08-27-2011, 03:05 PM
yudi v

securing the system, stopping unnecessary services and closing open ports.

Nmap suggests the following ports are open:

25/tcp open smtp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
901/tcp open samba-swat
2049/tcp open nfs

I run a desktop email client that uses SMTP; apart from that, I do not know why the rest of the above services are open.

It even had SSH listening on 22; I changed the port number and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output. I also installed gufw and set it to deny by default.

root@computer:/home/user# grep -ir "Failed password" /var/log/*

/var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
/var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2

root@computer:/home/user# grep -ir BREAK-IN /var/log/*
/var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!



How can I find out if this system has been compromised?

What are the steps I need to take to secure it?
--
Kind regards,
Yudi
 
08-27-2011, 03:38 PM
Brad Alexander

securing the system, stopping unnecessary services and closing open ports.

Ports 139, 445 and 901 are samba running. Port 631 is cups, your printer driver. 111 and 2049 are for NFS. If you don't need them, you should be able to turn them off. If you do need it, then you should be able to firewall it, using iptables to limit access to the hosts or subnets you need.


On Sat, Aug 27, 2011 at 11:05 AM, yudi v <yudi.tux@gmail.com> wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp open smtp
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 901/tcp open samba-swat
> 2049/tcp open nfs
>
> I run a desktop email client that uses SMTP; apart from that, I do not know why the rest of the above services are open.
>
> It even had SSH listening on 22; I changed the port number and also changed PermitRootLogin to no in /etc/ssh/sshd_config after looking at the following output. I also installed gufw and set it to deny by default.
>
> root@computer:/home/user# grep -ir "Failed password" /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
>
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
>
> How can I find out if this system has been compromised?

If you are looking for ssh attempts, you should peruse /var/log/auth.log and look for unusual logins. The ones like you mention above are failed. You could run fail2ban or another one that watches your ssh port and in the event of too many failed attempts, can block the IP through iptables. Be careful, because if someone spoofs the address, then you could block some site that you need to access.


Another idea would be to run a Host-based Intrusion Detection System (HIDS). Tripwire is a classic example, as it does md5sums of critical files and you run it against your machine looking for changes. However, I have come to prefer OSSEC (http://ossec.net), which does md5summing in the background:


OSSEC HIDS Notification.
2011 Aug 25 07:25:59

Received From: (013hornet) 192.168.224.13->syscheck

Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/sudoers'
Size changed from '552' to '692'
Old md5sum was: 'fc78e5599202f204e48df73a15e81533'

New md5sum is : '377364efbaefe7138d3fe4081d98b592'
Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'


but also watches your logs for events:
OSSEC HIDS Notification.
2011 Aug 25 06:43:57


Received From: (056worf) 192.168.224.56->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Aug 25 06:43:56 worf su[9338]: + ??? root:nobody


Having said all of that, if you suspect your machine was compromised (the failed logins messages in the logs only indicate that you had some failed attempts), nuke it and rebuild. After you rebuild, set up iptables, ossec, run nmap or nessus on it and put it back in service.


Regards,
--b


> What are the steps I need to take to secure it?
> --
> Kind regards,
> Yudi
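Brad's advice above (read auth.log for unusual logins; let fail2ban block addresses with too many failures) can be scripted. The following is an added example, not code from the thread, from fail2ban or from Debian: a POSIX shell script that summarises sshd events from an auth.log sample in the format Yudi quoted. The sample lines, hostnames and addresses are constructed for the example (RFC 5737 documentation ranges), and the ban threshold of 3 is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): summarise sshd events in auth.log.
# Every function reads log lines on stdin, so on a real host:
#   flag_ips 5 < /var/log/auth.log

# Constructed sample in the format quoted in the thread; hosts and
# addresses are made up (RFC 5737 documentation ranges).
SAMPLE_AUTH_LOG='Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 203.0.113.7 port 56631 ssh2
Aug 14 13:50:41 computer sshd[3553]: Failed password for root from 203.0.113.7 port 56631 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for host.example [198.51.100.23] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 198.51.100.23 port 22792 ssh2
Aug 15 22:13:14 computer sshd[5129]: Failed password for invalid user admin from 198.51.100.23 port 22792 ssh2
Aug 15 22:13:19 computer sshd[5129]: Failed password for invalid user oracle from 198.51.100.23 port 22801 ssh2
Aug 16 09:02:01 computer sshd[6010]: Accepted publickey for user from 192.0.2.10 port 50122 ssh2'

# "count address" per source of "Failed password" events, busiest first.
# The "from" token is located by position because "invalid user NAME"
# shifts the fields for unknown accounts.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses with at least $1 failures: what fail2ban would ban via iptables.
flag_ips() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Successful logins as "user address method": the lines to review by hand.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11, $7 }'
}

# Reverse-DNS mismatch warnings, counted separately: they record that the
# client address did not map back to its hostname, not a login.
breakin_warnings() {
    grep -c 'POSSIBLE BREAK-IN ATTEMPT' || true
}

echo "Failed password attempts per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
echo "Sources at or above 3 failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_ips 3
echo "Accepted logins:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
echo "Reverse-mapping warnings:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | breakin_warnings
```

Addresses flagged this way are the candidates for a temporary iptables drop, which is what fail2ban automates; Brad's caveat applies, so such a ban should expire rather than be permanent. The accepted-login list is the part worth reading in full, since a successful login from an unexpected address says more than any number of failures.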
 
08-27-2011, 04:16 PM
Joe

securing the system, stopping unnecessary services and closing open ports.

On Sun, 28 Aug 2011 01:05:47 +1000
yudi v <yudi.tux@gmail.com> wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp open smtp
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 901/tcp open samba-swat
> 2049/tcp open nfs
>
> I run a desktop email client that uses smtp apart from that I do not
> know why rest of the above services are open.

An email *client* needs no ports open, assuming the firewall is a
stateful one, as pretty well all are. Nothing connects to it, it
connects to other servers as needed.

139, 445 and 901 suggest you are running samba, which is not normally
necessary on a desktop machine, unless you are making network shares
available from it. If that's not what you intend, remove or disable
samba. If you need to connect to Windows shares on the same subnet,
install smbclient. If you use shares between subnets, you may need the
full samba for its nmbd component, which can use WINS servers or even
be one.

ipp is CUPS, the network printing server, and you know whether you need
that. RPCbind is needed with nfs. I wouldn't have thought you'd need
that, as it's the *nix network filing system, and you wouldn't be using
that by accident.

>
> it even had SSH listening on 22, changed the port # and also changed
> PermitRootLogin to no in /etc/ssh/sshd_config after looking at the
> following output:
> also installed gufw and set it to deny as default.
>
> root@computer:/home/user# grep -ir "Failed password" /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed
> password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed
> password for invalid user admin from 190.24.225.223 port 22792 ssh2
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse
> mapping checking getaddrinfo for
> corporat190-24225223.sta.etb.net.co[190.24.225.223] failed - POSSIBLE
> BREAK-IN ATTEMPT!
>
>
> how can I find out if this system has been compromised?

You can try chkrootkit and rkhunter, but the latter at least works
better if it has scanned the system in a known clean state. Neither is
automatic: you either run them manually or use a cron job. Booting from
a live CD will allow you to compare ps and other normally-compromised
binaries with the correct hashes as shown by whatever repository you
use. The bottom line is that you cannot be completely sure, but if ps
hasn't been touched you are probably OK.

>
> what are the steps I need to take to secure it?

As you say, deny root logins, but I would strongly recommend dropping
passwords altogether and using keys. If you connect from Windows, you
will already know about PuTTY, which generates its own keypairs and
(currently I believe) can't use *nix-generated keys. The change of port
number is often denigrated as 'security by obscurity', but then what
else is a digital certificate? If running ssh on an obscure port
prevents pretty much all automated password brute-forcing (and it does)
then you're better off than many other people have been.

What Internet connection do you have, and what is forwarded? If you are
only forwarding ssh from a stateful packet filtering NAT router, then
you already have quite a lot of protection to other services, but I'd
still use at least a second line of filtering, as you have now done.
The gufw application and several other 'firewalls' are front ends to
iptables/netfilter, the actual packet filter.

Use netstat to check what services you have listening, and on which
interfaces. Most services can be configured to listen only to some
interfaces, and many only need to use localhost, so they can be closed
off from outside access. The open ports you need depend on what local
networking you do.

There's more, of course, but it's a lifetime study. Others will no
doubt offer more suggestions.

--
Joe


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110827171616.293b2fc9@jretrading.com
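Joe's points (deny root logins, prefer keys over passwords) and Yudi's PermitRootLogin change are checks one can run against sshd_config. This is an added example, not code from the thread or from OpenSSH: a shell function that reads a directive's effective value the way sshd does (the first uncommented occurrence wins, and keywords are case-insensitive), used to audit a constructed weak configuration beside a hardened one. Both configuration texts and the port numbers in them are made up for the example.

```sh
#!/bin/sh
# Added example (not from the thread): audit sshd_config settings.
# Both configurations below are constructed for the demo.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes'

HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# Effective value of a directive: sshd takes the FIRST uncommented occurrence
# of a keyword, and keywords match case-insensitively.  Prints the value, or
# "(default)" when the directive is absent.  $1 = config text, $2 = keyword.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }'
}

# One OK/WARN line per check discussed in the thread.  $1 = config text.
audit_sshd() {
    root=$(sshd_setting "$1" PermitRootLogin)
    pw=$(sshd_setting "$1" PasswordAuthentication)
    pk=$(sshd_setting "$1" PubkeyAuthentication)
    case "$root" in
        no|prohibit-password|without-password)
            echo "OK   PermitRootLogin=$root" ;;
        *)  echo "WARN PermitRootLogin=$root: root can be guessed at directly; set it to no" ;;
    esac
    case "$pw" in
        no) echo "OK   PasswordAuthentication=no" ;;
        *)  echo "WARN PasswordAuthentication=$pw: password guessing possible; use keys and set it to no" ;;
    esac
    case "$pk" in
        no) echo "WARN PubkeyAuthentication=no: key logins disabled, passwords are the only option" ;;
        *)  echo "OK   PubkeyAuthentication=$pk (the default is yes)" ;;
    esac
}

# Number of WARN lines, handy for a cron job that mails when it is non-zero.
warn_count() {
    audit_sshd "$1" | grep -c '^WARN' || true
}

echo "--- weak ---";     audit_sshd "$WEAK_SSHD_CONFIG"
echo "--- hardened ---"; audit_sshd "$HARDENED_SSHD_CONFIG"
```

On a real host, `audit_sshd "$(cat /etc/ssh/sshd_config)"` runs the same checks. This text-level check does not evaluate `Match` blocks or compiled-in defaults; `sshd -T` prints the effective configuration with both applied and is the authoritative view.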
 
08-27-2011, 04:18 PM
Chris Brennan

securing the system, stopping unnecessary services and closing open ports.

On 8/27/2011 11:38 AM, Brad Alexander wrote:
> Ports 139, 445 and 901 are samba running. Port 631 is cups, your printer
> driver. 111 and 2049 are for NFS. If you don't need them, you should be
> able to turn them off...If you do need it, then you should be able to
> firewall it, using iptables to limit access to the hosts or subnets you
> need.
>
> On Sat, Aug 27, 2011 at 11:05 AM, yudi v <yudi.tux@gmail.com
> <mailto:yudi.tux@gmail.com>> wrote:
>
> Nmap suggests the following ports are open:
>
> 25/tcp open smtp
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 901/tcp open samba-swat
> 2049/tcp open nfs
>
> I run a desktop email client that uses smtp apart from that I do not
> know why rest of the above services are open.
>
> it even had SSH listening on 22, changed the port # and also
> changed PermitRootLogin to no in /etc/ssh/sshd_config after looking
> at the following output:
> also installed gufw and set it to deny as default.
>
> root@computer:/home/user# grep -ir "Failed password" /var/log/*
> /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed
> password for root from 60.242.242.121 port 56631 ssh2
> /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed
> password for invalid user admin from 190.24.225.223 port 22792 ssh2
> root@computer:/home/user# grep -ir BREAK-IN /var/log/*
> /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse
> mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co
> [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
>
>
> how can I find out if this system has been compromised?
>
>
> If you are looking for ssh attempts, you should peruse /var/log/auth.log
> and look for unusual logins. The ones like you mention above are failed.
> You could run fail2ban or another one that watches your ssh port and in
> the event of too many failed attempts, can block the IP through
> iptables. Be careful, because if someone spoofs the address, then you
> could block some site that you need to access.
>
> Another idea would be to run a Host-based Intrusion Detection System
> (HIDS). Tripwire is a classic example, as it does md5sums of critical
> files and you run it against your machine looking for changes. However,
> I have come to prefer OSSEC (http://ossec.net), which does md5summing in
> the background:
>
> OSSEC HIDS Notification.
> 2011 Aug 25 07:25:59
>
> Received From: (013hornet) 192.168.224.13->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/sudoers'
> Size changed from '552' to '692'
> Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
> New md5sum is : '377364efbaefe7138d3fe4081d98b592'
> Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
> New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'
>
> but also watches your logs for events:
> OSSEC HIDS Notification.
> 2011 Aug 25 06:43:57
>
> Received From: (056worf) 192.168.224.56->/var/log/auth.log
> Rule: 40101 fired (level 12) -> "System user successfully logged to the
> system."
> Portion of the log(s):
>
> Aug 25 06:43:56 worf su[9338]: + ??? root:nobody
>
> Having said all of that, if you suspect your machine was compromised
> (the failed logins messages in the logs only indicate that you had some
> failed attempts), nuke it and rebuild. After you rebuild, set up
> iptables, ossec, run nmap or nessus on it and put it back in service.
>
> Regards,
> --b
>
>
> what are the steps I need to take to secure it?
> --
> Kind regards,
> Yudi
>
>

If you need to actively scan for a rootkit, you can check out rkhunter,
chkrootkit or sleuthkit, just to name a few.

If you want to get creative with tools, my gentoo box has this in
app-forensic:

afflib air chkrootkit examiner galleta lynis magicrescue
metadata.xml ovaldi rdd rkhunter sleuthkit zzuf
aide autopsy cmospwd foremost libewf mac-robber memdump
openscap pasco rifiuti scalpel yasat

You can try some of these if you want, but I've only used the three I
initially mentioned.

--
Chris Brennan
--
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
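Brad's OSSEC alert, Joe's suggestion to compare binaries against known-good hashes from a live CD, and the aide entry in Chris's package list all rest on the same mechanism: a checksum baseline recorded while the system is known clean, compared against the current state later. The following is an added example, not code from the thread, OSSEC, tripwire or aide, that implements that baseline and comparison in POSIX shell with sha256sum and demonstrates it on a scratch directory. The file names and contents in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the thread, tripwire, aide or OSSEC): a minimal
# file-integrity baseline and comparison, the idea behind those tools.
# Paths are assumed not to contain spaces (the record format is space-separated).

# Record "sha256 size path" for every regular file under $1, sorted by path
# so that two baselines of the same tree diff cleanly.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                            "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# Compare the saved baseline ($1) with the directory's current state ($2).
# Prints "CHANGED path", "ADDED path" or "REMOVED path", sorted.
check_baseline() {
    make_baseline "$2" | awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, f, " "); old[f[3]] = f[1] " " f[2]
            }
        }
        {
            if (!($3 in old))              print "ADDED", $3
            else {
                if (old[$3] != $1 " " $2)  print "CHANGED", $3
                delete old[$3]
            }
        }
        END { for (p in old) print "REMOVED", p }' | LC_ALL=C sort
}

# Demo on a scratch directory: take a baseline, then edit one file, add one
# and delete one.  Findings are reported relative to the scratch directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/etc"
    printf 'Defaults env_reset\n' > "$work/etc/sudoers"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"
    make_baseline "$work/etc" > "$work/baseline.txt"   # in practice, keep this off the host

    printf '# edited later\n' >> "$work/etc/sudoers"    # the kind of change the OSSEC alert reports
    printf 'x\n' > "$work/etc/new.conf"
    rm "$work/etc/sshd_config"

    check_baseline "$work/baseline.txt" "$work/etc" | sed "s#$work/etc/##"
    rm -rf "$work"
}

demo
```

The baseline is only as trustworthy as the system it was taken on and the place it is kept: on a box that may already be compromised, record it from a live CD and store the file off the host. Real tools also record owner, mode, inode and mtime, and sign or hash the baseline itself, which this sketch omits.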
 
08-27-2011, 07:13 PM
Gilbert Sullivan

securing the system, stopping unnecessary services and closing open ports.

On 08/27/2011 02:43 PM, Brian wrote:

> A natural history expedition searching for unicorns and dodos would have
> as much success as these two programs are likely to have.



I was once on a natural history expedition. We found no unicorns, but we
did find dodos. We weren't looking for them, but we did find them -- one
night while we were looking at each other around the camp fire.


And I like playing with chkrootkit and rkhunter. It gives me something
to do in those moments when I miss fiddling with the vast array of
anti-malware programs I used to use in Windows.


8-D



Archive: http://lists.debian.org/4E5941F6.10408@comcast.net
 
08-27-2011, 07:28 PM
Ralf Jung

securing the system, stopping unnecessary services and closing open ports.

Hi,

> ipp is CUPS, the network printing server, and you know whether you need
> that.
Now that you mention it... I also see cups listening on all devices:
$ sudo netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1646/cupsd

I need CUPS for printing, but my laptop is for sure not a printing server, so
no open port is necessary. cupsd.conf contains this

# Only listen for connections from the local machine.
Listen localhost:631

However, as you can see, it still opens the port on all interfaces. Is that a
bug, or is the configuration incorrect?

Kind regards,
Ralf


Archive: http://lists.debian.org/201108272128.42920.ralfjung-e@gmx.de
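Joe's advice to use netstat to see what is listening and on which interfaces, and Ralf's cupsd listing, both come down to reading the Local Address column. The following is an added example, not code from the thread, from CUPS or from net-tools: a shell filter that classifies `netstat -nlp` lines by whether the socket is bound to a wildcard address (reachable on every interface) or to loopback only. The listing it runs on is constructed for the example; the PIDs and program names are made up.

```sh
#!/bin/sh
# Added example (not from the thread): classify listening sockets from
# `netstat -nlp` output by the address they are bound to.  Reads the
# listing on stdin, so on a real host:  sudo netstat -nlp | exposed_listeners

# Constructed sample listing (PIDs and program names are made up).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1646/cupsd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1702/smbd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::445                  :::*                    LISTEN      1702/smbd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1646/cupsd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           988/dnsmasq'

# Print "proto port program" for each socket whose local address is of kind $1:
# "wildcard" (0.0.0.0 or ::, reachable on every interface) or "loopback"
# (127.0.0.1 or ::1).  The port is the text after the LAST colon, so an IPv6
# address such as :::445 splits correctly.  The program is the last field,
# which covers tcp lines (with a State column) and udp lines (without one).
listeners_bound_to() {
    awk -v want="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::")          kind = "wildcard"
            else if (addr == "127.0.0.1" || addr == "::1")  kind = "loopback"
            else                                            kind = "other"
            if (kind == want) print $1, port, $NF
        }'
}

exposed_listeners() { listeners_bound_to wildcard; }
loopback_only()     { listeners_bound_to loopback; }

echo "Reachable from every interface:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "Bound to loopback only:"
printf '%s\n' "$SAMPLE_NETSTAT" | loopback_only
```

In the constructed listing cupsd has a TCP socket on loopback, which is what `Listen localhost:631` produces, and a separate UDP socket on the wildcard address. In CUPS 1.x the UDP socket on 631 is opened by the printer browsing subsystem (`Browsing` and `BrowseAddress` in cupsd.conf), not by `Listen`, so the two are configured independently. On current systems `ss -lnp` gives the same information as `netstat -nlp`.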
 
08-27-2011, 09:19 PM
Aniruddha

securing the system, stopping unnecessary services and closing open ports.

On Sat, Aug 27, 2011 at 5:05 PM, yudi v <yudi.tux@gmail.com> wrote:

> Nmap suggests the following ports are open:
>
> 25/tcp open smtp
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 901/tcp open samba-swat
> 2049/tcp open nfs

Which nmap command did you use? What happens when you do a 'Common Ports' scan with Shields Up (https://www.grc.com/x/ne.dll?bh0bkyd2)? What kind of internet connection and modem do you have?
 
08-28-2011, 01:39 AM
yudi v

securing the system, stopping unnecessary services and closing open ports.

Just to clarify my post.
This is a new install and I was a bit careless while installing. It has no data on it. I was more concerned with LUKS+LVM working at install. I did not realize I selected to install SSH; I do not use Samba or NFS, not sure how those got installed. Again, it might have been an oversight.

On my other system I have SSH set up with fail2ban, and only using pub keys. I was going to set up the same config on this system but got sidetracked.

I use postpaid mobile broadband and my IP is both the system address and the gateway. There is no NAT with postpaid service; it's only available with prepaid in Australia. Not sure why.

The only things I need are CUPS and SMTP for Zimbra.

I will disable the rest. I guess I have to use update-rc.d.

There's a lot of info here I haven't heard about before. I will go through it and post back.


--
Kind regards,
Yudi
 
08-28-2011, 03:12 AM
Scott Ferguson

securing the system, stopping unnecessary services and closing open ports.

On 28/08/11 11:39, yudi v wrote:

> Just to clarify my post.
> This is a new install and I was a bit careless while installing. It has
> no data on it. I was more concerned with LUKS+LVM working at install. I
> did not realize I selected to install SSH, I do not use Samba or NFS not
> sure how those got installed.


With KDE by default you get libnfsidmap and nfs-common. Samba (server)
is not installed by default - though something else may have pulled it
in. On boxen that don't use them I just remove and purge nfs and
samba (likewise ssh).



> Again it might have been an oversight.
>
> On my other system I have SSH setup with fail2ban, and only using pub
> keys. I was going to setup same config on this system but got sidetracked.
>
> I use postpaid mobile broadband and my IP is both the system address and
> the gateway. There is no NAT with postpaid service, it's only available
> with prepaid in Australia. Not sure why.


Not sure what you mean there.... I suspect you mean only postpaid allow
a static IP address (for some accounts). I use both prepaid and
postpaids USB UMTS modems with different ISPs - they all use the same,
weird, setup where the remote address is "defaulted to" (different dogs,
same leg action) - perhaps that's the NAT you're referring to??


ie. Could not determine remote IP address: defaulting to 10.64.64.64[*1]

eg. ppp0 inet address and p-t-p are different, and the ip I use for
remote access is different again (the one shown in http://myip.dk)



> The only things I need are CUPS and SMTP for Zimbra.
>
> I will disable the rest. I guess I have to use update.rc-d.


you could just remove them
eg:-
# apt-get --purge remove libnfsidmap2 nfs-common samba

if you don't use samba at all (cifs-utils samba samba-common
samba-common-bin smbfs) then change "samba" to "samba*"


I'd suggest using -s instead of --purge first - just in case samba was
originally pulled in by another package which you want to keep.




> There's lot of info here I haven't heard about before. I will go through
> it and post back.
>
> --
> Kind regards,
> Yudi



NOTE: just because a port is "open" doesn't necessarily mean it's
accepting connections.


Cheers

[*1] PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED

--
"You ever noticed how people who believe in Creationism look really
unevolved? You ever noticed that? Eyes real close together, eyebrow
ridges, big furry hands and feet. "I believe God created me in one day"
Yeah, looks liked He rushed it."

— Bill Hicks



Archive: http://lists.debian.org/4E59B23A.8010303@gmail.com
 
08-28-2011, 08:37 AM
yudi v

securing the system, stopping unnecessary services and closing open ports.

>> I use postpaid mobile broadband and my IP is both the system address and
>> the gateway. There is no NAT with postpaid service, it's only available
>> with prepaid in Australia. Not sure why.
>
> Not sure what you mean there.... I suspect you mean only postpaid allow a static IP address (for some accounts). I use both prepaid and postpaids USB UMTS modems with different ISPs - they all use the same, weird, setup where the remote address is "defaulted to" (different dogs, same leg action) - perhaps that's the NAT you're referring to??
>
> ie. Could not determine remote IP address: defaulting to 10.64.64.64[*1]
>
> eg. ppp0 inet address and p-t-p are different, and the ip I use for remote access is different again (the one shown in http://myip.dk)

My system IP for ppp0 is 101.***.***.*** and it's not static,
but from what I can remember all postpaid accounts in Australia have 10.***.***.*** addresses and are behind NAT. The only way I could SSH was by reverse port forwarding. I eventually ended up getting postpaid.

That's how it works in Australia. I believe you are not in Aus.

See this post for more info.
http://forums.whirlpool.net.au/forum-replies.cfm?t=1488078




>> The only things I need are CUPS and SMTP for Zimbra.
>>
>> I will disable the rest. I guess I have to use update.rc-d.
>
> you could just remove them
> eg:-
> # apt-get --purge remove libnfsidmap2 nfs-common samba
>
> if you don't use samba at all (cifs-utils samba samba-common samba-common-bin smbfs) then change "samba" to "samba*"
>
> I'd suggest using -s instead of --purge first - just in case samba was originally pulled in by another package which you want to keep.

Thanks for the info. Will definitely uninstall samba and nfs.


--
Kind regards,
Yudi
 
