Feature: They Can't Crack What They Can't Find

"The Internet today is a jungle full of predators. Some of these predators are trying to crack your machine others are just looking for a machine to crack. By using the firewalling tools built into the Linux kernel it is possible to make a desktop machine virtually disappear from the crackers view."

They Can't Crack What They Can't Find noeld@rootprompt.org The Internet today is a jungle full of predators. Some of these predators are trying to crack your machine others are just looking for a machine to crack. By using the firewalling tools built into the Linux kernel it is possible to make a desktop machine virtually disappear from the crackers view. In this article I will describe how to hide a machine running Linux that uses PPP over a modem to connect to the Internet. I will use ipchains and the firewalling built into the Linux kernel to protect the services that are running on this machine from connections across the PPP interface. For this example, I will use a Debian system with a 2.2.15 Linux kernel on a Debian system. You should note that the firewalling code in the 2.4 Kernel has undergone a rewrite, but that the examples in this article will still work by loading the ipchains compatibility module. We begin right after you have installed Linux on your machine and before you have connected to the Internet. Any connections to the Internet could leave your machine compromised so it is important to secure your machine before you connect for the first time. After the install you should turn off all of the services and daemons that you do not need. Each service that is running is one more that could be vulnerable and will require monitoring for security advisories and updating as new versions are released. To find where to turn off these services look at what inetd is providing and then look at what daemons the sysV init processes starts. The file /etc/inetd.conf controls what daemons are started by inetd. Open this file in vi or your favorite editor and comment out all the lines that you do not need by adding a # to the start of the line. I usually turn off all of the things such as echo, chargen, finger, talk, rsh, rexec, etc. If I am not going to need them I will also turn off FTP and telnet. If you end up turning all of the services off then we can turn off inetd itself in the next step. Example (/etc/inetd.conf): Before: echo stream tcp nowait root internal echo dgram udp wait root internal chargen stream tcp nowait root internal chargen dgram udp wait root internal discard stream tcp nowait root internal discard dgram udp wait root internal ... After: #echo stream tcp nowait root internal #echo dgram udp wait root internal #chargen stream tcp nowait root internal #chargen dgram udp wait root internal #discard stream tcp nowait root internal #discard dgram udp wait root internal ... If you still have services being started by inetd then restart inetd. You can do this by using ps to see what the Process ID (PID) is for inetd and then sending it a HUP signal with the kill command. This will cause it to re-read it's configuration file. # ps axwww |grep inetd 345 ? S 0:00 /usr/sbin/inetd 535 pts/1 S 0:00 grep inetd # kill -HUP 345 Then look at the SysV init system to see what daemons you do not need. One of the easiest ways to do this is to use ksysv. Ksysv is a graphical manager for the SysV run levels written in tk by Peter Putzer. If for some reason you can not use this then look inside your /etc directory for a group of directories named /etc/rc1.d /etc/rc2.d etc. The rc2.d directorie on the example machine looks like this: $ ls /etc/rc2.d/ S01ipchains S19nfs-common S20inetd S20makedev S89atd S10sysklogd S20alsa S20linuxconf S20nfs-kernel-server S89cron S14ppp S20dictd S20logoutd S20xfs S91apache S18portmap S20gpm S20lpd S20xfstt S99rmnologin To prevent a daemon from starting, look for a file in these directories that starts with an S and remove it. For example if we wanted to turn off inetd we would find all of the startup files for inetd and then remove them: # ls /etc/rc*.d/S*inetd /etc/rc2.d/S20inetd /etc/rc4.d/S20inetd /etc/rc3.d/S20inetd /etc/rc5.d/S20inetd # rm /etc/rc*.d/S*inetd Once you have reached this point reboot your machine to test the startup scripts. Then use the ps command to see what you have running and use the netstat command to see what ports are open on your network. # netstat -ln Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:7101 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:2628 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:928 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN udp 0 0 0.0.0.0:926 0.0.0.0:* udp 0 0 0.0.0.0:1024 0.0.0.0:* udp 0 0 0.0.0.0:111 0.0.0.0:* raw 0 0 0.0.0.0:1 0.0.0.0:* 7 raw 0 0 0.0.0.0:6 0.0.0.0:* 7 Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node Path unix 0 [ ACC ] STREAM LISTENING 213 /tmp/.font-unix/fs7100 unix 0 [ ACC ] STREAM LISTENING 171 /dev/log unix 0 [ ACC ] STREAM LISTENING 275 /tmp/.X11-unix/X0 unix 0 [ ACC ] STREAM LISTENING 200 /dev/gpmctl unix 0 [ ACC ] STREAM LISTENING 208 /dev/printer unix 0 [ ACC ] STREAM LISTENING 224 fs7101 In this example we see at the top the list of TCP and UDP ports that are open. The Active UNIX domain sockets are not listening on the network so we can ignore them. Once you have all the unneeded daemons turned off and have things the way you want them we can set up our firewall rules using ipchains. The ipchains program allows you to control the IP firewall rules in the Linux kernel. It seems much more complicated than it is. In this article I am going to keep things very simple. If you would