
Re: Is the default debian machine ripe for port attack?



<quote who="Dan Jacobson">

> is the standard procedure to comment them out one by one in
> /etc/inetd.conf, at least the ones I would never use or worse, let folks
> connect to when i call my ISP?   I see hosts.deny is also wide open.

Comment them out, and remove entirely the ones that you would never
use. To find out which packages they are, check what command line
inetd.conf uses to call the program and run dpkg -S <path>; it should
tell you which package it belongs to.


>
> Is the default debian machine a security eyesore, open ports and all?

Depends; if you do a full install I think it is, yes. Also, last I
checked, BIND still runs as root (by default).

> same time.  What, did I hit "I'm a major ISP" in tasksel by accident?

Not sure, but I haven't used tasksel in ages. When I install a system
I do a bare install (when I get to tasksel I just go to FINISH and let
it do the base install), then install things as I need them. If I want
X on the system I install something that uses X, like gnome-terminal,
and apt-get tags all the dependencies for me; I get about 150 packages
in one go :)

>
> Anyways, do "security professionals recommend that the debian system be
> toned down by the user after installation"?

As a security person myself (not sure if I am a professional, my friends
refer to me as one though), I would highly recommend it, or at least
firewall inbound connections. My co-workers call me a security nazi, so
I go well beyond just firewalling in most cases.

>
> Anyways, before I figure all that out, I suppose I'll do in
> /etc/ppp/ip-up.d/00-ipppd: echo  9 13 21 23 25 37 79 110 111 113 119 143
> 220 444 515 1024 4557 4559 8080 8081 20012|
>  xargs -n 1 ipchains -A input -i ppp0 -p  TCP --syn -j DENY -l
>  --destination-port

I would completely shut off any services you don't need and remove
the ones you won't need.

I run ssh. I don't run ftp (unless there's a specific requirement for it).
I don't run pop3 or imap4 (on a public IP at least); I run sslwrap for
POP3/SSL and IMAP4/SSL and tunnel it to a localhost pop3/imap4 server.
I run identd for irc. 119 is nntp? I haven't used that in years. 444
I don't know what it is. 515 is printer; I would firewall or shut it off.
1024 should usually be open (it's probably being used by BIND?). 4557 and
4559 I don't know what those are; 8080 and 8081 I dunno; 200012 I dunno
either. I also firewall ports 700:1023; most of those ports are used by
rpc services, if you're using any (usually UDP). rpc.statd is the worst
offender, taking a new random port between ~700 and 1023 every time it's
loaded. If you don't need/want NFS or other rpc stuff, take 'em out.

When I audit a machine I don't just depend on nmap; I love lsof. I run

lsof | grep LISTEN

and

lsof | grep UDP

to find all the services that are listening. On my really secure systems
I restrict ssh logins to key only (no passwords accepted); name servers
run as non-root, in a chroot, with zone transfers restricted to slave
nameservers only. The mail server runs (as much as possible) as non-root.
The ldap server runs completely as non-root, and I use the kernel
transparent proxy to forward ports below 1024 to ports above 1024.
I install and tune logcheck to email me reports on system logs.
For more secure environments I use transparent bridging systems to
monitor traffic with snort/demarc/tcpdump, syslog servers, and of
course SSL/SSH for all communications.

Debian can do most of the above, but it takes a LOT of time to
get it done; it would be nice if some of it was set securely by
default.

nate
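The two audit steps nate describes (find which binary each enabled inetd.conf entry calls so it can be fed to dpkg -S, and list listening sockets with lsof, flagging the 700-1023 rpc range) scripted as an added example. This is not code from the mail or from Debian; it assumes the classic seven-field inetd.conf layout (service, socket type, protocol, wait flag, user, server path, arguments, with /usr/sbin/tcpd as an optional wrapper) and the output format of `lsof -i -n -P`, and it works on constructed sample data embedded below so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original mail): helpers for two of the checks
# described above - enabled inetd.conf entries mapped to the binary they run
# (the <path> to give to "dpkg -S"), and listening sockets parsed from lsof.
# SAMPLE_INETD and SAMPLE_LSOF are constructed test data, not a real host.
set -eu

SAMPLE_INETD=$(cat <<'EOF'
# /etc/inetd.conf: constructed sample
#echo      stream  tcp     nowait  root    internal
discard    stream  tcp     nowait  root    internal
ftp        stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet     stream  tcp     nowait  telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd
#finger    stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
pop-3      stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.qpopper
ident      stream  tcp     nowait  nobody  /usr/sbin/identd  identd -i
EOF
)

# Constructed sample in the shape of "lsof -i -n -P" output.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND     PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd       212 root    4u  IPv4    310       TCP *:21 (LISTEN)
inetd       212 root    5u  IPv4    311       TCP *:23 (LISTEN)
inetd       212 root    6u  IPv4    312       TCP *:110 (LISTEN)
named       230 root   20u  IPv4    401       UDP *:53
named       230 root   21u  IPv4    402       TCP *:53 (LISTEN)
named       230 root   22u  IPv4    403       UDP *:1024
rpc.statd   180 root    5u  IPv4    290       UDP *:842
portmap     170 root    4u  IPv4    250       TCP *:111 (LISTEN)
sshd        300 root    3u  IPv4    500       TCP *:22 (LISTEN)
sshd        410 root    4u  IPv4    611       TCP 10.0.0.5:22->10.0.0.9:1032 (ESTABLISHED)
EOF
)

# Read inetd.conf on stdin; print "service binary" for every enabled entry.
# Commented-out and blank lines are skipped, as are "internal" services
# (they live inside inetd itself and belong to no separate package).
inetd_servers() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $6 == "internal"     { next }
        {
            prog = $6
            # tcpd is only the access-control wrapper; the daemon is its argument
            if (prog ~ /\/tcpd$/) prog = $7
            print $1, prog
        }'
}

# Read lsof output on stdin; print "proto port command" for each socket that
# is actually a service: every UDP socket, and TCP sockets in LISTEN state
# (connected TCP sockets such as an established ssh session are dropped).
lsof_listeners() {
    awk '
        NR == 1 { next }
        {
            proto = ""
            for (i = 1; i <= NF; i++)
                if ($i == "TCP" || $i == "UDP") { proto = $i; name = $(i + 1); break }
            if (proto == "") next
            if (proto == "TCP" && $NF != "(LISTEN)") next
            n = split(name, parts, ":")      # port is after the last colon
            print proto, parts[n], $1
        }' | sort -u
}

# Listeners in the 700-1023 range that the mail recommends firewalling,
# where rpc.statd and friends pick a random port at start-up.
rpc_range_listeners() {
    lsof_listeners | awk '$2 >= 700 && $2 <= 1023'
}

echo "Enabled inetd services and the binary to pass to dpkg -S:"
printf '%s\n' "$SAMPLE_INETD" | inetd_servers
echo
echo "Listening sockets (proto port command):"
printf '%s\n' "$SAMPLE_LSOF" | lsof_listeners
echo
echo "Listeners in 700-1023 (probably rpc; firewall or remove):"
printf '%s\n' "$SAMPLE_LSOF" | rpc_range_listeners
```

On a real system replace the samples with `cat /etc/inetd.conf` and `lsof -i -n -P`, and pipe the second column of inetd_servers through `xargs -n 1 dpkg -S` to get the package names; the same lsof_listeners pass also works on plain `lsof` output, except that ports then appear as service names rather than numbers, so the 700-1023 filter needs the `-P` flag.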
-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org