You are not logged in.

#26 2003-05-22 12:32:01

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

Well i learned it the hard way too. some may remember my post chkrootkit detected 2 rootkits and an lkm trojan. At that time i was like nobody will get in but they did. exploits are found daily a firewall will not always work but it will surely be a lot harder.
running a firewall doesn't hurt. my firewall has been configured to only accept new connections on ports i specify. if someone spawns a root shell they won't be able to connect to it. further i accept all related connections this really makes it a lot more secure

Offline

#27 2003-05-22 12:47:48

jlvsimoes
Member
From: portugal
Registered: 2002-12-23
Posts: 392
Website

Re: Securing archlinux scripts and help

the feeling suks .....


-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GU/ d- s: a- C L U P+ L+++ E--- W+
N 0+ K- W-- !O !M V-- PS+ PE- V++ PGP T 5 Z+ R* TV+ B+
DI-- D- G-- e-- h! r++ z+ z*
------END GEEK CODE BLOCK------

Offline

#28 2003-05-22 15:49:24

Gyroplast
Member
From: Germany
Registered: 2002-09-03
Posts: 166
Website

Re: Securing archlinux scripts and help

Nickm wrote:

if someone spawns a root shell they won't be able to connect to it.

If someone spawns a root shell, this someone has full access to your system. Do you really think it's THAT hard to simply deactivate all your precious packet filtering rules in that situation? No sir, it is not, you lose.


"That's the problem with good advice. Nobody wants to hear it."
-- Dogbert

Offline

#29 2003-05-22 15:54:21

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

go ahead and write some shellcode to disable a firewall. I think it's not that easy. and it would keep scriptkiddie out for sure because they usually exploit known hacks. they use scripts and they won't adapt the shellcode to kill the firewall

Offline

#30 2003-05-22 16:56:45

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797
Website

Re: Securing archlinux scripts and help

What if the root shell made a connection to a remote host?  Where's your precious firewall now?  tongue

I'm just playing around.  The point is that once someone gets root it's pretty difficult to stop them, no matter what "obstacles" you put in front of them.  The hope is to not let them get root in the first place.  It's a lot easier to work to stop the problem than it is to try to clean up afterwards.


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal

Offline

#31 2003-05-22 17:53:55

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

You are right but the point is that a lot of those scriptkiddies use scripts that spawn rootshells on a port which they will  not be able to connect to because of the firewall.
scriptkiddie are in general unable to change the shellcode so it is a lot harder for them.

And i think most of the people that hack computers are scriptkiddies using known exploits.  of course you could change it to break through

my point is that every obstacle counts and if it would stop about 50% of the attacks i'd be happy smile

Offline

#32 2003-05-22 18:12:54

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797
Website

Re: Securing archlinux scripts and help

Fair enough... having a firewall is a good idea.. but back to the topic.  How does this relate to having a firewall script with a default configuration in it? wink


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal

Offline

#33 2003-05-22 22:10:36

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

It's hard to have a default configuration. but lets say for samba you require port 139 that means that if a user wants to run it, he'll have to allow traffic on that port. maybe opening the port in the samba-startup script then but only if rc.conf says firewall=enabled or something.

advanced users will build their own scripts.

Offline

#34 2003-05-22 22:26:11

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797
Website

Re: Securing archlinux scripts and help

Ok... but think about how many servers you could run... I'm not even going to try to list them cause there are too many... each of those would have to be written, tested, and hopefully be run on the system (think about inetd or services run by hand).

What about people who don't install iptables, that's a lot of data to waste on their hard drive... or people who run 2.2 kernels (that's sort of a stretch)...

But the point is that there are too many different configurations of network/server/system for any default firewall (even package-based configurable) scripts to be effective.  Personally they'd just get in my way and piss me off.


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal

Offline

#35 2003-05-23 06:06:00

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

and how about including one as a sample ?

Offline

#36 2003-05-23 12:32:38

Gyroplast
Member
From: Germany
Registered: 2002-09-03
Posts: 166
Website

Re: Securing archlinux scripts and help

Nickm wrote:

and how about including one as a sample ?

One can find literally hundreds of examples on the net already, and is thus supposed to die the same death that /usr/doc experienced as a whole. wink

And additionally, you have the same problem; What to put in this example? A local packet filter is friggin' superfluous until you have some sort of special setup already, and in that case generic examples wouldnt be of help anyway.

