
Re: securing the system, stopping unnecessary services and closing open ports.



On 8/27/2011 11:38 AM, Brad Alexander wrote:
> Ports 139, 445 and 901 are samba running. Port 631 is cups, your printer
> driver. 111 and 2049 are for NFS.  If you don't need them, you should be
> able to turn them off...If you do need it, then you should be able to
> firewall it, using iptables to limit access to the hosts or subnets you
> need.
> 
> On Sat, Aug 27, 2011 at 11:05 AM, yudi v <yudi.tux@gmail.com> wrote:
> 
>     Nmap suggests the following ports are open:
> 
>     25/tcp   open  smtp
>     111/tcp  open  rpcbind
>     139/tcp  open  netbios-ssn
>     445/tcp  open  microsoft-ds
>     631/tcp  open  ipp
>     901/tcp  open  samba-swat
>     2049/tcp open  nfs
> 
>     I run a desktop email client that uses smtp; apart from that I do not
>     know why the rest of the above services are open.
> 
>     It even had SSH listening on 22; I changed the port # and also
>     changed PermitRootLogin to no in /etc/ssh/sshd_config after looking
>     at the following output. I also installed gufw and set it to deny as
>     default.
> 
>     root@computer:/home/user# grep -ir "Failed password" /var/log/*
>     /var/log/auth.log.1:Aug 14 13:50:37 computer sshd[3553]: Failed
>     password for root from 60.242.242.121 port 56631 ssh2
>     /var/log/auth.log.1:Aug 15 22:13:10 computer sshd[5129]: Failed
>     password for invalid user admin from 190.24.225.223 port 22792 ssh2
>     root@computer:/home/user# grep -ir BREAK-IN /var/log/*
>     /var/log/auth.log.1:Aug 15 22:13:08 computer sshd[5129]: reverse
>     mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co
>     [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
> 
> 
>     how can I find out if this system has been compromised?
> 
> 
> If you are looking for ssh attempts, you should peruse /var/log/auth.log
> and look for unusual logins. The ones like you mention above are failed.
> You could run fail2ban or another one that watches your ssh port and in
> the event of too many failed attempts, can block the IP through
> iptables. Be careful, because if someone spoofs the address, then you
> could block some site that you need to access.
> 
> Another idea would be to run a Host-based Intrusion Detection System
> (HIDS). Tripwire is a classic example, as it does md5sums of critical
> files and you run it against your machine looking for changes. However,
> I have come to prefer OSSEC (http://ossec.net), which does md5summing in
> the background:
> 
> OSSEC HIDS Notification.
> 2011 Aug 25 07:25:59
> 
> Received From: (013hornet) 192.168.224.13->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
> 
> Integrity checksum changed for: '/etc/sudoers'
> Size changed from '552' to '692'
> Old md5sum was: 'fc78e5599202f204e48df73a15e81533'
> New md5sum is : '377364efbaefe7138d3fe4081d98b592'
> Old sha1sum was: '9053767a81a35ded809dd7269d984589a8f09d13'
> New sha1sum is : '6bcc831d9407626328651b68dc73763472b11374'
> 
> but also watches your logs for events:
> OSSEC HIDS Notification.
> 2011 Aug 25 06:43:57
> 
> Received From: (056worf) 192.168.224.56->/var/log/auth.log
> Rule: 40101 fired (level 12) -> "System user successfully logged to the
> system."
> Portion of the log(s):
> 
> Aug 25 06:43:56 worf su[9338]: + ??? root:nobody
> 
> Having said all of that, if you suspect your machine was compromised
> (the failed logins messages in the logs only indicate that you had some
> failed attempts), nuke it and rebuild. After you rebuild, set up
> iptables, ossec, run nmap or nessus on it and put it back in service.
> 
> Regards,
> --b
> 
> 
>     what are the steps I need to take to secure it?
>     -- 
>     Kind regards,
>     Yudi
> 
> 

If you need to actively scan for a rootkit, you can check out rkhunter,
chkrootkit or sleuthkit, just to name a few.

If you want to get creative with tools, my gentoo box has this in
app-forensic:

afflib  air      chkrootkit  examiner  galleta  lynis       magicrescue  metadata.xml  ovaldi  rdd      rkhunter  sleuthkit  zzuf
aide    autopsy  cmospwd     foremost  libewf   mac-robber  memdump      openscap      pasco   rifiuti  scalpel   yasat

You can try some of these if you want, but I've only used the three I
initially mentioned.

-- 
> Chris Brennan
> --
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
> http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
> GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8  9E4A EECD 9A84 D5B2 0C0C)
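Brad's advice to read /var/log/auth.log for unusual logins, and to block addresses after too many failed attempts the way fail2ban does, can be scripted. The example below is added here and is not from the thread or from fail2ban; it runs over constructed sample lines, two of which are the failures Yudi quoted, and the rest (extra failures, one password success, one LAN key login) are invented to exercise the rules:

```python
import re
from collections import Counter

# Constructed sample log: the two failures Yudi quoted, the break-in warning,
# plus invented lines (more failures from the same address, one password
# success from it, and one key-based login from the LAN) to exercise the rules.
AUTH_LOG = """\
Aug 14 13:50:37 computer sshd[3553]: Failed password for root from 60.242.242.121 port 56631 ssh2
Aug 15 22:13:08 computer sshd[5129]: reverse mapping checking getaddrinfo for corporat190-24225223.sta.etb.net.co [190.24.225.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 22:13:10 computer sshd[5129]: Failed password for invalid user admin from 190.24.225.223 port 22792 ssh2
Aug 15 22:13:14 computer sshd[5131]: Failed password for invalid user admin from 190.24.225.223 port 22801 ssh2
Aug 15 22:13:19 computer sshd[5133]: Failed password for root from 190.24.225.223 port 22815 ssh2
Aug 15 22:13:25 computer sshd[5135]: Accepted password for user from 190.24.225.223 port 22830 ssh2
Aug 16 09:01:02 computer sshd[6001]: Accepted publickey for user from 192.168.1.20 port 50122 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
BREAKIN = re.compile(r"\[(\S+)\] failed - POSSIBLE BREAK-IN ATTEMPT")

def analyse(log_text, threshold=3):
    """Return (failed attempts per source IP, addresses at or over the
    threshold, successful logins from addresses that had failed earlier).

    The failures alone only show that someone tried, as Brad says; an
    accepted login from one of those addresses is what actually needs
    investigating, and the threshold list is what fail2ban would block."""
    failures = Counter()
    breakins = set()
    suspicious = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := BREAKIN.search(line):
            breakins.add(m.group(1))
        elif m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            if failures[ip] or ip in breakins:
                suspicious.append((ip, user, method, failures[ip]))
    ban_candidates = sorted(ip for ip, n in failures.items() if n >= threshold)
    return failures, ban_candidates, suspicious

if __name__ == "__main__":
    counts, bans, sus = analyse(AUTH_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed attempt(s)")
    print("block candidates:", bans)
    for ip, user, method, n in sus:
        print(f"INVESTIGATE: {user}@{ip} accepted via {method} after {n} failures")
```

Run it against a real file with `analyse(open("/var/log/auth.log").read())`; Brad's caveat about spoofed sources applies to the block list just as it does to fail2ban.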
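The Tripwire/OSSEC syscheck idea Brad describes (record size, md5 and sha1 of critical files, then re-hash and report any change) is small enough to show end to end. This is an added example written for this thread, not OSSEC's or Tripwire's code; it formats its report like the quoted rule 550 alert and demonstrates on a constructed stand-in for /etc/sudoers in a temporary directory:

```python
import hashlib
import os
import tempfile

def file_fingerprint(path):
    """Size, md5 and sha1 of a file: the three values the quoted OSSEC
    syscheck alert (rule 550) reports."""
    h_md5, h_sha1 = hashlib.md5(), hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            h_md5.update(chunk)
            h_sha1.update(chunk)
    return {"size": size, "md5": h_md5.hexdigest(), "sha1": h_sha1.hexdigest()}

def baseline(paths):
    """Record fingerprints for the watched files (keep this copy off the box)."""
    return {p: file_fingerprint(p) for p in paths}

def check(base):
    """Re-hash each watched file; return OSSEC-style reports for any change."""
    reports = []
    for path, old in base.items():
        if not os.path.exists(path):
            reports.append(f"File missing: '{path}'")
        elif (new := file_fingerprint(path)) != old:
            reports.append("\n".join([
                f"Integrity checksum changed for: '{path}'",
                f"Size changed from '{old['size']}' to '{new['size']}'",
                f"Old md5sum was: '{old['md5']}'", f"New md5sum is : '{new['md5']}'",
                f"Old sha1sum was: '{old['sha1']}'", f"New sha1sum is : '{new['sha1']}'",
            ]))
    return reports

def demo():
    """Constructed scenario in a temp dir: a stand-in 'sudoers' is baselined,
    checked (no change), then appended to, as happened in the quoted alert.
    Returns (reports before edit, reports after edit, the size line)."""
    with tempfile.TemporaryDirectory() as d:
        sudoers = os.path.join(d, "sudoers")
        with open(sudoers, "w") as fh:
            fh.write("root ALL=(ALL) ALL\n")
        base = baseline([sudoers])
        before = check(base)
        with open(sudoers, "a") as fh:
            fh.write("user ALL=(ALL) NOPASSWD: ALL\n")
        after = check(base)
        return len(before), len(after), after[0].splitlines()[1]
```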