# RootPrompt.org   Nothing but Unix.[Home] [Features] [Programming] [Mac OS X] [Search]


 Feature: They Can't Crack What They Can't Find

"The Internet today is a jungle full of predators. Some of these predators are trying to crack your machine others are just looking for a machine to crack. By using the firewalling tools built into the Linux kernel it is possible to make a desktop machine virtually disappear from the crackers view."

 (Submitted by Noel Mon Sep 11, 2000 )

  

They Can't Crack What They Can't Find

noeld@rootprompt.org

The Internet today is a jungle full of predators. Some of these predators are trying to crack your machine others are just looking for a machine to crack. By using the firewalling tools built into the Linux kernel it is possible to make a desktop machine virtually disappear from the crackers view.

In this article I will describe how to hide a machine running Linux that uses PPP over a modem to connect to the Internet. I will use ipchains and the firewalling built into the Linux kernel to protect the services that are running on this machine from connections across the PPP interface.

For this example, I will use a Debian system with a 2.2.15 Linux kernel on a Debian system. You should note that the firewalling code in the 2.4 Kernel has undergone a rewrite, but that the examples in this article will still work by loading the ipchains compatibility module.

We begin right after you have installed Linux on your machine and before you have connected to the Internet. Any connections to the Internet could leave your machine compromised so it is important to secure your machine before you connect for the first time.

After the install you should turn off all of the services and daemons that you do not need. Each service that is running is one more that could be vulnerable and will require monitoring for security advisories and updating as new versions are released. To find where to turn off these services look at what inetd is providing and then look at what daemons the sysV init processes starts.

The file /etc/inetd.conf controls what daemons are started by inetd. Open this file in vi or your favorite editor and comment out all the lines that you do not need by adding a # to the start of the line. I usually turn off all of the things such as echo, chargen, finger, talk, rsh, rexec, etc. If I am not going to need them I will also turn off FTP and telnet. If you end up turning all of the services off then we can turn off inetd itself in the next step.

Example (/etc/inetd.conf):

Before:

echo           stream  tcp     nowait  root    internal
echo           dgram   udp     wait    root    internal
chargen        stream  tcp     nowait  root    internal
chargen        dgram   udp     wait    root    internal
discard        stream  tcp     nowait  root    internal
discard        dgram   udp     wait    root    internal
...

After:

#echo           stream  tcp     nowait  root    internal
#echo           dgram   udp     wait    root    internal
#chargen        stream  tcp     nowait  root    internal
#chargen        dgram   udp     wait    root    internal
#discard        stream  tcp     nowait  root    internal
#discard        dgram   udp     wait    root    internal
...

If you still have services being started by inetd then restart inetd. You can do this by using ps to see what the Process ID (PID) is for inetd and then sending it a HUP signal with the kill command. This will cause it to re-read it's configuration file.

# ps axwww |grep inetd
  345 ?        S      0:00 /usr/sbin/inetd
  535 pts/1    S      0:00 grep inetd
# kill -HUP 345

Then look at the SysV init system to see what daemons you do not need. One of the easiest ways to do this is to use ksysv. Ksysv is a graphical manager for the SysV run levels written in tk by Peter Putzer.

If for some reason you can not use this then look inside your /etc directory for a group of directories named /etc/rc1.d /etc/rc2.d etc. The rc2.d directorie on the example machine looks like this:

$ ls /etc/rc2.d/
S01ipchains  S19nfs-common  S20inetd      S20makedev            S89atd
S10sysklogd  S20alsa        S20linuxconf  S20nfs-kernel-server  S89cron
S14ppp       S20dictd       S20logoutd    S20xfs                S91apache
S18portmap   S20gpm         S20lpd        S20xfstt              S99rmnologin

To prevent a daemon from starting, look for a file in these directories that starts with an S and remove it. For example if we wanted to turn off inetd we would find all of the startup files for inetd and then remove them:

# ls /etc/rc*.d/S*inetd
/etc/rc2.d/S20inetd  /etc/rc4.d/S20inetd
/etc/rc3.d/S20inetd  /etc/rc5.d/S20inetd
# rm /etc/rc*.d/S*inetd

Once you have reached this point reboot your machine to test the startup scripts. Then use the ps command to see what you have running and use the netstat command to see what ports are open on your network.

# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address
State      
tcp        0      0 0.0.0.0:6000            0.0.0.0:* LISTEN      
tcp        0      0 0.0.0.0:80              0.0.0.0:* LISTEN      
tcp        0      0 0.0.0.0:7101            0.0.0.0:* LISTEN      
tcp        0      0 0.0.0.0:515             0.0.0.0:* LISTEN      
tcp        0      0 0.0.0.0:2628            0.0.0.0:* LISTEN      
tcp        0      0 0.0.0.0:928             0.0.0.0:* LISTEN      
tcp        0      0 0.0.0.0:1024            0.0.0.0:* LISTEN      
tcp        0      0 0.0.0.0:111             0.0.0.0:* LISTEN      
udp        0      0 0.0.0.0:926             0.0.0.0:*                        
udp        0      0 0.0.0.0:1024            0.0.0.0:*                          
udp        0      0 0.0.0.0:111             0.0.0.0:*                          
raw        0      0 0.0.0.0:1               0.0.0.0:*              7           
raw        0      0 0.0.0.0:6               0.0.0.0:*              7           
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     213
/tmp/.font-unix/fs7100
unix  0      [ ACC ]     STREAM     LISTENING     171    /dev/log
unix  0      [ ACC ]     STREAM     LISTENING     275
/tmp/.X11-unix/X0
unix  0      [ ACC ]     STREAM     LISTENING     200    /dev/gpmctl
unix  0      [ ACC ]     STREAM     LISTENING     208    /dev/printer
unix  0      [ ACC ]     STREAM     LISTENING     224    fs7101

In this example we see at the top the list of TCP and UDP ports that are open. The Active UNIX domain sockets are not listening on the network so we can ignore them.

