They Can't Crack What They Can't Find

They Can't Crack What They Can't Find
noeld@rootprompt.org

The Internet today is a jungle full of predators. Some of these predators are trying to crack your machine others are just looking
for a machine to crack. By using the firewalling tools built into the Linux kernel it is possible to make a desktop machine
virtually disappear from the crackers view.

In this article I will describe how to hide a machine running Linux that uses PPP over a modem to connect to the Internet. I will
use ipchains and the firewalling built into the Linux kernel to protect the services that are running on this machine from
connections across the PPP interface.

For this example, I will use a Debian system with a 2.2.15 Linux kernel on a Debian system. You should note that the firewalling
code in the 2.4 Kernel has undergone a rewrite, but that the examples in this article will still work by loading the ipchains
compatibility module.

We begin right after you have installed Linux on your machine and before you have connected to the Internet. Any connections to the
Internet could leave your machine compromised so it is important to secure your machine before you connect for the first time.

After the install you should turn off all of the services and daemons that you do not need. Each service that is running is one more
that could be vulnerable and will require monitoring for security advisories and updating as new versions are released. To find
where to turn off these services look at what inetd is providing and then look at what daemons the sysV init processes starts.

The file /etc/inetd.conf controls what daemons are started by inetd. Open this file in vi or your favorite editor and comment out
all the lines that you do not need by adding a # to the start of the line. I usually turn off all of the things such as echo,
chargen, finger, talk, rsh, rexec, etc. If I am not going to need them I will also turn off FTP and telnet. If you end up turning
all of the services off then we can turn off inetd itself in the next step.

Example (/etc/inetd.conf):

Before:


echo           stream  tcp     nowait  root    internal
echo           dgram   udp     wait    root    internal
chargen        stream  tcp     nowait  root    internal
chargen        dgram   udp     wait    root    internal
discard        stream  tcp     nowait  root    internal
discard        dgram   udp     wait    root    internal
....
After:

#echo           stream  tcp     nowait  root    internal
#echo           dgram   udp     wait    root    internal
#chargen        stream  tcp     nowait  root    internal
#chargen        dgram   udp     wait    root    internal
#discard        stream  tcp     nowait  root    internal
#discard        dgram   udp     wait    root    internal
....
If you still have services being started by inetd then restart inetd. You can do this by using ps to see what the Process ID (PID)
is for inetd and then sending it a HUP signal with the kill command. This will cause it to re-read it's configuration file.

# ps axwww |grep inetd
  345 ?        S      0:00 /usr/sbin/inetd
  535 pts/1    S      0:00 grep inetd
# kill -HUP 345
Then look at the SysV init system to see what daemons you do not need. One of the easiest ways to do this is to use ksysv. Ksysv is
a graphical manager for the SysV run levels written in tk by Peter Putzer.

If for some reason you can not use this then look inside your /etc directory for a group of directories named /etc/rc1.d /etc/rc2.d
etc. The rc2.d directorie on the example machine looks like this:

$ ls /etc/rc2.d/
S01ipchains  S19nfs-common  S20inetd      S20makedev            S89atd
S10sysklogd  S20alsa        S20linuxconf  S20nfs-kernel-server  S89cron
S14ppp       S20dictd       S20logoutd    S20xfs                S91apache
S18portmap   S20gpm         S20lpd        S20xfstt              S99rmnologin
To prevent a daemon from starting, look for a file in these directories that starts with an S and remove it. For example if we
wanted to turn off inetd we would find all of the startup files for inetd and then remove them:

# ls /etc/rc*.d/S*inetd
/etc/rc2.d/S20inetd  /etc/rc4.d/S20inetd
/etc/rc3.d/S20inetd  /etc/rc5.d/S20inetd
# rm /etc/rc*.d/S*inetd
Once you have reached this point reboot your machine to test the startup scripts. Then use the ps command to see what you have
running and use the netstat command to see what ports are open on your network.


# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address
State
tcp        0      0 0.0.0.0:6000            0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:7101            0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:2628            0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:928             0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:* LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:* LISTEN
udp        0      0 0.0.0.0:926             0.0.0.0:*
udp        0      0 0.0.0.0:1024            0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*              7
raw        0      0 0.0.0.0:6               0.0.0.0:*              7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     213
/tmp/.font-unix/fs7100
unix  0      [ ACC ]     STREAM     LISTENING     171    /dev/log
unix  0      [ ACC ]     STREAM     LISTENING     275
/tmp/.X11-unix/X0
unix  0      [ ACC ]     STREAM     LISTENING     200    /dev/gpmctl
unix  0      [ ACC ]     STREAM     LISTENING     208    /dev/printer
unix  0      [ ACC ]     STREAM     LISTENING     224    fs7101
In this example we see at the top the list of TCP and UDP ports that are open. The Active UNIX domain sockets are not listening on
the network so we can ignore them.

