Archive for the 'Security' Category

Updating Your System

Posted by Tips on January 4th, 2007

You have probably noticed after a fresh install of Ubuntu that there is an icon in the upper right corner (Gnome) of your screen. This is the "system updates available" indicator and it's there to let you know it's time for an update. To update your system all you have to do is click on it, enter your password and follow the instructions provided (basically click Next or OK to progress through the installation). Once it's done your system has the latest software updates and security patches.

Simple way to secure your box from the CLI

Posted by Tips on November 16th, 2006

This applies to all *nix users. The commands are basically the same, but consult your man pages if the options are different.

While Linux is largely resistant to viruses and other nasties on the internet, there are those who would love nothing more than to crack your box and spam the world from it. This simple guide will help you understand and mitigate any obvious openings your box may still have.

Commands used: netstat, grep, and a lot of |

First, let's run netstat (a tool for viewing connections on your *nix machine).

mypc:$ netstat

You may see the following output.

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.148:42206 www.someserver:ssh ESTABLISHED
tcp 0 0 localhost:53830 localhost:48125 ESTABLISHED
tcp 0 0 localhost:48125 localhost:53830 ESTABLISHED
tcp 0 0 192.168.1.148:43439 oam-d09b.blue.aol.:5190 ESTABLISHED
tcp 0 0 192.168.1.148:40620 205.188.2.64:5190 ESTABLISHED
tcp 0 0 192.168.1.148:52305 cs12.msg.dcn.yahoo:5050 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 4 [ ] DGRAM 9784583 /dev/log
unix 2 [ ] DGRAM 5480 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 11439 @/org/freedesktop/hal/udev_event
unix 3 [ ] STREAM CONNECTED 10225154
unix 3 [ ] STREAM CONNECTED 10225153
unix 3 [ ] STREAM CONNECTED 10225151 /tmp/.esd-1000/socket
... output cut

What we have here are the basic connections open on your machine. You can see a few AOL and Yahoo messenger entries and an ssh session in progress. Most servers and desktops nowadays are locked down pretty well.

Changing the options, we run netstat -ln (-l shows only listening sockets, -n prints numeric addresses and ports) and the output becomes a bit different.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:867 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53830 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3689 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:55021 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:52283 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:33026 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:861 0.0.0.0:*
udp 0 0 0.0.0.0:864 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 11103 /tmp/.gdm_socket
unix 2 [ ACC ] STREAM LISTENING 12655 /tmp/.X11-unix/X93
unix 2 [ ACC ] STREAM LISTENING 12668 /tmp/.X11-unix/X0

Now we can see which ports are actually listening.

Look at the one below.

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN

Port 631 is what is to the right of the colon; 127.0.0.1 is the loopback address of the box.

Basically this is your CUPS printing service waiting for a connection.

Since it's listening on loopback only, it's not a real problem. However, if you saw 0.0.0.0:631 (listening on every interface) it would be different. Is it still a problem?

Depends. If you are using the Linux machine as a print server, then it's okay to have the service exposed. If you're not behind a firewall, you may want to consider one, or look up how to restrict which IPs can connect to your server on that port.

Other things you may want to look out for are services you do not need.

Consider 0.0.0.0:21 (FTP): if you're not running an FTP server, shut it down. If you're using FTP to maintain your website, scp or WinSCP are better options since they're encrypted and lessen the likelihood of a man-in-the-middle attack grabbing your passwords while your config files are being uploaded.

0.0.0.0:23 Telnet! Okay, it's time to learn about SSH or OpenSSH (another article).

0.0.0.0:25 SMTP: are you running a mail server? If not, keeping this running opens you up to being used as a relay, or worse, for spam.

What if you don't know which program has these ports open?

Great question.

Try netstat -lnp (run it with sudo, or the program column will be blank for processes you don't own).

You will get something like

tcp 0 0 0.0.0.0:3689 0.0.0.0:* LISTEN 3096/rhythmbox

Well, if you have rhythmbox sharing music to another computer in the house you're fine. The -p option will show most applications that are holding a port open.
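Putting the checks above into a script, as an added example that is not from the original post: it reads netstat -ln output, prints every TCP/UDP socket bound to all interfaces (0.0.0.0 or ::) while skipping loopback-only listeners, and annotates the ports the post calls out (21, 23, 25). The sample listing is constructed, and the function names exposed_listeners and flag_reason are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage `netstat -ln` output:
# sockets bound to every interface are the ones reachable from the network,
# so those are the ones worth a second look.

# Constructed sample resembling the post's listing (not real output).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*'

# flag_reason PORT: the services the post singles out; empty for anything else.
flag_reason() {
  case "$1" in
    21) echo "FTP: plaintext passwords, prefer scp/sftp" ;;
    23) echo "Telnet: plaintext, replace with SSH" ;;
    25) echo "SMTP: open relay risk if you are not a mail server" ;;
    *)  echo "" ;;
  esac
}

# exposed_listeners: read netstat -ln output on stdin and print one line per
# socket bound to all interfaces as "proto port [reason]".
# Column 4 is "Local Address"; the port is the text after the last colon.
exposed_listeners() {
  awk '$1 ~ /^(tcp|udp)6?$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
         n = split($4, a, ":"); print $1, a[n]
       }' | while read -r proto port; do
    reason=$(flag_reason "$port")
    if [ -n "$reason" ]; then
      printf '%s %s %s\n' "$proto" "$port" "$reason"
    else
      printf '%s %s\n' "$proto" "$port"
    fi
  done
}

# Run over the constructed sample; on a live box: netstat -ln | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Loopback-only entries (127.0.0.1:631, 127.0.0.1:53) are deliberately left out of the report, matching the post's point that a local-only listener is not the concern.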

I hope this helps you towards securing your servers and desktops. As with all tips, they're provided as-is and the user takes all responsibility.

Enjoy!