A little security help please

  1. #1

    A little security help please

    Well, now that I have been running Linux for over a year (YES!), I would like to start getting more into securing my box. And this little wanna-be hacker has made me want to do it even more. Let me start by explaining my connection:

    Cable modem into a Linksys router, 3 boxes connected to the router: Win98 (family), Win2k (does movie editing) and Mandrake 8.1 (my baby). Domain name high-on-linux.net points to me.

    The Mandrake box is also my mail server and FTP server. The only ports I opened up from the router are 20-21, 110, 25, 443 (ssh from work), 143, and a range in the 104xs for DCC sends on IRC.

    For starters, there is this young hacker wannabe that I used to chat with on IRC. He likes to mess around and packet the hell out of me from a T3 connection he has access to. Is there a way to stop this from affecting me? Can I block pings as well? I think it might be impossible since the Linksys is what's exposed to the net.

    Also, can I make it so only rick420 can su to root?? So that all other users would get "bash, command not found" ?

    Is there anything else I should do to secure this baby up?? Thanks a lot in advance for pointing me into the right directions

  2. #2

    Re: A little security help please

    Here is some basic information on securing your box.

    1.) Stop any unneeded services (like telnetd, r-services, etc...).
    2.) Scan your box with nmap+nessus to find any basic security holes.
    3.) Use sudo and deny access to su from just any user.
    4.) Use iptables to run a nice firewall. If you can't run a firewall for xyz reasons use portsentry.
    5.) Set up syslog to also print messages to /dev/tty10 for real time log reading.
    6.) Check Mandrake's website for new security problems and update!
    7.) Know what's installed on your box.
    8.) Deny certain ICMP packets ;-).

    A trick that I've done before is to forward all data from a certain address back to the address that's sending it. You can watch your little cracker friend DOS himself :-P.

  3. #3

    Re: A little security help please

    Thanks for the quick response! Let me go thru your suggestions:

    1) I already have removed telnet (I use ssh instead), but I don't know what else I could stop
    2) When scanning w/ nmap, I only see the ports open I stated above
    3) I wish I knew what sudo meant, and yes I would like to only allow rick420 (me) to su to root
    4) Need to learn about iptables and what I would block with them
    5) syslog? Real time logging, sweet!!! Is syslog what would show the IPs attempting to connect to me???
    6) Will do when I get home!
    7) I think I know what's installed, don't know what all those 72 procs running are doing though
    8) YES INDEED! Need to learn how to do that

    Also forwarding all data back to a certain IP would be great! Would I learn the IPs by syslog?

    Thanks, I will start reading up on iptables as soon as I can!

    Definitely wanna only let rick420 su to root; also, isn't there a way to deny people from sshing into me as root??

  4. #4

    Re: A little security help please

    Definitely wanna only let rick420 su to root; also, isn't there a way to deny people from sshing into me as root??
    I don't know about ssh, but for your 'su' troubles, do this:

    1. As root, create a new group called "wheel" if you don't already have it. Then make su be owned by the wheel group (chown root.wheel /bin/su), then put only the "rick420" user into the wheel group, nobody else. Finally, change su so that it can only be executed by its owner or its group (chown 750 /bin/su).

    Now only rick420 and root accounts can use su, it will just say "permission denied" if you try it from any other user.

  5. #5

    Re: A little security help please


    Is there a way to stop this from affecting me? Can I block pings as well? I think it might be impossible since the Linksys is what's exposed to the net.
    If you block all from a specific IP, yea, pings would be returned as an unreachable host. Now, as far as the Linksys, create a filter rule that blocks all (possibly called dropping all) for the IPs that are 'evil.'

    Also, can I make it so only rick420 can su to root?? So that all other users would get "bash, command not found"?
    Do what Feztaa said, but my recommendation is to generate a really whacky groupname. Why?? Well, everybody and their brother knows that wheel is the security group. Why give any more info to the asshole hackers than what is ABSOLUTELY necessary? I rotate through a 10 digit random string on each box.

    Is there anything else I should do to secure this baby up?? Thanks a lot in advance for pointing me in the right directions
    Well, as mentioned earlier, figure out what each daemon is and disable anything not necessary. Use shadow passwords, tripwire, sudo. Really the only way to truly get it secure is to block shit from all IPs not being accessed. And still those that are left open should have the ports blocked that are not used. Anal as all fuck, but heh, it will work to a good degree.

  6. #6

    Re: A little security help please

    Well, everybody and their brother knows that wheel is the security group. Why give any more info to the asshole hackers than what is ABSOLUTELY necessary? I rotate through a 10 digit random string on each box.
    This has absolutely no effect, other than to drive you batty if you ever have to try and remember what it is. Any hacker worth his salt would simply do an ls -alF /bin/su and see what the name of the group he has to crack is.

    I suggest you just go with "wheel", because anything else is security through obscurity, which doesn't work at all.

  7. #7

    Re: A little security help please

    People cannot ssh into you as root by default. You have to allow for it.

    Security through obscurity doesn't work, but it can confuse script kiddies. I don't think it is a solution at all, but it can't hurt. Yes, you can obtain the IP from your logs ... or if he is on IRC you can /dns nick to get his IP address. You might want to write a script to listen on ports and warn people off .... it's pretty simple to do in Perl with IO::Socket and TCP wrappers.

  8. #8

    Re: A little security help please

    I would do the following if you want a pretty secure box:

    1) Not only disable services that you don't need, uninstall them completely. Even if you have an iptables firewall and services turned off, if someone gets a small foothold on your box and elevates their privileges to root, they can edit your iptables rules as well as start services that give them greater access to your box. If the services don't exist, then it's that much harder.

    2) Build an iptables firewall and block all unneeded incoming, as well as outgoing, packets. Set up rules for logging anything interesting.

    3) Use PAM to only allow su by members of the wheel group.

    4) Run nmap against your box regularly. Scan all ports from 1-65535, UDP as well as TCP. Do an nmap localhost -sU -sT -p 1-65535

    5) Run as many services as possible through tcp wrappers. Use hosts.deny and .allow when you can.

    6) Install all the latest patches; this includes fixes for local as well as remote vulnerabilities.

    7) Run nessus or saint to spot vulnerabilities on any services offered.

    8) Run startx as startx -- -nolisten-tcp, so that port 6000 does not open.

    This will make your box pretty tight, though nothing is completely secure. The idea is not to have an impenetrable fortress, but to make your box hard enough to get into that everyone except the most dedicated will give up.

    There are probably some other things you can do, like one-time-passwords-for-everything, SNORT, tripwire, etc. but for a home box, they may be a bit of overkill.
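An added example, not code from the thread, of what item 2 above looks like for the box described in the first post: a host firewall whose open TCP ports mirror the ones forwarded by the router, with the rest logged and dropped. The service port list is the poster's; the DCC range, the blocked source address and the function names are constructed for this example. It prints the iptables commands for review instead of running them, since applying them needs root.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset for a
# Mandrake box that runs mail and FTP behind a router. Default policy DROP,
# allow established traffic, log what is dropped. Review the output, then
# apply as root with:  sh thisscript.sh | sh

SERVICE_PORTS="20 21 25 110 143 443"   # ports the poster forwards from the router
DCC_RANGE="1040:1049"                  # constructed placeholder for the "104x" DCC range
BLOCKED_SRC="192.0.2.10"               # constructed example of an abusive source IP

build_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Drop the known abusive source first, logging it so the hits show up in syslog
    for src in $BLOCKED_SRC; do
        echo "iptables -A INPUT -s $src -j LOG --log-prefix 'BLOCKED-SRC: '"
        echo "iptables -A INPUT -s $src -j DROP"
    done
    # Replies to connections this box started, and continuations of accepted ones
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections only on the services actually offered
    for p in $SERVICE_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $DCC_RANGE -m state --state NEW -j ACCEPT"
    # Rate-limit echo requests rather than blocking them outright
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
    # Everything else is logged (rate-limited) and then falls through to the DROP policy
    echo "iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix 'DROPPED: '"
}

# Number of generated rules, useful as a sanity check before applying
rule_count() { build_rules | wc -l | tr -d ' '; }

build_rules
```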

  9. #9

    Re: A little security help please

    Well, I don't know what I did wrong, but I can't su to root anymore myself. But if I run a program that needs root privileges it works though. When I open up a console and su, it says incorrect pass?? It doesn't give me permission denied though, just incorrect password??? All I did was chown root.wheel /bin/su and went to userdrake and added rick420 to the already existing wheel group that had root in it already. I then tried deleting the wheel group and recreating it, but no luck still .... I wonder what the hell I did that it says incorrect password now?

  10. #10

    Re: A little security help please

    Well, I don't know what I did wrong, but I can't su to root anymore myself. But if I run a program that needs root privileges it works though. When I open up a console and su, it says incorrect pass?? It doesn't give me permission denied though, just incorrect password??? All I did was chown root.wheel /bin/su and went to userdrake and added rick420 to the already existing wheel group that had root in it already. I then tried deleting the wheel group and recreating it, but no luck still .... I wonder what the hell I did that it says incorrect password now?
    I believe su runs as a setuid. I would not muck around with changing its permissions, but instead look into configuring its security with PAM. By the sound of your error, it seems that PAM is what's causing it to fail. (PAM gives you an incorrect password error when you cannot su to root, even if the user does not have permission to su. It's part of their security by obscurity plan, which, as someone already pointed out, is never obscure at all).

    If you are not using PAM, use it. It will give you what you want (restricting su use to the wheel group), and will log access to it. Edit /etc/pam.d/su. You will see the line you need to uncomment to get PAM and su working together correctly. As for your current problems with su, just set its permissions back and make sure that wheel has the same GID as the last wheel group.
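An added example, not from the thread, covering the PAM route recommended in #8 (item 3) and #10: check whether /etc/pam.d/su has an active pam_wheel line and uncomment it if not. The file path is a parameter so it can be exercised against a constructed stand-in config; the function names and the sample config contents are assumptions for this example, and on a real box it is run as root against /etc/pam.d/su.

```shell
#!/bin/sh
# Added example (not from the thread): enable the pam_wheel restriction on su
# so that only members of the wheel group can authenticate as root through su.

# Returns 0 if an active (uncommented) "auth required ... pam_wheel.so" line exists.
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' "$1"
}

# Uncomments the stock "#auth required pam_wheel.so use_uid" line.
# Prints "enabled" when a change was made, "already" when nothing was needed.
enable_pam_wheel() {
    if pam_wheel_enabled "$1"; then
        echo already
        return 0
    fi
    # Write to a sibling file and rename, which is portable across sed versions
    sed 's/^#[[:space:]]*\(auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*.*pam_wheel\.so.*\)$/\1/' \
        "$1" >"$1.new" && mv "$1.new" "$1"
    pam_wheel_enabled "$1" && echo enabled
}

# Constructed stand-in for a Mandrake-style /etc/pam.d/su with the line still
# commented out (the weak setting). Prints the path of the temporary file.
demo_su_config() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     pam_wheel.so use_uid
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF
    echo "$tmp"
}
```

A failed su attempt under pam_wheel is reported as an authentication failure and logged via syslog, which matches the "incorrect password" symptom described in #9.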
