Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
How to access website through LAN and security issues?
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 545
Location: France

PostPosted: Thu Feb 04, 2016 3:05 pm    Post subject: Reply with quote

pmam wrote:
CneGroumF,

I get this output:
Code:
 netstat -anlp | grep 80
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2760/nginx: master 
udp        0      0 0.0.0.0:38008           0.0.0.0:*                           -                   

First please advise if nginx conf is ok according above output?

Now you know 127.0.0.1 is only a local IP address. :wink:
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Thu Feb 04, 2016 7:05 pm    Post subject: Reply with quote

CneGroumF,

I suspected this output: 127.0.0.1 and saw in your output 0.0.0.0 -
but I saw in all nginx's wikis 127.0.0.1 and thought it is ok -
Probably wikis introduces nginx.conf with 127.0.0.1 to be on the safe side for the first stage - working locally till web site is prepared...
Anyway, analysing tools that you offered me here, are useful and looks I will need them in the future
At the moment, I put 'listen 0.0.0.0;' - hope it is ok -
Now that I worked on nginx/wordpress/php/mysql web site - I quite worry regarding security issues:
I have no idea where to start from - how to get a safe web site?
Neddy well explained the process and gave good ideas and directions,
I found some info here and there, but still do not have a whole security concept to work on.

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42559
Location: 56N 3W

PostPosted: Thu Feb 04, 2016 8:45 pm    Post subject: Reply with quote

pmam,

Good security is like the layers of an onion. It is not to keep out the determined bad guys that may target you.
Its to make clear to an attacker that you have done something to make their task more difficult.
Once they get past the first layer, there is another layer ... and so on.

Eventually, the attacker will get the message that there are easier targets out there and move on.
When that happens, your security has done its job ... it was good enough.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 545
Location: France

PostPosted: Fri Feb 05, 2016 1:04 pm    Post subject: Reply with quote

pmam wrote:
Now that I worked on nginx/wordpress/php/mysql web site - I quite worry regarding security issues:
I have no idea where to start from - how to get a safe web site?

As NeddySeagoon said, the more you do to slow down the attacker's work, the more you'll discourage him/it before the worst happens.
As I'm a pessimist, I'm giving you lots of homework. :lol:

Ideally, you should act everywhere you can. Be paranoid, do not count on only one or two securisation parts to feel quiet. Installing an armored door on a tent is counterproductive.
To secure a system, you first need to understand how it works, how its components work themselves and together, how that interacts with its environment, and what an attacker is likely to do when he/it wants to go into it, or to break it. Then, you'll be able to close as many useless open doors as possible, or at least to reduce the size of the entrances. So, you should start your securisation process by finding and reading some docs on the subject. The keywords "hardening" + <something> on your favorite web search engine are a good start.

The first component to secure is obviously your web service. I don't know nginx, I'm much more comfortable with apache. But I suppose there are roughly the same security enhancement capabilities on nginx. Some research may help you to set the appropriate options with the appropriate values (avoid giving its version to the client, for example), and to add some securisation plugins (on apache, I often use mod_security and mod_evasive).
Apply the same method for PHP, mysql (begin with launching mysql_secure_installation, and saying "yes" to all the questions), and wordpress. If web administration interfaces are provided, try to forbid the access to them from anywhere else than your LAN stations. Set reasonably long and complex passwords for all of the accounts set. Change them regularly. If you can, change the default login names.

Then, the other parts interacting with the rest of the world. Ssh (PermitRootLogin, AllowTcpForwarking, and so on), and, if so, mail services, file services... That implies you know exactly what is running on your system.

Your system, by the way.
- Keep it up-to date. Make inquiries on security breaches (GLSA), fix them as soon as possible.
- Uninstall all you don't _really_ need.
- If not already done, switch to a hardened Gentoo profile. The programs compiled with the hardened toolchain will be more secure, and the hardened kernel offers a lot of useful components (grsecurity, for example), which can restrict the effects of security breaches. Once again, take the time to understand what you are doing before doing it. Inappropriate actions may have unexpected results, such as neutralizing other securisation parts (false-negatives), or making your service too much sensitive to DOS or other attacks (false-positives).
- Set up a firewall (netfilter/iptables), which forbids all you don't have explicitely permitted. Install and configure fail2ban.
- Restrict as more as possible the number of users able to log in, and restrict as more as possible the rights of those users. Set reasonably long and complex passwords for all of them. Change them regularly.
- Configure you syslog server to write every potentially interesting action, and have a look on logwatch, to parse the log files.
- Run an auditing tool, like lynis. It will show you what you forgot.
- (a bit off-topic, but...) Make backups !

