Jump to content
imported_ZbeNg

They Can't Crack What They Can't Find

By imported_ZbeNg, in Tutoriale in engleza

Recommended Posts

imported_ZbeNg Newbie

imported_ZbeNg

Posted
Posted

SCZ CAI IN ENGLEZA DA MI SA PARUT INTERESANT

The Internet today is a jungle full of predators. Some of these predators are trying to crack your machine others are just looking for a machine to crack. By using the firewalling tools built into the Linux kernel it is possible to make a desktop machine virtually disappear from the crackers view.

In this article I will describe how to hide a machine running Linux that uses PPP over a modem to connect to the Internet. I will use ipchains and the firewalling built into the Linux kernel to protect the services that are running on this machine from connections across the PPP interface.

For this example, I will use a Debian system with a 2.2.15 Linux kernel on a Debian system. You should note that the firewalling code in the 2.4 Kernel has undergone a rewrite, but that the examples in this article will still work by loading the ipchains compatibility module.

We begin right after you have installed Linux on your machine and before you have connected to the Internet. Any connections to the Internet could leave your machine compromised so it is important to secure your machine before you connect for the first time.

After the install you should turn off all of the services and daemons that you do not need. Each service that is running is one more that could be vulnerable and will require monitoring for security advisories and updating as new versions are released. To find where to turn off these services look at what inetd is providing and then look at what daemons the sysV init processes starts.

The file /etc/inetd.conf controls what daemons are started by inetd. Open this file in vi or your favorite editor and comment out all the lines that you do not need by adding a # to the start of the line. I usually turn off all of the things such as echo, chargen, finger, talk, rsh, rexec, etc. If I am not going to need them I will also turn off FTP and telnet. If you end up turning all of the services off then we can turn off inetd itself in the next step.

Example (/etc/inetd.conf):

Before:

echo stream tcp nowait root internal

echo dgram udp wait root internal

chargen stream tcp nowait root internal

chargen dgram udp wait root internal

discard stream tcp nowait root internal

discard dgram udp wait root internal

After:

#echo stream tcp nowait root internal

#echo dgram udp wait root internal

#chargen stream tcp nowait root internal

#chargen dgram udp wait root internal

#discard stream tcp nowait root internal

#discard dgram udp wait root internal

If you still have services being started by inetd then restart inetd. You can do this by using ps to see what the Process ID (PID) is for inetd and then sending it a HUP signal with the kill command. This will cause it to re-read it's configuration file.

# ps axwww |grep inetd

345 ? S 0:00 /usr/sbin/inetd

535 pts/1 S 0:00 grep inetd

# kill -HUP 345

Then look at the SysV init system to see what daemons you do not need. One of the easiest ways to do this is to use ksysv. Ksysv is a graphical manager for the SysV run levels written in tk by Peter Putzer.

If for some reason you can not use this then look inside your /etc directory for a group of directories named /etc/rc1.d /etc/rc2.d etc. The rc2.d directorie on the example machine looks like this:

$ ls /etc/rc2.d/

S01ipchains S19nfs-common S20inetd S20makedev S89atd

S10sysklogd S20alsa S20linuxconf S20nfs-kernel-server S89cron

S14ppp S20dictd S20logoutd S20xfs S91apache

S18portmap S20gpm S20lpd S20xfstt S99rmnologin

To prevent a daemon from starting, look for a file in these directories that starts with an S and remove it. For example if we wanted to turn off inetd we would find all of the startup files for inetd and then remove them:

# ls /etc/rc*.d/S*inetd

/etc/rc2.d/S20inetd /etc/rc4.d/S20inetd

/etc/rc3.d/S20inetd /etc/rc5.d/S20inetd

# rm /etc/rc*.d/S*inetd

Once you have reached this point reboot your machine to test the startup scripts. Then use the ps command to see what you have running and use the netstat command to see what ports are open on your network.

# netstat -ln

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address

State

tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:7101 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:2628 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:928 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN

udp 0 0 0.0.0.0:926 0.0.0.0:*

udp 0 0 0.0.0.0:1024 0.0.0.0:*

udp 0 0 0.0.0.0:111 0.0.0.0:*

raw 0 0 0.0.0.0:1 0.0.0.0:* 7

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

Active UNIX domain sockets (only servers)

Proto RefCnt Flags Type State I-Node Path

unix 0 [ ACC ] STREAM LISTENING 213

/tmp/.font-unix/fs7100

unix 0 [ ACC ] STREAM LISTENING 171 /dev/log

unix 0 [ ACC ] STREAM LISTENING 275

/tmp/.X11-unix/X0

unix 0 [ ACC ] STREAM LISTENING 200 /dev/gpmctl

unix 0 [ ACC ] STREAM LISTENING 208 /dev/printer

unix 0 [ ACC ] STREAM LISTENING 224 fs7101

In this example we see at the top the list of TCP and UDP ports that are open. The Active UNIX domain sockets are not listening on the network so we can ignore them.

