Ralph Shumaker wrote:
> James G. Sack (jim) wrote:
>> Perhaps this thread is a good place to echo a well-known security
>> mantra. Start with nothing allowed, then explicitly open up only those
>> capabilities you need.
>>
>> If you have no remote access (eg ssh, vnc, ftp, telnet(!),..) then you
>> don't need to worry about differentiating non-local from local users.
>
> Yes, not too many moons ago, I had a lot of activity on my DSL for no
> good reason. Eventually in the thread, someone mentioned sshd (possibly
> among other things). I discovered that I had it running (IIRC), and
> shut it down. Instantly, the Chinese IP address ceased its traffic on
> my eth0.
>
> But I have forgotten how to check for those things to see if they are
> running. Services maybe? I don't even see ftp in the services
> listing...
The services config tool (system-config-services in redhat, also avail from
the System > Administration > Server Settings > Services menu [eg, on my F7])
is a pretty decent gui tool, but I always like to look at the output of

  netstat -lnt
  netstat -lnu

to see what ports are in "listen mode" (open to connection) on what
interfaces. The 127.0.0.1 listeners are not accessible outside your own
machine, but the things showing your LAN ip address or "0.0.0.0" (any ipv4)
or ":::" (any ipv6) are open to connection from other computers on your
network.

Sometimes it's useful to leave off the -n (numeric) part of those commands
to see interface and port names. If you run those commands via sudo, try
adding the -p option as well, and that tells you the program doing the
listening on those open ports.

If, as most people are these days, you are connected to the internet
through a separate residential gateway box, then you only have to worry
about connection from other machines on your household net -- and about any
port-forwarded connections you might have set up in your gateway box. If
you connect directly to the internet, or via a cable modem or other device
that does not have a built-in firewall, then you would have to worry about
access from the whole internet.

I see from your email header that your ISP is probably dslextreme, so I
presume you have a DSL modem -- it probably has a built-in firewall, but
you might log in to its administrative interface and make sure you don't
have any unexpected port forwarding allowed.

A lot of people have NO other machines on a household network which sits
behind a protective gateway, so worrying about services and open ports is
mostly an academic exercise. OTOH, if we're talking about a laptop (which
you use outside your home network), then I would recommend assuming that
the security configured within the laptop is your only reliable friend.
If you have other machines in your home network, it is worth asking not
only whether you trust those machines (their users), but whether you trust
them to be safely configured and operated (hint: it's probably wise to not
trust any Windows machine).

> ..Son of a gun, sshd is running!!! I thought I took care of
> that. Well I just now did a stop, unchecked the checkbox, and saved.
> Hopefully, that takes care of that. I don't see telnet or vnc in the
> list either. Hmmm, how can I be sure... Wow, sometimes it can take a
> lot of trial and error in the man pages to find what you want (assuming
> this is even what I wanted):
>
> $ ls /etc/rc.d/rc5.d/
> K01apt             K71lirc            S08iptables         S28autofs
> K01NetworkManager  K72wpa_supplicant  S09isdn             S44acpid
> K01smartd          K73winbind         S10network          S50bluetooth
> K01smolt           K73ypbind          S11auditd           S56xinetd
> K05saslauthd       K74lm_sensors      S12restorecond      S58ntpd
> K09vdr             K74nscd            S13irqbalance       S80sendmail
> K10psacct          K76openvpn         S13rpcbind          S88nasd
> K15gpm             K84btseed          S14nfslock          S90ConsoleKit
> K15httpd           K84bttrack         S15mdmonitor        S90crond
> K20nfs             K85racoon          S18rpcidmapd        S95atd
> K24irda            K87multipathd      S19rpcgssd          S96avahi-daemon
> K25sshd            K89dund            S25fuse             S96readahead_later
> K35backuppc        K89netplugd        S25netfs            S97yum-updatesd
> K36lisa            K89pand            S25pcscd            S98cups
> K45arpwatch        K89rdisc           S26readahead_early  S98haldaemon
> K50netconsole      K91capi            S26rsyslog          S98wine
> K50snmpd           S05kudzu           S26udev-post        S99anacron
> K50snmptrapd       S06cpuspeed        S27messagebus       S99firstboot
> K69rpcsvcgssd      S08ip6tables       S27setroubleshoot   S99local
>
> I don't think my PC even has BlueTooth capability. Why is that daemon
> running?
>
> And ntpd, is that akin to ftp? Nope, false alarm. (That keeps my clock
> current.)
>
> I'm assuming that isdn is needed by my DSL?
>
> I don't know what half of those things are. Does anyone see anything I
> should be concerned about?
Those start-stop scripts may not always result in a service getting run --
sometimes they exit without doing anything other than checking to see that
they are not configured to run, or have no corresponding hardware to
manage.

The command

  /sbin/chkconfig --list

is another way to look at service configuration settings (on RH systems).

What may be more important than what is configured to run is what is
currently running -- and those programs are visible via a ps
(process-status) command, such as

  ps -ef

Which of these may be listening for incoming network connections is more
simply discovered by the netstat command(s) shown earlier.

>
>> Thus, your sudo question becomes simplified, I think. It's still good
>> you asked though, because it gave (Greg, I think) a good chance to
>> explain what those host fields are for.
>
> Good thing too. I was thoroughly confused about them (now, only
> moderately so).
>
>> And BTW, what do you want to allow your user to do, anyway? It did sound
>> like you trusted him/her implicitly, but didn't trust remote access
>> security mechanisms, or maybe didn't trust your users' ability to do
>> remote access securely?
>
> I would like him to be able to do lots of things, preferably everything
> that "su -" lets him do. Would that be a bad thing?
>
> rafael is me, so yes, I trust him implicitly (on most days anyway).

Heh, that's indeed what the sudoers file is supposed to make convenient. If
you are the administrator, then you have to be able to administer, eh?

> It's like you said just prior: I don't trust remote access security
> mechanisms because I don't _need_ to trust them. I never do remote
> access. I wish to set up remote access for myself to my friend's
> computer, but that is another thread.
>
> And finally, yes, you are correct. I don't trust rafael's ability to do
> remote access securely since he has never done it. If I'm going to
> learn that, I would prefer it be in an environment like an installfest.
That's a great idea!

Regards,
..jim

--
KPLUG-List@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
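The netstat check jim describes above (loopback-only listeners versus listeners on 0.0.0.0, :: or the LAN address, with -p under sudo to name the owning program), written out as a small shell script. This is an added example and not code from the thread or from any of the posters; the function names, the `--demo`/`--live` switches and the sample netstat listing are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original thread: classify the sockets that
# `netstat -lnt` / `netstat -lnu` (optionally with -p under sudo) report as
# listening, using the rule of thumb from the post: 127.0.0.1 / ::1 listeners
# are reachable only from this machine; 0.0.0.0, :: or a LAN address are open
# to other hosts. Function and variable names here are my own choices.

# Constructed sample of `sudo netstat -lntup` output (Linux net-tools layout),
# not captured from any real host; the PIDs and program names are made up.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 192.168.1.10:631        0.0.0.0:*               LISTEN      1555/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1600/avahi-daemon
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1456/ntpd'

# Read a netstat listing on stdin; print one line per listening socket:
#   <SCOPE> <proto> <local address:port> <pid/program or ?>
# SCOPE is LOOPBACK (127.0.0.1 or ::1), ANY (0.0.0.0, :: or * wildcard) or
# ADDR (bound to one specific non-loopback address, e.g. your LAN IP).
classify_listeners() {
    awk '
        /^Active Internet/ || /^Proto/ { next }   # netstat header lines
        NF < 5 { next }
        {
            proto = $1
            local = $4
            # Drop the trailing ":port". IPv6 addresses contain colons, so
            # only the last colon-delimited field is removed: ":::22" -> "::".
            addr = local
            sub(/:[^:]*$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1")
                scope = "LOOPBACK"
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                scope = "ANY"
            else
                scope = "ADDR"
            # With -p the last column is "PID/program" (or "-" when you are
            # not permitted to see it); without -p there is no such column.
            if ($NF ~ /^[0-9]+\// || $NF == "-")
                prog = $NF
            else
                prog = "?"
            print scope, proto, local, prog
        }
    '
}

# Only the sockets another machine could connect to.
reachable_listeners() {
    classify_listeners | grep -v '^LOOPBACK '
}

# Number of reachable listening sockets (0 is the "nothing allowed" ideal).
count_reachable() {
    reachable_listeners | grep -c .
}

# Run the same classification against the live system. -p needs root to name
# every owning process; netstat (net-tools) may be missing on newer distros.
audit_live() {
    command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; return 1; }
    netstat -lntup 2>/dev/null | classify_listeners
}

# Demonstration on the constructed sample; pass --live to inspect this host.
if [ "${1:-}" = "--live" ]; then
    audit_live
elif [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | reachable_listeners
fi
```

Running it with `--demo` prints the four sockets in the sample that another host could reach (sshd on both IPv4 and IPv6, cupsd on the LAN address, and avahi-daemon on 0.0.0.0); `sudo sh script.sh --live` does the same against the real machine, which is the quick version of the "is sshd really off?" check in the thread. The port is stripped by removing only the last colon-delimited field, which is what makes the `:::22` form netstat uses for IPv6 wildcards classify as ANY rather than as a specific address.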