Hacking and more...
HaCkinG CulT
Lista Forumurilor Pe Tematici
Hacking and more... | Reguli | Inregistrare | Login

POZE HACKING AND MORE...

Nu sunteti logat.
Nou pe simpatie:
Popa Bianca pe Simpatie.ro
Femeie
24 ani
Valcea
cauta Barbat
25 - 63 ani
Hacking and more... / n00bs / They Can't Crack What They Can't Find Moderat de Shocker
Autor
Mesaj Pagini: 1
zbeng
Junior+

Inregistrat: acum 18 ani
Postari: 43
SCZ CAI IN ENGLEZA DA MI SA PARUT INTERESANT

The Internet today is a jungle full of predators. Some of these predators are trying to crack your machine others are just looking for a machine to crack. By using the firewalling tools built into the Linux kernel it is possible to make a desktop machine virtually disappear from the crackers view.



In this article I will describe how to hide a machine running Linux that uses PPP over a modem to connect to the Internet. I will use ipchains and the firewalling built into the Linux kernel to protect the services that are running on this machine from connections across the PPP interface.



For this example, I will use a Debian system with a 2.2.15 Linux kernel on a Debian system. You should note that the firewalling code in the 2.4 Kernel has undergone a rewrite, but that the examples in this article will still work by loading the ipchains compatibility module.



We begin right after you have installed Linux on your machine and before you have connected to the Internet. Any connections to the Internet could leave your machine compromised so it is important to secure your machine before you connect for the first time.



After the install you should turn off all of the services and daemons that you do not need. Each service that is running is one more that could be vulnerable and will require monitoring for security advisories and updating as new versions are released. To find where to turn off these services look at what inetd is providing and then look at what daemons the sysV init processes starts.



The file /etc/inetd.conf controls what daemons are started by inetd. Open this file in vi or your favorite editor and comment out all the lines that you do not need by adding a # to the start of the line. I usually turn off all of the things such as echo, chargen, cenzurat, talk, rsh [ echipa lameri ], rexec, etc. If I am not going to need them I will also turn off FTP and telnet. If you end up turning all of the services off then we can turn off inetd itself in the next step.



Example (/etc/inetd.conf):



Before:

echo stream tcp nowait root internal
echo dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal

After:

#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal

If you still have services being started by inetd then restart inetd. You can do this by using ps to see what the Process ID (PID) is for inetd and then sending it a HUP signal with the kill command. This will cause it to re-read it's configuration file.

# ps axwww |grep inetd
345 ? S 0:00 /usr/sbin/inetd
535 pts/1 S 0:00 grep inetd

# kill -HUP 345
Then look at the SysV init system to see what daemons you do not need. One of the easiest ways to do this is to use ksysv. Ksysv is a graphical manager for the SysV run levels written in tk by Peter Putzer.

If for some reason you can not use this then look inside your /etc directory for a group of directories named /etc/rc1.d /etc/rc2.d etc. The rc2.d directorie on the example machine looks like this:

$ ls /etc/rc2.d/

S01ipchains S19nfs-common S20inetd S20makedev S89atd
S10sysklogd S20alsa S20linuxconf S20nfs-kernel-server S89cron
S14ppp S20dictd S20logoutd S20xfs S91apache
S18portmap S20gpm S20lpd S20xfstt S99rmnologin

To prevent a daemon from starting, look for a file in these directories that starts with an S and remove it. For example if we wanted to turn off inetd we would find all of the startup files for inetd and then remove them:

# ls /etc/rc*.d/S*inetd

/etc/rc2.d/S20inetd /etc/rc4.d/S20inetd
/etc/rc3.d/S20inetd /etc/rc5.d/S20inetd
# rm /etc/rc*.d/S*inetd
Once you have reached this point reboot your machine to test the startup scripts. Then use the ps command to see what you have running and use the netstat command to see what ports are open on your network.

# netstat -ln

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7101 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2628 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:928 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:926 0.0.0.0:*
udp 0 0 0.0.0.0:1024 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 0 [ ACC ] STREAM LISTENING 213
/tmp/.font-unix/fs7100
unix 0 [ ACC ] STREAM LISTENING 171 /dev/log
unix 0 [ ACC ] STREAM LISTENING 275
/tmp/.X11-unix/X0
unix 0 [ ACC ] STREAM LISTENING 200 /dev/gpmctl
unix 0 [ ACC ] STREAM LISTENING 208 /dev/printer
unix 0 [ ACC ] STREAM LISTENING 224 fs7101

In this example we see at the top the list of TCP and UDP ports that are open. The Active UNIX domain sockets are not listening on the network so we can ignore them.



Once you have all the unneeded daemons turned off and have things the way you want them we can set up our firewall rules using ipchains.



The ipchains program allows you to control the IP firewall rules in the Linux kernel. It seems much more complicated than it is. In this article I am going to keep things very simple. If you would like to learn more details about ipchains or look at some more complicated examples then take a look at the How To.