Ok, now, your network.
- Be sure all the stuff between your server and internet (especially your router) is properly configured. Disable all you don't _really_ need. Restrict to the minimum the rest. Did I already say anything about passwords ?
- Think as if your server is contaminated. Avoid or forbid access to all it doesn't need to work (especially your private data). Ideally, put it in a separated network (DMZ), controlled by a firewall (for lack of anything better, your internet router should be able to do that).
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42559
Location: 56N 3W

PostPosted: Fri Feb 05, 2016 6:18 pm    Post subject: Reply with quote

pmam,

I wasn't going to set homework but since this thread is going that way ...

Run a gentoo-hardened kernel with a fully hardened install. When the hardened user space spots something nasty going on, the kernel is signalled to kill the process, so you need both bits.
If you overdo it, the box may never boot and if it boots, you may not be able to log in, and if you can log in, you way not be able to access some/all services.
You will get it wrong setting this up ... at least once.

Run a paranoid firewall, rather than a default half open firewall. A half open firewall allows anything out.
The idea is to stop bad things that do get in from phoning home. There is no need to wrestle with IPtables directly. I use Shorewall.
If you don't lock yourself out at least once, you are doing it wrong.

If you are doing this on a remote box, get yourself some IPv6 support. IPv4 and IPv6 firewalls are completely separate entities.
You can arrange to get in over IPv6 when you mess up IPv4 and vice versa.

Do not allow root ssh logins at all. When you need root, log in as a normal user and use su or sudo.

Do not allow password logins over ssh. Insist your users use keys with good passwords. (The password here is associated with the secret key).

Do not run any services listening to the outside world that you do not absolutely need. They should be blocked by your firewall anyway.
Consider every package you install could be compromised and have an exploit that can be used against you.

Use paranoid mount options so that users cannot install and run random packages. e.g. Mount /home and /tmp -o nodev,noexec. There are other no options too.

All of the above is just general advice to make life difficult for an attacker.

Keep your user space up to date. GLSAs are published only after a fix is known. By keeping up to date you may well get the fix in advance of the GLSA.

Security and useability are tradeoffs. You choose how much useability you are prepared to lose far the security you decide you need.

e.g. If you don't connect your system to the insternet, its very secure but its not very useful as a server.
In the middle, you may decide not to install gcc on your server, so attackers cannot compile code on it that they can then use to extend the attack.
Depending on how you update the server, that may be a price you are willing to pay.

Any package (wordpress?) that assembles web pages by running programs (php) or scripts on the server has vulnerabilities of their own.
Consider what can happen if an attacker to get wordpress to run a program of their choosing?

That's a get you started ... There is much more.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Fri Feb 05, 2016 7:43 pm    Post subject: Reply with quote

NeddySeagoon wrote:
Any package (wordpress?) that assembles web pages by running programs (php) or scripts on the server has vulnerabilities of their own. Consider what can happen if an attacker to get wordpress to run a program of their choosing?

pmam, Neddy, et al ... wordpress would be a bad choice imo, particularly as it's a major target for exploitation (and, based on the fact that this is a current issue, I mean ongoing target). Way back I had to ban users from using wordpress, it was just too much work, and too big a target ... lots of tears, boo-hoo, but sorry there was no way to keep both the users from installing whatever plugin they liked the look of (those are just for 2016) and then not updating, and be able to keep the number of attacks down to something managable.

