Results 1 to 4 of 4
Up till now I never really had to worry about security but since I have ADSL now I should. I want to know how vulnerable my PC and server really ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 07-02-2003 #1
general security questions
I have a hardware router and I opened port 80 and 22 to my webserver.
Which oppurtunities would this give to a hacker? Is there anything you can do to a system through port 80? Let's assume there are no vulnerabilities in Apache.
There are no ports opened to my PC so should this be considered very safe? Is there a need to implement the linux firewall on my pc, even if I have a hardware one?
There are stealth entries for a lot of ports on my router as well.
I am not running FTP and I know it sends authentication in clear text but why is it considered "unsafe"? I would always make sure it is chrooted so they cannot get out of their directory.
One final question, which files on my server would I need to monitor very closely? I know /etc/passwd is one of them
- 07-02-2003 #2
- Join Date
- Oct 2001
- Täby, Sweden
Since you have a hardware router you are already a lot safer, since they cannot get to ports that you haven't specifically opened through.
In the ideal world, there wouldn't be anything for a hacker to do at either port 80 or 22. Even in our imperfect world, though, port 22 (SSH) should be very secured. There are very few things a cracker can do to sshd nowadays.
However, be aware that almost all exploits are because of bugs in the daemon. Apache has a few bugs from time to time that make it exploitable. The worst kinds of bugs often means that the attacker has complete control of the apache process, and that gives them the opportunity to do anything as the user the apache process is running as. You'll need to make sure to be running a fairly recent version of Apache to avoid the most well known bugs. The bugs need not be in the actual daemon itself. For example, my apache was cracked several times because of a bug in the OpenSSL libraries, which aren't distributed as part of Apache, but nontheless used by Apache, so you'll need to keep your kernel and core libraries up-to-date as well.
Many other exploits can be used because of incorrectly configured services as well. For example if you leave your NFS shares open to the internet, you will probably find yourself in a world of trouble.
As for FTP and TELNET, they are extremely unsafe because of their plaintext authentication. The reason is as follows:
Depending on where you are in the world, the packets from your site to your home LAN may pass far more than 10 routers along the way. If just one of these routers have been hacked (or is dishonest, in the way that a dishonest person is running it), the attacker of that router can easily scan for all FTP and TELNET logins, record your user name and password and then reuse them to log in to your computer in your name. If your password is caught over FTP, the attacker could just as well use it to log in to your SSH daemon.
You don't really have to be very careful with your /etc/passwd nowadays. Of course, you shouldn't give anyone write permission to it, but since all the passwords are stored in /etc/shadow, it doesn't really hurt if anyone reads it. And even if someone gets hold of your /etc/shadow, they can't do much with it without a serious supercomputer, since all passwords are encrypted with MD5, but it still isn't a good thing to distribute it.
Just scan your hard drive for files with something like "find -perm 0600" for files that can be considered sensitive.
- 07-02-2003 #3
I knew you would come up with a good answer. Which log files would give me an idication that something might have gone wrong?
CheersI am on a journey to mastering Linux and I got a bloody long way to go!!!
- 07-02-2003 #4
- Join Date
- Oct 2001
- Täby, Sweden
Well, all the log files essentially, but especially /var/log/messages, /var/log/secure and the apache error logs. Those filenames are assuming that you're using RH. Otherwise, check your /etc/syslog.conf for what files that authpriv messages are logged to. You would do wisely to install logwatch to watch for any attempted (or in the worst case, successful) breakins.
Don't be too certain that my answer is that good, though. I hope someone else can post some additions or possibly corrections as well. In these cases, you should rely exclusively on noone.