Best way to lock-down linux. 2

[maharamDan]

Besides the obvious what are some ways from limiting hackers to get to your box. I have enabled a firewall, shutdown ssh and un-needed services. My friend said he will hack my box and does not need ssh or the root password. He also said he wont be coming in through a service that is running. Any ideas?

 

[sleipnir214]

Make sure your firewall configuration is sufficiently paranoid. It should only accept connections on the ports you specify and drop everything else.

Make sure you're running the most secure versions of all software.

It would be a good idea to run Bastille Linux on your machine.

Also, if your friend had access to your machine, he may have already installed a root kit. Run at least one of Rootkit Hunter and chkrootkit to make sure there's nothing untoward installed on your system.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[maharamDan]

Thanks for the advise sleipnir. The sob still got in a messed around with everything. I ran chkrootkit and could not get bastille to work. The firewall was on as well. Maybe I left a port open. Who knows. He is a RHCE so he must know something I don't.

Thanks again.

 

[stefanwagner]

Which services are still running?
Will he tell you how he came in?

seeking a job as java-programmer in Berlin:

http://home.arcor.de/hirnstrom/bewerbung

 

[maharamDan]

He said he got in through GRUB and changed the run level. He also made an account that is equivalent to root. All my commands are messed up. I can’t do ps vi anything...it comes up with various slogans.

 

[sleipnir214]

got in through GRUB"?

As in, he did this from the console of the machine?



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[stefanwagner]

..........uuuuuh.
Foul!
Hacking a machine with physical access (but without services running! attention!)!
I'm deeply impressed!

Did you know that I can hack your machine by changing the Harddisks?

Well - cause I'm super-hacker-cracker-hero!
Own a screwdriver - he he!

seeking a job as java-programmer in Berlin:

http://home.arcor.de/hirnstrom/bewerbung

 

[maharamDan]

Yes he did it from the console of the machine.

 

[sleipnir214]

maharamDan:
If he had access to the console, it's little wonder he got in.

Linux, as a unix-like operating system, is designed with the idea that only the system operator will have physical access to the keyboard plugged into the server. All other users will access the machine through system services, like ssh, telnet and the like.

Because of this design, by default Linux, unlike Win32, does not intercept CTRL-ALT-DELETE. If you go to a standard Linux installation and hit CTRL-ALT-DELETE, the machine will begin shutting down and rebooting. Once the boot loader prompt comes up, it is very easy to boot Linux into single-user mode, which gives the person standing at the console complete access to the system -- without needing to know the root user's login, because the system will not ask for it.

So as a first line of defense for securing Linux, NEVER EVER EVER LET ANY HOSTILE OR POSSIBLY HOSTILE AGENCY ACCESS THE CONSOLE.


The first order of business is, therefor, to physically secure the machine. In short, put it behind a locked door.

Barring that, or perhaps into addition to that, there are a couple of steps you can take to secure the console.

First is to reconfigure Linux so that it does not reboot when you hit CTRL-ALT-DELETE. All it takes is an edit to /etc/inittab. Check out this link for more information:

http://www.linux.com/howtos/Remote-Serial-Console-HOWTO/security-ctrlaltdel.shtml

Second is to add a boot loader password. Since he stated he got in through grub, that must be the boot loader you are using. See

http://fedoranews.org/contributors/chua_wen_kiat/fc2_guide/#changegrubpassword

for information on changing or setting the grub password.




Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[maharamDan]

Thanks a lot. I am going to install fedora core 2 now. I will add these features. Thanks again.

 

[franklin97355]

Make sure you password protect grub the next time.

 

[franklin97355]

Also turn off booting from the floppy and CD drives.

 

[lgarner]

And then put a password on the BIOS setup. I think that's probably about as far as I'd go.

You could get really ambitious and internally disconnect i/o devices, and then weld the case shut, and then ...

 

[LawnBoy]

Crimeny, you can break into any system from the console! The first step in computer security is PHYSICAL SECURITY. Put a boot password on it, lock the BIOS, and make sure it won't boot from anything other than your Primary drive. Then lock the entire box up in a closet that only you have the keys to (and to be absolutely secure, you should then unplug the power cord).

 

[fluid11]

haha, I'm the "hacker" who got in. I was going to do an actual hack over the network, but when he left for the day and I saw his box sitting on the desk it was too tempting to just get in through runlevel 1. Why waste my time hacking services when I can use the bootloader?

The hardest part was fixing the machine after he "secured" it from me. I don't know what he did, but he locked himself out too. When you tried to login with any user account, it drops you back to the login prompt with no error message. I finally figured out that his PAM files were screwed up. I had to edit the /etc/pam.d/system-auth file to allow logins from the console to get a user account to log in.

After that I simply aliased some commmon commands to '/bin/echo "something"' just to mess with him.

BTW, installing a GRUB password is completely useless if you have physical access to the machine. Its a minor inconvenience at best and it will take maybe 2 minutes longer to gain root access.

fyi, been kinda busy lately and haven't logged into tek-tips in months but maybe I'll start back in the Linux forums this week. Grab that top spot back.

ChrisP
RHCE, LPIC-1, CCNA, CNE, MCSE, +10 others

 

[maharamDan]

I'll take the keyboard with me and f up the ps2 ports and serial ports on the back.

(Note to everyone: fluid is my friend and I told him to do this.)

 

[fluid11]

If you really want to secure the machine from me, pull the power supply out and toss it out the window

Actually, I would run LIDS and write some strict rules, but thats no good for a workstation. It would cause more trouble than its worth, but it does work well.

Other things to note:
- LIDS
- iptables
- disable un-needed services
- run apt-get and update all of your packages
- secured physical access to the machine of course
- running chkrootkit like sleipnir suggested is a good idea. You can run this periodically from cron. Its also a good idea to write a Perl script to check for things like duplicate UID 0's in /etc/passwd, which is what I did to you to create a root-equivalent account.
- Tripwire - the king of file integrity checkers. Just make sure to copy your tripwire database to a read-only medium and run your tripwire checks from that. Also, use the siggen utility to check the signatures of the Tripwire binaries and store the sigs on the read-only medium. Then write a perl script to check those signatures on the read-only medium against the signatures on the files periodically. This will protect against a hacker changing the Tripwire binaries, such as tripwire, twadmin, and the siggen utility itself. I would run siggen from the read-only medium as well.

ChrisP
RHCE, LPIC-1, CCNA, CNE, MCSE, +10 others

 

[flugh]

The root-hack-via-physical-access is very similar to the denial-of-service-via-physical-access. If you approach the physical terminal, you pick it up, take it out into the parking lot, tie it to the bumper of your '73 Pinto, and drag it around the block a few times. Hehe, let 'em try to hit yahoo.com after a few of those pot-hole-packets curb-side-pings ;-)

----
JBR