++++++++++++++++++++++++++++++
+ Stopping the Scriptkiddies +
++++++++++++++++++++++++++++++
+ by POOL +
+++++++++++
--"My terminal is
My soul"
Version 1.00 (Wed Aug 29 20:17:58 CEST 2001)
===================================================================================================
Contents
========
0x00 Disclaimer
0x01 Introduction
0x02 First things first
0x03 Remote security
0x04 Local security
0x05 Common backdoors
0x06 Windows
0x07 Patches
0x08 Conclusion
0x09 Final words
0x10 Copyright
0x00 Disclaimer
===============
I am NOT responsible for actions or damage caused by this document, if you get into trouble: blame yourself, not me.
0x01 Introduction
=================
In the past few months I noticed there were a lot of defacements (actually, too many), and a lot of hosts/networks were the target of DoS attacks. I don't understand why so many network administrators don't take the time to have a look at their security; it isn't very hard to install at least a few patches and stop running services they don't need. Yes, I know this won't stop attackers who are dedicated to hacking you, but stupid scriptkiddies (as most of them are) will give up and try another box. I will focus on Linux security, but most topics in this paper also apply to other UNIX variants. You'll find some words about Windows too. This paper won't make you a security expert, nor a good system administrator; it only provides the basic knowledge needed to stop scriptkiddies from defacing sites and shutting down complete networks. Oh, and please don't mind my sloppy English (I'm Dutch)..
Have fun 8)
--POOL [systm@exploder.nl]
0x02 First things first
=======================
I recommend you start securing your box(es) right after a clean install, because it's possible someone already compromised you and placed one or more backdoors. So I suggest you back up all important data and reinstall the operating system (if this is possible). Keep in mind that the more minimal the installation, the more secure your system will be; for example, don't install a web browser if you don't need it. Just install the standard stuff, and only install software you are sure you will use. Always check whether the software is vulnerable or contains known bugs. Upgrade the installed software only when there is a security reason to.
0x03 Remote security
====================
Most compromises occur due to vulnerable daemons (like wu-ftpd or lpd). In this section I will show you how to shut down daemons you don't really need, and how to build a firewall rule-set.
First, portscan yourself: nmap -sT -sU -e eth0 -p 1-65535 localhost
(in this example I use nmap (network mapper), which you can grab from www.insecure.org/nmap)
-sT = TCP connect() scan
-sU = UDP scan
-p = specify portrange
-e = specify interface
It's important to note that you should scan each interface.
[*] Closing unneeded daemons
Have a look at your /etc/inetd.conf file; in this config file you specify which daemons are started by inetd (type "man 8 inetd" (without the quotes) for more information). To close a daemon, just comment out its line (put a "#" (without the quotes) at the beginning of the line). Oh, and don't comment telnet out if you're connected to the box via telnet (that could be very frustrating).. ;-)
Here's an example:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
change
ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a
to
#ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Apply this to all daemons you don't need. To make the changes take effect, restart inetd:
/sbin/init.d/inetd restart [I use Linux SuSE 7.0 and SuSE 7.1; in other distros the inetd script may be located in /etc/init.d]
or by hand:
kill -HUP <pid>
To obtain the pid (process ID) of inetd, just run "ps -aux" (without the quotes) as root and look at the inetd line.
Portscan yourself again (or simply do a "netstat -an"), and check if it's OK :-)
Note: Some daemons are started from other config files rather than from inetd.conf. To find these config files, just type these commands (the glob is quoted so the shell doesn't expand it before locate sees it):
locate '*.conf'
and
locate '*.cf'
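The inetd editing above, scripted so it can be repeated across boxes and checked afterwards. This is an added example, not code from the paper; the inetd.conf contents in make_sample_conf are constructed for the demo, and PROTECTED names the service you are logged in over (telnet, per the warning above).

```shell
#!/bin/sh
# Added example, not from the paper: comment out unneeded inetd services in
# a scripted, checkable way instead of editing /etc/inetd.conf by hand.
# The inetd.conf content in make_sample_conf is constructed for the demo.

# Name of the service you are logged in over (telnet in the paper's warning).
# disable_service refuses to touch it, so you cannot lock yourself out.
PROTECTED="${PROTECTED:-telnet}"

# Print the service names (first field) of every line that is not a comment.
# Run it before and after editing, like the paper's second portscan.
enabled_services() {
    awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# disable_service CONF SERVICE: put "#" in front of each active line for
# SERVICE. Writes to a temp file, then replaces CONF (portable sed, no -i).
disable_service() {
    conf="$1"; svc="$2"
    if [ "$svc" = "$PROTECTED" ]; then
        echo "refusing to disable $svc: it is the session you are using" >&2
        return 1
    fi
    sed "s/^${svc}\([[:space:]]\)/#${svc}\1/" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# Constructed sample inetd.conf in the same layout the paper shows.
make_sample_conf() {
    cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  wu.ftpd -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop3    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}

# Demo run on a temporary copy; on a real box point it at /etc/inetd.conf
# and then restart inetd (or kill -HUP its pid) as described above.
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    disable_service "$tmp" ftp
    disable_service "$tmp" pop3
    disable_service "$tmp" telnet || echo "(telnet kept, as intended)"
    echo "still enabled:"; enabled_services "$tmp"
    rm -f "$tmp"
}
demo
```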
If you want to keep a daemon running but for some reason don't want people from the internet to be able to connect to it (for example, you have an ftpd on your gateway and you want only boxes from your own network to use it, not people from the internet), read the next section very carefully.
[*] Ipfwadm, ipchains and iptables
Linux comes with a firewall (read: packet filter) called ipfwadm in the 2.0 kernel series. The 2.2 kernel series comes with ipchains, and 2.4 with iptables. Since most systems are running 2.2.x I will briefly discuss ipchains (please refer to the manpages for more information); just type "man ipfwadm" or "man iptables" (without the quotes) to view the manpages for ipfwadm or iptables.
I will demonstrate step by step how to build a firewall rule with ipchains.
First flush all rules:
/sbin/ipchains -F
You'll have to choose a so-called "chain" (input or output) with the -A option:
/sbin/ipchains -A input
With the -s option you specify the source address (to match any address use 0.0.0.0/0) and with the -d option the destination address (your box). After the address you place the port:
/sbin/ipchains -A input -s 0.0.0.0/0 -d x.x.x.x/24 21
Next, specify with the -p option the transport protocol (e.g. TCP, UDP or ICMP), and with -j the action (e.g. ACCEPT, DENY, REJECT, MASQ). You may be wondering what the difference between DENY and REJECT is. Well, REJECT sends an ICMP packet back with the message "Destination unreachable", and DENY just discards it without sending an ICMP packet back. MASQ is used for masquerading, maybe I will explain this in some networking related paper later.
/sbin/ipchains -A input -s 0.0.0.0/0 -d x.x.x.x/24 21 -p TCP -j DENY
Replace x.x.x.x with your IP, and you have created a rule which DENYs traffic from anywhere to your box on destination port 21/tcp (ftp). (Note that a /24 mask matches the whole 256-address network your IP is in; use /32 if the rule should match only your box.) Let's do the same for a tftpd (tftp = trivial file transfer protocol), which runs on 69/udp. But this time we block only this IP: 195.195.195.195
/sbin/ipchains -A input -s 195.195.195.195 -d x.x.x.x/24 69 -p UDP -j DENY
Well, very easy.. Just replace the port number and the transport protocol. This way you should be able to create a rule-set yourself.
Note: NEVER EVER think: "oh, I don't have to close these daemons, I'll just filter all the traffic going to them with a packetfilter/firewall"..! Always close all daemons except those your users (on the internet, or on your LAN/WAN) actually need!
You can put these commands in a file, e.g. /sbin/nfw (nfw = Network FireWall), and do a "chmod +x" on it. Then put "/sbin/nfw" in the "rc" files, so that if your system crashes or needs a reboot for some reason, /sbin/nfw is executed on boot and you don't have to worry about it.
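The /sbin/nfw script from the text, generated from a small rule table so the whole set can be read and checked as plain text before it is installed. This is an added example, not the paper's own script; it assumes ipchains on a 2.2 kernel, and MYBOX stands for the "x.x.x.x/24" placeholder above and must be set to your real address/mask.

```shell
#!/bin/sh
# Added example, not from the paper: generate the /sbin/nfw rule-set script
# the text describes from a small table, so the rules can be read and
# checked as text before they are installed. Assumes ipchains (2.2 kernel);
# MYBOX is your address/mask, the "x.x.x.x/24" placeholder from the text,
# and must be set for real use.

MYBOX="${MYBOX:-x.x.x.x/24}"

# deny_rule PROTO PORT [SOURCE]: print one DENY rule for the input chain.
# SOURCE defaults to 0.0.0.0/0 (anywhere), as in the paper's ftp rule.
deny_rule() {
    printf '/sbin/ipchains -A input -s %s -d %s %s -p %s -j DENY\n' \
        "${3:-0.0.0.0/0}" "$MYBOX" "$2" "$1"
}

# build_nfw: read "PROTO PORT [SOURCE]" lines on stdin (blank lines and
# "#" comments are skipped) and print a complete nfw script: shebang,
# flush (ipchains -F), then one DENY rule per table line.
build_nfw() {
    echo '#!/bin/sh'
    echo '/sbin/ipchains -F'
    while read -r proto port src; do
        case "$proto" in ''|'#'*) continue ;; esac
        deny_rule "$proto" "$port" "$src"
    done
}

# Constructed rule table: the paper's two examples plus pop3 (110/tcp)
# closed to everyone.
RULES='
# proto  port  source (optional, default anywhere)
TCP      21
UDP      69    195.195.195.195
TCP      110
'

# Preview the generated script. To install it:
#   printf '%s\n' "$RULES" | build_nfw > /sbin/nfw && chmod +x /sbin/nfw
printf '%s\n' "$RULES" | build_nfw
```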