* [gentoo-user] Protecting my server against an individual
From: Grant @ 2006-07-04 22:56 UTC
To: Gentoo mailing list

It has come to my attention that a particular person I know may be intent on attacking my server/website in any way possible. He doesn't know much about Linux but does know Windows. What kind of things should I lock down to protect my remote hosted server? I don't have time to get too crazy with security right now, but what kinds of simple tricks might this fellow learn by asking around on forums, etc?

--
gentoo-user@gentoo.org mailing list
* [gentoo-user] Re: Protecting my server against an individual
From: James @ 2006-07-04 23:54 UTC
To: gentoo-user

Grant <emailgrant <at> gmail.com> writes:

> It has come to my attention that a particular person I know may be
> intent on attacking my server/website in any way possible. He doesn't
> know much about Linux but does know Windows. What kind of things
> should I lock down to protect my remote hosted server? I don't have
> time to get too crazy with security right now, but what kinds of
> simple tricks might this fellow learn by asking around on forums, etc?

Hello Grant,

I'm assuming your server is a web host and it is only using port 80 (http) traffic. If so you can follow this iptables-newbie site and set up pretty good security just on that server:

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#QuickStart

Others will suggest using one of the ebuilds found in /usr/portage/net-firewall such as 'fwbuilder' or shorewall.

hth,

James
* Re: [gentoo-user] Re: Protecting my server against an individual
From: Grant @ 2006-07-05 0:38 UTC
To: gentoo-user

> > It has come to my attention that a particular person I know may be
> > intent on attacking my server/website in any way possible. He doesn't
> > know much about Linux but does know Windows. What kind of things
> > should I lock down to protect my remote hosted server? I don't have
> > time to get too crazy with security right now, but what kinds of
> > simple tricks might this fellow learn by asking around on forums, etc?
>
> I'm assuming your server is a web host and it is only using port 80 (http) traffic.

I do log in via ssh (port 22 I think) and it's also a mail server. How can I check which ports are open? Does shorewall handle that?
* Re: [gentoo-user] Re: Protecting my server against an individual
From: Dale @ 2006-07-05 0:51 UTC
To: gentoo-user

Grant wrote:
>> > It has come to my attention that a particular person I know may be
>> > intent on attacking my server/website in any way possible. He doesn't
>> > know much about Linux but does know Windows. What kind of things
>> > should I lock down to protect my remote hosted server? I don't have
>> > time to get too crazy with security right now, but what kinds of
>> > simple tricks might this fellow learn by asking around on forums, etc?
>>
>> I'm assuming your server is a web host and it is only using port 80
>> (http) traffic.
>
> I do log in via ssh (port 22 I think) and it's also a mail server.
> How can I check which ports are open? Does shorewall handle that?

This is my theory. If you can, install webmin and shorewall. You can use webmin to configure shorewall from what I have read. Basically you want to block all but what you need to keep open, including ssh.

Hope that helps.

Dale

:-) :-)
* Re: [gentoo-user] Re: Protecting my server against an individual
From: Thomas Cort @ 2006-07-05 2:17 UTC
To: gentoo-user

On Tue, 4 Jul 2006 17:38:28 -0700 Grant <emailgrant@gmail.com> wrote:

> How can I check which ports are open?

nmap can do this. Just `emerge nmap` and run `nmap yourdomain.com`. Below is what the output looks like:

    tcort@pan ~ $ nmap cs.ubishops.ca

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-04 22:14 EDT
    Interesting ports on cs.ubishops.ca (206.167.194.132):
    (The 1662 ports scanned but not shown below are in state: closed)
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    25/tcp  open  smtp
    80/tcp  open  http
    110/tcp open  pop3
    143/tcp open  imap
    443/tcp open  https
    465/tcp open  smtps
    993/tcp open  imaps
    995/tcp open  pop3s

    Nmap finished: 1 IP address (1 host up) scanned in 5.906 seconds
* [gentoo-user] Re: Protecting my server against an individual
From: James @ 2006-07-05 3:37 UTC
To: gentoo-user

Grant <emailgrant <at> gmail.com> writes:

> > > It has come to my attention that a particular person I know may be
> > > intent on attacking my server/website in any way possible. He doesn't
> > > know much about Linux but does know Windows. What kind of things
> > > should I lock down to protect my remote hosted server? I don't have
> > > time to get too crazy with security right now, but what kinds of
> > > simple tricks might this fellow learn by asking around on forums, etc?
> >
> > I'm assuming your server is a web host and it is only using port 80 (http) traffic.
>
> I do log in via ssh (port 22 I think) and it's also a mail server.
> How can I check which ports are open? Does shorewall handle that?

You may want to try a tool I just found: kmyfirewall:

    net-firewall/kmyfirewall
    Available versions:  0.9.6.2-r1 ~1.0-r2 ~1.0.1
    Installed:           0.9.6.2-r1
    Homepage:            http://kmyfirewall.sourceforge.net/
    Description:         Graphical KDE iptables configuration tool

I just installed it, so I'm going to play around with it. In the handbook you can use the advanced features to config a firewall for a remote system.....

ymmv,

James
* Re: [gentoo-user] Re: Protecting my server against an individual
From: Alexander Skwar @ 2006-07-05 7:35 UTC
To: gentoo-user

Grant wrote:

> I do log in via ssh (port 22 I think) and it's also a mail server.
> How can I check which ports are open? Does shorewall handle that?

You know, you shouldn't be asking such questions, if you operate a server, which is accessible via the internet. But that's IMO.

Anyway. "netstat -tulpen" on the server and "nmap" are your friends.

Alexander Skwar
--
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
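Thomas's nmap scan and Alexander's "netstat -tulpen" both answer "which ports are open", but the useful next step is comparing that answer with what the admin meant to expose. The shell check below is an added example (not code from the thread, from nmap or from Gentoo): it takes listener lines in the simplified form "proto local_addr:port program", the information netstat/ss print, and reports any port outside an allowlist plus any service that should be loopback-only but is bound to every interface. The listener sample, the allowlist and the names check_listeners/finding_count are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the listeners a server exposes.
# Input lines are "proto local_addr:port program", the information that
# "netstat -tulpen" / "ss -tulpen" report; the sample below is constructed
# so the check runs offline.

# Constructed sample of a box that runs web, mail and ssh but also has
# MySQL and rpcbind reachable from every interface, and cups on loopback.
SAMPLE='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:25 master
tcp 0.0.0.0:80 apache2
tcp 0.0.0.0:3306 mysqld
udp 0.0.0.0:111 rpcbind
tcp 127.0.0.1:631 cupsd'

# What the admin intends to offer. "proto/port" may be bound anywhere;
# "proto/port@local" is allowed only on a loopback address.
ALLOWED='tcp/22 tcp/25 tcp/80 tcp/3306@local'

# check_listeners ALLOWED  <  listener-lines
# Prints one finding per line: UNEXPECTED for ports not in the allowlist,
# EXPOSED for @local ports bound to a non-loopback address.
check_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) {
            # sub() returns 1 when it stripped the @local suffix
            if (sub(/@local$/, "", a[i])) localonly[a[i]] = 1
            else public[a[i]] = 1
        }
    }
    NF >= 2 {
        proto = $1; addr = $2; prog = ($3 == "" ? "-" : $3)
        port = addr; sub(/.*:/, "", port)        # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
        key = proto "/" port
        if (key in public) next
        if (key in localonly) {
            if (host == "127.0.0.1" || host == "::1" || host == "[::1]") next
            print "EXPOSED " key " on " addr " (" prog "), expected loopback only"
            next
        }
        print "UNEXPECTED " key " on " addr " (" prog ")"
    }'
}

# finding_count ALLOWED  <  listener-lines
# Number of findings, handy as an exit code for a cron job.
finding_count() {
    check_listeners "$1" | grep -c ''
}

printf '%s\n' "$SAMPLE" | check_listeners "$ALLOWED"
```

On a real host the three columns are built from `ss -H -tulpen` (or the older `netstat -tulpen`); the column positions differ between versions, so check `ss -tulpen | head` before feeding it in. Running the check from cron and mailing non-empty output is a cheap way to notice a service that a package upgrade or a colleague turned on without telling you.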
* Re: [gentoo-user] Protecting my server against an individual
From: Ryan Tandy @ 2006-07-05 1:57 UTC
To: gentoo-user

Grant wrote:
> It has come to my attention that a particular person I know may be
> intent on attacking my server/website in any way possible. He doesn't
> know much about Linux but does know Windows. What kind of things
> should I lock down to protect my remote hosted server? I don't have
> time to get too crazy with security right now, but what kinds of
> simple tricks might this fellow learn by asking around on forums, etc?

Assuming your packages are all up to date security-wise (glsa-check) and you're running a firewall of some kind (and you'd be crazy not to for any publicly accessible box), there isn't much you can do (without investing a bunch of time and effort in learning new things) besides change your passwords a bit more frequently and keep a close eye on logs from network-accessible programs (sshd, httpd, firewall).
* Re: [gentoo-user] Protecting my server against an individual
From: Alexander Skwar @ 2006-07-05 7:38 UTC
To: gentoo-user

Ryan Tandy wrote:

> you're running a firewall of some kind (and you'd be crazy not to for
> any publicly accessible box),

Actually, I'd disagree. If only the necessary publicly accessible services are running on a box, what good should a "firewall" (I suppose you mean packet filter, like iptables) do? The only useful measure I can think about, is to do rate limiting. But what else?

Alexander Skwar
--
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
* Re: [gentoo-user] Protecting my server against an individual
From: Trenton Adams @ 2006-07-05 9:23 UTC
To: gentoo-user

I would move ssh to a very high port number of your choice. Most ssh port scanners do not bother checking anything other than port 22, as it is too time consuming. I have not had any weird hits on my ssh port in years. It was hammered daily, even with attempted logins and such, with it running on port 22. Now, pretty much nothing. Why not use something like 65350 or some random high port like that?

And yes, you probably shouldn't be asking these questions if you have an important Linux computer on the internet. Because if it is important, you should know what you are doing before you put it on the internet.

If on the other hand, you're just getting to know Linux, and the computer is not all that important, then you should be asking these questions.

On 7/5/06, Alexander Skwar <listen@alexander.skwar.name> wrote:
> Ryan Tandy wrote:
>
> > you're running a firewall of some kind (and you'd be crazy not to for
> > any publicly accessible box),
>
> Actually, I'd disagree. If only the necessary publicly accessible services
> are running on a box, what good should a "firewall" (I suppose you mean
> packet filter, like iptables) do? The only useful measure I can think about,
> is to do rate limiting. But what else?
>
> Alexander Skwar
> --
> The more laws and order are made prominent, the more thieves and
> robbers there will be.
> -- Lao Tsu
* Re: [gentoo-user] Protecting my server against an individual
From: Alexander Skwar @ 2006-07-05 11:02 UTC
To: gentoo-user

Trenton Adams wrote:

> I would move ssh to a very high port number of your choice. Most ssh
> port scanners do not bother checking anything other than port 22, as
> it is too time consuming. I have not had any weird hits on my ssh
> port in years. It was hammered daily, even with attempted logins and
> such, with it running on port 22. Now, pretty much nothing. Why not
> use something like 65350 or some random high port like that?

ACK. Good idea. One more thing though: I'd not use a "strange" port like 65350, but rather a port, which might be legitimately open. Suppose you've got a web server and DON'T use ssl. In this case, https (443) would be available. Or if you don't have a usenet server, you could use 119.

Reason: It's "normal" that such ports are open. If I were a script kiddie, I wouldn't bother looking at normally open ports. But if there's something strange like 65350, I *would* look.

> And yes, you probably shouldn't be asking these questions if you have
> an important Linux computer on the internet. Because if it is
> important, you should know what you are doing before you put it on the
> internet.
>
> If on the other hand, you're just getting to know Linux, and the
> computer is not all that important, then you should be asking these
> questions.

Yes, he *CERTAINLY* should be asking those questions - but he shouldn't have a server on the internet. Reason: It might be so, that the system is less secure than it ought to be and thus might be already part of a botnet or somesuch. And if it were part of a botnet, it might be used to attack other systems or to simply relay spams.

Because of that, I find it somewhat irresponsible or at the very least questionable, when users with not so much knowledge operate servers. And it doesn't matter at all if the system is important to the OP - it matters only, if it might be used to do things, which the OP doesn't want.

Alexander Skwar
--
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
* Re: [gentoo-user] Protecting my server against an individual
From: jarry @ 2006-07-05 12:03 UTC
To: gentoo-user

Alexander Skwar <listen@alexander.skwar.name> wrote:

> ... If I were a
> script kiddie, I wouldn't bother looking at normally open
> ports. But if there's something strange like 65350, I *would*

imho, if someone wants to attack your server, he will scan all ports and will try to find which apps are using them...

> Yes, he *CERTAINLY* should be asking those questions - but he
> shouldn't have a server on the internet.

At least not before he knows the answers and makes use of them...

> Because of that, I find it somewhat irresponsible or at the
> very least questionable, when users with not so much knowledge
> operate servers.

I would not restrict it to servers. There are a lot of home users with broad-band connections, many of them never switch the computer off and are running windows (or any badly configured OS). A few hundred of such zombies can make a very efficient botnet, able to kick down any victim-server using ddos/drdos attack...

Jarry
--
"Feel free" – 10 GB Mailbox, 100 FreeSMS/Monat ...
Jetzt GMX TopMail testen: http://www.gmx.net/de/go/topmail
* Re: [gentoo-user] Protecting my server against an individual
From: Daniel da Veiga @ 2006-07-05 16:38 UTC
To: gentoo-user

On 7/5/06, Alexander Skwar <listen@alexander.skwar.name> wrote:
> Trenton Adams wrote:
> > I would move ssh to a very high port number of your choice. Most ssh
> > port scanners do not bother checking anything other than port 22, as
> > it is too time consuming. I have not had any weird hits on my ssh
> > port in years. It was hammered daily, even with attempted logins and
> > such, with it running on port 22. Now, pretty much nothing. Why not
> > use something like 65350 or some random high port like that?
>
> ACK. Good idea. One more thing though: I'd not use a "strange" port
> like 65350, but rather a port, which might be legitimately open.
> Suppose you've got a web server and DON'T use ssl. In this case,
> https (443) would be available. Or if you don't have a usenet server,
> you could use 119.
>
> Reason: It's "normal" that such ports are open. If I were a
> script kiddie, I wouldn't bother looking at normally open
> ports. But if there's something strange like 65350, I *would*
> look.
>

I completely agree with Alexander. In my young (and stupid) days I would scan computers around my network for vulnerabilities, and open ports where known services run were only targeted by specific attacks. Trying to run (for example) a brute-force scan outside of 22, 23, 21 and other known ports was considered just a waste of time. But as the OP stated that this guy would target his machine only, you can safely assume it won't be a non-assisted method.

A few years later, as a lab administrator, I've learned that you may block whatever you want, but you gotta keep in mind that a server is there to serve. Those services are the targets of attacks, and thus, they're the real concerns. It doesn't matter how hard you implement a firewall if you left a SQL injection hole in your web server; you must be more careful with what you OFFER than possible backdoors. I say that because nowadays most servers run behind router firewalls blocking traffic that is strange to the server, and those who don't have this usually implement some way to write rules about traffic (iptables for instance). So, keep an eye open for security on your services software (ssh, apache, dbs, etc).

> > And yes, you probably shouldn't be asking these questions if you have
> > an important Linux computer on the internet. Because if it is
> > important, you should know what you are doing before you put it on the
> > internet.
> >
> > If on the other hand, you're just getting to know Linux, and the
> > computer is not all that important, then you should be asking these
> > questions.
>
> Yes, he *CERTAINLY* should be asking those questions - but he
> shouldn't have a server on the internet. Reason: It might be
> so, that the system is less secure than it ought to be and thus
> might be already part of a botnet or somesuch. And if it were
> part of a botnet, it might be used to attack other systems or
> to simply relay spams.
>
> Because of that, I find it somewhat irresponsible or at the
> very least questionable, when users with not so much knowledge
> operate servers. And it doesn't matter at all if the system
> is important to the OP - it matters only, if it might be used
> to do things, which the OP doesn't want.
>

Again, I agree. But not only servers: desktops and any machine connected to the internet should have security, and people running these machines should have knowledge, but that is simply not the case, especially with people running windows (which is 90% of the personal computers connected). All this computer power can be used (and has been) for botnets, hacker attacks, etc. Adaptive firewalls, service blocks, traffic control, every single way to try and stop this is encouraged and good. I think the OP is a step ahead by simply asking these questions.

My tips:

1) Block everything that you do not need (the fewer open ports, the less risk).
2) Check what you have open for specific security holes. Keep logs, check them often, index them, make reports so you don't need to scroll every single line (try Cacti, it is awesome).
3) Think as a cracker: if you would try to break your server, what would you do?

--
Daniel da Veiga
Computer Operator - RS - Brazil
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/IT/P/O d-? s:- a? C++$ UBLA++ P+ L++ E--- W+++$ N o+ K- w O M- V-
PS PE Y PGP- t+ 5 X+++ R+* tv b+ DI+++ D+ G+ e h+ r+ y++
------END GEEK CODE BLOCK------
* Re: Re: [gentoo-user] Protecting my server against an individual
From: jarry @ 2006-07-05 10:49 UTC
To: gentoo-user

Alexander Skwar <listen@alexander.skwar.name> wrote:

> > you're running a firewall of some kind (and you'd be crazy not to for
> > any publicly accessible box),
>
> Actually, I'd disagree. If only the necessary publicly accessible
> services
> are running on a box, what good should a "firewall" (I suppose you mean
> packet filter, like iptables) do? The only useful measure I can think
> about, is to do rate limiting. But what else?

Just to name a few:

-permitting certain services for certain hosts (ip/mac based)
-time/cpu-load based restriction on certain services
-filtering malformed/fragmented packets
-implementing port-knocking feature
-statistical evaluation of traffic (ip/protocol/service based)
etc.

All of the above mentioned is probably possible to do using different methods, but why not use iptables for it?

Jarry
--
Echte DSL-Flatrate dauerhaft für 0,- Euro*!
"Feel free" mit GMX DSL! http://www.gmx.net/de/go/dsl
* Re: Re: [gentoo-user] Protecting my server against an individual
From: W.Kenworthy @ 2006-07-05 12:45 UTC
To: gentoo-user

and to add another (a biggy!)

defence in depth: if something goes wrong, it's another barrier in the way of the troublemakers.

What can go wrong?:

1. redhat used to install an anonymous ftp server by default (years back). Came in the next morning to the sysadmin swearing about traffic, and a gig of warez on the drive
2. fault finding x problems you set xhost +
3. ...

Whilst 1 and 2 (in gentoo anyway) won't trouble you so much these days, it's the ones you don't know about/misconfigure that will get you ...

BillK

On Wed, 2006-07-05 at 12:49 +0200, jarry@gmx.net wrote:
> Alexander Skwar <listen@alexander.skwar.name> wrote:
>
> > > you're running a firewall of some kind (and you'd be crazy not to for
> > > any publicly accessible box),
> >
* Re: [gentoo-user] Protecting my server against an individual
From: Ryan Tandy @ 2006-07-05 16:40 UTC
To: gentoo-user

Alexander Skwar wrote:
> Ryan Tandy wrote:
>
>> you're running a firewall of some kind (and you'd be crazy not to for
>> any publicly accessible box),
>
> Actually, I'd disagree. If only the necessary publicly accessible services
> are running on a box, what good should a "firewall" (I suppose you mean
> packet filter, like iptables) do? The only useful measure I can think about,
> is to do rate limiting. But what else?
>
> Alexander Skwar

Point taken, and agreed with. I retract the "crazy not to" part; however, some netfilter/iptables features can be very handy in limiting access to said services (e.g. dropping all SSH connections not coming from your IP).

I guess sometimes my Windows days do come back to haunt me... ;)
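Jarry's list (per-host permissions, rate limiting) and Ryan's concrete case (drop SSH connections not coming from your own IP) fit in a single small ruleset. The script below is an added example, not code from the thread, from shorewall or from the wiki page James linked: it generates an iptables-restore file for a host shaped like the OP's, with web and mail open to everyone, SSH reachable only from one admin address and limited there to a handful of new connections per minute, and everything else logged and dropped by policy. It also includes a check that the rule order is right, because iptables evaluates rules top to bottom and an accept placed above the admin-only drop silently undoes it. 203.0.113.5 is a documentation address standing in for the admin's IP, and gen_rules/rules_ok are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables-restore ruleset for a
# host that serves web and mail to everyone but accepts SSH only from one
# admin address, with a per-source rate limit on new SSH connections.
# 203.0.113.5 is a placeholder admin address.

# gen_rules ADMIN_IP SSH_PORT "PUBLIC_TCP_PORTS"
# Writes the ruleset to stdout in the format iptables-restore reads.
gen_rules() {
    admin_ip="$1"; ssh_port="$2"; public_ports="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic the box sends to itself, and replies to connections it opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Ping is useful for reachability debugging; rate-limited so it cannot flood.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
EOF
    for p in $public_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# SSH: drop anything not from the admin address before it reaches sshd,
# then allow at most 4 new connections per minute from that address
# (the 5th SYN within 60 seconds is dropped by the "recent" match).
-A INPUT -p tcp --dport $ssh_port ! -s $admin_ip -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Everything else is logged (rate-limited so the log cannot be flooded)
# and falls through to the DROP policy of the INPUT chain.
-A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# rules_ok ADMIN_IP SSH_PORT "PUBLIC_TCP_PORTS"
# Returns 0 when the first rule mentioning the SSH port is the admin-only
# DROP (so no earlier ACCEPT exposes SSH to the world, e.g. because the
# SSH port was also listed as public) and the file ends with COMMIT.
rules_ok() {
    rules=$(gen_rules "$@")
    first=$(printf '%s\n' "$rules" | grep -F -- "--dport $2 " | head -n 1)
    case "$first" in
        *"! -s $1 -j DROP") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$rules" | tail -n 1 | grep -qx COMMIT
}

gen_rules 203.0.113.5 22 "80 443 25"
```

Save the output and load it with `iptables-restore < rules.txt`. On a remote box, run `iptables-restore --test rules.txt` first to catch syntax errors, and schedule a flush a few minutes out (`echo 'iptables -P INPUT ACCEPT; iptables -F' | at now + 5 minutes`) that you cancel once you have confirmed a fresh SSH session still works; a typo in the admin address otherwise locks you out of your own server. The admin-only rule is the part that actually answers Alexander's "what good does a packet filter do": sshd never sees a connection from anyone else, so brute-force attempts and any future sshd bug are reachable only from one address.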
* Re: [gentoo-user] Protecting my server against an individual
From: Lord Sauron @ 2006-07-05 23:31 UTC
To: gentoo-user

Sorry to be a bit elementary, but if you're not colocating your box, and you don't often use SSH, you might want to consider disabling remote administrative things.

All your Windoze "friend" will try to do is exploit MySQL to pop a DOS shell into your system. It's an older trick, however, it works marvelously. Coax SQL into leaving a DOS shell in your web directory, then you have total control. I haven't personally had any experience with it (never bothered to try and hack - not exciting or rewarding) but I did read a hacker paper which outlined that tactic.

If you can't disable SSH for some reason, then limit MySQL access to localhost only. You'd have to use SSH/RDesktop to mess with your database, but I think that would close down a very big part of the Windoze zombie's main attack route.

Also watch out for denial-of-service attacks. There's been a lot of those problems in the Silicon Valley Linux Users' Group, which I am a member of.

Also, are you sure you're working with a "real" hacker? I met a "real" hacker at school once, and even with physical access to my laptop he couldn't crack it. Dumb Windows slave...

Nonetheless, if you use PHP, you should also be extra-careful to strip potentially malicious things from web submit forms.

If you can, what I'd do is try and get the guy's MAC Address or something and then totally block that off. That'll send him away right quickly. I don't know enough to know if that'd be totally possible, but if the guy isn't terribly intelligent, that'll send him packing.

Hope I could be of help there!

--
========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+ L++ E--- W+(+++) N++ o? K? w--- O? M+ V?
PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+ DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========
* Re: [gentoo-user] Protecting my server against an individual
From: Ryan Tandy @ 2006-07-05 23:58 UTC
To: gentoo-user

Lord Sauron wrote:
> If you can, what I'd do is try and get the guy's MAC Address or
> something and then totally block that off. That'll send him away right
> quickly. I don't know enough to know if that'd be totally possible,
> but if the guy isn't terribly intelligent, that'll send him packing.

net-analyzer/macchanger ;)
* Re: [gentoo-user] Protecting my server against an individual
From: Steven Susbauer @ 2006-07-06 0:30 UTC
To: gentoo-user

On Wed, 5 Jul 2006, Ryan Tandy wrote:

> Lord Sauron wrote:
> > If you can, what I'd do is try and get the guy's MAC Address or
> > something and then totally block that off. That'll send him away right
> > quickly. I don't know enough to know if that'd be totally possible,
> > but if the guy isn't terribly intelligent, that'll send him packing.
>
> net-analyzer/macchanger ;)
>

What's this? Portage on Windows?
* Re: [gentoo-user] Protecting my server against an individual
From: Ryan Tandy @ 2006-07-06 0:36 UTC
To: gentoo-user

Steven Susbauer wrote:
>
> On Wed, 5 Jul 2006, Ryan Tandy wrote:
>
>> Lord Sauron wrote:
>>> If you can, what I'd do is try and get the guy's MAC Address or
>>> something and then totally block that off. That'll send him away right
>>> quickly. I don't know enough to know if that'd be totally possible,
>>> but if the guy isn't terribly intelligent, that'll send him packing.
>> net-analyzer/macchanger ;)
>>
>
> What's this? Portage on Windows?

More just to mention that there is such a thing out there. And if it exists for us, chances are he has a similar tool available.
* Re: [gentoo-user] Protecting my server against an individual
From: Lord Sauron @ 2006-07-06 7:07 UTC
To: gentoo-user

On 7/5/06, Ryan Tandy <tarpman@gmail.com> wrote:
> Steven Susbauer wrote:
> >
> > On Wed, 5 Jul 2006, Ryan Tandy wrote:
> >
> >> Lord Sauron wrote:
> >>> If you can, what I'd do is try and get the guy's MAC Address or
> >>> something and then totally block that off. That'll send him away right
> >>> quickly. I don't know enough to know if that'd be totally possible,
> >>> but if the guy isn't terribly intelligent, that'll send him packing.
> >> net-analyzer/macchanger ;)
> >>
> >
> > What's this? Portage on Windows?
>
> More just to mention that there is such a thing out there. And if it
> exists for us, chances are he has a similar tool available.

However, if you block his mac without an error message, then he can't know how you're identifying him to block him. He probably won't know what to do, and just might give up then. Worth a try, if nothing else.

--
========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+ L++ E--- W+(+++) N++ o? K? w--- O? M+ V?
PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+ DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========
* Re: [gentoo-user] Protecting my server against an individual
From: Daniel da Veiga @ 2006-07-06 14:39 UTC
To: gentoo-user

On 7/6/06, Lord Sauron <lordsauronthegreat@gmail.com> wrote:
> On 7/5/06, Ryan Tandy <tarpman@gmail.com> wrote:
> > Steven Susbauer wrote:
> > >
> > > On Wed, 5 Jul 2006, Ryan Tandy wrote:
> > >
> > >> Lord Sauron wrote:
> > >>> If you can, what I'd do is try and get the guy's MAC Address or
> > >>> something and then totally block that off. That'll send him away right
> > >>> quickly. I don't know enough to know if that'd be totally possible,
> > >>> but if the guy isn't terribly intelligent, that'll send him packing.
> > >> net-analyzer/macchanger ;)
> > >>
> > >
> > > What's this? Portage on Windows?
> >
> > More just to mention that there is such a thing out there. And if it
> > exists for us, chances are he has a similar tool available.
>
> However, if you block his mac without an error message, then he can't
> know how you're identifying him to block him. He probably won't know
> what to do, and just might give up then. Worth a try, if nothing
> else.
>

Yeah, that's pretty much true. For a LAN. Doing it at the Internet would most probably blacklist an entire subnet that's routed to you with that MAC. So, not worth a try, it would be something more to configure, and get you no benefit at all, while risking making your machine invisible for people who could use the services you are trying to securely provide.

--
Daniel da Veiga
Computer Operator - RS - Brazil
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/IT/P/O d-? s:- a? C++$ UBLA++ P+ L++ E--- W+++$ N o+ K- w O M- V-
PS PE Y PGP- t+ 5 X+++ R+* tv b+ DI+++ D+ G+ e h+ r+ y++
------END GEEK CODE BLOCK------
* Re: [gentoo-user] Protecting my server against an individual
From: Devon Miller @ 2006-07-07 16:46 UTC
To: gentoo-user

An option for ports that don't need to be open constantly (like 80 & 443)
is to use net-misc/knockd. Port knocking allows a port to be opened on
demand in response to a series of attempted port opens. There's a wiki
page on it here: http://gentoo-wiki.com/HOWTO_Port_Knocking.

Note, if he is on the same LAN as you or the machine you're trying to
secure, this will only slow him down, not stop him. (He can sniff packets
and determine the knock sequence.)

dcm

On 7/6/06, Daniel da Veiga <danieldaveiga@gmail.com> wrote:
> On 7/6/06, Lord Sauron <lordsauronthegreat@gmail.com> wrote:
> > On 7/5/06, Ryan Tandy <tarpman@gmail.com> wrote:
> > > Steven Susbauer wrote:
> > > > On Wed, 5 Jul 2006, Ryan Tandy wrote:
> > > >> Lord Sauron wrote:
> > > >>> If you can, what I'd do is try and get the guy's MAC Address or
> > > >>> something and then totally block that off. That'll send him away
> > > >>> right quickly. I don't know enough to know if that'd be totally
> > > >>> possible, but if the guy isn't terribly intelligent, that'll send
> > > >>> him packing.
> > > >> net-analyzer/macchanger ;)
> > > >
> > > > What's this? Portage on Windows?
> > >
> > > More just to mention that there is such a thing out there. And if it
> > > exists for us, chances are he has a similar tool available.
> >
> > However, if you block his MAC without an error message, then he can't
> > know how you're identifying him to block him. He probably won't know
> > what to do, and just might give up then. Worth a try, if nothing
> > else.
>
> Yeah, that's pretty much true. For a LAN. Doing it on the Internet
> would most probably blacklist an entire subnet that's routed to you
> with that MAC. So, not worth a try, it would be something more to
> configure, and get you no benefit at all, while risking making your
> machine invisible for people who could use the services you are trying
> to securely provide.
>
> -- 
> Daniel da Veiga
> Computer Operator - RS - Brazil
* Re: [gentoo-user] Protecting my server against an individual
From: Alexander Skwar @ 2006-07-06 6:11 UTC
To: gentoo-user

Lord Sauron wrote:
> Sorry to be a bit elementary, but if you're not colocating your box,
> and you don't often use SSH, you might want to consider disabling
> remote administrative things.

Of course - disable everything that you don't need. ESPECIALLY if it
is reachable over the network.

> All your Windoze "friend" will try to do is exploit MySQL to pop a DOS
> shell into your system.

How do you know?

> If you can't disable SSH for some reason, then limit MySQL access to
> localhost only.

I'd even suggest to make MySQL "skip-networking". If that's set
in my.cnf, MySQL won't be available via TCP over a network and
can only be reached over a Unix socket. Maybe that's what you
meant, but I just felt like adding that :)

> If you can, what I'd do is try and get the guy's MAC Address or
> something and then totally block that off.

How should *THAT* help? In 99.9999999999999999999999999999999% of
the times, the attacker won't be on the same subnet, and thus the
MAC isn't available.

You can try to block me, my MAC will be either 00:12:17:D4:21:D4
or 00:12:17:D4:21:D2. Just tell me where you blocked me using
my MAC and I'll see if I can still access.

Alexander Skwar
-- 
"But this one goes to eleven." -- Nigel Tufnel
* Re: [gentoo-user] Protecting my server against an individual
From: Lord Sauron @ 2006-07-06 7:12 UTC
To: gentoo-user

On 7/5/06, Alexander Skwar <listen@alexander.skwar.name> wrote:
> Lord Sauron wrote:
> > Sorry to be a bit elementary, but if you're not colocating your box,
> > and you don't often use SSH, you might want to consider disabling
> > remote administrative things.
>
> Of course - disable everything that you don't need. ESPECIALLY if it
> is reachable over the network.
>
> > All your Windoze "friend" will try to do is exploit MySQL to pop a DOS
> > shell into your system.
>
> How do you know?

I read a hacker article. It was terribly interesting, but nothing I'd
actually want to do. I don't think hacking is a worthwhile use of my
time; however, since I do aspire to host my own server and website, I
decided it would be good to bone up on attack methods a little bit.

> > If you can't disable SSH for some reason, then limit MySQL access to
> > localhost only.
>
> I'd even suggest to make MySQL "skip-networking". If that's set
> in my.cnf, MySQL won't be available via TCP over a network and
> can only be reached over a Unix socket. Maybe that's what you
> meant, but I just felt like adding that :)

I'm no pro, but that works. I don't have a lot of experience, so I
oftentimes just end up speculating on a bunch of educated guesses.

> > If you can, what I'd do is try and get the guy's MAC Address or
> > something and then totally block that off.
>
> How should *THAT* help? In 99.9999999999999999999999999999999% of
> the times, the attacker won't be on the same subnet, and thus the
> MAC isn't available.

Couldn't hurt. You never know what you'll find when you tear apart
some networking packets. I was so alarmed at what I found that I quit
doing it altogether. Ignorance is bliss, I decided. No, I won't say
what I found for reasons of protecting the egos of innocent people.

> You can try to block me, my MAC will be either 00:12:17:D4:21:D4
> or 00:12:17:D4:21:D2. Just tell me where you blocked me using
> my MAC and I'll see if I can still access.

I'll try it someday when I can figure out enough about Linux
networking to do something like that.
* Re: [gentoo-user] Protecting my server against an individual
From: Alexander Skwar @ 2006-07-06 9:12 UTC
To: gentoo-user

Lord Sauron wrote:
> On 7/5/06, Alexander Skwar <listen@alexander.skwar.name> wrote:
>> Lord Sauron wrote:
>> How should *THAT* help? In 99.9999999999999999999999999999999% of
>> the times, the attacker won't be on the same subnet, and thus the
>> MAC isn't available.
>
> Couldn't hurt.

Well, as it doesn't buy you anything, I'd disagree: It would hurt. It
would make the setup more complex with no gain.

> You never know what you'll find when you tear apart
> some networking packets.

You won't find the MAC address of the attacker. You'll find the MAC
address of your upstream router/switch.

>> You can try to block me, my MAC will be either 00:12:17:D4:21:D4
>> or 00:12:17:D4:21:D2. Just tell me where you blocked me using
>> my MAC and I'll see if I can still access.
>
> I'll try it someday when I can figure out enough about Linux
> networking to do something like that.

Don't spend too much time, as it's a waste. You will NOT see my MAC
address. Not because I try to disguise it, but because it won't be
available to you. That's simply how TCP/IP works.

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be. -- Lao Tsu
* RE: [gentoo-user] Protecting my server against an individual
From: Daevid Vincent @ 2006-07-11 7:40 UTC
To: gentoo-user

> Don't spend too much time, as it's a waste. You will NOT see
> my MAC address. Not because I try to disguise it, but because
> it won't be available to you. That's simply how TCP/IP works.

There is one caveat to this: if you are running 802.11 wifi, the MAC is
sent in the packets, and then MAC filtering could be a rudimentary
deterrent for basic attacks. As mentioned however, it is absolutely
possible and trivial to 'spoof' a MAC.
* Re: [gentoo-user] Protecting my server against an individual
From: Thomas Cort @ 2006-07-05 2:35 UTC
To: gentoo-user

On Tue, 4 Jul 2006 15:56:02 -0700 Grant <emailgrant@gmail.com> wrote:
> It has come to my attention that a particular person I know may be
> intent on attacking my server/website in any way possible. He doesn't
> know much about Linux but does know Windows. What kind of things
> should I lock down to protect my remote hosted server?

Locking down ssh is a must. There are thousands of computers scanning
the internet attempting to log into any computer running sshd by using
brute force (dictionary) attacks. Just look at /var/log/sshd/current and
you will see ;)

Luckily, this is pretty easy to protect against. In /etc/ssh/sshd_config
set PermitRootLogin to 'no' or 'without-password' (without-password means
using key based authentication). `emerge denyhosts`, configure it in
/etc/denyhosts.conf, start it up, and add it to the default run level.

It should be noted that this only goes so far. You need good passwords
too. Passwords should be at least 7 characters long and contain upper and
lower case with punctuation. You can check for weak passwords with a
package called johntheripper.

Making sure your software is up to date is also critical. Web-apps are
especially prone to security holes.

Good Luck!
-tcort
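The sshd lock-down Thomas describes, as an added example that is not code from this thread or from denyhosts: it reads PermitRootLogin out of a constructed sshd_config (the weak value beside the corrected one) and tallies "Failed password" lines per source address from constructed log lines, which is the tally denyhosts automates. Log contents, addresses, config fragments and function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the sshd_config setting
# Thomas recommends and tally failed logins per source address the way
# denyhosts does. The log lines and config fragments below are constructed.

# Constructed sshd log lines in OpenSSH's auth-message format.
SAMPLE_LOG='Jul  5 02:10:01 host sshd[4011]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul  5 02:10:03 host sshd[4011]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jul  5 02:10:05 host sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jul  5 02:10:09 host sshd[4013]: Failed password for grant from 198.51.100.20 port 40000 ssh2
Jul  5 02:11:00 host sshd[4014]: Accepted publickey for grant from 198.51.100.20 port 40001 ssh2'

# The weak sshd_config setting beside the corrected one (constructed).
WEAK_CONFIG='PermitRootLogin yes
PasswordAuthentication yes'
FIXED_CONFIG='PermitRootLogin without-password
PasswordAuthentication no'

# Effective value of keyword $2 in config text $1: sshd honours the first
# occurrence, keywords are case-insensitive, comments and blanks are ignored.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Return 0 when root cannot log in with a password, 1 when it can.
root_login_ok() {
    case "$(sshd_setting "$1" PermitRootLogin)" in
        no|without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Count "Failed password" lines per source IP in log text $1 and print
# "count ip" for every source with at least $2 failures, highest first.
brute_force_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' |
        sort -rn
}

root_login_ok "$WEAK_CONFIG" || echo 'weak config: root may log in with a password'
root_login_ok "$FIXED_CONFIG" && echo 'fixed config: root password login denied'
echo 'sources with 3 or more failed logins (candidates for denyhosts):'
brute_force_sources "$SAMPLE_LOG" 3
```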
* Re: [gentoo-user] Protecting my server against an individual
From: Daniel @ 2006-07-05 10:22 UTC
To: gentoo-user

Grant wrote:
> It has come to my attention that a particular person I know may be
> intent on attacking my server/website in any way possible. He doesn't
> know much about Linux but does know Windows. What kind of things
> should I lock down to protect my remote hosted server? I don't have
> time to get too crazy with security right now, but what kinds of
> simple tricks might this fellow learn by asking around on forums, etc?

1) Use a firewall to block access to everything but the services you
   need to be accessible. (Be very careful here so you DO NOT disable
   YOUR access.)
2) Update your packages to their latest stable versions.
3) Check the configuration of your services - they should deny all
   functionality but the one you intended to provide.
4) Enable activity logging - this would help you find out the way
   somebody is trying to penetrate your system and give you the
   opportunity to take counter measures.
5) Pray :)

-- 
Best regards
Daniel
* [gentoo-user] Re: Protecting my server against an individual
From: dnlt0hn5ntzhbqkv51 @ 2006-07-05 13:36 UTC
To: gentoo-user

On Tue, 04 Jul 2006 18:56:02 -0400, Grant <emailgrant@gmail.com> wrote:
> It has come to my attention that a particular person I know may be
> intent on attacking my server/website in any way possible. He doesn't
> know much about Linux but does know Windows. What kind of things
> should I lock down to protect my remote hosted server? I don't have
> time to get too crazy with security right now, but what kinds of
> simple tricks might this fellow learn by asking around on forums, etc?

A Windows guy has all of the techniques/tools that a 'nix guy has - he'll
figure out what servers you have, which ports, which software, what
vulnerabilities ... all of it. He'll even use some of the same tools
(e.g. nmap). If your server is misconfigured (e.g. allows root logon); if
passwords are trivial; if software is out-of-date with known
vulnerabilities; he could break in and deface the site; erase the OS;
install a root kit and hide a key logger ...

Suggest that you shut this thing down 'til you have a security plan that
you understand, and with which you are comfortable. If that is not
possible, then implement the items mentioned earlier, and additionally
assure:

1. that your passwords are at least 15 characters long with capitals and
   numerics. A repeated password is fine (e.g. gentoo becomes
   gEnt0*gEnt0*gEnt0*)
2. that you can easily and confidently restore your backups (you do have
   backups!?)
3. that you can tell if you've been hacked (e.g. samhain, tripwire).
4. And that your software is up to date.

After that, you can look into IDS, Trojan scanning, chroot jails,
hardening, and other things that servers under attack might consider.
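Item 3 above (being able to tell whether you've been hacked) is what samhain and tripwire do; the following is an added example in their spirit, not code from this thread or from either tool: it hashes a tree into a baseline and later reports every file that was modified, added or removed. It assumes coreutils sha256sum, paths without whitespace, and a constructed demo tree in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal file-integrity check
# in the spirit of item 3 (samhain, tripwire). It hashes a tree into a
# baseline and later reports every file that is modified, added or removed.
# Assumes coreutils sha256sum and paths without whitespace; the demo tree
# is constructed in a temporary directory.

# Record "sha256  ./relative/path" for every regular file under $1 in $2.
# Paths are relative so the baseline can be stored off the box.
integrity_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Compare tree $1 against baseline $2. Prints "modified:", "added:" or
# "removed:" lines and returns 1 on any difference, 0 if the tree is intact.
integrity_check() {
    now=$(mktemp)
    integrity_baseline "$1" "$now"
    rc=0
    # Present now: new file, or same path with a different hash.
    while read -r hash path; do
        old=$(awk -v p="$path" '$2 == p { print $1 }' "$2")
        if [ -z "$old" ]; then
            echo "added: $path"; rc=1
        elif [ "$old" != "$hash" ]; then
            echo "modified: $path"; rc=1
        fi
    done < "$now"
    # In the baseline but gone now.
    while read -r _ path; do
        awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$now" ||
            { echo "removed: $path"; rc=1; }
    done < "$2"
    rm -f "$now"
    return $rc
}

# Demo on a constructed tree: take a baseline, tamper, re-check.
integrity_demo() {
    tree=$(mktemp -d); base=$(mktemp)
    mkdir -p "$tree/etc"
    echo 'PermitRootLogin no' > "$tree/etc/sshd_config"
    echo '<h1>hello</h1>' > "$tree/index.html"
    integrity_baseline "$tree" "$base"
    echo 'PermitRootLogin yes' > "$tree/etc/sshd_config"   # modified
    echo 'unexpected' > "$tree/new.txt"                    # added
    rm "$tree/index.html"                                  # removed
    integrity_check "$tree" "$base" || echo 'tree differs from baseline'
    rm -rf "$tree" "$base"
}
integrity_demo
```

Keep the baseline file somewhere the server cannot write to (item 2's backups are a natural place), since a baseline the intruder can rewrite proves nothing.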