So, I would choose something other than wordpress for a first attempt at a self-hosted site, and of course keep it simple. BTW, if you're planing this for a LAN then I wouldn't worry so much, but world accessable then I'd suggest against it.

best ... khay
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Sun Feb 07, 2016 11:35 am    Post subject: Reply with quote

CneGroumF & NeddySeagoon,

Yes! That what I need – homework… :) I like to see the big picture before starting – It is a real starter.
Your precious info is very useful for me and hope for other Gentoo's forum members -
I added 'security' to topic name for better searching result…

As you said, first need to figure out how it works, what I am doing and what is needed. Then do it step by step.
'Security and useability are tradeoffs.' - Need to achieve this tradeoffs very carefully.
It will take time to well understand this process but you have sketched the path!

I have seen some of your tips (and already have done some) in other tutorials,
and yours comments increase my confidence that this is the right thing to do.
e.g: 'mysql (begin with launching mysql_secure_installation, and saying "yes" to all the questions)' and '(avoid giving its version to the client, for example)' – I found this tip also here: http://arstechnica.com/gadgets/2012/11/how-to-set-up-a-safe-and-secure-web-server/4/ - However as you may see this tutorial does not recommend on DMZ: 'It might be tempting to use the "DMZ host" function in your NAT router to open all of its ports to the Internet, but this is a terrible idea. It robs your host of much of the protection from attack it gains by being behind a NAT router.' I am still not familiar with DMZ, and no worry :) - If I need to decide I will definitely more trust on your tip... However, maybe DMZ has some 'dialectic' aspects... and here where I need your point of views!

'e.g. If you don't connect your system to the internet, its very secure but its not very useful as a server.'
At the first stage I would prefer to limit access only to LAN users -
Please advise how to do it - how verify that any port is not opened or etc?
And need to see how enable web administration interfaces to LAN users?

khayyam,

Quote:
BTW, if you're planing this for a LAN then I wouldn't worry so much, but world accessible then I'd suggest against it.

I am planning this web server for world accessible -
Please advise what do you recommend instead of wordpress - joomla or any other?

Thanks a lot to all
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”


Last edited by pmam on Sun Feb 07, 2016 3:25 pm; edited 1 time in total
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Sun Feb 07, 2016 12:15 pm    Post subject: Reply with quote

pmam wrote:
khayyam wrote:
BTW, if you're planing this for a LAN then I wouldn't worry so much, but world accessible then I'd suggest against it.

I am planning this web server for world accessible - At the first stage I would prefer to limit access only to LAN users. What do you recommend instead of wordpress - joomla or any other?

pmam ... I'm very much out-of-the-loop as far as CMS are concerned, it has been over seven years since I did any server administration. The advice above is based purely on what specific CMS are most targeted, wordpress seems to be top of this list, though I imagine there are others that suffer similarly, and attract a lot of attention. I guess it really depends on what type of content you're serving, and so the type of CMS that will fit your needs. I would look around for something that fits that need, but is less commonly used, and simpler than, wordpress. There are CMS (one in particular comes to mind, but the name escapes me) which uses a markup but generates static pages (so, no mysql, php, or what-have-you, involved) ... something of this nature will offer less of an attack surface, but as Neddy says above, its a tradeoff against ease-of-use, etc.

So, basically, do some research before hand, try and focus on what you actually need from a CMS, rather than opt for something that you're inclined to think everyone uses for such things.

best ... khay
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Sun Feb 07, 2016 7:35 pm    Post subject: Reply with quote

Hope this limit access to LAN-only users (for the construction stage) - Need to verify ports status?
Code:
server {
      #listen 127.0.0.1;
      listen 0.0.0.0;
      server_name localhost;

      access_log /var/log/nginx/localhost.access_log main;
      error_log /var/log/nginx/localhost.error_log info;

         root /var/www/localhost/htdocs;
         autoindex on;
                     
      location ~ \.php$ {
                       # Test for non-existent scripts or throw a 404 error
                       # Without this line, nginx will blindly send any request ending in .php to php-fpm
                      try_files $uri =404;
                      include /etc/nginx/fastcgi.conf;
                      fastcgi_pass unix:/run/php-fpm.socket;
                      allow 192.168.1.0/24;
                      allow 127.0.0.1;
                      deny all;
           }   
         
   }


khayyam,
I see your point: The more popular CMS the more vulnerable - need to consider this tradeoff...

