Wednesday, January 27, 2010

How to protect your Linux? netstat and lsof

Netstat

netstat is a tool we use on the defensive side: it lists the sockets on the machine, both listening services and established connections. The options used here are -t (TCP), -u (UDP), -a (all sockets, including listening ones), -p (owning PID and program name, which needs root to see for other users' processes) and -e (extended output with the owning user and inode):

netstat -taupe | sort



# netstat -taupe | sort
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 192.168.0.12:36932 ey-in-f191.1e100.n:http ESTABLISHED toto 11436 4490/firefox-bin
tcp 0 0 192.168.0.1:netbios-ssn *:* LISTEN root 6851 3997/smbd
tcp 0 0 192.168.0.:microsoft-ds *:* LISTEN root 6850 3997/smbd
tcp 0 0 localhost:microsoft-ds *:* LISTEN root 6852 3997/smbd
tcp 0 0 localhost:netbios-ssn *:* LISTEN root 6853 3997/smbd
udp 0 0 *:bootpc *:* root 6576 3856/dhcpcd
udp 0 0 *:netbios-dgm *:* root 6875 4007/nmbd
udp 0 0 *:netbios-ns *:* root 6874 4007/nmbd
udp 0 0 192.168.0.12:netbios-ns *:* root 6878 4007/nmbd
udp 0 0 192.168.0.1:netbios-dgm *:* root 6879 4007/nmb


In my case, I saw that Firefox has an outgoing connection and that Samba (smbd and nmbd) and the DHCP client are listening. I use Samba only a little, so I prefer to stop it. It is better to stop services that you do not use, or use only sometimes, and start them by hand when you need them. Removing the service from the runlevel keeps it from coming back at the next boot; stopping it takes care of the running instance:


# rc-update del samba
 * 'samba' removed from the following runlevels: default
# /etc/init.d/samba stop
 * samba -> stop: smbd ...                                    [ ok ]
 * samba -> stop: nmbd ...



To have a safe system, a good approach is to stop unused services: an attacker enumerates the services a host exposes and attacks the ones with a known weakness, and a service that is not running cannot be reached over the network at all. Repeat the netstat check after stopping a service to confirm that its sockets are gone, and look at what remains with a critical eye: anything bound to 0.0.0.0 or to the LAN address is reachable from outside, while sockets bound to localhost only are reachable from the machine itself. On recent systems netstat is deprecated in favour of ss (ss -tulpne gives the same information).
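The triage described above, as an added example (this script is not part of the original post): it reads a netstat -taupe listing, keeps only the sockets that can be reached from the network, and flags any program that is not on an allowlist of services you expect on the host. The SAMPLE listing is constructed in the same layout as the post's output; the allowlist names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: triage a `netstat -taupe` listing and flag network-reachable
# services that are not on an allowlist. SAMPLE is a constructed listing in
# the same layout as the post, not a real capture.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 192.168.0.1:139         0.0.0.0:*               LISTEN      root       6851       3997/smbd
tcp        0      0 192.168.0.12:445        0.0.0.0:*               LISTEN      root       6850       3997/smbd
tcp        0      0 192.168.0.12:36932      74.125.77.191:80        ESTABLISHED toto       11436      4490/firefox-bin
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      root       6852       3997/smbd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           root       6576       3856/dhcpcd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           root       6874       4007/nmbd'

# Print "proto local-address user pid/program" for every socket that can be
# reached from the network: TCP in LISTEN state, or any bound UDP socket.
# Loopback-only binds are skipped because they are not remotely reachable.
# UDP rows have no State column, so user and program are taken from the end.
exposed_listeners() {
    awk 'NR > 2 {
        proto = $1; local = $4; prog = $NF; user = $(NF - 2)
        listening = (proto ~ /^tcp/ && $6 == "LISTEN") || proto ~ /^udp/
        if (!listening) next
        if (index(local, "127.") == 1 || index(local, "localhost:") == 1 || index(local, "::1:") == 1) next
        print proto, local, user, prog
    }'
}

# Compare the exposed programs against the services you expect on this host
# (space-separated program names). Anything else is a candidate to stop and
# remove from the runlevel, as was done for samba above.
flag_unexpected() {
    allow="$1"
    exposed_listeners | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { split($4, p, "/"); if (!(p[2] in ok)) print p[2] " (" $3 ") listens on " $1 " " $2 }
    ' | sort -u
}

# On a live host, replace the sample with:  netstat -taupe | flag_unexpected "sshd dhcpcd"
printf '%s\n' "$SAMPLE" | flag_unexpected "dhcpcd"
```

With only dhcpcd allowed, the sample yields three findings: nmbd on udp 0.0.0.0:137 and smbd on tcp 192.168.0.1:139 and 192.168.0.12:445. The smbd socket bound to 127.0.0.1:445 and the Firefox client connection are not reported, because neither is a service reachable from the network.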



lsof

lsof lists the files each process has open. Since sockets are files on Linux, lsof -i shows the network sockets; -P prints port numbers instead of service names (add -n as well to skip DNS lookups of the remote hosts, which is faster and avoids leaking your investigation through DNS queries). Cross-check its output against netstat: the PID, user and inode columns should agree, and a socket that netstat shows but lsof cannot attribute to a process deserves a closer look.



emerge sys-process/lsof

lsof -Pi | sort




# lsof -Pi | sort
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhcpcd 3856 root 7u IPv4 6576 0t0 UDP *:68
firefox-b 4490 toto 13u IPv4 11436 0t0 TCP 192.168.0.12:36932->ey-in-f191.1e100.net:80 (ESTABLISHED)
nmbd 4007 root 6u IPv4 6874 0t0 UDP *:137
nmbd 4007 root 7u IPv4 6875 0t0 UDP *:138
nmbd 4007 root 8u IPv4 6878 0t0 UDP 192.168.0.12:137
nmbd 4007 root 9u IPv4 6879 0t0 UDP 192.168.0.12:138
smbd 3997 root 19u IPv4 6850 0t0 TCP 192.168.0.12:445 (LISTEN)
smbd 3997 root 20u IPv4 6851 0t0 TCP 192.168.0.12:139 (LISTEN)
smbd 3997 root 21u IPv4 6852 0t0 TCP localhost:445 (LISTEN)
smbd 3997 root 22u IPv4 6853 0t0 TCP localhost:139 (LISTEN)



Wednesday, January 20, 2010

How to protect your Linux? Delete dangerous commands

Some tools are known to be insecure by design, for example rlogin, rsh and rcp. These r-commands send user names, passwords and session data in cleartext, and they authenticate remote hosts through the trust files /etc/hosts.equiv and ~/.rhosts, which an attacker who can spoof an address or write to a home directory can abuse to log in without a password. So you have to delete this package:

emerge -C net-misc/netkit-rsh

Replace these tools with ssh. The ftp package has the same problem: credentials and data travel in cleartext. It is better to use scp (cp over ssh) or sftp. After removing the package, check that no r-command trust files are left behind, since another r-command implementation installed later would honour them.
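The leftover check mentioned above, as an added example that is not part of the original post: it looks for /etc/hosts.equiv and every ~/.rhosts, reports which ones contain a "+" wildcard (trust any host), and lists any r-command binaries still on the PATH. The function takes an optional root directory so it can be exercised on a scratch tree; the file names it searches are the standard ones, and the list of binary names is an assumption about what the package installs.

```shell
#!/bin/sh
# Added example, not from the original post: audit r-command trust files and
# leftover binaries after removing netkit-rsh.

# Report hosts.equiv and .rhosts files under $1 (default: the real filesystem).
# A line starting with "+" ("+" or "+ +") grants access to any host, which is
# the classic misconfiguration; any other trust file is still worth reviewing.
rhosts_audit() {
    root="${1:-}"
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*+' "$f"; then
            echo "WILDCARD $f"
        else
            echo "PRESENT  $f"
        fi
    done
}

# List r-command client and server binaries still reachable through PATH.
# The names are the usual ones (assumption: your package may install others).
rcommand_binaries() {
    for b in rsh rlogin rcp rexec in.rshd in.rlogind; do
        command -v "$b" 2>/dev/null
    done
    return 0
}

rhosts_audit
rcommand_binaries
```

Run it as root so that every home directory is readable; a WILDCARD line means anyone who can reach the r-services port can log in as that user, and a PRESENT line means the file should be deleted along with the package.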

Wednesday, January 13, 2010

How to protect your Linux? Passwords

Goal: In this article, we will check that your password hashes are stored in the right file, and then we will test the strength of your passwords.


Step 1: Make sure your password hashes are in the correct file

If you open /etc/passwd, the entries should look like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
toto:x:500:100::/home/damitux:/bin/bash



The "x" confirms that the hashes are in another file, /etc/shadow, which only root can read. If instead of "x" you see a hash string, /etc/passwd is world-readable, so every local user can copy the hashes and crack them offline; run pwconv to move them into /etc/shadow. An empty second field is worse still: that account can log in with no password at all.


Note: the format of this file is username:password:UID:GID:GECOS (full name or comment):home_directory:shell


It is /etc/shadow that contains the password hashes:

root:$6$/oxwgEtd$8qxL1XfoR5QW7xtduZyaopknIV6ETEBj5fDvGjdPvDO3TYlTRQOQkYvWrJoiPtyjYfYYkgLyJHpT6oq0nAvef.:14583:0:::::
bin:!!:9797:0:::::
daemon:!!:9797:0:::::
toto:$1$u1fuA5jK$wZFULlHT/Sd8FhBv9GZhi1:14213:0:::::0



You can see several fields (user name, hash, date of the last change in days since 1970-01-01, minimum and maximum password age, warning period, inactivity period, expiration date), but only two interest us here:
- The first field contains the user name.
- The second contains the password hash. An empty field means no password is required to log in; a field starting with "!" or "*" (as for bin and daemon above) means the account is locked and cannot log in with a password.


You can note that the hash begins with $digit$. This prefix says which hashing algorithm was used (it is hashing, not encryption: the password cannot be recovered from the hash, only guessed and checked):

SHA-512 == $6$

MD5 == $1$

SHA-256 == $5$

Newer systems also use $2a$, $2b$ or $2y$ (bcrypt) and $y$ (yescrypt). A 13-character field with no $ at all is the old DES crypt, limited to 8 significant characters. Prefer $6$ or better: MD5 crypt and DES are cheap enough to compute that an attacker can test far more guesses per second. The algorithm for new passwords is chosen by ENCRYPT_METHOD in /etc/login.defs, and an account keeps its old hash type until the password is changed, so after switching the setting force a password change for accounts still on $1$.



Step 2: Check password strength

To test your passwords, you can use John the Ripper. unshadow merges /etc/passwd and /etc/shadow into the format john expects, a plain run of john does the cracking, and --show prints what it has recovered so far:


emerge app-crypt/johntheripper

unshadow /etc/passwd /etc/shadow > testpwdmd5

john testpwdmd5

john --show testpwdmd5

The merged file contains every hash on the system, so create it as root with restrictive permissions (umask 077) and delete it, together with john's own ~/.john/john.pot, once you are done.



Note:
- Press Enter while john runs to see what it is doing (current candidate and guess rate).
- When it finishes, it prints each user and password it found.
- It will not attack the root hash, because root's hash is $6$ SHA-512 and the stock john of the time did not support it; check the John the Ripper web site for patches. Later releases and the community "jumbo" build do handle sha512crypt, so with a current version root's password is tested as well.
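Step 1 and the algorithm check from Step 2, as one added example that is not part of the original post: the first function prints every /etc/passwd account whose second field is not "x" (hash exposed, or no password), and the second classifies each /etc/shadow entry by its prefix and flags the weak and empty ones. The two sample files are constructed excerpts (root's and toto's hashes are the ones shown above; the other accounts are invented for the demonstration).

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/passwd and /etc/shadow.
# PASSWD_SAMPLE and SHADOW_SAMPLE are constructed excerpts; on a live host
# pipe the real files in as root instead.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
legacy:$1$u1fuA5jK$wZFULlHT/Sd8FhBv9GZhi1:501:100::/home/legacy:/bin/bash
toto:x:500:100::/home/toto:/bin/bash'

SHADOW_SAMPLE='root:$6$/oxwgEtd$8qxL1XfoR5QW7xtduZyaopknIV6ETEBj5fDvGjdPvDO3TYlTRQOQkYvWrJoiPtyjYfYYkgLyJHpT6oq0nAvef.:14583:0:99999:7:::
bin:!!:9797:0:99999:7:::
toto:$1$u1fuA5jK$wZFULlHT/Sd8FhBv9GZhi1:14213:0:99999:7:::
guest::14213:0:99999:7:::'

# Step 1: /etc/passwd is world-readable, so any account whose second field is
# not "x" has its hash (or the absence of a password) exposed; fix with pwconv.
passwd_not_shadowed() {
    awk -F: '$2 != "x" { print $1 }'
}

# Step 2 pre-check: classify each /etc/shadow entry by its hash prefix.
# Empty = login with no password; "!"/"*" = locked; $1$ and 13-char DES are
# weak and should be rehashed (ENCRYPT_METHOD SHA512 in /etc/login.defs,
# then force a password change for the affected accounts).
shadow_audit() {
    awk -F: '{
        h = $2; verdict = "unknown hash format"
        if (h == "")                                  verdict = "EMPTY: no password required"
        else if (substr(h, 1, 1) == "!" || substr(h, 1, 1) == "*")
                                                      verdict = "locked"
        else if (substr(h, 1, 3) == "$6$")            verdict = "sha512crypt"
        else if (substr(h, 1, 3) == "$5$")            verdict = "sha256crypt"
        else if (substr(h, 1, 3) == "$y$")            verdict = "yescrypt"
        else if (substr(h, 1, 2) == "$2" && substr(h, 4, 1) == "$")
                                                      verdict = "bcrypt"
        else if (substr(h, 1, 3) == "$1$")            verdict = "WEAK: md5crypt"
        else if (length(h) == 13 && index(h, "$") == 0)
                                                      verdict = "WEAK: DES crypt"
        print $1, verdict
    }'
}

# On a live host:  passwd_not_shadowed < /etc/passwd ; shadow_audit < /etc/shadow
printf '%s\n' "$PASSWD_SAMPLE" | passwd_not_shadowed
printf '%s\n' "$SHADOW_SAMPLE" | shadow_audit
```

On the samples this reports legacy as not shadowed, root as sha512crypt, bin as locked, toto as WEAK (md5crypt) and guest as EMPTY. Run it before john: the EMPTY and WEAK accounts are the ones to fix first, whatever john finds.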

How to protect your Linux?

The goal of these articles is to teach you what you have to do to protect your Linux. In these articles we will answer questions like:

- What can i check to be sure that my system is safe ?
- Which are services running ? Is that normal ?
- Is there someone on my computer ?
- ...

Thursday, January 7, 2010

Happy New Year

This year we will look at Gentoo optimisation, KDE4, Gentoo security, tips and many other things ...

Happy New Year and happy Gentoo!