Once you have all the unneeded daemons turned off and have things the way you want them we can set up our firewall rules using ipchains.

The ipchains program allows you to control the IP firewall rules in the Linux kernel. It seems much more complicated than it is. In this article I am going to keep things very simple. If you would like to learn more details about ipchains or look at some more complicated examples then take a look at the How To.

A simple rule to firewall a TCP port from any connection on the ppp0 interface uses something like the following command replacing $portnumber with the portnumber you want to firewall. It does not matter that the ppp0 interface is not up when you set up the firewall rules. When the interface does come up the rules will be applied.

ipchains -A input -i ppp0 -p TCP -d 0.0.0.0/0 $portnumber -j DENY
For UDP change the -p TCP to -p UDP.
ipchains -A input -i ppp0 -p UDP -d 0.0.0.0/0 $portnumber -j DENY

To see what rules are defined by using ipchains -L. To suppress DNS and port name lookups use a -n.

This is the output of ipchains -L -n on my example machine.

# ipchains -L -n
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   6
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   80
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   111
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   515
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   928
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   2628
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   6000
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   7101
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   6
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   111
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   926
DENY       udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1024
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
One more needed ipchains option is used to flush a chain -F. To remove all of the rules on the example machine we would use 'ipchains -F input'.

To save your rules for the next time you boot use the ipchains-save program and save the output into /etc/ipchains.rules.

# ipchains-save > /etc/ipchains.rules

When you boot you will restore the rules with ipchains-restore. The following script is from the how to you can place it in /etc/init.d and then set it up to run by placing a link to the script in the run level of your choice.

#! /bin/sh
  # Script to control packet filtering.

  # If no rules, do nothing.
  [ -f /etc/ipchains.rules ] || exit 0

  case "$1" in
      start)
          echo -n "Turning on packet filtering:"
          /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
          echo 1 > /proc/sys/net/ipv4/ip_forward
          echo "."
          ;;
      stop)
          echo -n "Turning off packet filtering:"
          echo 0 > /proc/sys/net/ipv4/ip_forward
          /sbin/ipchains -F
          /sbin/ipchains -X
          /sbin/ipchains -P input ACCEPT
          /sbin/ipchains -P output ACCEPT
          /sbin/ipchains -P forward ACCEPT
          echo "."
          ;;
      *)
          echo "Usage: /etc/init.d/packetfilter {start|stop}"
          exit 1
          ;;
  esac

  exit 0

When your rules are set up the way you want them you should check them with a port scanner such as nmap. If you do not have a machine on the net that you can scan your PPP connection from then you can apply the same rules to the lo (local) interface. Just make sure you do not save the rules with ipchains-save or you may find some things not working.

This is an example of scanning using nmap without any firewall rules in place:

# nmap  hostname

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on hostname (10.0.0.1):
(The 1517 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http                    
111/tcp    open        sunrpc                  
515/tcp    open        printer                 
928/tcp    open        unknown                 
1024/tcp   open        kdm                     
6000/tcp   open        X11                     

Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
What it looks like when we scan with the firewall rules in place:
# nmap  hostname

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds

We can however still ping the machine. Ping uses icmp echo which we have not firewalled. We can turn off responding to icmp echos with an ipchains rule or by doing 'echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all'. However even that will not make us invisible. There is more than one kind of icmp packet. An example of this is that tools such as icmpush can be used to "ping" using other icmp types such as Time Stamp Request.

# ping hostname
PING hostname (10.0.0.0): 56 data bytes

--- hostname ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss

# ./icmpush -tstamp hostname
hostname -> 18:11:22

Turning off icmp_echo does go a long way towards making us invisible but we can firewall more icmp types using ipchains. We can also use ipchains to insure that icmp packets will never be returned by our machine.

ipchains -A output -i ppp0 -p icmp -j DENY

The downside to doing this is that you will not be able to ping other systems as the firewall rule will stop all outgoing icmp packets not just replies to packets from the outside.

We do not want to filter all incoming icmp packets because if we do then we will not get host-unreachable and no-route-to-host messages and all of our connections will just wait for a reply that never comes. We could write a more complicated set of rules that blocks the icmp packets with more care, but for this example we will not.

By restricting what connections we allow on our exposed interfaces we restrict what we expose to the world. This can have some advantages in preventing people from finding or exploiting services that we need to run but do not need to share with the Internet.

Using ipchains can get very complicated but it does not need to be used in a complicated way to allow a significant amount of protection for your machine from a system Cracker's probes and a Script Kiddie's scans.


Our content can be syndicated: Main page Mac Page

Copyright 1999-2005 Noel Davis. Noel also runs web sites about sailing and kayaking.
All trademarks are the property of their owners.
All articles are owned by their author