<!--startcut BEGIN header ==============================================-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Security for the Home Network LG #46</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!--endcut ============================================================-->

<H4>
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P>
<!--===================================================================-->

<center>
<H1><font color="maroon">Security for the Home Network</font></H1>
<H4>By <a href="mailto:jpollman@bigfoot.com">JC Pollman</a> and
<a href="mailto:bill.mote@bigfoot.com">Bill Mote</a></H4>
</center>
<P> <HR> <P>

<!-- END header -->

<p>Security for the home network is your responsibility. With all
the tools available to the crackers and script kiddies, it is not a matter of
<EM><STRONG>if</STRONG></EM> but rather <EM><STRONG>when</STRONG></EM> you
will be probed and possibly attacked. I have personally been connected
via modem for less than 5 minutes and been port scanned! Your ISP really
does not care if you are being attacked by "x", because if they shut down "x",
tomorrow it will be "y" attacking you. Fortunately there are several things
you can do to greatly increase the security of your network.

<p><b>Disclaimer: </b>This article provides information we have gleaned
from reading books, the HOWTOs, man pages, usenet newsgroups, and
countless hours banging on the keyboard. It is not meant to be an all-inclusive,
exhaustive study of the topic, but rather a stepping stone from the novice
to the intermediate user. All the examples are taken directly from
our home networks, so we know they work.

<p><b>How to use this guide:</b>
<ul>
<li>
Words enclosed in square brackets, like [Enter], indicate pressing
a key on the keyboard or a mouse button, like [Mouse1]</li>

<li>
Words enclosed in curly brackets, like {your name here}, indicate
data that will or should be substituted with "real" data</li>

<li>
Text in italics is a command you, the user, should type at a prompt</li>
</ul>
<b>Prerequisites:</b> This guide assumes that you have tcp wrapper and
ipchains installed, that you are running kernel 2.2.0 or higher, that you
have selected a legal/private domain name, that you are using IP Masquerade
to "hide" your machine from the internet, and that you are consistently
able to connect to the internet.

<p><b>Why crack me?</b> Most of us believed, at one time, that we were
so insignificant that a cracker would not waste his time with us. Additionally,
there were so many computers connected to the internet that the odds of
being cracked seemed virtually nil. Five years ago that was probably a correct
assessment. With the advent of the script kiddies, it is no longer
true. The tools available to them make it so easy to find and crack systems
that anyone who can turn on a computer can do it.

<p>There are two main reasons they may want to crack your home system:
the thrill of another conquest, and to get the information they need to use
your ISP account to launch other attacks. Life will become distinctly unpleasant
when the authorities come to your door investigating why you were using
your ISP account to break into the Pentagon.

<p>The following information comes from a series of <a href="http://www.enteract.com/~lspitz/pubs.html">excellent
articles</a> by <a href="mailto:lance@spitzner.net">Lance Spitzner</a>.
They should scare you straight if you have taken security lightly up to
now.
<blockquote>The script kiddie methodology is a simple one. Scan the Internet
for a specific weakness; when you find it, exploit it. Most of the tools
they use are automated, requiring little interaction. You launch the tool,
then come back several days later to get your results. No two tools
are alike, just as no two exploits are alike. However, most of the tools
use the same strategy. First, develop a database of IPs that can
be scanned. Then, scan those IPs for a specific vulnerability.</blockquote>

<blockquote>Once they find a vulnerable system and gain root, their first
step is normally to cover their tracks. They want to ensure you do
not know your system was hacked and cannot see nor log their actions.
Following this, they often use your system to scan other networks, or silently
monitor your own.</blockquote>
And now for the bad news: <a href="http://www.cert.org/tech_tips/root_compromise.html">CERT®
Coordination Center</a> has only one solution if you have been cracked:
reinstall everything from scratch!

<p><b>The Firewall Machine:</b> Ideally your firewall should be a machine
dedicated to just that: being your security. Given that you only need the
power of a 486, this should not be too hard to arrange. By using a computer
just as your firewall you can shut down all the processes that normally
get attacked, like imap, ftp, sendmail, etc. A simple solution would be
to create a boot floppy with everything you need on it and run it out of
a RAM disk. That way, if you are cracked, you just reboot the machine,
and without a hard drive it will run much cooler. Check out the
<A HREF="http://www.linux-router.org">Linux Router Project</A>
for how to set it up.

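<p>As an added example of the "shut down what the firewall box does not need" advice above (our own script, not from the article or the Linux Router Project): a small POSIX sh audit that lists listening TCP services that are neither loopback-only nor on an allow-list. It assumes Linux <i>netstat -tln</i> output and a hypothetical allow-list of port 53 for the DNS server from the earlier article.</p>

```shell
#!/bin/sh
# Added example, not from the article: audit a would-be firewall box for the
# network services the article says to shut down (ftp, sendmail, imap, ...).
# Assumes Linux `netstat -tln` output format, e.g. "0.0.0.0:25" (assumption).

# Constructed sample of `netstat -tln` output so the script runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN'

# Ports the firewall box still needs to offer (assumption: DNS, set up in
# the earlier article; edit to taste).
ALLOWED_PORTS="53"

# service_name PORT: name the well-known services the article mentions.
service_name() {
    case "$1" in
        21)  echo ftp ;;
        25)  echo sendmail ;;
        53)  echo dns ;;
        143) echo imap ;;
        *)   echo "port-$1" ;;
    esac
}

# unneeded_listeners: read `netstat -tln` output on stdin and print
# "port name" for each LISTEN socket on a non-loopback address whose port
# is not in ALLOWED_PORTS. These are the daemons to disable on the firewall.
unneeded_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" { print $4 }' |
    while IFS= read -r addr; do
        host=${addr%:*}
        port=${addr##*:}
        case "$host" in 127.*) continue ;; esac   # loopback only: not reachable from outside
        case " $ALLOWED_PORTS " in *" $port "*) continue ;; esac
        echo "$port $(service_name "$port")"
    done
}

# audit_sample: run the audit over the constructed sample above.
# On a real box you would run: netstat -tln | unneeded_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unneeded_listeners
}

audit_sample
```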
<p>However, for the purposes of this article the
authors assume you are setting this up on your primary server and that
you have been following along with the previous month's articles on DNS and
SendMail.

<p><b>What we will cover: </b>There are hundreds, maybe even thousands,
of ways to crack into your computer, and for every way in you need to
provide a defense. We are not going to cover everything here; we will cover
just the basics to get your machine secured from the most likely attacks.
<blockquote><a href="pollman/ip_spoofing.html">ip
spoofing</a>
<br><a href="pollman/tcpwrappers.html">tcp
wrappers</a>
<br><a href="pollman/ipchains.html">ipchains</a></blockquote>
<b>What we will not be covering:</b>
<blockquote>physical security
<br>specific programs you run
<br>encrypting data</blockquote>

<hr SIZE=4 WIDTH="90%">
<br>Here are some <a href="pollman/final_thoughts.html">final
thoughts</a> to whet your appetite. Next month we will be discussing dhcp.
<center>

<!-- BEGIN copyright ==================================================-->
<P> <hr> <P>
<H5 ALIGN=center>
Copyright © 1999, JC Pollman and Bill Mote <BR>
Published in Issue 46 of <i>Linux Gazette</i>, October 1999</H5>
<!-- END copyright ===================================================-->

<!--startcut footer ===================================================-->
</BODY></HTML>
<!--endcut ============================================================-->