  1. #11 (Just Joined!, Join Date: Oct 2007, Posts: 7)

    The server was blocked (by MAC) so 'netstat -ltun' got nothing.

    HTTPD and FTPD are open to the internet. I was the only person who
    uses SSHD at my office computer.

    Quote Originally Posted by anomie View Post
    I'd highly recommend performing another new install. This time, before putting the box on the network, perform some basic hardening.

    Post the results of netstat -ltun here after the fresh install.



    Is the purpose of the box to provide those three services? If so, who (users / networks) should each be available to?

  2. #12 (Just Joined!, Join Date: Oct 2007, Posts: 7)
    Hi, could you please explain the following issues? Specifically, how to do all of these:
    • Shell access is restricted/hardened.
    • Packet filtering rules are appropriately set.
    • MAC policies are correctly set.
    • Suid binaries are disabled or somehow contained.
    • Public services are hardened to great extent.
    • Physical access is properly controlled.


    Quote Originally Posted by anomie View Post
    Ok, you are asking about a hypothetical case (because it sounds to me like OP is running a box with several services wide open to the world). The ease at which it is getting cracked sounds like he has work to do.

    Let me put it this way. If:
    • All unused services are shut off.
    • Shell access is restricted/hardened.
    • Packet filtering rules are appropriately set.
    • MAC policies are correctly set.
    • Suid binaries are disabled or somehow contained.
    • Public services are hardened to great extent.
    • Physical access is properly controlled.
    • (the theme here is that "Everything is denied unless specifically allowed")
    • Auditing and logging is in place.


    ... then I think 99.9% of crackers will move on to a much easier target, unless you've really got something they want. Like anything in life, there is no perfect security solution. But you can increase the odds of protecting yourself so dramatically that you are not a good candidate to be targeted/compromised.

  3. #13 anomie (Linux Guru, Join Date: Mar 2005, Location: Texas, Posts: 1,692)
    Quote Originally Posted by renbenzhuyi
    The server was blocked (by MAC) so 'netstat -ltun' got nothing.
    I don't follow. You have MAC policies preventing netstat from doing its standard job?

    Quote Originally Posted by renbenzhuyi
    HTTPD and FTPD are open to the internet. I was the only person who
    uses SSHD at my office computer.

    Quote Originally Posted by renbenzhuyi
    ...could you please explain the following issues? Specifically how to do all these...

    Since you are the only person who requires ssh access, there should be firewall packet filtering rules in place that allow connections to tcp port 22 only from your client IP. And/or you should allow only pubkey authentication. And you should disable ssh protocol 1 and disallow root logins.

    Since httpd and ftpd need to serve up the world, they will need to be hardened properly. A book could be written (and several have been) on this topic.

    A couple basic ideas for httpd. You'll want to:
    • Completely understand the (apache?) configuration directives you're using.
    • Stay current with security updates.
    • Blacklist abusers (with iptables or tcp_wrappers rules).


    A couple basic points for ftpd. You'll want to:
    • Allow only anonymous authentication.
    • Serve up only non-sensitive files.
    • Keep transfer directory on its own filesystem/partition.
    • If your requirements include regular user authentication, then you should be looking at sftp (ssh subsystem) or require ftps (ftp over ssl) rather than plain-text logins.
    • Stay current with security updates.
    • Blacklist abusers.


    I'm not going to get into MAC policies (not even sure what Mandriva admins prefer in that arena). That's another book.

    My suggestion on suid binaries is that you search for them and remove the suid/sgid bit, unless you really need them for some reason.

    Regarding packet filtering rules, if you want to post your finished ruleset here I am sure we'd be happy to review and offer suggestions.

    As for physical access, the box needs to be in a trusted, secured location.
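    An added example (not anomie's or the original poster's code) that turns two of the points above into something checkable: it audits an sshd_config for protocol 2 only, no root login and pubkey-only authentication, and lists setuid/setgid files under a directory the way the suid suggestion describes. The sample configs and the setuid file are constructed in a temp directory, not taken from any real server.

```shell
#!/bin/sh
# Added example, not from the thread: check an sshd_config for the ssh
# settings anomie names, and list setuid/setgid files for review.

# Effective value of an sshd_config directive: last uncommented occurrence,
# lowercased; empty if the directive is never set.
sshd_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print tolower($2)}'
}

# Returns 0 when every check passes, 1 otherwise, printing each failure.
# An absent directive counts as a failure, since defaults differ by release.
audit_sshd_config() {
    rc=0
    check() {
        v=$(sshd_value "$1" "$2")
        [ "$v" = "$3" ] || { echo "FAIL: $2 is '${v:-unset}', want $3"; rc=1; }
    }
    check "$1" Protocol 2
    check "$1" PermitRootLogin no
    check "$1" PasswordAuthentication no
    check "$1" PubkeyAuthentication yes
    return $rc
}

# Files under a directory with the setuid or setgid bit set, one per line.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample input for a stand-alone run (not a real server's config).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak" <<'EOF'
Protocol 2,1
#PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
touch "$SAMPLE_DIR/setuid_demo" && chmod u+s "$SAMPLE_DIR/setuid_demo"

if audit_sshd_config "$SAMPLE_DIR/weak"; then echo "weak: passes"; else echo "weak: needs work"; fi
if audit_sshd_config "$SAMPLE_DIR/hardened"; then echo "hardened: passes"; fi
list_suid_sgid "$SAMPLE_DIR"
```

    Run the audit against /etc/ssh/sshd_config and list_suid_sgid against / to apply it to a real box; the commented-out PermitRootLogin line in the weak sample shows why an unset directive is reported rather than silently trusted.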

  4. #14 (Just Joined!, Join Date: Oct 2007, Posts: 7)
    Quote Originally Posted by anomie View Post
    I don't follow. You have MAC policies preventing netstat from doing its standard job?
    The super network administrator blocked the MAC address of this server.
