
linux@ubuntu:~$ nmap ubuntu
Starting Nmap 4.62 ( http://nmap.org ) at 2008-12-04 02:46 IST
Interesting ports on ubuntu (127.0.1.1):
Not shown: 1708 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.154 seconds
I was shocked at this surprising discovery, as I was very vulnerable to attacks and intrusions, and hence began the task of securing my box.
The first thing that came to my mind was iptables (Linux's built-in firewall), so I inserted simple iptables rules to block any unsolicited traffic on the ports listed above. They were as follows:
sudo iptables -A INPUT -p tcp --dport 23 -j DROP
sudo iptables -A INPUT -p tcp --dport 111 -j DROP
sudo iptables -A INPUT -p tcp --dport 139 -j DROP
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
sudo iptables -A INPUT -p tcp --dport 902 -j DROP
I deliberately kept ssh and nfs open, for remote administration and file sharing respectively.
But in the long run this approach proved inefficient, as I kept installing services like Apache, etc., and every time I did so I had to manually insert a new firewall rule to keep my machine secure.
So I once again sought help from the documentation and opened the iptables man page. It seemed to me an ocean of knowledge, but finally I found something interesting: the state module, which lets iptables fine-tune the firewall based on the state of connections rather than on their source or destination port numbers. Voila, I had what I was looking for. I immediately erected the following iptables rule:
sudo iptables -A INPUT -m state --state NEW,INVALID -j DROP
This finally got the job done for me, but there was a problem in this whole setup. I was unable to download anything from the DC++ hub (forget any data, I was not able to download any file list either). So I went back to basics and studied the DC protocol, and there I found the solution to the problem. I went to my DC client, checked the "firewall with manual port forward" option, selected 7777 as the TCP port and 7777 as the UDP port to work with (not to mention that 7 is my lucky number), and then keyed in the following commands to get my DC client working:
sudo iptables -I INPUT 1 -p tcp --dport 7777 -j ACCEPT
sudo iptables -I INPUT 1 -p udp --dport 7777 -j ACCEPT
And there I was; I had got the job done (well, that was what I thought initially), but later I figured out that this was not perfect, as others could still ping me. I wanted to stop others pinging me while I could still do anything from my box, i.e. net surfing, using DC++, FTP, etc., so I finally erected the following set of rules (technical details deliberately omitted to keep this post short). To achieve this you need to follow these 2 steps.
1. Just copy the following lines and save them in a normal text file:
# Generated by iptables-save v1.4.0 on Thu Dec 4 02:45:50 2008
*filter
:INPUT DROP [1773:224581]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [389800:258208271]
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Dec 4 02:45:50 2008
2. As the root user, type in the following command: iptables-restore < { path to the file in which you saved the lines above }
There you have it: a very safe and secure box which cannot even be pinged, while you can do anything from it. Remember to change your DC++ settings (as mentioned above) for your DC client to work.
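The ruleset in step 1 and the earlier state-module rule both rest on the same two properties: a DROP default policy on INPUT, and an ACCEPT for RELATED,ESTABLISHED packets so that replies to connections the box itself opened (web pages, FTP data channels, replies to your own pings) still get in. The shell script below is an added example, not part of the original post, that audits an iptables-save dump for those properties offline (no root and no live kernel needed), lists the ports left open to unsolicited traffic, and flags one thing a practitioner would check in the step 1 ruleset: it has no ACCEPT for the loopback interface, so local clients talking to 127.0.0.1 fall through to the DROP policy. The two dumps inside it are constructed to mirror the before and after states described in the post, not copied from the author's files, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for the
# properties the post's firewall relies on. Pure text processing, no root needed.

# Constructed dump mirroring the post's final ruleset (step 1), counters zeroed.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed dump mirroring the box as nmap first found it: everything accepted.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Succeeds when the INPUT chain's default policy is DROP, so anything not
# matched by an explicit rule (including inbound ICMP echo requests) is dropped.
input_policy_is_drop() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP '
}

# Succeeds when packets belonging to connections this host initiated are let
# back in. Accepts both the old "-m state --state" and newer "--ctstate" form.
has_established_accept() {
    printf '%s\n' "$1" | grep -Eq '^-A INPUT .*--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'
}

# Succeeds when traffic arriving on the loopback interface is accepted explicitly.
allows_loopback() {
    printf '%s\n' "$1" | grep -Eq '^-A INPUT -i lo .*-j ACCEPT'
}

# Prints every port opened to unsolicited traffic as port/proto, one per line.
open_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /--dport/ && / -j ACCEPT$/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print port "/" proto
        }'
}

# Prints a copy of the dump with a loopback ACCEPT inserted as the first INPUT
# rule (directly after the chain policy lines); the rest is left unchanged.
with_loopback() {
    printf '%s\n' "$1" | awk '
        { print }
        /^:OUTPUT / && !done { print "-A INPUT -i lo -j ACCEPT"; done = 1 }'
}

# Runs every check against one dump and prints a verdict per check.
audit() {
    rules="$1"
    input_policy_is_drop "$rules"   && echo "ok   INPUT policy is DROP" || echo "FAIL INPUT policy is not DROP"
    has_established_accept "$rules" && echo "ok   ESTABLISHED,RELATED accepted" || echo "FAIL replies to your own connections would be dropped"
    allows_loopback "$rules"        && echo "ok   loopback accepted" || echo "WARN no loopback ACCEPT; local services on 127.0.0.1 may break"
    echo "open ports:"
    open_ports "$rules" | sed 's/^/  /'
}

echo "== before (as nmap found it) =="; audit "$WEAK_RULES"
echo "== after (step 1 ruleset) =="; audit "$SAMPLE_RULES"
echo "== after, with loopback added =="; audit "$(with_loopback "$SAMPLE_RULES")"
```

To run it against a real box, replace the constructed dumps with `iptables-save` output (for example `audit "$(sudo iptables-save)"`). The checks are deliberately simple string matches on the iptables-save format, so a rule written with a different option order may need the patterns adjusted.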