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 545
Location: France

PostPosted: Mon Feb 08, 2016 2:34 pm    Post subject: Reply with quote

pmam wrote:
However as you may see this tutorial does not recommend on DMZ: 'It might be tempting to use the "DMZ host" function in your NAT router to open all of its ports to the Internet, but this is a terrible idea. It robs your host of much of the protection from attack it gains by being behind a NAT router.' I am still not familiar with DMZ, and no worry :) - If I need to decide I will definitely more trust on your tip... However, maybe DMZ has some 'dialectic' aspects... and here where I need your point of views!

I understand why Lee Hutchinson said that : on my ISP box, there are two ways to redirect requests from internet to a local service. One is called "NAT", but should be named "NAPT", or "PAT" (P for "Port") : I can set up some rules to redirect internet requests to one specified TCP/UDP port towards one given local IP address. The other is called "DMZ", but should be named "total NAT" : if I enable that, _all_ the incoming traffic from internet is sent to one specified local IP address. None of these capabilities provides a semblance of a real DMZ, and the second one can be very dangerous if not well controlled.

Then what do I call "DMZ" (DeMilitarized Zone) ? A DMZ is an isolated network, in which we put all the services that should be available on internet. The network is separated from the LAN and from internet by a firewall (which is firsly a router). For example :
Code:
      ( internet )
           |
           |
       192.0.2.1
       ____|_____
      |          |
      | Firewall |
      |__________|
      ___|    |____
     |             |
192.168.1.1   192.168.2.1
     |             |
     |             |
  ( LAN )       ( DMZ )


There's only one way for a computer in the DMZ to join a computer in the LAN : the firewall. And the firewall, if well configured, disagrees.

Last, but not least, "demilitarized" doesn't mean "open house" from internet (that's the main "problem" if you use the "DMZ" capability as defined by my ISP). The firewall must also filter all the traffic (incoming and outgoing) between the DMZ and internet.

I don't know if and how an ISP box is able to do that. Personally, I set up my own firewall (a Gentoo box with several NICs) between my ISP stuff and mine.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42559
Location: 56N 3W

PostPosted: Mon Feb 08, 2016 9:33 pm    Post subject: Reply with quote

pmam,

For the time being, its your router that determines if the outside world can reach you website, no its settings.
If you forward port 80 (http) and/or port 443 (https) from your public IP to your website, the outside world can reach it.
If your router has these ports closed, you website is only available on your LAN.
Its a little more complex than that but you need to walk before you can run.

On the basis that ISP provided routers are not very good firewalls, you can replace the router with your own firewall.
You can also continue to use the ISP provided router and add a firewall to the web server.

I run my router/firewall in a KVM. I don't have a physical router.
Engineers from BT don't understand how it works and my ISP doesn't care as long as I don't ask them for support.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Tue Feb 09, 2016 8:33 am    Post subject: Reply with quote

CneGroumF,

Thanks for your nice clarification - I am going to learn about DMZ and see if it is suitable to my settings.

NeddySeagoon,

Just to be sure I am understanding what you said regarding router -
At the moment, I want LAN-only without any access of the outside world to my web site -
Here a copy of current port status in my router - Please inform me if this is the minimum necessary 'opening' ports,
in order to enable browsing internet, or need to change some ports settings (This is the default router's settings)?
Code:

Application                             Protocol   Port   Tx Throughput (Kbps)   Rx Throughput (Kbps)   
   
Web Server, Web access by HTTP/HTTP proxy   TCP   80      10.9                              7.4
Domain Name Server, UDP Domain Name Server   UDP   53      2.9                            2.9
Secured Web Server                            TCP    443      0.3                            0.2

And as you said: If I want to enable outside world's access (after construction stage),
need to 'forward port 80 (http) and/or port 443 (https) from your public IP to your website'

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
gordonb3
Apprentice
Apprentice


Joined: 01 Jul 2015
Posts: 185

PostPosted: Tue Feb 09, 2016 12:39 pm    Post subject: Reply with quote

A normal ISP provided router will not set up a DMZ as drawn by CneGroumF. Their implementation of "DMZ" is a single machine on the LAN to which all incoming traffic from the internet is forwarded unconditionally. You must therefore run a strict firewall on this machine, as anyone that can get access to it will have access throughout your whole LAN.

