Thread: how to harden a Linux box

  1. #1
    Newbie, Join Date: Oct 2008, Location: Quebec, Canada, Posts: 5

    how to harden a Linux box

    Recently, my Linux box was hacked.
    Now I have Ubuntu 8.04 on a single-user
    computer with OSSEC intrusion detection.

    In the Debian Users elist, I was advised
    by someone to "harden the system".

    I don't need an HTTPS server, mail server,
    web server. I administer my own computer,
    and I'm the only user.

    Thanks,

    David Bernier

  2. #2
    What do you want to achieve in hardening? Do you just want to permanently turn off those services?

  3. #3
    Newbie, Join Date: Oct 2008, Location: Quebec, Canada, Posts: 5
    Quote originally posted by dragonaire:
        What do you want to achieve in hardening? Do you just want to permanently turn off those services?
    Yes, i.e. the daemons I don't need. I ran the
    'netstat' command and the output is very long.

    Here are the first few lines:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 1 0 192.168.0.104:38878 a24-200-251-11.depl:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:54211 66.198.156.161:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:52505 66.198.156.155:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:52506 66.198.156.155:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:39123 a24-200-251-26.depl:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:49996 66.198.156.147:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:39017 ns-vip5.hitbox.com:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:57125 s3.amazonaws.com:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:57126 s3.amazonaws.com:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:55537 66.198.156.162:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:39208 66.198.156.145:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:45503 211.136.108.242:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:48321 yx-in-f127.google.c:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:55536 66.198.156.162:www CLOSE_WAIT
    tcp 0 0 192.168.0.104:52858 69.59.161.242.pi.ze:www ESTABLISHED
    tcp 1 0 192.168.0.104:57963 216.246.87.59:www CLOSE_WAIT
    tcp 1 0 192.168.0.104:45502 211.136.108.242:www CLOSE_WAIT

    Perhaps someone can interpret those results.

    Thanks,

    David

  4. #4
    On Ubuntu you'll need to run the sysv-rc-conf command to determine what is running at boot time. Once you shut down the unnecessary daemons both at boot time using sysv-rc-conf and those running immediately using the scripts in /etc/init.d then you should be OK.

    The link has more information on simple hardening and determining what processes are listening on what ports.

    Your output seems to be related to your system making connections out to the net on TCP port 80 (WWW). This is normal. A quick way to determine what network ports your system is listening on would be to grep the netstat output for the 0.0.0.0 address like this:

    Code:
    # netstat -an | grep 0.0.0.0
    Then you can use lsof to determine what daemons are attached to each port listed from the output and then shut down the ones you don't need.
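    The following script is an added example, not code from either poster. It takes the approach of post #4 one step further: instead of grepping for 0.0.0.0 (which misses IPv6 wildcard listeners shown as ":::" and also matches non-listening lines), it parses the columns of `netstat -an` output and separates listening sockets from outbound client connections like the ones in post #3. The netstat output embedded in the script is constructed for illustration; on a real box you would pipe `netstat -an` in, and then use `sudo lsof -i :<port>` (or `netstat -tlnp`) to see which daemon owns each listener.

```shell
#!/bin/sh
# Added example (not from the thread): classify `netstat -an` output into
# listening sockets vs. outbound connections, so "what is this box
# exposing to the network?" can be answered without a bare grep for
# 0.0.0.0. The sample below is constructed; replace it with real output.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        1      0 192.168.0.104:38878     24.200.251.11:80        CLOSE_WAIT
tcp        0      0 192.168.0.104:52858     69.59.161.242:80        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Print "proto local-address state" for every TCP socket in LISTEN state
# and every bound UDP socket. Field positions follow the standard netstat
# layout: $1 proto, $4 local address, $5 foreign address, $6 state
# (the state column is absent for UDP, hence the NF check).
listening_sockets() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, "LISTEN" }
        $1 ~ /^udp/ && NF >= 5        { print $1, $4, "BOUND" }
    '
}

# Of the listening sockets, keep only those reachable from other hosts:
# wildcard bindings (0.0.0.0 or :::) or any non-loopback address.
# Loopback-only listeners (127.0.0.1 / ::1) are not network-exposed.
externally_reachable() {
    listening_sockets | awk '$2 !~ /^127\./ && $2 !~ /^::1:/'
}

# Outbound client connections: a concrete remote address rather than "*".
# This is what the netstat excerpt in post #3 shows (browser traffic to
# port 80); these are not listeners and need no daemon shut down.
outbound_connections() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
        | awk '$1 ~ /^tcp/ && $5 !~ /\*$/ { print $1, $4, "->", $5, $6 }'
}

count_lines() { wc -l | tr -d ' '; }

echo "Listening sockets reachable from the network (check each with lsof):"
externally_reachable
echo "Outbound connections (normal client traffic):"
outbound_connections
```

    With real data, replace the `SAMPLE_NETSTAT` variable by reading from `netstat -an` directly; the awk filters are the same. Port 631 is shown bound to 127.0.0.1 deliberately, to illustrate why a listener is not automatically an exposure: only the 0.0.0.0 and ::: bindings are reachable from other machines.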