like to learn more details about ipchains or look at some more complicated examples then take a look at the How To. A simple rule to firewall a TCP port from any connection on the ppp0 interface uses something like the following command replacing $portnumber with the portnumber you want to firewall. It does not matter that the ppp0 interface is not up when you set up the firewall rules. When the interface does come up the rules will be applied. ipchains -A input -i ppp0 -p TCP -d 0.0.0.0/0 $portnumber -j DENY For UDP change the -p TCP to -p UDP. ipchains -A input -i ppp0 -p UDP -d 0.0.0.0/0 $portnumber -j DENY To see what rules are defined by using ipchains -L. To suppress DNS and port name lookups use a -n. This is the output of ipchains -L -n on my example machine. # ipchains -L -n Chain input (policy ACCEPT): target prot opt source destination ports DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 80 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 111 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 515 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 928 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 2628 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6000 DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 7101 DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1 DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6 DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 111 DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 926 DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024 Chain forward (policy ACCEPT): Chain output (policy ACCEPT): One more needed ipchains option is used to flush a chain -F. To remove all of the rules on the example machine we would use 'ipchains -F input'. To save your rules for the next time you boot use the ipchains-save program and save the output into /etc/ipchains.rules. # ipchains-save > /etc/ipchains.rules When you boot you will restore the rules with ipchains-restore. The following script is from the how to you can place it in /etc/init.d and then set it up to run by placing a link to the script in the run level of your choice. #! /bin/sh # Script to control packet filtering. # If no rules, do nothing. [ -f /etc/ipchains.rules ] || exit 0 case "$1" in start) echo -n "Turning on packet filtering:" /sbin/ipchains-restore < /etc/ipchains.rules || exit 1 echo 1 > /proc/sys/net/ipv4/ip_forward echo "." ;; stop) echo -n "Turning off packet filtering:" echo 0 > /proc/sys/net/ipv4/ip_forward /sbin/ipchains -F /sbin/ipchains -X /sbin/ipchains -P input ACCEPT /sbin/ipchains -P output ACCEPT /sbin/ipchains -P forward ACCEPT echo "." ;; *) echo "Usage: /etc/init.d/packetfilter {start|stop}" exit 1 ;; esac exit 0 When your rules are set up the way you want them you should check them with a port scanner such as nmap. If you do not have a machine on the net that you can scan your PPP connection from then you can apply the same rules to the lo (local) interface. Just make sure you do not save the rules with ipchains-save or you may find some things not working. This is an example of scanning using nmap without any firewall rules in place: # nmap hostname Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Interesting ports on hostname (10.0.0.1): (The 1517 ports scanned but not shown below are in state: closed) Port State Service 80/tcp open http 111/tcp open sunrpc 515/tcp open printer 928/tcp open unknown 1024/tcp open kdm 6000/tcp open X11 Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds What it looks like when we scan with the firewall rules in place: # nmap hostname Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Note: Host seems down. If it is really up, but blocking our ping probes, try -P0 Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds We can however still ping the machine. Ping uses icmp echo which we have not firewalled. We can turn off responding to icmp echos with an ipchains rule or by doing 'echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all'. However even that will not make us invisible. There is more than one kind of icmp packet. An example of this is that tools such as icmpush can be used to "ping" using other icmp types such as Time Stamp Request. # ping hostname PING hostname (10.0.0.0): 56 data bytes --- hostname ping statistics --- 12 packets transmitted, 0 packets received, 100% packet loss # ./icmpush -tstamp hostname hostname -> 18:11:22 Turning off icmp_echo does go a long way towards making us invisible but we can firewall more icmp types using ipchains. We can also use ipchains to insure that icmp packets will never be returned by our machine. ipchains -A output -i ppp0 -p icmp -j DENY The downside to doing this is that you will not be able to ping other systems as the firewall rule will stop all outgoing icmp packets not just replies to packets from the outside. We do not want to filter all incoming icmp packets because if we do then we will not get host-unreachable and no-route-to-host messages and all of our connections will just wait for a reply that never comes. We could write a more complicated set of rules that blocks the icmp packets with more care, but for this example we will not. By restricting what connections we allow on our exposed interfaces we restrict what we expose to the world. This can have some advantages in preventing people from finding or exploiting services that we need to run but do not need to share with the Internet. Using ipchains can get very complicated but it does not need to be used in a complicated way to allow a significant amount of protection for your machine from a system Cracker's probes and a Script Kiddie's scans.