As far as Wordpress is concerned: this appears to be something of a hacker's magnet. BUT, the chances that any serious hacker would notice a site that is not owned by some big name organisation is rather small. What you should be concerned about are script kiddies, people using compromised computers to brute force scan the internet for exposed ports and common vulnerabilities. So here are a few tricks to make their life less easy:

  1. If you need to expose a service such as ssh, limit where a connection can originate from. Ideally this would only be LAN, but you could also add the fixed IP from your work, holiday home etc. If you require access from dynamically assigned addresses you can use the netfilter 'geoip' target from xtables_addons. Yes that will typically allow several millions of people having access to a computer in your own country to try hack into your server, but you no longer need to worry about the other seven billion.
  2. Use the netfilter 'recent' target to identify port scanners and automatically add the originating IPs to a blacklist. You can also use the 'recent' target to implement a technique known as 'knocking' to shield e.g. the ssh port. There are several examples for this on the net
  3. Another netfilter trick: use string match on port 80 to find a GET for 'w00tw00t'. This is a common used request to identify that you are running a web server, after which the attacker script will try to find vulnerabilities in php, wordpress and other CMS systems or web based apps you might run.
  4. Saving the best trick for last: configure your web server for vhosts and let the default host point to meaningless static content with no CGI support. Like the 'It Works!' page. Put 'Go Away!' on it if you like, just remember that the script kiddies will never read it. In all the years that I have been monitoring attempts on my home server I've never seen them use anything other than my public IP. Not even the reverse DNS name for it, which in my case translates to <connection-type>-<reversed-ip>.my-isp.com and would be just as useless for them.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42559
Location: 56N 3W

PostPosted: Tue Feb 09, 2016 8:36 pm    Post subject: Reply with quote

pmam,

I'm not sure what you are showing me here.
Post the make and model of your router. That will allow us to read the manual.

Security by obscurity is really no security at all. Do not follow that route.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Tue Feb 09, 2016 10:31 pm    Post subject: Reply with quote

NeddySeagoon,

My router info: VTech IAD303+ or IAD303A+ (It has also phone line oner ip)
I did not find its manual - Hope you can find some info.

I would like to have two setups:
1) No access from outside world to web site - LAN-only
2) In the next stage: Enable outside world access to web site, with the minimum necessary access

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Wed Feb 10, 2016 8:40 am    Post subject: Reply with quote

NeddySeagoon,

If there is no user manual of VTech on the net, I have another (more popular) router that can be used: D-Link DSL-2650U -
http://www.google.co.il/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiR_cvx4ezKAhWFdpoKHXSsBTUQFggiMAA&url=http%3A%2F%2Fwww.netcheif.com%2Fdownloads%2FDSL-2650U-UG.pdf&usg=AFQjCNGJzD9dlqVBQL0g2jXCGdTz1bAdlw&bvm=bv.113943665,d.bGs
Please advise security tips regarding this router.

I saw in TV report on Kaspersky Lab's Security Analyst Summit 2016 -
A lot of cybern's panic in the air - It is good for his business - However - Can we sleep well?

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
gordonb3
Apprentice
Apprentice


Joined: 01 Jul 2015
Posts: 185

PostPosted: Thu Feb 11, 2016 9:10 am    Post subject: Reply with quote

NeddySeagoon wrote:
Security by obscurity is really no security at all. Do not follow that route.

As stated: Not against a serious hacker, but it does keep the script kiddies off your back. Don't confuse a hobby site with that of a big name corporation or government.
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 545
Location: France

PostPosted: Thu Feb 11, 2016 9:47 am    Post subject: Reply with quote

Yes and no. For more quietness, you can, for example, make sshd listen on another TCP port than 22. But even script kiddies know nmap.
So you must secure sshd alike, and consider these options only as additions to a correct securing, not as replacements.
Back to top
View user's profile Send private message
gordonb3
Apprentice
Apprentice


Joined: 01 Jul 2015
Posts: 185

PostPosted: Thu Feb 11, 2016 9:51 am    Post subject: Reply with quote

pmam wrote:

Please advise security tips regarding this router.