Once you have all the unneeded daemons turned off and have things the way you want them we can set up our firewall rules using
ipchains.

The ipchains program allows you to control the IP firewall rules in the Linux kernel. It seems much more complicated than it is. In
this article I am going to keep things very simple. If you would like to learn more details about ipchains or look at some more
complicated examples then take a look at the How To.

A simple rule to firewall a TCP port from any connection on the ppp0 interface uses something like the following command replacing
$portnumber with the portnumber you want to firewall. It does not matter that the ppp0 interface is not up when you set up the
firewall rules. When the interface does come up the rules will be applied.

ipchains -A input -i ppp0 -p TCP -d 0.0.0.0/0 $portnumber -j DENY
For UDP change the -p TCP to -p UDP.
ipchains -A input -i ppp0 -p UDP -d 0.0.0.0/0 $portnumber -j DENY
To see what rules are defined by using ipchains -L. To suppress DNS and port name lookups use a -n.

This is the output of ipchains -L -n on my example machine.

# ipchains -L -n
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   6
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   80
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   111
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   515
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   928
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   2628
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   6000
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   7101
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   6
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   111
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   926
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
One more needed ipchains option is used to flush a chain -F. To remove all of the rules on the example machine we would use
'ipchains -F input'.
To save your rules for the next time you boot use the ipchains-save program and save the output into /etc/ipchains.rules.

# ipchains-save > /etc/ipchains.rules
When you boot you will restore the rules with ipchains-restore. The following script is from the how to you can place it in
/etc/init.d and then set it up to run by placing a link to the script in the run level of your choice.

#! /bin/sh
  # Script to control packet filtering.

  # If no rules, do nothing.
  [ -f /etc/ipchains.rules ] || exit 0

  case "$1" in
      start)
          echo -n "Turning on packet filtering:"
          /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
          echo 1 > /proc/sys/net/ipv4/ip_forward
          echo "."
          ;;
      stop)
          echo -n "Turning off packet filtering:"
          echo 0 > /proc/sys/net/ipv4/ip_forward
          /sbin/ipchains -F
          /sbin/ipchains -X
          /sbin/ipchains -P input ACCEPT
          /sbin/ipchains -P output ACCEPT
          /sbin/ipchains -P forward ACCEPT
          echo "."
          ;;
      *)
          echo "Usage: /etc/init.d/packetfilter {start|stop}"
          exit 1
          ;;
  esac

  exit 0
When your rules are set up the way you want them you should check them with a port scanner such as nmap. If you do not have a
machine on the net that you can scan your PPP connection from then you can apply the same rules to the lo (local) interface. Just
make sure you do not save the rules with ipchains-save or you may find some things not working.

This is an example of scanning using nmap without any firewall rules in place:

# nmap  hostname

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on hostname (10.0.0.1):
(The 1517 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
111/tcp    open        sunrpc
515/tcp    open        printer
928/tcp    open        unknown
1024/tcp   open        kdm
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
What it looks like when we scan with the firewall rules in place:
# nmap  hostname

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
We can however still ping the machine. Ping uses icmp echo which we have not firewalled. We can turn off responding to icmp echos
with an ipchains rule or by doing 'echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all'. However even that will not make us invisible.
There is more than one kind of icmp packet. An example of this is that tools such as icmpush can be used to "ping" using other icmp
types such as Time Stamp Request.

# ping hostname
PING hostname (10.0.0.0): 56 data bytes

--- hostname ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss

# ./icmpush -tstamp hostname
hostname -> 18:11:22
Turning off icmp_echo does go a long way towards making us invisible but we can firewall more icmp types using ipchains. We can also
use ipchains to insure that icmp packets will never be returned by our machine.

ipchains -A output -i ppp0 -p icmp -j DENY
The downside to doing this is that you will not be able to ping other systems as the firewall rule will stop all outgoing icmp
packets not just replies to packets from the outside.

We do not want to filter all incoming icmp packets because if we do then we will not get host-unreachable and no-route-to-host
messages and all of our connections will just wait for a reply that never comes. We could write a more complicated set of rules that
blocks the icmp packets with more care, but for this example we will not.