A simple rule to firewall a TCP port from any connection on the ppp0 interface uses something like the following command replacing $portnumber with the portnumber you want to firewall. It does not matter that the ppp0 interface is not up when you set up the firewall rules. When the interface does come up the rules will be applied.

ipchains -A input -i ppp0 -p TCP -d 0.0.0.0/0 $portnumber -j DENY
For UDP change the -p TCP to -p UDP.

ipchains -A input -i ppp0 -p UDP -d 0.0.0.0/0 $portnumber -j DENY
To see what rules are defined by using ipchains -L. To suppress DNS and port name lookups use a -n.

This is the output of ipchains -L -n on my example machine.

# ipchains -L -n

Chain input (policy ACCEPT):
target prot opt source destination ports
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 80
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 111
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 515
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 928
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 2628
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6000
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 7101
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 6
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 111
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 926
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 1024
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

One more needed ipchains option is used to flush a chain -F. To remove all of the rules on the example machine we would use 'ipchains -F input'.



To save your rules for the next time you boot use the ipchains-save program and save the output into /etc/ipchains.rules.

# ipchains-save > /etc/ipchains.rules
When you boot you will restore the rules with ipchains-restore. The following script is from the how to you can place it in /etc/init.d and then set it up to run by placing a link to the script in the run level of your choice.

#! /bin/sh
# Script to control packet filtering.

# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
start)
echo -n "Turning on packet filtering:"
/sbin/ipchains-restore < /etc/ipchains.rules || exit 1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "."
;;
stop)
echo -n "Turning off packet filtering:"
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
echo "."
;;
*)
echo "Usage: /etc/init.d/packetfilter {start|stop}"
exit 1
;;
esac

exit 0
When your rules are set up the way you want them you should check them with a port scanner such as nmap. If you do not have a machine on the net that you can scan your PPP connection from then you can apply the same rules to the lo (local) interface. Just make sure you do not save the rules with ipchains-save or you may find some things not working.



This is an example of scanning using nmap without any firewall rules in place:

# nmap hostname

Starting nmap V. 2.53 by ( )
Interesting ports on hostname (10.0.0.1):
(The 1517 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
111/tcp open sunrpc
515/tcp open printer
928/tcp open unknown
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
What it looks like when we scan with the firewall rules in place:

# nmap hostname

Starting nmap V. 2.53 by ( )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
We can however still ping the machine. Ping uses icmp echo which we have not firewalled. We can turn off responding to icmp echos with an ipchains rule or by doing 'echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all'. However even that will not make us invisible. There is more than one kind of icmp packet. An example of this is that tools such as icmpush can be used to "ping" using other icmp types such as Time Stamp Request.

# ping hostname
PING hostname (10.0.0.0): 56 data bytes

--- hostname ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss

# ./icmpush -tstamp hostname
hostname -> 18:11:22
Turning off icmp_echo does go a long way towards making us invisible but we can firewall more icmp types using ipchains. We can also use ipchains to insure that icmp packets will never be returned by our machine.

ipchains -A output -i ppp0 -p icmp -j DENY
The downside to doing this is that you will not be able to ping other systems as the firewall rule will stop all outgoing icmp packets not just replies to packets from the outside.



We do not want to filter all incoming icmp packets because if we do then we will not get host-unreachable and no-route-to-host messages and all of our connections will just wait for a reply that never comes. We could write a more complicated set of rules that blocks the icmp packets with more care, but for this example we will not.



By restricting what connections we allow on our exposed interfaces we restrict what we expose to the world. This can have some advantages in preventing people from finding or exploiting services that we need to run but do not need to share with the Internet.

© 20005-2009 ZBENG


Using ipchains can get very complicated but it does not need to be used in a complicated way to allow a significant amount of protection for your machine from a system Cracker's probes and a Script Kiddie's scans.


pus acum 18 ani
   
BaTuSaY
Little Kevin

Din: brasov
Inregistrat: acum 18 ani
Postari: 71
numai in linux kernel e valabila?am auzit k e mai bun ubuntu

_______________________________________
<a href="http://www.danasoft.com"><img src="http://www.danasoft.com/sig/Sociopatie.jpg" border="0"></a><div style="font-family:arial,sans-serif;font-size:11px;"><p>Sign by Dealighted - <a href="http://www.dealighted.com">Coupon Codes</a></p></div>

pus acum 18 ani
   
ystenly
Old School Member

Inregistrat: acum 18 ani
Postari: 410
...e mai usor ubuntu, nu mai "bun"...

_______________________________________
I am not as stupid as I look...

pus acum 18 ani
   
BaTuSaY
Little Kevin

Din: brasov
Inregistrat: acum 18 ani
Postari: 71
spui asta k folosesti kernel?

_______________________________________
<a href="http://www.danasoft.com"><img src="http://www.danasoft.com/sig/Sociopatie.jpg" border="0"></a><div style="font-family:arial,sans-serif;font-size:11px;"><p>Sign by Dealighted - <a href="http://www.dealighted.com">Coupon Codes</a></p></div>

pus acum 17 ani
   
Pagini: 1  

Mergi la