Once you have all the unneeded daemons turned off and have things the way you want them we can set up our firewall rules using ipchains.

The ipchains program allows you to control the IP firewall rules in the Linux kernel. It seems much more complicated than it is. In this article I am going to keep things very simple. If you would like to learn more details about ipchains or look at some more complicated examples then take a look at the How To.

A simple rule to firewall a TCP port from any connection on the ppp0 interface uses something like the following command replacing $portnumber with the portnumber you want to firewall. It does not matter that the ppp0 interface is not up when you set up the firewall rules. When the interface does come up the rules will be applied.

ipchains -A input -i ppp0 -p TCP -d 0.0.0.0/0 $portnumber -j DENY

For UDP change the -p TCP to -p UDP.

ipchains -A input -i ppp0 -p UDP -d 0.0.0.0/0 $portnumber -j DENY

To see what rules are defined by using ipchains -L. To suppress DNS and port name lookups use a -n.

This is the output of ipchains -L -n on my example machine.

# ipchains -L -n

Chain input (policy ACCEPT):

target prot opt source destination ports

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 80

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 111

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 515

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 928

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 2628

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6000

DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 7101

DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1

DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6

DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 111

DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 926

DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024

Chain forward (policy ACCEPT):

Chain output (policy ACCEPT):

One more needed ipchains option is used to flush a chain -F. To remove all of the rules on the example machine we would use 'ipchains -F input'.

To save your rules for the next time you boot use the ipchains-save program and save the output into /etc/ipchains.rules.

# ipchains-save > /etc/ipchains.rules

When you boot you will restore the rules with ipchains-restore. The following script is from the how to you can place it in /etc/init.d and then set it up to run by placing a link to the script in the run level of your choice.

#! /bin/sh

# Script to control packet filtering.

# If no rules, do nothing.

[ -f /etc/ipchains.rules ] || exit 0

case "$1" in

start)

echo -n "Turning on packet filtering:"

/sbin/ipchains-restore < /etc/ipchains.rules || exit 1

echo 1 > /proc/sys/net/ipv4/ip_forward

echo "."

;;

stop)

echo -n "Turning off packet filtering:"

echo 0 > /proc/sys/net/ipv4/ip_forward

/sbin/ipchains -F

/sbin/ipchains -X

/sbin/ipchains -P input ACCEPT

/sbin/ipchains -P output ACCEPT

/sbin/ipchains -P forward ACCEPT

echo "."

;;

*)

echo "Usage: /etc/init.d/packetfilter {start|stop}"

exit 1

;;

esac

exit 0

When your rules are set up the way you want them you should check them with a port scanner such as nmap. If you do not have a machine on the net that you can scan your PPP connection from then you can apply the same rules to the lo (local) interface. Just make sure you do not save the rules with ipchains-save or you may find some things not working.

This is an example of scanning using nmap without any firewall rules in place:

# nmap hostname

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on hostname (10.0.0.1):

(The 1517 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

111/tcp open sunrpc

515/tcp open printer

928/tcp open unknown

1024/tcp open kdm

6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds

What it looks like when we scan with the firewall rules in place:

# nmap hostname

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds

We can however still ping the machine. Ping uses icmp echo which we have not firewalled. We can turn off responding to icmp echos with an ipchains rule or by doing 'echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all'. However even that will not make us invisible. There is more than one kind of icmp packet. An example of this is that tools such as icmpush can be used to "ping" using other icmp types such as Time Stamp Request.

# ping hostname

PING hostname (10.0.0.0): 56 data bytes

--- hostname ping statistics ---

12 packets transmitted, 0 packets received, 100% packet loss

# ./icmpush -tstamp hostname

hostname -> 18:11:22

Turning off icmp_echo does go a long way towards making us invisible but we can firewall more icmp types using ipchains. We can also use ipchains to insure that icmp packets will never be returned by our machine.

ipchains -A output -i ppp0 -p icmp -j DENY

The downside to doing this is that you will not be able to ping other systems as the firewall rule will stop all outgoing icmp packets not just replies to packets from the outside.

We do not want to filter all incoming icmp packets because if we do then we will not get host-unreachable and no-route-to-host messages and all of our connections will just wait for a reply that never comes. We could write a more complicated set of rules that blocks the icmp packets with more care, but for this example we will not.

By restricting what connections we allow on our exposed interfaces we restrict what we expose to the world. This can have some advantages in preventing people from finding or exploiting services that we need to run but do not need to share with the Internet.

Using ipchains can get very complicated but it does not need to be used in a complicated way to allow a significant amount of protection for your machine from a system Cracker's probes and a Script Kiddie's scans.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...