Like I said:
Quote:
A normal ISP provided router will not set up a DMZ as drawn by CneGroumF. Their implementation of "DMZ" is a single machine on the LAN to which all incoming traffic from the internet is forwarded unconditionally. You must therefore run a strict firewall on this machine, as anyone that can get access to it will have access throughout your whole LAN.


On page 53 of the manual you linked it clearly states that the DMZ host must be well protected to keep the other PCs on your LAN from being infected through the DMZ. If you are worried about security, your DMZ must be in a completely separate LAN where you can use the firewall to prohibit the DMZ from initiating connections to PCs in your normal working LAN environment and of course the firewall itself. A not completely safe alternative to a single firewall handling routing between two LANs and the internet is to use two independent firewalls: the outside firewall serving between internet and DMZ and the inner firewall serving between DMZ and LAN. The unsafe element here being that the management interface of the outside firewall will be accessible to one gaining control of any machine in the DMZ.
Back to top
View user's profile Send private message
gordonb3
Apprentice
Apprentice


Joined: 01 Jul 2015
Posts: 185

PostPosted: Thu Feb 11, 2016 11:00 am    Post subject: Reply with quote

CneGroumF wrote:
Yes and no. For more quietness, you can, for example, make sshd listen on another TCP port than 22. But even script kiddies know nmap.
So you must secure sshd alike, and consider these options only as additions to a correct securing, not as replacements.

Honoustly I would never leave ssh open, even though many website providers do. If you do need it, knocking does provide a good method to hide it and if you do it right nmap will not be able to detect it because the knocking ports are in fact closed themselves. Let's say you need to knock three ports; even if for personal convenience you only use up to three digit port numbers that already sums up to a billion possible combinations and there's no putting tension on pins that will hint you're anywhere close to opening the lock.

As far as websites go, if script kiddies launch attacks on specific sites it will be a well known site and they will use your computer for it if they stumbled on to it during their targetless scans of the internet. If they hit port 80 on your public IP address and find Wordpress being hosted on it, their script will log it and allow them to input your IP address on other compromised machines that they dedicated for exploiting specific vulnerabilities or do password guessing. If there's nothing there, their log will show this as well and your IP may end on a list of future prospects to be checked once in a while if anything interesting is being placed on it. Which of course never will if you intentionally configured the default host to serve static content only.

Remember: script kiddies are lazy. Their main interest is to keep themselves hidden. As a result, none of the IPs you may find in any log will point to them. They will never visit your site to personally verify the non interesting content. It may take days or even weeks for them to read the log that says they breached your security. I have some experience in this area because of an unexpected feature in postfix; I was a spammer for about 90 minutes :oops:
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Sun Feb 21, 2016 9:26 am    Post subject: Reply with quote

NeddySeagoon&CneGroumF&gordonb3,

Thanks a lot for your important tips! I read each line of yours and try to figure out how to implement. You gave me nice 'homework' :)
I do not think the following issue directly refers to current discussion, however, has strong connection to security aspects:
I saw in TV (see link below of this story) that a Hollywood hospital has been attacked by hackers who demanded 3.6 M$(and probably got 17000$) - otherwise hospital will not be able to access all data in its computers (docs, images etc). Hackers send email with pdf file attached. By opening this “pdf” file, all data is encrypted and a message of demanding money is showed on screen (called Ransomware). They attack private users as well, but here they demand more 'humble' amount of money: 500-700$ - depends on the economic level of the attacked country… They give an email of their “customers service” and chat is possible as well...
They give final date to arrange the money with bit coins but have some flexibility – 'nice pirates'.. :)

So - Please try to make some order in this nasty cybernate world…
1. Does it more difficult to do it on Linux than Windows?
2. How can they encrypt files without having password? Is it possible or they crack passwords?
3. What can we do in order to defend ourselves? Some of your already mentioned tips can help?

http://www.digitaltrends.com/computing/hollywood-hospital-ransomware-attack/
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Sun Feb 21, 2016 9:58 am    Post subject: Reply with quote

Quote:
1. Does it more difficult to do it on Linux than Windows?
Kinda. We tend to install "trusted" software, so you'd have to take over a repo to do something like that. However, if you managed to do that, you could could do worse than encrypting the data.
Quote:
2. How can they encrypt files without having password? Is it possible or they crack passwords?
Oh, encrypting files is easy. You can use any password you want. Decrypting is the tricky part, that's the whole point.
Quote:
3. What can we do in order to defend ourselves? Some of your already mentioned tips can help?

