[vox] Basic security issues

Karsten M. Self kmself at ix.netcom.com
Mon May 30 22:08:21 PDT 2005


on Wed, May 11, 2005 at 12:58:57PM -0700, Richard Crawford (rscrawford at mossroot.com) wrote:
> Long story short:  last week I ran nmap from my Linux box at work to
> check for open ports on my home network.  

As you've probably discovered, an activity which carries some risks,
most of which are cultural rather than technical.  Depending on politics
and personalities, you may want prior approval to do such things in
future.

> One of the ports nmap scanned was 31337.  Because that's the port that
> Back Orifice uses, our department's IT -- a Microsoft zealot --
> decided that someone was trying to hack into our network to use Back
> Orifice on one of our systems.  

I'm impressed that he detected the scan.

Just one additional note of caution.  There are a few port scan
detectors for GNU/Linux.  Snort is probably the better one, and is
passive.  The older, deprecated, Portsentry, actually _opens_ the ports
it monitors.  This gave a few friends and me mild heart attacks a ways
back when we found a very "chatty" box run by one of us.  Turns out it
had portsentry running on it.

Moral:  open ports are not of and by themselves signs of malicious
software.

> After demonstrating that because the 31337 scan was directed at my own
> machine and because it coincided precisely with the time that I was
> running nmap and that my home machine is not vulnerable to Back
> Orifice anyway, the IT guy has still decided that because of this I
> should not be allowed to use a Linux workstation at my desk (despite
> the fact that I maintain two Solaris servers and two Linux servers as
> part of my job).  For sanity's sake, I did run a full chkrootkit and
> system log scan on my machine just to make sure it hadn't been
> compromised.

Note that any diagnostics done from within the system / install being
inspected are themselves somewhat suspect.  The cracker might cover his
tracks in a way that you can't determine.  This is rare, but should be
considered.

Incidentally, it's probably going to be a worse problem for legacy MS
Windows users than GNU/Linux folks in the near future:

    http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html
    RSA:  Microsoft on 'rootkits':  Be afraid, be very afraid
    Paul Roberts
    February 17, 2005

    Microsoft Corp. security researchers are warning about a new
    generation of powerful system-monitoring programs or "rootkits"
    that are almost impossible to detect using current security
    products.

...the upshot being that these may be used in conjunction with adware /
spyware.
 
> So just because I'm cantankerous, I want to demonstrate that using a
> laptop running Linux is better for our network than a desktop running
> Windows.  I've already disabled all non-essential services, including
> sshd.  What other steps could I take?  

Several.  Most of which are varying levels of pain to set up and
maintain (you have to keep poking holes to allow necessary stuff
through), and which provide relatively little added benefit.

I'd suggest you find out what the expectations and concerns of your LAN
administrator are.

> I'm thinking about using IPTABLES to block all outbound traffic on
> ports other than 21, 22, 80, and 110.  

53 may be useful at times.  Similarly 443.

> And I wonder if it's possible to allow traffic on those ports to
> specific destinations only; for example, to allow port 22 to connect
> only to my home machine and to the servers I maintain here at work, or
> to allow 21 to connect only to our hosting provider (who allows only
> FTP access to our files).  

Yes.

If you're going to go this route, I'd recommend a FW tool such as
Shorewall, or one of the other IP filters helper tools, as they tend to
result in easier-to-maintain configs.

> None of this is necessary, of course, but, as I said, I'm cantankerous
> and I have a point to prove, dammit.
> 
> What are your thoughts?  Suppose this were a Linux laptop that you'd give to a 
> company employee?  What services and ports would you allow on it?

I'd simply point out that J. Random legacy MS Windows Box is likely a
greater source of vulnerabilities than a GNU/Linux system.

One step you could take which IMO _would_ be useful is to enable and use
remote logging.  Being able to show what was happening on a box at a
given point in time, on an out-of-band logging system, can be quite
useful.

I think your biggest problem isn't readily addressed by tweaking
IPTables configs or running system daemons.


Peace.

-- 
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   I guess "the El Pueblo de Nuestra Senora la Reina de los Angeles del Rio
   de Porciuncula diet" just doesn't have the same ring....
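
The outbound filter discussed in the thread (ports 21, 22, 80 and 110 plus Karsten's 53 and 443, with 22 and 21 limited to specific destinations) written out as a raw iptables script, added here as an example and not code from the thread or any of its participants. Shorewall would generate something equivalent from a higher-level config. The addresses (home machine, the four work servers, the FTP host, the LAN resolver) are assumed placeholders from the RFC 5737 documentation ranges; the script assumes the `state` match and, for passive FTP, the conntrack FTP helper. By default `IPT=echo` so it only prints the rules; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Egress filter for a single GNU/Linux workstation: default-deny outbound,
# with the handful of services the thread mentions poked through.
# All addresses below are assumed placeholders; override them in the environment.
HOME_HOST="${HOME_HOST:-192.0.2.10}"                 # assumed: the home machine
WORK_SERVERS="${WORK_SERVERS:-198.51.100.5 198.51.100.6 198.51.100.7 198.51.100.8}"  # assumed: 2 Solaris + 2 Linux servers
FTP_HOST="${FTP_HOST:-203.0.113.20}"                 # assumed: hosting provider (FTP only)
DNS_SERVERS="${DNS_SERVERS:-198.51.100.1}"           # assumed: LAN resolver
IPT="${IPT:-echo}"    # dry run by default; set IPT=iptables (as root) to apply

apply_rules() {
    # Start from a clean OUTPUT chain and drop anything not explicitly allowed.
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP

    # Loopback, and packets belonging to connections already tracked.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS (53) only to the configured resolver(s); UDP and TCP.
    for dns in $DNS_SERVERS; do
        $IPT -A OUTPUT -p udp -d "$dns" --dport 53 -j ACCEPT
        $IPT -A OUTPUT -p tcp -d "$dns" --dport 53 -j ACCEPT
    done

    # SSH (22) only to the home machine and the servers maintained at work.
    for host in $HOME_HOST $WORK_SERVERS; do
        $IPT -A OUTPUT -p tcp -d "$host" --dport 22 -j ACCEPT
    done

    # FTP (21) only to the hosting provider.  Passive-mode data connections
    # are accepted via RELATED above once the conntrack FTP helper is loaded.
    $IPT -A OUTPUT -p tcp -d "$FTP_HOST" --dport 21 -j ACCEPT

    # HTTP, HTTPS and POP3 to anywhere.
    for port in 80 443 110; do
        $IPT -A OUTPUT -p tcp --dport "$port" -j ACCEPT
    done

    # Log what falls through before dropping it, rate-limited so a noisy
    # program cannot flood syslog.  These lines are what you would forward
    # to an out-of-band log host.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
    $IPT -A OUTPUT -j DROP
}

apply_rules
```

Rule order matters: the ESTABLISHED,RELATED rule comes first so replies are not re-evaluated, the destination-restricted rules come before the unrestricted ones, and the LOG rule sits directly above the final DROP so every blocked attempt leaves a trace.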