By restricting what connections we allow on our exposed interfaces we restrict what we expose to the world. This can have some
advantages in preventing people from finding or exploiting services that we need to run but do not need to share with the Internet.

Using ipchains can get very complicated but it does not need to be used in a complicated way to allow a significant amount of
protection for your machine from a system Cracker's probes and a Script Kiddie's scans.


--
Regard: Joh@nnes´┐Ż
1216771 Ont.Inc.
"Nothing is more damaging to a new truth than an old error"
0
Johannes
3/25/2002 8:43:00 PM
grc.techtalk 27358 articles. 1 followers. Follow

0 Replies
757 Views

Similar Articles

[PageSpeed] 15

Reply:

Similar Artilces:

I can't get no cache, I can't get no cache. 'Cause I try and I try and I try and, I can't get no, I can't get no cache.
I have fiddled out for days tinkering with the setting in about:config trying to get FireFox 12 to use the disk cache. I have NOT found the trick. This One Trick Pony ain't doing it like it used to up until recently. Pray tell anyone, What information can I share that will point a knowledgeable person to aid me in getting FF to disk.cache? I have also tried restarting FF with add-ons disabled, (There were NOT too many to do this to, so it was quick and easy) Here is my stab at trying to convey the information that MIGHT govern matters Using about:cache Informatio...

Re: I can't get no cache, I can't get no cache. ' Cause I try and I try and I try and, I can't get no, I can't get no cache.
<div>please com e see me about htis<br /> <br /> ------- Original Message f= rom the Global Relay Archive -------<br /> From: Hp &lt;ferd@farkel.net&gt;= <br /> To: "support-firefox@lists.mozilla.org" &lt;support-firefox@lists.mo= zilla.org&gt;<br /> Sent: Sun, 27 May 2012 18:30:18 -0700<br /> Subject: I = can't get no cache, I can't get no cache. 'Cause I try and I try and I try = and, I can't get no, I can't get no cache.<br /> <br /></div> <pre class=3D"gr-maex-body-pre&qu...

2010: Can't register - can't download the software - can't register until I have the software
I have active maintenance on Rad Studio: From: Vicky Rassmisaengthong [mailto:Vicky.Rassmisaengthong@EMBARCADERO.COM] Sent: Wednesday, February 25, 2009 1:58 PM To: rgrossman Cc: amer.supportadmin@codegear.com; Ashley Cosentino Subject: Software Assurance Support for Tech III Inc PO# Credit Card Dear Embarcadero Technologies Support Customer, Welcome! You have been registered as the primary contact on support account number AM####### Herewith we confirm your Embarcadero Technologies support agreement covering: Qty 1 RAD Studio Enterprise Named User licens...

Two things,Why do I keep getting emails that I don't want. can't get rid of them? Why can't I get my email when I am out of town? Or can I?
Name: Ed Leech Email: ELCraftatzoominternetdotnet Product: Thunderbird Summary: Two things,Why do I keep getting emails that I don't want. can't get rid of them? Why can't I get my email when I am out of town? Or can I? Comments: I am getting frusted with all the emails coming in that I do not want, I am using the tools to get thme out but they keep coming. They just use different names or whatever. I have been thinking of just switching to something else but my business intrusts know this email and it is tooo confusing to change. Every time I go out of town on bu...

Tomcat can't find novlwww and Httpd2 can't find wwwrun at boot time
Hello, After installing NSS services, when my OES Linux SP2 server finishes loading I see "Failed services in runlevel 3: novell-tomcat4 apache2" Looking in /var/log/boot.msg I see: <notice>start services (novell-tomcat4 novell-nss apache2) Starting tomcat4: chown: `novlwww:www': invalid user su: user novlwww does not exist Starting httpd2 (worker) httpd2-worker: bad user name wwwrun The command line was: /usr/sbin/httpd2-worker -f /etc/apache2/httpd.conf -DSSL failed This is the first OES Linux server on which NSS was installed, and there is no n...

Can't rename variables and can't find references
Hello. I can't rename any parameters or variables. The menu entries for renaming or finding (local) references are disabled in the context menu and the key bindings does not work either. I'm using Delphi2010. Is there a way to fix this? Best Reagards. Martin S. wrote: > Hello. > > I can't rename any parameters or variables. The menu entries for > renaming or finding (local) references are disabled in the context > menu and the key bindings does not work either. > > I'm using Delphi2010. Is there a way to fix this? > Can you bui...

