most of which are cultural rather than technical.  Depending on politics
and personalities, you may want prior approval to do such things in
future.

> One of the ports nmap scanned was 31337.  Because that's the port that
> Back Orifice uses, our department's IT -- a Microsoft zealot --
> decided that someone was trying to hack into our network to use Back
> Orifice on one of our systems.  

I'm impressed that he detected the scan.

Just one additional note of caution.  There are a few port scan
detectors for GNU/Linux.  Snort is probably the better one, and is
passive.  The older, deprecated, Portsentry, actually _opens_ the ports
it monitors.  This gave a few friends and me mild heart attacks a ways
back when we found a very "chatty" box run by one of us.  Turns out it
had portsentry running on it.

Moral:  open ports are not of and by themselves signs of malicious
software.

> After demonstrating that because the 31337 scan was directed at my own
> machine and because it coincided precisely with the time that I was
> running nmap and that my home machine is not vulnerable to Back
> Orifice anyway, the IT guy has still decided that because of this I
> should not be allowed to use a Linux workstation at my desk (despite
> the fact that I maintain two Solaris servers and two Linux servers as
> part of my job).  For sanity's sake, I did run a full chkrootkit and
> system log scan on my machine just to make sure it hadn't been
> compromised.

Note that any diagnostics done from within the system / install being
inspected are themselves somewhat suspect.  The cracker might cover his
tracks in a way that you can't determine.  This is rare, but should be
considered.

Incidentally, it's probably going to be a worse problem for legacy MS
Windows users than GNU/Linux folks in the near future:

    http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html
    RSA:  Microsoft on 'rootkits':  Be afraid, be very afraid
    Paul Roberts
    February 17, 2005

    Microsoft Corp. security researchers are warning about a new
    generation of powerful system-monitoring programs or "rootkits"
    that are almost impossible to detect using current security
    products.

...the upshot being that these may be used in conjunction with adware /
spyware.
 
> So just because I'm cantankerous, I want to demonstrate that using a
> laptop running Linux is better for our network than a desktop running
> Windows.  I've already disabled all non-essential services, including
> sshd.  What other steps could I take?  

Several.  Most of which are varying levels of pain to set up and
maintain (you have to keep poking holes to allow necessary stuff
through), and which provide relatively little added benefit.

I'd suggest you find out what the expectations and concerns of your LAN
administrator are.

> I'm thinking about using IPTABLES to block all outbound traffic on
> ports other than 21, 22, 80, and 110.  

53 may be useful at times.  Similarly 443.

> And I wonder if it's possible to allow traffic on those ports to
> specific destinations only; for example, to allow port 22 to connect
> only to my home machine and to the servers I maintain here at work, or
> to allow 21 to connect only to our hosting provider (who allows only
> FTP access to our files).  

Yes.

If you're going to go this route, I'd recommend a FW tool such as
Shorewall, or one of the other IP filters helper tools, as they tend to
result in easier-to-maintain configs.

> None of this is necessary, of course, but, as I said, I'm cantankerous
> and I have a point to prove, dammit.
> 
> What are your thoughts?  Suppose this were a Linux laptop that you'd give to a 
> company employee?  What services and ports would you allow on it?

I'd simply point out that J. Random legacy MS Windows Box is likely a
greater source of vulnerabilities than a GNU/Linux system.

One step you could take which IMO _would_ be useful is to enable and use
remote logging.  Being able to show what was happening on a box at a
given point in time, on an out-of-band logging system, can be quite
useful.

I think your biggest problem isn't readily addressed by tweaking
IPTables configs or running system daemons.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   I guess "the El Pueblo de Nuestra Senora la Reina de los Angeles del Rio
   de Porciuncula diet" just doesn't have the same ring....

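The outbound-only filter the thread discusses (block everything leaving the box except a few ports, and pin 22 and 21 to specific destinations), written out as an added example; it is not code from either poster. All hostnames and addresses are constructed placeholders in the RFC 5737 documentation ranges and the variable names are my own; set them from the environment or edit them before use. It also adds the two ports the reply mentions (53 and 443) and logs anything that would be dropped, so the evidence can be forwarded to a remote syslog host as the reply recommends.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original post.
# Default-deny OUTPUT with per-destination holes: 22 only to named hosts,
# 21 only to the hosting provider, 110 only to the mail host, 53 only to
# the configured resolvers, 80/443 anywhere.
# All addresses are constructed placeholders (RFC 5737 ranges).

IPT="${IPT:-iptables}"

HOME_BOX="${HOME_BOX:-192.0.2.10}"                        # home machine
WORK_SERVERS="${WORK_SERVERS:-198.51.100.5 198.51.100.6}" # servers you maintain
FTP_HOST="${FTP_HOST:-203.0.113.7}"                       # hosting provider (FTP only)
MAIL_HOST="${MAIL_HOST:-203.0.113.25}"                    # POP3 server
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"                  # resolver(s) from /etc/resolv.conf

# One rule per (host, port) pair: only NEW outbound TCP connections.
allow_tcp_to() {
  host="$1"; port="$2"
  $IPT -A OUTPUT -p tcp -d "$host" --dport "$port" -m state --state NEW -j ACCEPT
}

egress_rules() {
  $IPT -F OUTPUT
  $IPT -P OUTPUT DROP

  # Loopback and packets belonging to already-accepted connections
  # (including FTP data channels once the FTP conntrack helper is loaded).
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # DNS (UDP and TCP) only to the configured resolvers.
  for h in $DNS_SERVERS; do
    $IPT -A OUTPUT -p udp -d "$h" --dport 53 -j ACCEPT
    allow_tcp_to "$h" 53
  done

  # SSH only to the home box and the servers this person administers.
  for h in $HOME_BOX $WORK_SERVERS; do
    allow_tcp_to "$h" 22
  done

  # FTP control channel only to the hosting provider; POP3 only to the mail host.
  allow_tcp_to "$FTP_HOST" 21
  allow_tcp_to "$MAIL_HOST" 110

  # Web traffic to any destination.
  $IPT -A OUTPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

  # Anything else is logged (rate-limited) before the DROP policy applies;
  # these kernel log lines are what a remote syslog host should receive.
  $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

# Dry run: print the rule lines instead of loading them.
show_rules() {
  IPT=echo
  egress_rules
}

case "${1:-}" in
  apply)
    # Helper module name differs between kernel generations.
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp 2>/dev/null
    egress_rules ;;
  show)
    show_rules ;;
esac
```

Run it with `show` first to review the generated rules, then `apply` as root. Because the OUTPUT policy is DROP, every new destination (a second resolver, a new server to administer) means another rule, which is the maintenance cost the reply warns about and why a front end such as Shorewall is easier to live with for anything beyond a handful of hosts.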