Let's face it, it's just an annoying waste of space for anyone who has the slightest clue of configuration, and merely a deterrent for everyone else. A deterrent to solving the underlying problems instead of tinkering with the symptoms. The phrase "Yeah, a firewall is a good thing!" falls often, but unfortunately it does not make sense without futher qualification. A "firewall", in the first place, describes a concept and additionally the methods of implementation needed to seperate networks according to specific rules. A packet filter, however, is NOT a firewall, it's a packet filter. Hence the name. It may be (and often is) part of a firewall, but note the little word "concept" in my defition. THIS is what makes your machine/network secure, not the packet filter, so if you need to supply anything with Arch to increase security, write a good howto about how to create a working security concept for a single machine connected to an untrusted network, and put it online. THAT would help.

Cool. A rant that's even staying on topic. smile

Greets,
  Dennis


"That's the problem with good advice. Nobody wants to hear it."
-- Dogbert

Offline

#37 2003-05-23 15:26:03

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

Gyroplast wrote:

A "firewall", in the first place, describes a concept and additionally the methods of implementation needed to seperate networks according to specific rules. A packet filter, however, is NOT a firewall, it's a packet filter. Hence the name. It may be (and often is) part of a firewall, but note the little word "concept" in my defition. THIS is what makes your machine/network secure, not the packet filter, so if you need to supply anything with Arch to increase security, write a good howto about how to create a working security concept for a single machine connected to an untrusted network, and put it online. THAT would help.

Cool. A rant that's even staying on topic. smile

Greets,
  Dennis

I know the difference between a firewall and a packetfilter. though generally when people are talking about a firewall people mean packetfilter. With a packetfilter you can stop a large part of the attacks of people checking if they can get in. most people just try it and are not qualified to improve whatever script they downloaded so a packetfilter will help securing a system in a lot of cases. If you want extreme security install lids and read their tutorial

Offline

#38 2003-05-24 12:36:34

Gyroplast
Member
From: Germany
Registered: 2002-09-03
Posts: 166
Website

Re: Securing archlinux scripts and help

generally when people are talking about a firewall people mean packetfilter

Yeah. And when people generally say TV they mean a computer monitor. It's not my problem that some people just don't grasp the most basic differences, and I surely won't adhere to this *cough*standard*cough* and make it worse that way. There are specific descriptive words, even in the english language, so please use them.

Anyhoo..

With a packetfilter you can stop a large part of the attacks of people checking if they can get in.

What now. An attack, or "checking whether one can get in"? There's a difference. "Checking" usually consists of broader portscans, and if there are any running services, banner probing. That's the common scriptkiddie stuff you're referring to, right? Now, pray tell, where is the problem with a script kiddie portscanning your machine if you don't have a local packet filter running? Of course you configured your machine correctly, so that simply nothing is bound to your ppp interface that you dont need.  Ergo, the scan will yield no results, as everything is already handled by your TCP stack just fine. If you do offer a public service (Apache, maybe, on a DynDNS host), you WANT people to find and use it, hence "preventing a portscan" is utterly pointless, even contra-productive. In the case of no running remote services, you already have a firewall (in the sense of a concept), but no packet filter whatsoever, and it is not needed, either. Attacks on publically available services are not prevented by a packet filter, as those services are by definition public. A kiddie exploit is a b0rken Content-Length header exploit, or an "evil" HELO string. That's nothing a packet filter on layer2/3 could prevent.

There simply are no "attacks" that a packet filter can help against in these scenarios. A portscan is no attack, not even a preparation of an attack. It's a probing of available, _public_ services. It's like looking at a list of vendors in a mall, and calling this a preparation of burglary. Of course it happens before an burglary, but preventing this does not improve security, but deteriorate service. Same goes for DROPping packets. It's the same principle, really. Security by Obscurity.

What is it that I'm unable to convey? What "attacks" are blocked by your packet filter that makes you sleep better at night? I simply cannot think of anything that would be a threat at all, and be helped against with a local packet filter. Help me. This is not (overly) sarcastic, I mean it. Give me a real world example where a packet filter makes more sense than a cleanly configured host. And don't tell me about "safeguard in case of unclean configurations". If you cannot bind your services correctly, you cannot create usable packet filtering rules, either. And if you need to learn one of both methods, learn the first one. It's easier and better.

And LIDS is indeed not a bad idea. Can prevent privilegue escalation after a remote exploit, but that's an entirely different scenario.