Can't base report on stored procedure--'Can't create Datawindow'
I installed IM65 today to give it a try. I made a db config to our local ASE 11.9.2 engine via Sybase' odbc driver that came with 11.9.2. I start a new report, tell it to be tabular and to get data from a SP. It asks which SP and I tell it. The result is an odbc error: Cannot create DataWindow Intersolv SQL ODBC driver: Incorrect syntax near '='. 1 execute dbo.sp_si_addressbest_;0 RETURN_VALUE = :RETURN_VALUE' I can execute the SP fine from SQL Advantage or from Crytal Reports. Thanks. -- Frank Burleigh Indiana University School of Law Bloomi...

Can't find assemblies, then becomes can't copy pagefile.sys?
 I had a working project, a web service with a .vbproj_deploy project around it and a setup around that that produced an .msi file that worked like a champ.I left to work on another project, and when I came back I started working on a new computer and had to get VS2005 installed there.  Pulled in the old project from source safe and everything built correctly except this one part, where I was told it couldn't find anything to assemble.    Then, going into source safe, I checked in what minor changes I'd made and the next time I loaded VS2005 it told me that d...

Can't add Satellite Server (can't even find option)
Hi there, I have a little Prolem managing a Satellite Server. First of all here's my Environment: I'm using a SLES 10 SP2 as OS with ZCM 10.0.3 installed on it. The server's location is the central DMZ of my Test-Environment of my fictive Company. There are several further Subnets, representing external locations of my fictive Company. In each Subnet there is a Windows XP-Client with the ZCM-Agent installed on it. The devices are listed correctly in the "Devices"-Section. Now I want to make my Windows-Clients a Satellite-Server. In the Admin-Guide t...

USB-DVD: "Can't find the openSUSE Repository", can't install.
Greetings, A happy openSUSE user on my laptop, I want to use it on a new desktop computer / home server. It doesn't have an optical drive, so I've created a bootable USB stick out of a DVD ISO, based on the instructions at 'SDB:Live USB stick - openSUSE' (http://tinyurl.com/7zyvyt5) I can boot without problem from the USB stick, but I'm getting the error "Could not find the openSUSE Repository. Activating manual setup program". It then leads me to a basic, text-only interface, but I can't continue the install. A helpful soul in #suse suggeste...

Can't find EDM wizard (can't add ADO.NET Entity Data Model)
I'm having trouble getting started with EDM.  I'm ultimately trying to experiment with ASP.NET Data Services.  I have never installed any ASP.NET 3.5 Extensions CTPs.  However, I have installed VS2008 SP1 Beta1 and .NET 3.5 SP1 Beta 1.  Based on the list of features in SP1 Beta 1 (http://www.microsoft.com/downloads/details.aspx?familyid=8C36ACA4-E947-4760-9B05-93CAC04C6F87&displaylang=en ) I believe I should have both EDM support and Data Services support. When I try to add a new item to my VS2008 project, ADO.NET Entity Data Model is not in the list.&nb...

Can't install opensuse 12.1 from DVD, installer can't find DVD devices?
Hi, I have an HP pavilion dv7 laptop (3 years old) with Windows and Linux mint in a dual boot mode, and I wanted to install opensuse 12.1 from a DVD over my mint partition. When I boot with the 64bit KDE live CD in my DVD I can get to the menu where I can choose to try the live session or install. If I choose either, I see the linux kernel loading successfuly, then a green screen with opensuse logo, and after about 10 seconds the screen becomes a black text screen, and I see an error message saying that my DVD device wasn't found, and that the system is restarting in 120 se...

Can't load package from repos. Yast2 can't find file /repodata/repomd.xml
I usually use PClinuxOS but I just installed Suse 12.1 and am trying to find and load Cinelerra or Open Shot When I try to add programs I get an error from Yast2: "Cannot access installation media 'Index of /distribution/12.1/repo/non-oss' (http://download.opensuse.org/distribution/12.1/repo/non-oss/) (medium 1) Check whether the server is accessible. URL 'Index of /distribution/12.1/repo/non-oss' (http://download.opensuse.org/distribution/12.1/repo/non-oss/) File '/repodata/repomd.xml' not found on medium 'http://download.opensuse.org/d...

Can't open Can't delete
Name: Mike Gordon Email: mikeatmgendodotcodotnz Product: Thunderbird Summary: Can't open Can't delete Comments: HELP I cannot open thunderbird after latest update. It has an error message thunderbird.exe is not a Win 32 command. I also cannot delet it to reload it I need some help Please Browser Details: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322) ...

Web resources about - They Can't Crack What They Can't Find - grc.techtalk

Resources last updated: 12/24/2015 7:50:49 PM