Jon Galt on Mon, 4 Mar 2002 23:02:58 -0500



Re: security tips - Re: [PLUG] serving webpages from home


Darxus,

Thanks for all the tips.  Comments/questions interspersed below.

On Mon, 4 Mar 2002 Darxus@chaosreigns.com wrote:

> * Portscan your box (probably with nmap) and verify that there are no ports
>   open that you do not need open.  If you do not know why a port is open,
>   close it. Removing a port from /etc/services *may* work, but it is the
>   *wrong* way.

With all my machines behind a linksys router, I would think what I need to
port scan is the linksys router on the WAN side, although I'm not sure how
to do this, unless it would be to unplug from the DSL modem and plug a
computer in place of it and scan from there.  I don't think it's possible
to run nmap from within my LAN and scan the WAN side of the router, or is
it?

> * Make sure that at least the software you have listening on open ports is
>   updated religiously.  You want to minimize the time between new exploits
>   being found and you upgrading to avoid them being used against you.  I
>   upgrade all software on all of my linux boxes about daily (with
>   the command "apt-get update;apt-get dist-upgrade" under debian).

I'm running Apache, sshd, and Postfix, and the appropriate ports for
those are forwarded from my router to my server.  My Linux distribution is
Trustix 1.5, so I have subscribed to the tsl-announce list.

> * Google.com search for linux security, subscribe to a few mailing lists
>   that announce new security holes in things, especially one that is
>   specific to your linux distribution.  Read everything.

Thank you, I already see security advisories, at linuxsecurity.com.  Do
you have an opinion on SWUP?

> Do not ever use telnet or ftp.  They transmit your username and password
> in cleartext - unencrypted and easily sniffable.  Uninstalling any
> telnet or ftp server applications is a good idea, and many of us do.
> Use ssh and scp (or anything else encrypted that you like) instead.  If you
> need to access your box from a windows machine, I suggest putty (GPLed
> windows ssh client, google.com search for it).

I do have ftpd running (but not forwarded from outside) so that I can
easily transfer files between computers on my LAN (via WS_FTP on the
Win98 box).  I just found proftpd in my /etc/rc.d/init.d directory.  The
man page says it is supposed to be enhanced and be "secure", but I don't
see anything about security.  It is not running.

> A good step to take is to remove all software that you don't need.  Any
> program that is on the system is another possible security vulnerability.

Is this still true with the Linksys router (BEFSR41) in place?  One thing
I'm sure I should do is keep the firmware up to date on the router.

In my router logs, I notice a lot of attempted accesses of various ports,
one port (137) repeatedly attempted from 207.217.77.82.  Since that port
(the Netbios SMB service) is not forwarded anywhere, I should be OK wrt
that, right?  There are others as well, and I'm guessing that anything
other than 80 (http), 25 (smtp), and 22 (ssh) should not constitute a
security risk...?

Thanks,
Wayne



______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
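The question at the end of Wayne's mail (do hits on ports other than 22, 25 and 80 matter when only those are forwarded?) comes down to splitting the router's inbound log into attempts that can reach a service on the LAN host and attempts the router drops. The script below is an added example for this thread, not code from the original post or from either participant. It assumes a constructed, simplified log format (timestamp, source, destination); the real BEFSR41 log format is not shown in the thread, so `parse_line()` would need to be adapted to whatever the firmware actually writes. The forwarded-port set comes from the thread; the addresses in the sample lines are constructed from documentation ranges.

```python
"""Triage inbound connection attempts from a home router log against the
set of ports that are actually forwarded to the server.

Added example for this thread, not code from the original post.  The log
format below is a constructed, simplified one (timestamp, source IP:port,
destination IP:port); real Linksys BEFSR41 logs look different, so adapt
parse_line() to your firmware's output.
"""
import re
from collections import Counter

# Ports the poster forwards from the router to the Linux box (from the thread).
FORWARDED_PORTS = {22, 25, 80}

# Constructed sample log lines.  The repeated port-137 hits mirror the thread;
# all addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2002-03-04 21:10:03 inbound 198.51.100.7:1345 -> 203.0.113.10:137
2002-03-04 21:10:09 inbound 198.51.100.7:1346 -> 203.0.113.10:137
2002-03-04 21:11:41 inbound 192.0.2.55:2049 -> 203.0.113.10:22
2002-03-04 21:12:02 inbound 198.51.100.7:1347 -> 203.0.113.10:137
2002-03-04 21:15:30 inbound 192.0.2.99:40000 -> 203.0.113.10:21
2002-03-04 21:16:11 inbound 192.0.2.23:3301 -> 203.0.113.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) inbound (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (src_ip, dst_port) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), int(m.group("dport"))


def triage(log_text, forwarded=FORWARDED_PORTS):
    """Split attempts into those that land on a forwarded port (the only ones
    that can touch a service on the LAN host) and those the router drops.

    Returns a dict with:
      'reaching' : Counter of (src_ip, dport) for forwarded ports
      'dropped'  : Counter of (src_ip, dport) for everything else
      'unparsed' : number of lines the parser did not understand
    """
    reaching, dropped, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        src, dport = parsed
        (reaching if dport in forwarded else dropped)[(src, dport)] += 1
    return {"reaching": reaching, "dropped": dropped, "unparsed": unparsed}


def noisy_sources(summary, threshold=3):
    """Sources with at least `threshold` attempts in total, across both buckets."""
    totals = Counter()
    for bucket in ("reaching", "dropped"):
        for (src, _), n in summary[bucket].items():
            totals[src] += n
    return sorted(src for src, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("Attempts reaching a forwarded port (check the service's own logs):")
    for (src, port), n in sorted(s["reaching"].items()):
        print(f"  {src} -> port {port}: {n}")
    print("Attempts dropped at the router (noise unless that port is forwarded):")
    for (src, port), n in sorted(s["dropped"].items()):
        print(f"  {src} -> port {port}: {n}")
    print("Noisy sources:", noisy_sources(s))
```

The "dropped" bucket is exactly the case Wayne describes: port 137 is not forwarded, so those attempts never reach the server, and the only thing that would change that is the router itself (which is why keeping its firmware current, as he notes, still matters). The "reaching" bucket is the short list worth cross-checking against sshd, Postfix and Apache logs.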