Good, old-fashioned backup. Preferably an off-line one, so it doesn't accidentally get damaged with a splash from the main hit.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42559
Location: 56N 3W

PostPosted: Sun Feb 21, 2016 12:40 pm    Post subject: Reply with quote

pmam,

What you describe is called "Social Engineering". Its tricking the user to run a file.

Windows is targeted more than Linux because there are more windows users.
Windows users often run as root, without even thinking about it. Then, when ransomeware gets in, it can do anything that root can do.

Linux is structured differently. You have to make some effort to run everything as root. When ransomeware gets in, it can only do whatever the user that runs it can do. That's usually no more than encrypting /home/<username>. Of course if <username> is it the root group or the disk group, that's as bad as running as root.

Its also harder to execute email attachments on Linux. This is the default on Windows. On Linux, you normally need to save an attachment and do chmod +x on it before you can run it. You can set Linux to execute email attachments ... but why would you?

The way out is validated off line backups, as it is for most disasters.
A backup means at least two offline copies. If you only have one 'backup' copy, when your working copy is not available, you no longer have a backup.
Validated because you need to know its good. You really don't want to find out you have issues with your backups when your working copy fails.

Nasty email attachments on windows are often named
Code:
file.doc                                                               .exe
so that the .exe is outside the email attachment window.

Homework. What will windows do if you double click such an email attachment?
a) Open it in Word
b) Execute it?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Sun Feb 21, 2016 5:35 pm    Post subject: Reply with quote

Quote:
That's usually no more than encrypting /home/<username>

Generally we work with DE as a user (but not root) - all database (docs, images etc) are under permissions of this user -
So in case of ransomeware gets in, it can encrypting all database! Even if it is not root...
Since encrypting is a dramatic operation even when it is taking place as a normal process by the owner itself –
e.g: Why we will not limit encryption only to root? Or at least to prompt a dialogue box with password demand
I guess somehow there is a way to block encryption - by adding an option to menuconfig...
You know better than me… Encryption should not be so easily to execute in any aspects - Do not think so?

Quote:
Its also harder to execute email attachments on Linux.

AFAIK in this case (to bypass 'exe careful') email attachment is pdf extension - If it is any matter...

Quote:
You can set Linux to execute email attachments ... but why would you?

Where this option is exist - I mean, how to check if it is not active...

Quote:
A backup means at least two offline copies.

Validated I understand, but why 2 copies? Please explain why one copy on a separate machine is not enough?
BTW: Does backup execute by a simple copying of directories to other machine?
or there is any package that facilitate backup more easily? May be some scripts can help (need to learn how to write it...)

Quote:
Homework. What will windows do if you double click such an email attachment?

According your nice 'preface' it will end with execution (of the security responsible in the company... :) )

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42559
Location: 56N 3W

PostPosted: Sun Feb 21, 2016 5:58 pm    Post subject: Reply with quote

pmam,

10 out of 10 for your homework.

The simple view of the world says that you cannot prevent encryption or anything else being run by a user.
When malware gets in as a user, it can do anything that user can do, including downloading and executing packages.
Its need not be your own encryption used against you.

If you are paranoid, you can mount /home and /tmp with the noexec option. That will prevent all the writeable space open to normal users being used as a location to run software from.
fstab fragment:
/dev/mapper/HW-home             /home                   ext4            noatime,nodev,nosuid,noexec     0 0
/dev/shm                        /tmp                    tmpfs           noatime,nodev,nosuid,noexec     0 0



Why two copies?
The definition of having a backup is that you have a spare copy. With exactly two copes, that's your working copy and one spare.
When your working copy is destroyed, you have only one copy, so you no longer have a backup.

There are an assortment of programs for creating backps ... look in /usr/portage/app-backup
You can also do you own thing.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2, 3, 4  Next
Page 2 of 4

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum