Secure your desktop PC

From FedoraNEWS.ORG

Written by Anze Vidmar on 2005-08-25


What is this all about and why do I need to read it?

This is a guide to sleeping soundly while your desktop PC is online 24/7, knowing it is reasonably well secured.

In this article I'll show you the basics of what to keep in mind when your desktop PC is hooked up 24/7, and how to use tcpwrappers rather than iptables. Why?

Security is a must these days. Many desktop users need their box for basic work; they want it set up as fast as possible and have neither the time nor the need to learn iptables well. That's why this article was born. It takes you through some simple steps for securing the running network services you need, without using iptables. Instead we'll use tcpwrappers: the /etc/hosts.allow and /etc/hosts.deny files that every daemon linked against libwrap (or started through xinetd) consults before accepting a connection. Keep in mind that this only covers daemons that honour those files; a packet filter covers everything.

The scenario

I have a desktop PC at home that is hooked up to cable internet. I run ssh, file, web and ftp servers on it 24/7 so I can share some stuff with friends inside and outside my LAN.

I also like to read LogWatch every day, which is why I have the sendmail service turned on too. So we're actually dealing with ssh, file, web, mail and ftp services.

Now let's secure these services quickly and with as little effort as possible.


First step: Disable services that you don't need


I won't be re-inventing the wheel here by explaining what each service is for; instead you can read all about services in [this (http://fedoranews.org/mediawiki/index.php/Which_Services_Can_I_Disable%3F)] fine article.

Let's get started by disabling all the services we don't need, so that we end up running only these:

  • Running network services:
    • smbd
    • sendmail
    • sshd
    • vsftpd
    • httpd


Note that these are network-related services only, so don't be confused that crond, syslog and similar services aren't in the list; they stay on, they just don't listen on the network.

Second step: Secure services that you DO need


Next, it's time to secure our services so that no one except the computers (hosts) we choose can connect to our box.

smbd:


Since I use samba only to provide shares to my home LAN, the best way to restrict which computers can reach your shared resources is Samba's built-in host-based access control. Add the following two lines to the [global] section of your smb.conf:

hosts allow = <something>
hosts deny = <something>

For example:

hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24
hosts deny = 0.0.0.0/0

The above allows SMB connections only from 'localhost' (your own computer) and from the two private networks 192.168.1.0/24 and 192.168.2.0/24. Any other client is refused as soon as it sends its first packet; on the client side the refusal shows up as a 'not listening on called name' error. Two things to know: hosts allow takes precedence over hosts deny, so a host matching both lists is let in; and the check happens inside smbd, so ports 139 and 445 still show as open from outside. You can verify what the two lines decide for a given client with testparm, e.g. testparm /etc/samba/smb.conf somehost 222.11.33.7, which reports whether that host would be allowed. The change takes effect once smb is restarted.

sendmail:


With Fedora's default configuration it is safe to run sendmail. By 'safe' I mean that nobody from the outside can connect to your port 25, even though the port is open while sendmail runs. Why? Because of this default in sendmail.mc:

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

If you do want to accept connections on port 25 from outside (in case you run a real mail server), comment that line out by putting "dnl" in front of it (dnl stands for Delete until New Line and is m4's comment marker), regenerate sendmail.cf with make -C /etc/mail (this needs the sendmail-cf package) and restart sendmail. With the default left in place the port still shows up in a scan run on the box itself, as in the nmap output below, but not from any other host.

ssh:


There are two things we'll set up in this section. The first is to change the port sshd listens on. Why? Because it gets rid of the bulk of automated attacks (first-hand, verified information: on the author's box about 99% of them). Attackers typically start by scanning your box for open ports, and with ssh somewhere above 50000 most quick scans never get that far; port 22 is simply too obvious. Be clear about what this buys you, though: it cuts the noise, it does not stop anyone who scans all 65535 ports, so the host restrictions later in this section are the actual access control.

Here is a standard nmap run against localhost (you won't see the ssh port):

[anze@kiwi ~]$ nmap localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-25 12:05 CEST
Interesting ports on sataras.home.local (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

...and it's magic time, scanning the whole range up to 60000:

[anze@kiwi ~]$ nmap -p 1-60000 localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-25 12:05 CEST
Interesting ports on sataras.home.local (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
58349/tcp open  unknown

See my point? nmap's default scan only covers its list of well-known ports (1660 of them in this version); a port up in the 50000s only turns up when the scanner is told to cover the full range, as with -p 1-60000 here or -p 1-65535 for everything.
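A scan of localhost also cannot tell you which address a service is bound to: 25/tcp shows as open above although sendmail only listens on 127.0.0.1, and a scan from another host would not see it. The script below is an added example, not part of the original article: a POSIX shell audit that reads netstat -tln output and lists the TCP listeners reachable from other hosts (anything not bound to loopback), then compares them against the ports you intend to expose. The netstat sample is constructed to resemble this box after the ssh and sendmail changes; the expected-port list is an assumption.

```shell
#!/bin/sh
# Constructed sample of `netstat -tln` output (assumption: the article's box with
# sendmail on loopback only and sshd moved to 58349). On a real machine run:
#   unexpected_ports "$(netstat -tln)" "80 443 58349"
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:58349           0.0.0.0:*               LISTEN'

# exposed_ports "NETSTAT OUTPUT"
# Prints, one per line and numerically sorted, the ports of IPv4 TCP listeners
# that are bound to something other than the loopback address. Only "tcp" lines
# are considered, so IPv6 ("tcp6") listeners are deliberately left out here.
exposed_ports() {
  printf '%s\n' "$1" | awk '
    $1 == "tcp" && $NF == "LISTEN" {
      n = split($4, a, ":")          # "0.0.0.0:111" -> address and port
      addr = a[1]; port = a[n]
      if (addr != "127.0.0.1") print port
    }' | sort -n
}

# unexpected_ports "NETSTAT OUTPUT" "PORT PORT ..."
# Prints every exposed port that is not in the space-separated list of ports
# you meant to leave reachable from the network.
unexpected_ports() {
  for p in $(exposed_ports "$1"); do
    case " $2 " in
      *" $p "*) ;;                   # expected to be reachable
      *) echo "$p" ;;
    esac
  done
}

# Demo: only httpd (80, 443) and the relocated sshd are meant to be reachable.
echo "Listening ports reachable from the network but not in the expected list:"
unexpected_ports "$NETSTAT_SAMPLE" "80 443 58349"
```

On the sample this reports 111, 139 and 445: samba's hosts allow refuses foreign clients but leaves its ports open, and portmap on 111 is reachable although it is not in the list of services we decided to keep, so it should either be turned off or covered by the tcpwrappers rules in the next sections.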


So let's configure our ssh server to listen on port 58349. Change the Port line in /etc/ssh/sshd_config to:

Port 58349

In the next step we'll define which hosts are permitted to connect to our ssh server.

For example, say we want to connect to our box from work, where the public IP range is 222.11.33.0/24, and we also want to give ssh access to a friend with the static IP 200.20.39.40. So we configure tcpwrappers to allow only these addresses and deny all others. This is done by editing /etc/hosts.deny to deny all hosts:

sshd: ALL

...except the hosts listed in /etc/hosts.allow (hosts.allow is consulted first and a match there wins; a trailing dot, as in 222.11.33., matches every address in that network; and the daemon name is the process name, sshd, so the rule is unaffected by the port change):

sshd: 222.11.33., 200.20.39.40

Note: it's a better solution to put the line below in your hosts.deny file rather than denying each service separately. Keep in mind that it then blocks every service that honours tcpwrappers, not only the ones you listed (Fedora's portmap is one; you can check any daemon with ldd /usr/sbin/sshd | grep libwrap), so each such service you still need gets its own hosts.allow line, e.g. ALL: 127.0.0.1 for connections from the box itself. You can check what the two files decide for a given client with tcpdmatch, e.g. tcpdmatch sshd 200.20.39.40.

ALL: ALL


That's it. If you try to connect from any other IP, the connection is closed at once.

Now for the part about which users are allowed to log in to a shell through ssh.

First, set a few basic but very important options in /etc/ssh/sshd_config:

PermitRootLogin no

The option PermitRootLogin specifies whether root can log in using ssh. Never set it to yes; log in as a normal user and become root afterwards.

AllowUsers anze dasa raul pablo

The option AllowUsers controls which users may log in through ssh: once it is set, every account not listed is refused. Multiple users are separated by spaces. Restart sshd after editing sshd_config and, before you close the session you are working in, confirm from a second terminal that your own account still gets in on the new port.

vsftpd:


Let's use the same hosts example as for ssh: we want the same people (hosts) to have access to our ftp server. vsftpd consults hosts.allow and hosts.deny itself, provided its vsftpd.conf has tcp_wrappers=YES (Fedora's default file does; check that the line is there). Configure tcpwrappers to:

Deny all hosts by default in /etc/hosts.deny (already covered if you have ALL: ALL there):

vsftpd: ALL

...and allow 222.11.33.x and 200.20.39.40 in /etc/hosts.allow:

vsftpd: 222.11.33., 200.20.39.40
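To see how tcpd decides for a given client, here is an added example, not part of the original article: a small POSIX shell re-implementation of the hosts.allow / hosts.deny lookup, loaded with the sshd and vsftpd rules from the two sections above plus an ALL: 127.0.0.1 line and the blanket ALL: ALL in hosts.deny (both assumptions, as is the portmap probe that shows what ALL: ALL does to a wrapped service you forgot to list). On a real box the equivalent check is tcpdmatch sshd 200.20.39.40.

```shell
#!/bin/sh
# Constructed rule sets (assumption: the article's rules, plus ALL: 127.0.0.1).
ALLOW_RULES='sshd: 222.11.33., 200.20.39.40
vsftpd: 222.11.33., 200.20.39.40
ALL: 127.0.0.1'
DENY_RULES='ALL: ALL'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
  printf '%s\n' "$1" | {
    IFS=. read -r o1 o2 o3 o4
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
  }
}

# match_pattern PATTERN IP -> exit 0 if the client pattern matches the address.
# Handles the address forms from hosts_access(5): ALL, an exact address, a
# trailing-dot network prefix ("222.11.33."), and net/mask
# ("192.168.1.0/255.255.255.0"). Hostnames and EXCEPT clauses are not handled.
match_pattern() {
  pat=$1; ip=$2
  case "$pat" in
    ALL)  return 0 ;;
    *.)   case "$ip" in "$pat"*) return 0 ;; esac ;;
    */*)  net=${pat%/*}; mask=${pat#*/}
          m=$(ip_to_int "$mask")
          if [ $(( $(ip_to_int "$ip") & m )) -eq $(( $(ip_to_int "$net") & m )) ]; then
            return 0
          fi ;;
    *)    if [ "$pat" = "$ip" ]; then return 0; fi ;;
  esac
  return 1
}

# rule_matches "daemon_list : client_list" DAEMON IP -> exit 0 if the rule applies
rule_matches() {
  daemons=${1%%:*}; clients=${1#*:}
  hit=1
  for d in $(printf '%s\n' "$daemons" | tr ',' ' '); do
    if [ "$d" = ALL ] || [ "$d" = "$2" ]; then hit=0; fi
  done
  if [ $hit -ne 0 ]; then return 1; fi
  for c in $(printf '%s\n' "$clients" | tr ',' ' '); do
    if match_pattern "$c" "$3"; then return 0; fi
  done
  return 1
}

# first_match "RULES" DAEMON IP -> prints the first matching rule line, if any
first_match() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if rule_matches "$line" "$2" "$3"; then printf '%s\n' "$line"; break; fi
  done
}

# wrap_decide DAEMON IP -> prints "allow" or "deny", in tcpd's order:
# hosts.allow is searched first and a match grants access; otherwise hosts.deny
# is searched and a match refuses it; a client matching neither file is allowed.
wrap_decide() {
  if [ -n "$(first_match "$ALLOW_RULES" "$1" "$2")" ]; then
    echo allow
  elif [ -n "$(first_match "$DENY_RULES" "$1" "$2")" ]; then
    echo deny
  else
    echo allow
  fi
}

# Demo probes: work network, the friend, a stranger, a local ftp client, and a
# LAN host reaching portmap (wrapped, but not listed in hosts.allow).
for probe in "sshd 222.11.33.7" "sshd 200.20.39.40" "sshd 10.0.0.5" \
             "vsftpd 127.0.0.1" "portmap 192.168.1.9"; do
  set -- $probe
  echo "$1 from $2: $(wrap_decide "$1" "$2")"
done
```

The last probe is the point of the ALL: ALL note: once hosts.deny refuses everything, a wrapped daemon you never mentioned in hosts.allow (portmap here) is closed to your own LAN as well, and without any deny line at all a client matching nothing is simply let in.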

User permissions:

If you don't want anonymous logins, make sure your vsftpd.conf contains the following line (with no spaces around the '=', vsftpd treats those as an error):

anonymous_enable=NO

When it is enabled, both the usernames ftp and anonymous are accepted as anonymous logins.


Next, the list of local users who must not log in over ftp even though they have accounts on the box and could otherwise reach the server. Those users are listed, one name per line, in:

/etc/vsftpd.ftpusers

Fedora's copy already lists root and the system accounts; leave those in and add your own.


httpd:


Oh come on, what did you expect? That's why it's called World Wide Web ;-) One caveat: httpd is not linked against libwrap, so nothing in hosts.allow or hosts.deny applies to it. If you ever do want to restrict it, that's done in httpd.conf with Apache's own Order, Deny from and Allow from directives.
