Linux Administrators: Firewall/Router/fileserver/ssh tips
deanrantala
07-11-2003, 02:43 PM
Hey, I have been using Linux for some time now. I don't even use Windows, except for customers who absolutely want it. Last week I set up a server for my parents' business running Slack 9.0. Now this is my first time setting up a Linux box with as much stuff as this one has: firewall/router/fileserver/ssh server.
The server was running Win 2k Server - within two days it was infected with 170 viruses, and had a nasty trojan that turned it into a 24/7 port scanner for some script kiddie in Orlando, Florida. No more Windows. Period. Slack has been on this system for over a week now and runs nice and tight. Since I am still new to all the tips and tricks of securing a Linux box as a full-time server, I am calling for the advice of any experienced experts.
1) I do not use sendmail; is it enough to simply disable the script that runs the daemon at boot? It is an unneeded service and I want to be sure this is all I need to do to secure this little hole.
2) I set up IP chains (firewall/routing) with a "stock" firewall script from a howto online. I attached the script - I am really afraid of having something in there that is a major hole (since this is a mortgage business) and I have not covered it due to simple lack of experience. If someone wants to give a quick browse on that script and give me some advice, it would be most helpful.
3) Are there any other services I should know about that are running on Slack by default that are not needed? All this server does is run a Samba server, act as a firewall and router, and run the ssh daemon (for remote management). Anything else that is unneeded can go.
Any advice is much appreciated..
deanrantala
07-11-2003, 02:49 PM
Sorry, here's the firewall script attachment...
Hi deanrantala!
From what I can tell you're letting anyone into your server but denying access to any forwarding - so that nothing nasty gets into your local network. So the ACCEPT on INPUT doesn't look reasonable in my eyes.
Could you do me one thing?
Log into the machine and go to
http://scan.sygatetech.com/ From there use all the scan options and give me a word.
Greets,
Nor
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
phlipant
07-13-2003, 06:59 AM
Set the file /etc/hosts.deny to contain ALL: ALL and make sure /etc/hosts.allow is empty. If you need docs, type man hosts.allow.
Then, some services (i.e. outside xinetd) should be turned off unless needed. httpd, dhcpd, sshd and cups come to mind.
hosts.deny will block all xinetd services; non-xinetd services are listed in the directory /etc/init.d.
To turn these services off, run serviceconf and uncheck the box next to the service. Save the setting and restart (i.e. reboot, or stop each manually).
I am certain others will like to expand on that short list.
deanrantala
07-13-2003, 09:01 AM
Thanks for all the advice so far. I don't have serviceconf - I'm gonna try downloading / installing it.
nors: BTW, I will change that - but instead of putting ALLOW, what do I replace that with? This firewall script was a "stock" script that I downloaded from a howto site; I understand only the first twenty lines of that script... Well, actually now I understand the input/accept part, I just don't know how to edit it right now :) . Also, by changing that, will it affect the internet sharing (routing) any? Or does it just block people from making remote logins to internal PCs (on the LAN)?
Also, /etc/inet.d (or variations) are nowhere on my system. All I really care about is ssh. Is that a xinet service? I am not running any FTP/Apache or other such servers, so that is not needed.
PS: Is sendmail a xinetd service? I don't believe Slack 9 even has xinetd - I have done a whereis and it does not show up.
garskoci
07-13-2003, 09:18 AM
Take a look at nessus software. It's a security scanner. I heard good things about it. Just a thought.
http://www.nessus.org
phlipant
07-13-2003, 12:02 PM
The directory is init.d, not inet.d, and it does contain ssh, httpd and sendmail; services like telnet and ftp are in xinetd.d.
It is a bit confusing, but you have two separate directories for turning services on/off.
I would not assume any computer is secure until both directories have been reviewed, as well as the associated rc#.d directories.
deanrantala
07-13-2003, 06:59 PM
Still no inetd file whatsoever. There is an init file at /usr/src/linux (my kernel sources, but I don't think there is much in there that runs sendmail).
Anyway, I am just gonna restrict all execution privileges on the 2 different sendmail files on the server - that should keep it from running.
I did find /etc/inetd.conf, and found that I had proftp running by default (I didn't even know that proftp came pre-installed with Slack!!!). So I have concluded that I am using inetd rather than xinetd. But I still saw *nothing* in the inetd config file that referenced sendmail, so perhaps sendmail is a standalone service on Slack 9?
garskoci: Thanks for the link, I checked it out, but it seems way beyond my comprehension. I believe you have to register and open an account. Even then, you have to use it by running some super-cryptic (almost assembly code-looking) script from the cli that is quite a bit to do for a simple security check. Norton used to have an on-line check, but it doesn't work on Linux....
Thanks so much for all the advice so far...:)
Hi!
Quoting deanrantala:
nors: BTW, I will change that - but instead of putting ALLOW, what do I replace that with? This firewall script was a "stock" script that I downloaded from a howto site; I understand only the first twenty lines of that script... Well, actually now I understand the input/accept part, I just don't know how to edit it right now. Also, by changing that, will it affect the internet sharing (routing) any? Or does it just block people from making remote logins to internal PCs (on the LAN)?
Also, /etc/inet.d (or variations) are nowhere on my system. All I really care about is ssh. Is that a xinet service? I am not running any FTP/Apache or other such servers, so that is not needed.
PS: Is sendmail a xinetd service? I don't believe Slack 9 even has xinetd - I have done a whereis and it does not show up.
Before I try to give you any advice I'd like to know which services you want to offer the outside world. But to explain my way of doing my iptables firewall: I make a new chain with
iptables -N BLOCK
And then I link from OUTPUT, INPUT and FORWARD to it using this:
iptables -I OUTPUT -j BLOCK
iptables -I INPUT -j BLOCK
iptables -I FORWARD -j BLOCK
Now, my BLOCK-chain is almost identical to what deanrantala has used:
iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A BLOCK -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A BLOCK -j DROP
NB! My eth0 is the "internet NIC". Don't miss this one, it's crucial. So if you have eth1 going on a broadband or something - use eth1 and not eth0.
In my case it means all NICs BUT eth0 developing new connections are allowed. So if someone on eth0 tries to access my pc from outside he's denied access as long as I don't specifically grant access on e.g. port 22 in the INPUT chain.
Now I open up the ports I want outsiders to be able to use, like SSH:22, https:443 or something else.... I could open a bunch of them...
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
And I can SSH into it.
Remember to cut off any other rules you don't need in iptables.
Let's say I had some rule in INPUT on line 2 and I wanted to delete it: iptables -D INPUT 2
I'm using Red Hat 8 and edited /etc/rc5.d/S08iptables to make my changes permanent, adding the BLOCK chain. I also added
insmod ip_conntrack and made sure BLOCK was flushed when needed and its chain rule set to DROP. And when my iptables looked ok I saved it: iptables-save > /etc/sysconfig/iptables
Because S08iptables uses this in the bootup-process.
To check my firewall and verify if its working as supposed I like to use scan.sygatetech.com (http://scan.sygatetech.com/)
and I sometimes use nmap too.
From my understanding - inetd is a daemon that sniffs attempted connections on the ports and directs them to their respective programs - like 80 to Apache. xinetd is the same but supposed to be more secure. Now, if your service has its own daemon going, xinetd/inetd won't do anything about it.....
Sendmail: I'd have to come back to this one. =)
Greetings,
Nor
deanrantala
07-14-2003, 06:45 PM
First: I forgot to post this, but I went to the sygate site, and here were the results:
>Detected I was running Linux i686
>Detected I was using Netscape 5.0
>Unable to find Computer name
>Detected That I was running SSH
And that's it...
Eh.. I am a little lost with all the input/forward/output stuff... I am an ex-Windows man new to the Linux "server" world. Perhaps there is a site that describes this in a very easy-to-understand format?
Basically, I got it set up like this:
eth0 is the WAN connection (or internet via cable modem on ethernet)
eth1 is my LAN interface that hooks to the hub, and talks to all the computers on the network - as well as providing internet connectivity and file sharing.
Samba is running on the server to provide centralized files to the "windblows PC's"
Of course, iptables is running to provide internet sharing (routing) and to serve as a firewall.
And I need SSH running and accessible to the outside world (eth0) as it is now.
Otherwise, no other service or connection needs to be made. And everything else can be locked down.
Since you lost me with the whole "making a new chain" deal, perhaps you could give me a brief description of how this iptables works and the basic components of it? Just something brief - I'm pretty Linux and network literate, so I just need the gist of what I'm fixing before I try working on it :)
Thanks again for all this help..:)
Ok, deanrantala - we're nearly there now! =)
The new chain is like a function the other chains can use. What I've done is linked the others to BLOCK so that when a packet comes in through your WAN (eth0 in your case) it traverses the rules - the first rule is inspected - and if this rule says port 22 from anybody is ok and it's actually an SSH packet then iptables allows this to continue without further checks. Now, if it was a port 80 packet (http) coming in to the INPUT chain - and you've made no explicit rules allowing it - then iptables would have just traversed the rules one by one, finding none for the port 80 packet, and at last would have thrown the packet to the BLOCK chain. In the BLOCK chain the rules are: if this is a packet that belongs to a communication stream originating from THIS PC then all is ok, it's allowed. If not - let's say somebody else wants to enter your server - Apache or some sort - it would deny it access just because it's not originating within your pc. Read the rules above carefully and you'll understand.
What about the chains?
Well, first of all: they're rules - checking packets - allowing them - disallowing them or just ignoring them because different rules apply to different packets. Remember though - packets traverse DOWNWARD the "CHAIN OF RULES", therefore chains. So what happens when I've made a very last rule in INPUT telling it to jump to my BLOCK chain? Well, then it jumps - but not before it's traversed all the other rules in INPUT and made NO hit.
The INPUT chain: EVERY packet coming to this SPECIFIC pc and NOT forwarded to some pc behind it - they go to the INPUT chain. So the rule is - you ask the packet: are you going to this pc or somebody behind me? Packet replies: "I'm going to you - not anybody behind you." Then it's the INPUT chain the packet goes to. So what if no rule in the INPUT chain applies to this specific packet - well, at the bottom of the INPUT chain I've put a "JUMP TO" BLOCK chain, so it does. And again: the chain looks at the packet: is this from my own initiated traffic? If not - then trash it. [basically]
The OUTPUT chain: Every packet coming from THIS pc directly goes from the OUTPUT chain and NOT the FORWARD chain. I've linked the OUTPUT to BLOCK at the bottom - just like I did with the INPUT chain.
FORWARD chain: Every packet NOT meant for the pc itself but some behind it - let's say you have a router as in your case - will automatically go to the chain rules of the FORWARD chain. I remember I had no rules in the FORWARD chain for a long time before it hit me - what if some packet tries to enter behind the router? So I just linked the FORWARD to my BLOCK chain.
For links on the subject:
Use www.google.com and search for: iptables howto
This is a link from one of these:
http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO-5.html
Greetings to all,
Nor
deanrantala
07-16-2003, 01:47 PM
nor:
Thanks so much for the help. Even though I don't yet really fully understand the syntax and structure, I now have the gist of what this thing does, and how it works.
I edited my rc.firewall - now it gives me a bunch of error messages. I am posting the bottom half of the firewall script as well as a copy of the errors..
Here's the piece of rc.firewall ....
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -L INPUT -j ACCEPT -p tcp --dport 22
$IPTABLES -L INPUT -j BLOCK
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -L OUTPUT -j BLOCK
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -L FORWARD -j BLOCK
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
$IPTABLES -N BLOCK
$IPTABLES -A BLOCK -m state ESTABLISHED,RELATED -J ACCEPT
$IPTABLES -A BLOCK -m state NEW -i ! eth0 -J ACCEPT
$IPTABlES -A BLOCK -j DROP
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
That is the last 30 - 35 lines or so to my firewall script. Nothing else has been changed.
Now for the (copied) error messages I am getting...
bash-2.05b# ./rc.firewall
Loading simple rc.firewall version 0.74..
External Interface: eth0
Internal Interface: eth1
loading modules: - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp, ----------------------------------------------------------------------
Done loading modules.
Enabling forwarding..
Enabling DynamicAddr..
Clearing any existing rules and setting default policy..
iptables v1.2.7a: Illegal option `-p' with this command
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.7a: Illegal option `-j' with this command
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.7a: Illegal option `-j' with this command
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.7a: Illegal option `-j' with this command
Try `iptables -h' or 'iptables --help' for more information.
FWD: Allow all connections OUT and only existing and related ones IN
iptables: Chain already exists
Bad argument `ESTABLISHED,RELATED'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `NEW'
Try `iptables -h' or 'iptables --help' for more information.
./rc.firewall: line 292: -A: command not found
Enabling SNAT (MASQUERADE) functionality on eth0
rc.firewall-2.4 v0.74 done.
I know it's probably the way I'm putting the stuff in there, so please tell me what I'm doing wrong.
I'm also gonna check out that site and start studying up on this over the next couple of months since it is so important. It is just getting past this first-time deal that is always the hardest.
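As an added example (not code from the thread), here is Nor's BLOCK-chain design written out for deanrantala's layout, with the mistakes visible in the posted rc.firewall fragment corrected: -L lists a chain rather than inserting into it (hence "Illegal option"), the target flag is -j not -J, -m state needs --state (hence "Bad argument NEW"), and the BLOCK chain has to be created before anything jumps to it. The interface names, the SSH port and the iptables-restore file format are assumptions; check_rules() reviews the generated ruleset without root.

```shell
#!/bin/sh
# Added example, not from the thread: Nor's BLOCK-chain design written out for
# deanrantala's layout (eth0 = WAN, eth1 = LAN, SSH reachable from outside,
# LAN masqueraded). The rules are emitted in iptables-restore format so they
# can be read before loading; as root:  build_rules | iptables-restore
EXTIF=eth0      # internet-facing NIC (assumed, as stated in the thread)
INTIF=eth1      # LAN NIC
SSH_PORT=22
build_rules() {
    cat <<EOF
*filter
# Default policies: INPUT DROP replaces the "-P INPUT ACCEPT" that let every inbound connection in.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK - [0:0]
# BLOCK: replies to connections this box or the LAN started are fine, new
# connections are fine from any NIC except the WAN, everything else is dropped.
-A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
-A BLOCK -m state --state NEW ! -i $EXTIF -j ACCEPT
-A BLOCK -j DROP
# Services offered to the outside world go BEFORE the jump to BLOCK.
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -j BLOCK
# FORWARD: the LAN may go out; from the WAN only replies come back in.
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
-A FORWARD -j BLOCK
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# SNAT (masquerade) for the LAN, as in the original rc.firewall.
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
EOF
}

# Review the generated ruleset without root: the SSH accept must come before
# the jump to BLOCK (rules are traversed top-down), and no "-m state" may lack
# its "--state" argument. Returns 0 when both hold.
check_rules() {
    rules=$(build_rules)
    ssh=$(echo "$rules" | grep -n -- "^-A INPUT .*--dport $SSH_PORT" | cut -d: -f1)
    jmp=$(echo "$rules" | grep -n -- '^-A INPUT -j BLOCK$' | cut -d: -f1)
    [ -n "$ssh" ] && [ -n "$jmp" ] && [ "$ssh" -lt "$jmp" ] || return 1
    echo "$rules" | grep -q -- '-m state [A-Z]' && return 1
    return 0
}
```

Loading the output with iptables-restore replaces the whole filter and nat tables, so the "Chain already exists" error from re-running the script goes away as well.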