Darxus on Mon, 4 Mar 2002 23:43:49 -0500



Re: security tips - Re: [PLUG] serving webpages from home


On 03/04, Jon Galt wrote:
> With all my machines behind a linksys router, I would think what I need to
> port scan is the linksys router on the WAN side, although I'm not sure how
> to do this, unless it would be to unplug from the DSL modem and plug a
> computer in place of it and scan from there.  I don't think it's possible
> to run nmap from within my LAN and scan the WAN side of the router, or is 
> it?

Nope.  You still want to portscan your server, from outside, *through* your
router, to see what people would see from outside.  Well, I guess if the
only access to your server is ports forwarded from your router, then yes,
you would portscan the IP of your router.  If you would like me to portscan
it for you, let me know in private and I'd be happy to - you're posting
from the address which is listed as the admin and billing contact for the
domain, so I figure you're sufficiently authoritative to request this.  

> Thank you, I already see security advisories, at linuxsecurity.com.  Do
> you have an opinion on SWUP?

No.

> > A good step to take is to remove all software that you don't need.  Any
> > program that is on the system is another possible security vulnerability.
> 
> Is this still true with the Linksys router (BEFSR41) in place?  One thing
> I'm sure I should do is keep the Firmware up to date on the router.

I don't think it's a step many people actually take, except possibly in the
case of dedicated firewall machines.  But yes, it is always helpful.  If an
intruder manages to get non-root shell access to your box, he could use
another exploit in any installed application to gain root access.

Having a router which is forwarding only authorized ports and firewalling
everything else doesn't make you invulnerable.  An exploit could be
discovered in the latest version of apache - which you have given the
entire world access to via the forwarded port 80.  

Two of the things that are very useful for securing servers are chrooting
and chowning the application.  chrooting is telling the application
that a particular directory is actually the root of the filesystem,
and not allowing it any access to any files outside of that directory,
so if an exploit is used against it, only files within the chroot jail
can be touched.  chowning is running the application as a non-root user,
which would mean if an exploit is used against the application, they
will only get userlevel access instead of root level access.

Chowning is common for a bunch of stuff, and chrooting is common for
bind/dns, but I am wondering why chrooting apache isn't more common.  I
guess for the number of people that make user/public_html work as
http://hostname/~user.  But since I don't, it makes sense for me to chroot
apache.

> In my router logs, I notice a lot of attempted accesses of various ports,
> one port (137) repeatedly attempted from 207.217.77.82.  Since that port 
> (the Netbios SMB service) is not forwarded anywhere, I should be OK wrt to
> that, right?  There are others as well, and I'm guessing that anything
> other than 80 (http), 25 (smtp), and 22 (ssh) should not constitute a
> security risk...?

Yeah, if you see connection attempts on ports you've got blocked, don't
worry about it.  You may want to look into http://www.dshield.org/ -
they collect firewall logs and attempt to do useful things with them.

-- 
"I would believe only in a God that knows how to Dance." - Nietzsche
http://www.ChaosReigns.com

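The chroot-and-chown sequence discussed in the message, as an added C example (not code from the original post or from any project it mentions). It shows the order that matters: chroot() first (it needs root), chdir("/") so the working directory is not left outside the jail, then supplementary groups, gid and finally uid, and a check that setuid(0) fails afterwards. The jail path and the 65534 uid/gid in the usage comment are placeholders.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `jail` and drop to uid/gid.
 * Returns 0 on success, -1 (errno set) at the first failing step.
 * Order: chroot() needs root, so it goes first; chdir("/") keeps the
 * cwd inside the jail; groups, then gid, then uid, because once the
 * uid is non-zero the earlier calls would be refused. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never "drop" to root */
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;   /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Confirm the drop is real and irreversible: if a saved root uid
 * survived, setuid(0) would succeed. Returns 1 if unprivileged. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (setuid(0) == 0) return 0;             /* must fail with EPERM */
    return 1;
}

int main(int argc, char **argv)
{
    /* Run as root, e.g.: ./jail /srv/www-jail 65534 65534 (placeholder values) */
    if (argc != 4) { fprintf(stderr, "usage: %s JAILDIR UID GID\n", argv[0]); return 2; }
    uid_t uid = (uid_t)atoi(argv[2]);
    gid_t gid = (gid_t)atoi(argv[3]);
    if (jail_and_drop(argv[1], uid, gid) != 0) {
        fprintf(stderr, "jail_and_drop: %s\n", strerror(errno));
        return 1;
    }
    printf("confined; unprivileged=%d\n", privileges_dropped(uid, gid));
    /* execv() the real daemon here; it inherits the jail and the uid. */
    return 0;
}
```

A daemon started this way only needs the files it copies into the jail (its own binary, shared libraries, config), which is why chrooting is easy for bind and awkward for an apache serving every user's ~/public_html.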