# Lockdown!

## tomisaac

Hi all.

I've got my Gentoo desktop hooked up to an untrusted network (Uni Campus) and recently there have been outbreaks of script kiddies cracking boxes and wrecking machines over the network.

Anyway, for convenience, I leave ssh and vnc running on my box 24-7, and I also run Samba and a little ftp server. I really want to run all of these services, it's exceptionally useful to be able to get into my desktop from the other side of town. But I feel vulnerable to outside attacks.

So in short, what should I be doing to keep my box well secured? I do all the usual, such as strong passwords and keeping everything patched. But I still feel vulnerable to a brute-force attack - I don't think that I could spot it if someone tried to brute-force my user password over ssh or vnc. I've disabled remote root logins, but I have a pretty powerful user account, with lots of privileges.

Is there a way for me to monitor and spot brute force attacks? Such as a programme that sends me an email in the event of five or so incorrect passwords? Is there a way that I can set my user account to have less privileges when I'm logged in remotely, such a removing the ability to use 'su' or 'sudo'? And last of all, are any of these a good idea, or should I be doing something different.

----------

## boroshan

I think SELinux does a lot of what you want, using access control lists to close off a lot of privs. IIRC, this is the one where they let you telnet to the demo box and give you the root password. It's not of any use, 'cause all the admin functions are locked down.

Iptables is essential; snort and tripwire implement intrusion detection systems (IDS), and chkrootkit will search your system for indications that you've been cracked.

Lastly, if you have an old machine kicking about, you can use it as a firewall. So even if an attacker gets in, they still have to get at your real box and your data.

Hope that helps

----------

## RedDawn

 *boroshan wrote:*   

> I think SELinux does a lot of what you want, using access control lists to close off a lot of privs. IIRC, this is the one where they let you telnet to the demo box and give you the root password. It's not of any use, 'cause all the admin functions are locked down.
> 
> Iptables is essential; snort and tripwire implement intrusion detection systems (IDS), and chkrootkit will search your system for indications that you've been cracked.
> 
> Lastly, if you have an old machine kicking about, you can use it as a firewall. So even if an attacker gets in, they still have to get at your real box and your data.
> ...

But isn't SELinux just for servers? What about a regular desktop, would it be a good idea to install SELinux on it?   :Confused: 

----------

## plovs

Running all these services open for anybody to use is really not secure. You can lock down your services by making them accessible only from certain addresses. This you can do with ssh and samba, and probably also with vnc. Better is to close all these services except for ssh, and make ssh accessible only from your IP address (see /etc/ssh/sshd_config). Then start the other services, e.g. vnc, only when you need them.

----------

## Randseed

 *Quote:*   

> But isn't SELinux just for servers? What about a regular desktop, would it be a good idea to install SELinux on it?

I think that there's a very good chance that you'll just frustrate the hell out of yourself with it. What you could do, I think, is get an old, cheap machine, and set it up as a firewall box. Install SELinux on that, and lock it down. There would be nothing really useful on that box, and it's effectively designed to sit in the DMZ and act as a buffer. Of course, this isn't foolproof, since someone who cracks the firewall box could sit there and start working on your real boxes too.

Another option is to use a rotating password system of sorts. Install PostgreSQL and secure it. That means you set passwords on the postgres superuser, and you make a 'read only' kind of user. Create a database that has a serial number and a randomly generated password. Basically, the idea is that when you connect, the system fires out a sequence number, you look in a little notebook or something for the corresponding password and supply it, it checks it, and then invalidates that sequence number forever, and gives you access. This is actually pretty simple to set up, and you can play all sorts of games with it.

Now, note that this doesn't help you with any "transparent" services like SMB, of course. I'd suggest just firewalling the things globally, then turning them on for a limited period of time from your current address. Again, PERL script.

----------

## spudicus

 *tomisaac wrote:*   

> Hi all.
> 
> Is there a way for me to monitor and spot brute force attacks? Such as a programme that sends me an email in the event of five or so incorrect passwords? Is there a way that I can set my user account to have less privileges when I'm logged in remotely, such a removing the ability to use 'su' or 'sudo'? And last of all, are any of these a good idea, or should I be doing something different.

There's a new Gentoo program called wasabi that'll email you based on user-defined regular expressions, e.g. the word "Failed" in auth.log.

It's also been suggested to only allow access to your services from trusted IPs. This can be taken a step further by using iptables MAC address matching. However, both IP and MAC addresses can be easily spoofed, so this shouldn't be solely relied on.

You could also have a look at port knocking. This way iptables will only open the port when a correct packet sequence is sent.

The use of the grsecurity/PaX patches can also help by making ISNs/port numbers more random, and by general hardening.

One of the key elements of security is keeping things as simple as possible. Therefore complex authentication systems (Kerberos), MAC-based permissions (SELinux) etc. should be avoided unless you really know what you're doing.

You could run sftp instead of ftp. Run SSH with public key authentication.

It may be possible to run the other services over SSH as well, but that's an exercise for the reader.

You could run the LSAT program on your box to check for certain common security mistakes.

In short, Keep It Simple, tomiSaac! The more complex your setup becomes, the more likely someone can slip past.

Also, Backup, Backup, Backup. Plan for the worst case!
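
Added example, not from the thread and not wasabi's own code: a small Python checker for the kind of rule spudicus describes, matching sshd "Failed password" lines from auth.log, flagging any source that reaches five failures inside ten minutes (the threshold and window are assumptions), and composing the notification mail. The auth.log excerpt is constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from email.message import EmailMessage
# sshd failure lines in syslog format, as OpenSSH of that era wrote them to auth.log
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Constructed sample auth.log excerpt for the demo; not taken from the thread.
SAMPLE_AUTH_LOG = """\
Nov  3 22:14:01 gentoo sshd[4211]: Failed password for tom from 10.1.2.3 port 40122 ssh2
Nov  3 22:14:05 gentoo sshd[4211]: Failed password for tom from 10.1.2.3 port 40122 ssh2
Nov  3 22:14:09 gentoo sshd[4212]: Failed password for illegal user admin from 10.1.2.3 port 40130 ssh2
Nov  3 22:14:12 gentoo sshd[4213]: Failed password for illegal user test from 10.1.2.3 port 40131 ssh2
Nov  3 22:14:15 gentoo sshd[4214]: Failed password for tom from 10.1.2.3 port 40140 ssh2
Nov  3 22:16:30 gentoo sshd[4225]: Failed password for tom from 192.168.0.5 port 51010 ssh2
"""

def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed sshd password login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog stamps carry no year; only the relative spacing matters here
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            failures.append((ts, m.group("user"), m.group("ip")))
    return failures

def find_brute_force(log_text, threshold=5, window_seconds=600):
    """Map source IP -> failure count for IPs with `threshold` failures inside one window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()  # sliding window: failure i against the one threshold-1 places earlier
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                offenders[ip] = len(times)
                break
    return offenders

def build_alert(offenders, to_addr, from_addr="root@localhost"):
    msg = EmailMessage()  # handing the mail to sendmail/smtplib is left to the caller
    msg["Subject"] = "sshd: %d host(s) hit the failed-login threshold" % len(offenders)
    msg["From"], msg["To"] = from_addr, to_addr
    lines = ["%s: %d failed password attempts" % kv for kv in sorted(offenders.items())]
    msg.set_content("\n".join(lines) or "nothing to report")
    return msg
```

Run it from cron against /var/log/auth.log (or tail the file) and pipe the returned message to sendmail; a single failure from another address, as in the sample, stays below the threshold and is not reported.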

----------

## tomisaac

Thanks for all that advice.

I think that Wasabi is exactly what I'm looking for in terms of break-in detection, and I'll certainly try it. As for firewalling, I think that my iptables configuration could do with a once-over. I don't really have the space or the hardware available to run a separate firewall box, though that's a definite for the future.

Randseed, your rotating password system sounds pretty cool. Personally I'd be slightly worried about locking myself out when I lost the little notebook, and also, couldn't someone who got hold of the notebook break in easily?

I also have a problem with trusted IPs. The main reason that I run these services is so that I can get into my machine from all over campus, such as the communal computer labs and also from friends' machines. I can't set all of these as trusted IPs, so that route is difficult to implement.

I would try running everything over ssh if I could. However, most of the machines are Windows and Mac, so I can't run an X session over them, and VNC is the only way. The FTP server is about to go anyway - I don't use it enough.

----------

## Boris27

You know you can tunnel the VNC connection over SSH?

You should, as VNC is cleartext, so your (for instance) hotmail password goes over the net in cleartext if you type it in.

Then you can enable SSH compression, which helps VNC a bit.

----------

## Randseed

 *tomisaac wrote:*   

> Randseed, your rotating password system sounds pretty cool. Personally I'd be slightly worried about locking myself out when I lost the little notebook, and also, couldn't someone who got hold of the notebook break in easily?

Valid on both counts. The way I would do it is still allow local logins at the console using a standard password. For the remote access, you'd supply a password you memorize, then the one-time password from the notebook. That covers you from keyboard logging, losing the notebook, and someone just trying to brute-force their way in. The only liability at that point is someone who logs your memorized password and then rips off your notebook, but nothing is perfect. At that point, you remotely lock the system down. (Hint: Remember one or two one-time passwords that aren't written down for this purpose.)

Sounds more complicated than it is.

----------

## davidblewett

There is already a system like what Randseed is describing. It's called S/Key, and ssh can be configured for it when emerged. S/Key is a form of one-time use passwords, you can google for more info.

If you want pure S/Key and no usage of your normal system password, emerge ssh with 

```
#USE="skey -pam" 
```

I would recommend using a combination of S/Key and public key authentication. Use public key when logging in from a machine you trust, i.e. you believe has no key-logging software running. Use S/Key when logging in from an untrusted machine, like in a computer lab.

I believe there are some forum topics about this. Basically, the idea is to connect through ssh to do *all* things on the box. Only have your other servers listen to the internal network address. You can then use ssh's port forwarding to forward packets from the local machine to your internal network.

----------

## allan_q

 *davidblewett wrote:*   

> There is already a system like what Randseed is describing. It's called S/Key, and ssh can be configured for it when emerged. S/Key is a form of one-time use passwords, you can google for more info.

Check out the following thread for setting up SSH with S/Key.

https://forums.gentoo.org/viewtopic.php?t=103232

----------

## Kope

Here's a fundamental point of network security: don't use insecure protocols. FTP, for example, is notoriously insecure.

Why run an ftp server when you can use SSH for sftp?

If you must run ftp for some reason, then do everything over ssh with port forwarding.

If you really want those services, get a cheap used system to do one thing -- sit as a proxy between you and your server. Set up that box with 2 NICs, and configure it to only accept ssh connections inbound and allow port forwarding outbound. You can set up the outside interface to use S/Key for authentication to make it even more secure.

----------

## switchblade1983

Unhook your network connection,

lock yourself in your room

and weld the door closed.

Oh, and remember to board up the window using big metal boards, nuclear-proof breeze blocks, and make sure you have a steady supply of coffee for the next few hundred years!  :Razz: 

----------

## madmango

Actually, that won't even work. A few years ago the military figured out how to determine what you were doing on your computer simply by the fluctuations running through the power cord. Whenever you do something on your compy, the amount of power it sucks changes, and the military was able to decode those changes. Scary.

But let's be realistic. Also: remember to iptables outgoing connections too, that way if your box is compromised they can't use it as a base for attacking others.

----------

## TJNII

 *Kope wrote:*   

> If you really want thos services, get a cheap used system to do one thing -- sit as a proxy between you and your server.

 

That's what I do, and it seems to work well. Also, changing your ssh port to something other than 22 halts many, many scripted attacks. My proxy system used to get belted by brute-force ssh attacks all the time; I changed the port, and they went away.

----------