Best regards,
  Dennis


"That's the problem with good advice. Nobody wants to hear it."
-- Dogbert

Offline

#39 2003-05-24 17:28:11

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

I'll give you an example of what i mean.
person A finds a buffer overflow in apache
person B writes a script to test it and publishes it on the internet
person C downloads the script portscans both of us, indeed not an attack. he finds out we both have apache running and the exploit he downloaded should work on our versions.
person B built his script in such a way it will bind a shell on port 31337 or whatever port

you have no packetfilter running and person C connects to your port 31337 on my pc person C tries to connect but the port seems closed due to my packetfilter which doesn't allow new connections on port 31337.
person C won't adapt the script made by person B because he can't. so you become a public anon mailserver, or whatever, and i don't.
in this situation, the same way most scriptkiddies like person C operate, you are safe because of the packetfilter.
I know that if person B would have done this he probably would have adapted his code and could have disabled my firewall first but that is not the situation i am talking about.
It's people like person C that in general compromise computers. this large part can be stopped by a packerfilter, so a packet filter makes sense.
the packetfilter does not stop the attack but it stops person C from connecting to port 31337

Offline

#40 2003-05-24 18:33:01

Gyroplast
Member
From: Germany
Registered: 2002-09-03
Posts: 166
Website

Re: Securing archlinux scripts and help

Nickm wrote:

person B writes a script to test it and publishes it on the internet

If person C can find info on the exploit, I can as well, and therefore my apache is patched. To minimize actual damage in case of a break in (which can still happen of course, man race condition), my apache runs not only chrooted, but also with a more than useless user id, which makes gaining root access basically impossible for your version of person C. Where was your root exploit for Apache, again? Happening _before_ it binds to it's port and chuids to something less braindead? Wow, that's rare. smile

Moral: No, I will not allow any script kiddie to become root remotely on my box, simply because I have no daemons running as root, and all which are running are safely tucked away behind dedicated uids and chroots. The ptrace bug was a major problem, but that's been fixed soon enough.


"That's the problem with good advice. Nobody wants to hear it."
-- Dogbert

Offline

#41 2003-05-25 09:20:48

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

If someone has access to your box they can gain root rights in your case the most likely will have to break out of the chroot a thing scriptkiddies generlly can't do.
But if it wouldn't be running chrooted you know what can happen. there are a lot more local exploits then remote ones. but in your case you're indeed safer though my only point is a packetfilter does not hurt

If you'va some time left couldn't you then write a simple howto for setting up a chroot eg for apache and how to set it up the way it runs on your box

Offline

#42 2003-05-25 16:05:16

jlvsimoes
Member
From: portugal
Registered: 2002-12-23
Posts: 392
Website

Re: Securing archlinux scripts and help

there are plenty of howtos on the internet about setting up a chroot enviroment but before you go runnig to go and set one for your self read this and other documents like this one
http://www.bpfh.net/simes/computing/chroot-break.html
so the problem is not setting the chroot enviroment the main problem is make preventing other to escape from it security is a tho way street


-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GU/ d- s: a- C L U P+ L+++ E--- W+
N 0+ K- W-- !O !M V-- PS+ PE- V++ PGP T 5 Z+ R* TV+ B+
DI-- D- G-- e-- h! r++ z+ z*
------END GEEK CODE BLOCK------

Offline

#43 2003-05-26 11:45:55

Gyroplast
Member
From: Germany
Registered: 2002-09-03
Posts: 166
Website

Re: Securing archlinux scripts and help

You are changing the nature of person C when you are telling me that it is possible to break chroots when you're root, and even as a normal user if certain conditions are met, which are of course to be negated. A chrooted root shell simply deactivates the packet filter, removes the chroot, whatever. There's no point in securing a system against root, except for kernel-sided implementations like PBMAC or the BSD securelevels. Chroots in combination with sensible file system permissions can effectively prevent the breakout of a chroot and the usage of any binaries, native or selfcompiled, especially, but not exclusively for wannabe scriptkiddies, but also by seasoned crackers. If there IS no way, you cannot find one, no matter how good you are. wink

However, I guess we're getting carried away here. Of course you can additionally slap a packet filter on your machine, but it's not a must-have, and pretty much useless if your concept is feasible, and should therefore not be included in a linux distribution by default. That was our topic, and that's my opionion on it, adorned with my reasoning.

I suppose we're not exchanging news anymore, so may I suggest killing this thread?

Regards,
  Dennis


"That's the problem with good advice. Nobody wants to hear it."
-- Dogbert

Offline

#44 2003-05-26 15:13:11

Nickm
Member
From: Netherlands
Registered: 2003-02-25
Posts: 106

Re: Securing archlinux scripts and help

Thats Ok smile

Offline

Board footer

Powered by FluxBB