[lug] Interesting Crash Report

D. Stimits stimits at idcomm.com
Wed Mar 21 12:57:02 MST 2001

David wrote:
> First, thank you Scott and D. Stimits for confirming my fears and also
> for the advice.  I failed all those tests, except lsof, which appears
> not to be on my machine; what/where is it?  I have re-installed 6.2,
> changed my password, killed rpc.statd (how do I disable it, please),
> and renamed nfslock.  I hope to be safe for another ten minutes or so.

If you don't use rpc and NFS, remove the rpm's. There is also the
chkconfig utility, run "chkconfig --list" to view nfs and portmap
entries; disable them with chkconfig also, at all runlevels, 0-6.

lsof on my machine is in /usr/sbin, it might be in /sbin on some
machines. It is a target for crackers, since it can expose them. lsof
looks at an open file, and tells about the process that is opening it.

> I have studiously avoided security issues until now because I have
> plenty of other things to do with my time and I know that a good
> number of hours will be consumed by it.  I have trusted in a quick
> connect and disconnect policy for my security.  This has worked quite
> well really: I was caught when I started surfing a little.  However, I
> suppose the hour cometh, so I have more questions.

I used to do only basic security. I had logging on, and discovered later
how many times I was tested, and ended up worrying.

> What I should like to do is have a two or three machine local network
> in the house connected to the outside world via the television cable;
> the latter for speed and to avoid preventing use of the telephone.
> The local network must accomodate MS NT etc. as well as Linux.  I
> assume that this is a very common setup.  Is that true?  Is it a
> sensible way to go?  Is there something better, and why is it better?
> Do I tie myself to AT&T, or can I use my present ISP, etc?

That's a really big question. Full of things to comment on. The setup is
common, and that is why crackers can use port scanners so effectively.
For one thing, the interface that connects the cable modem should block
anything to do with ports 137 through 139 as a target, whether the
target is inbound or outbound. Anything to do with rpc or nfs should be
blocked on that interface, whether the port destination is inside or
outside. Your imap or pop3 should be completely blocked except for your
ISP's exact mail ip's. Your DNS ports should also be blocked except when
going to your known ISP DNS. Don't even let "bind" on your system if it
isn't the most recent version, and also firewalled against anyone except
it's know connection to the ISP. Disable all telnet and ftp to the
outside world if you don't need it. If you do need them, be sure to
remove all guest and anonymous, and get the most recent versions of the
servers. Kill all printer port access outside of your local net. Etc,
etc, etc.

> I should like to understand what I am doing, rather than simply follow
> a procedure.  Although, in truth, that is only because I know that I
> shall have to fiddle with it later.  So, a question is: where do I
> read about what to do?  What is the best starting point; HOWTOs, buy a
> book (which one), BLUG archives, or what?

I suggest turning on logging for your firewall, and each time it logs
something, checking out what it was that caused the event. For example,
if you see port 113 hit, you might look in /etc/services, see it is
AUTH, and then read about it. I actually prefer AUTH to be available and
not blocked, but I do log it.

> I have read the term ipchains many times; are they part of a good
> technique?  What about tummy's isinglass?  I have heard that a router
> is a good security device; and I have heard that a router is a bad
> security device.  How secure is RedHat 7.1?

ipchains is indispensable. It is the rule set that is created to deny or
accept port packets, or to log them. iptables is the next generation for
2.4 kernels, though ipchains still run.

RH 7.1 in insecure, but it is far better than 7.0 was. Many wiser
choices were made on what services to run by default, and it even offers
an ability to firewall by default during the install. If you tell it
high security during the install, you are actually somewhat safe, though
you'd need to adjust the firewall rules to allow outside connections.
You still need to turn on only needed services, e.g., don't install bind
if you can just point at your ISP's name servers. I think a 7.1 install
stands a chance of defeating some script kiddies, but not all, e.g.,
since you still have to keep up with versions and making the right
choices during install. There isn't a single distribution I'd put on the
net though without some adjustments.

> Yours in ignorance, but hopeful.
> dajo
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list