Can my system be hacked?

Place to discuss Fedora and/or Red Hat


Postby agent007 » Sat Nov 15, 2003 4:48 am

hi all,

I need to know if my Red Hat 9 box is fully secure. I have disabled nearly every service which I don't need. The following are the ones enabled. Would it be possible to exploit any of the services below and gain root? Also, are there any other ways one can gain r00t?



syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off




thanks.
agent007
administrator
Posts: 254
Joined: Wed Feb 12, 2003 11:26 pm

Postby Void Main » Sat Nov 15, 2003 6:41 am

Theoretically, if you keep your system up to date with all the latest security patches daily, expose only the minimal ports necessary to the internet, and use encryption and good passwords, you should be pretty safe, but still *anything* connected to a network can potentially be cracked. You just have to make it as difficult as possible by minimizing the risk.

You have done one of many pieces of the security puzzle. You have reduced the number of services you have running to a minimum. Although important, I believe it to be slightly less important than having a good firewall that reduces the number of open listening ports to the internet. The best number to have would be "0". Have someone nmap your external address and see what ports are exposed. For instance if you nmap me you will see that my port 80 is exposed (voidmain.is-a-geek.net/Apache) and you might also see that port 22 is in the "filtered" state. Nothing else should be open.

That means no matter how many services I have running on any of my machines behind that firewall, if someone were to break in from the internet they would have to do it through Apache. They could also try to spoof an IP address to the one that I allow in on ssh, but it would be highly unlikely that they would be able to figure out which source IP address(es) I allow to come through my firewall. Even if they were to figure out which address(es) I allow in via ssh, successfully doing anything over a spoofed address would be extremely unlikely.

Now, since Apache is the most exposed service, I put the machine that it is running on in a separate network called a "DMZ" which is connected to a 3rd Ethernet interface on my firewall. The reason I put it into a DMZ is so that if someone were to actually break into that machine via an Apache exploit or misconfiguration, they will still not get to the rest of the machines behind my firewall in my private network. It's almost like having multiple firewalls. Having it in the DMZ also allows me to expose more services on the machine that can only be used from my other machines on my private network. Usually the access level logic for a 3 interface firewall goes something like this:

Internet -> Private network - No Access
Internet -> DMZ - Minimal Access
DMZ -> Private network - No Access
DMZ -> Internet - Minimal Access
Private Network -> DMZ - Anywhere from Minimal to Full Access (various reasons)
Private Network -> Internet - Anywhere from Minimal to Full access (various reasons)

Obviously, the closer you can come to "No Access" in all of the above areas without it being too painful then your security increases.

As for your question about gaining root: there are several ways of becoming root on a machine, but if your services are all up to date with the latest security patches (no known holes) *and* you have them properly configured, and you use good password security for any exposed service that allows logins, then there shouldn't be much of a chance of gaining root remotely. Of course, if they can gain local user access their chances of gaining root increase, because they could try to gain root via a local exploit (again, keep your system up to date). And lastly, if they have physical access to the machine then getting administrative access on any machine, regardless of OS, is fairly trivial.

The third and fourth big pieces of the security puzzle, which work from the other end, are good logging and intrusion detection. The best logging is to have a separate log server where all of your machines log to remotely. This prevents a cracker from wiping out the logs on the machine they gained access to and makes it easier to hunt them down. Intrusion detection can detect unusual network events and alert you that someone is trying to do something fishy like trying to hack into your system (see "snort" and "acid").

But when it comes down to it, I am convinced that every program on every operating system is vulnerable. Hopefully the good guys find the vulnerability before the bad guys and you can fix it before the bad guys can exploit it. You'll know what needs to be done if you think like that (paranoia is under rated).

I know you were looking for a short answer, but that question didn't have a short answer. I guess if you asked the question "Is my Red Hat 9 box fully secure?" and wanted a short answer I would have to say "no". But that is the answer I would give to anyone that asked that question about any computer running any operating system and any software. And it would be the correct answer.

Now, if you do all of the things I mention above, you will be more secure than 99% of the rest of the internet. 90% of the internet can be exploited trivially. If you don't believe me see:

http://voidmain.is-a-geek.net/spam/
http://voidmain.is-a-geek.net/codered/

Odds are, if they can't break into your system easily, they will move on to another system that *is* easy to break in to. There are plenty of them out there. But then if someone wants to target you directly they may spend more time trying. That's where the intrusion detection system comes in handy.

Hope this helps in some way...
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
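The access matrix above, written out as an iptables ruleset for a three-interface firewall. This is an added example, not Void Main's actual firewall script; the interface names, the DMZ web server address and the single source address allowed to reach ssh are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: an iptables policy for a three-interface firewall
# (Internet / private network / DMZ) that follows the access matrix in the
# post above. Interface names, the DMZ web server address and the single
# source allowed to reach ssh are assumptions for illustration; they are
# not Void Main's real configuration.
WAN=eth0                 # assumed: Internet-facing interface
LAN=eth1                 # assumed: private network
DMZ=eth2                 # assumed: third interface, the DMZ
DMZ_WEB=192.168.2.10     # assumed: Apache host in the DMZ
ADMIN_SRC=203.0.113.5    # assumed: only source allowed to ssh to the firewall

# dmz_firewall <command>: every rule is issued through the given command,
# so "dmz_firewall echo" previews the ruleset and "dmz_firewall iptables"
# installs it (needs root). "-m state" is the 2.4-kernel-era connection
# tracking match; current kernels also accept "-m conntrack --ctstate".
dmz_firewall() {
    IPT=$1

    # Start clean, default deny for traffic to and through the box.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The firewall itself: loopback, replies to its own connections, and ssh
    # from the one allowed address. Any other SYN to port 22 hits the DROP
    # policy, which is why nmap reports the port as "filtered".
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp -s $ADMIN_SRC --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $LAN -j ACCEPT

    # Return traffic for any forwarded connection, whichever side opened it.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: minimal access. Port 80 is redirected to the web
    # server and only that flow may be forwarded in.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
    $IPT -A FORWARD -i $WAN -o $DMZ -p tcp -d $DMZ_WEB --dport 80 -m state --state NEW -j ACCEPT

    # Internet -> private network: no access. Nothing matches, so the
    # FORWARD policy drops it.

    # DMZ -> private network: no access, stated explicitly so that it stays
    # ahead of any broader DMZ rule added later.
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP

    # DMZ -> Internet: minimal access (DNS, and HTTP/HTTPS for updates).
    $IPT -A FORWARD -i $DMZ -o $WAN -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Private network -> DMZ: wider access, e.g. ssh and the extra services
    # the post exposes only to the private side.
    $IPT -A FORWARD -i $LAN -o $DMZ -m state --state NEW -j ACCEPT

    # Private network -> Internet: full access, hidden behind the WAN address.
    $IPT -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

# With no argument the script only prints the rules; "apply" installs them.
case "${1:-show}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward
           dmz_firewall iptables ;;
    *)     dmz_firewall echo ;;
esac
```

Run it with no argument to review the generated rules before applying them, then verify from outside with nmap as the post suggests: only 80/tcp should show open and 22/tcp should show filtered. For a single dial-up host with nothing to forward, the INPUT section alone (default DROP, loopback, ESTABLISHED,RELATED) is the "allow nothing initiated from the internet" policy that comes up later in the thread.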

Postby agent007 » Sat Nov 15, 2003 9:28 am

wow! You always impress me with detailed answers VoidMain... Thanks!! Thing is, I'm on a dial-up, so doing updates is just out of the question. I need to keep things secure some other way.

None of the above services are supposed to 'talk' on the internet. I mean, they are not like Apache or Sendmail. So, how is it possible to exploit them?

Following is the result from NMAP:

Port State Service
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20



Have disabled IPTABLES too, since there are some exploits floating around for it. Hence, if I cannot update it to the latest version, why run it at all?

thanks.

Postby Void Main » Sat Nov 15, 2003 10:04 am

agent007 wrote:

None of the above services are supposed to 'talk' on the internet. I mean, they are not like Apache or Sendmail. So, how is it possible to exploit them?


Not exactly true. The "xfs" service can be configured to listen so you can have one font server and all your clients can access it to serve them fonts. Red Hat/Fedora comes with xfs configured to not listen on tcp ports by default so in this case you are correct. But that does not prevent any manually started applications from opening up a port and listening on it.

agent007 wrote:

Following is the result from NMAP:

Port State Service
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20


Prime example of a manually (or automatically) started application that does not fall into the "service" category but can open a port and listen on it, in this case X. Just another piece of software a cracker could use to gain access to your system should they find an exploit for it or should it not be configured securely.

agent007 wrote:

Have disabled IPTABLES too, since there are some exploits floating around for it. Hence, if I cannot update it to the latest version, why run it at all?


What exploit are you referring to? I can't imagine that having X opened up to the world is more secure than having iptables running. The only problem with iptables that I am aware of is a certain combination of kernel/iptables installed in RH8.0 and below:
http://www.securityfocus.com/bid/8481/info/
http://www.securityfocus.com/bid/8481/discussion/

And can be fixed by:
http://www.securityfocus.com/bid/8481/solution/

And of course the security announcements on the main iptables web site:
http://www.netfilter.org/

iptables "is" your firewall software and thus the most critical piece of your security. It also proves my point that everything is vulnerable, even firewalls have bugs (hardware and software firewalls) that can reduce security.

At minimum, if the version of iptables/kernel you have installed has vulnerabilities then you could upgrade those pieces, then configure iptables to not allow any connections initiated from the internet. Then it is not as critical for you to make sure your system is up to date. That makes a lot more sense to me than not running iptables.

This will also cover you if you want to bring up mysql/postgresql/apache/etc for testing and forget to turn it back off. You aren't "accidentally" exposed. If you block all incoming you have a lot more freedom to use your machine any way you want.

Of course a dialup connection is a moving target and less likely than permanently connected computers to get hacked, but the possibility still exists.
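The point of the reply above is that chkconfig only tells you about services; anything started by hand (X on 6000/tcp here) can open a port too, so the listening sockets themselves are what to audit. The script below is an added example, not code from the thread: it reads the /proc/net/tcp table that netstat uses, prints every socket in LISTEN state, and tags any not bound to loopback as exposed. It assumes an x86 (little-endian) host, where /proc/net/tcp prints addresses as host-order hex (0100007F is 127.0.0.1); the sample table at the bottom is constructed to mirror the nmap result in the post.

```shell
#!/bin/sh
# Added example (not from the thread): list every TCP socket in LISTEN state
# straight from /proc/net/tcp, so manually started programs that open a port
# (X on 6000 in the post above) show up alongside xinetd/chkconfig services.
# Assumes an x86 (little-endian) host: /proc/net/tcp prints the address as
# host-order hex, so 0100007F is 127.0.0.1.

# hex_to_ip <8 hex digits>: host-order hex address to dotted quad.
hex_to_ip() {
    a=$((0x$1))
    printf '%d.%d.%d.%d' $((a & 255)) $(((a >> 8) & 255)) $(((a >> 16) & 255)) $(((a >> 24) & 255))
}

# audit_listeners: reads /proc/net/tcp format on stdin and prints one line
# per listener, "exposed <ip>:<port>" or "local <ip>:<port>".
audit_listeners() {
    # field 2 = local address, field 4 = socket state; 0A is TCP_LISTEN.
    awk 'NR > 1 && $4 == "0A" { print $2 }' |
    while IFS=: read -r ip_hex port_hex; do
        ip=$(hex_to_ip "$ip_hex")
        port=$((0x$port_hex))
        case $ip in
            127.*) tag=local ;;      # reachable only from this machine
            *)     tag=exposed ;;    # 0.0.0.0 or a real interface address
        esac
        printf '%s %s:%s\n' "$tag" "$ip" "$port"
    done
}

# Constructed sample in /proc/net/tcp layout: X listening on 0.0.0.0:6000
# (0x1770), sendmail on 127.0.0.1:25 (0x0019), and one established client
# connection (state 01) that must be ignored.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9100 1 00000000 300 0 0 2 -1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9101 1 00000000 300 0 0 2 -1
   2: 0A00000A:8B2E 5E0A2A4B:0050 01 00000000:00000000 00:00000000 00000000   500        0 9102 1 00000000 20 4 31 5 -1
EOF
}

# On a live box:  audit_listeners < /proc/net/tcp
# Here, against the constructed sample:
sample_proc_net_tcp | audit_listeners
```

Against the sample this prints "exposed 0.0.0.0:6000" and "local 127.0.0.1:25"; the established connection is skipped. On a real Red Hat 9 box the same view is `netstat -tlnp`, which also names the owning process. For the X case specifically, the usual remedy is to start the server with `-nolisten tcp` so it only accepts local connections over its Unix socket, and to keep the host firewall dropping unsolicited inbound traffic so a forgotten listener is not exposed anyway.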

Postby agent007 » Sun Nov 16, 2003 9:59 am

hmm....Things are pretty much clear now. Thanks for the info as usual VoidMain!

IPTABLES up and running...Working on the ruleset... :D

Postby ZiaTioN » Tue Nov 25, 2003 1:07 pm

To tell you the truth, seeing how you are on dialup, you are in no real danger of being hacked. I say this partly because of the service-eliminating steps you have already taken, but mostly because every time you dial up you receive a new IP address. Every time. This is not the same as a DSL or cable connection where you have a constant connection to the internet and where your IP address can remain the same over an extended period of time. (I have had a so-called dynamic address stay the same for over a year before.)

Even if someone did do quite a bit of work to find your address and scan it and try to exploit it, they would have to do all this while you were in the middle of an active online session. If you were to log off and then log back on, your IP would have changed and the cracker would have to start all over again trying to find your address.

The idea here is like Void has said. Nothing is impenetrable, but the fact is most hackers are of average to very poor skill and are lazy. The crackers you would be in danger of do script kiddie things such as downloading an already written exploit and port scanning for this specific vulnerability to run the exploit against. Now with that said, if you make it hard for them to get in then 99% of the time they will move on to someone else a little easier.

They have no real interest in hacking you specifically. All you are is a port and IP address to them. If they cannot get in in, I would say, 10 or 15 minutes, they will move on.

The hackers/crackers that would be a threat to all do not waste their time on home users. There is nothing in it for them. The script kiddies hack home users to try and prove they can do it. The pros already know they can do it, so they point their efforts in more lucrative areas (like governments and companies).

All in all I would say you are relatively safe. If you ever find out you have been hacked and the hacker keeps coming back then more than likely he installed a poisoned shell or added himself to the root group or just knows your root password, etc.. You can simply disconnect your machine denying physical access to the box and clean your machine.

Governments and companies are not as lucky. They cannot just disconnect. They have systems that cannot go offline and customers they cannot afford to inconvenience with downtime.
ZiaTioN
administrator
Posts: 460
Joined: Tue Apr 08, 2003 3:28 pm

Postby Void Main » Tue Nov 25, 2003 2:10 pm

I agree partly with what you say. The part that I agree with is that the chances are low that someone will have an easy time of cracking his system specifically. Many cracks are automated though, and he would be just as susceptible to one of those as any system. They take about 2 seconds to install through a known exploit/hole/default configured network service. If they can root your system, anything is possible, even if only to damage your system. Personally I am just as security conscious on a dialup connection as I am on any other, even though chances are fewer hack attempts would be successful.

My dad runs Windows on a dialup network. I believe he's had every virus/worm known to Microsoft. Yes, many of those were installed via email attachments, but some have been installed via exploits in known network service vulnerabilities and surely automated as part of the exploit/worm/virus. The same thing can happen in Linux if it isn't kept up to date and proper security measures aren't followed. Of course, for each step you take you are that much safer. The first step is to not run Windows. The second step is to have a good firewall. The third step is to keep your system up to date. etc...

Postby ZiaTioN » Tue Nov 25, 2003 2:50 pm

oh yeah for sure. I thought we were talking specific crack attempts made by another person with the intent to exploit your system. I was not talking about worms or virii.

Although most worms do use known exploits to propagate I was not including worms in what I stated. The most basic anti virus updates should cover you on that. Subscribe to a news letter too like bugtraq or securityfocus. They usually have more up2date info on the newest exploits and worms.

Take the Blaster worm: it used the vulnerable RPC (remote procedure call) service, which runs by default on port 135 on all Windows operating systems. The actual code for that exploit (which I got my hands on) did the spreading of the worm, but then a second file altogether was downloaded to the exploited machine and then run. This second file was the actual virus or worm code. This is the code that did the random port scans and buried itself into the system and everything else that worm did.

I view the 2 files as being separate entities, the first being the exploit, the second being the worm. And yes, you are right, the Blaster worm is an excellent example of an automated "hack" or exploit. And again you are also right, because I ran just the exploit code against one of my Windows boxes I left unpatched for testing and it took less than 2 seconds to gain root on the system.

I, however, was not susceptible to this worm from outside my internal network due to my firewall and NAT router.

Postby Void Main » Tue Nov 25, 2003 3:05 pm

Well, again I agree partly with what you say. :) I really shouldn't have brought Windows into the conversation as he is working with Linux. I just brought it up because it is more susceptible to the problems. Also, antivirus usually doesn't help, for a couple of reasons: one being we are talking about Linux, and two being that the automated type of attack (Blaster-like, if you will) usually spreads extremely fast, and on vulnerabilities that the virus vendor doesn't even know about yet.

I should have used "Mafia Boy" as an example. If you don't remember, Mafia Boy was a kid from Canada that brought Yahoo and several other big name sites to their knees for several hours with a DDoS attack. He used automated scanners and root kits to exploit Linux machines with a specific vulnerability (in BIND, if I recall). It worked similar to Blaster in that it would exploit one machine, turn that machine into a scanner to exploit other machines, and at a certain time they would start flooding certain target sites with ICMP. A couple of things would have prevented this: 1) not running bind (minimal services running), 2) iptables configured to not allow incoming internet traffic, 3) a system that was up to date with the latest security patches. It didn't discriminate; dialup users were affected along with everyone else.

Postby agent007 » Wed Nov 26, 2003 11:55 am

Thing is, I always try to rule out the 'ifs'. So, by removing the 'if' from the equation, and if the cracker wanted to have some fun, I'd say he would be successful if I had things like Apache, sendmail etc. running..

ZiaTioN wrote:

Even if someone did do quite a bit of work to find your address and scan it and try to exploit it, they would have to do all this while you were in the middle of an active online session. If you were to log off and then log back on, your IP would have changed and the cracker would have to start all over again trying to find your address.


