
Sunday, December 7, 2008

Say hello to TUX

How many times has it happened that people try Linux for a while and then dump it? Well, if you ask me, I'll say plenty of times. It all starts like this.
You are bored of using a proprietary OS after all these years and want to try something new, and nowadays there is a lot of buzz about Linux, so it all boils down to you calling your (geek) friend and asking him to install Linux on your PC (although there is no need for any external F1 (help); anyone can install Linux [Ubuntu] easily).
After the installation is finished you are all set to breathe free in the open source world, so you try Linux for some time and then you start feeling "Oh God, my proprietary OS was better as it played all my videos... or where is my iTunes..." and things like that, and finally you handcuff yourself to the proprietary OS and probably never think of coming out of it.
Let me tell you, there are open source alternatives to almost any proprietary software on this planet. Some of the popular open source alternatives to proprietary software can be found at the following site:

http://whdb.com/2008/the-top-50-proprietary-programs-that-drive-you-crazy-and-their-open-source-alternatives/


But how do you get these working on your Linux (Ubuntu 8.10) box? The following tutorial links prove handy in getting your favorite open source software up and running on your box:

https://help.ubuntu.com/community/InstallingSoftware
http://linuxgator.org/forums/viewtopic.php?f=15&t=1067
http://www.ehow.com/how_2243216_install-software-linux-using-synaptic.html
http://simplyubuntu.wordpress.com/2006/06/27/a-beginners-guide-to-installing-programs-in-ubuntu/

Wednesday, December 3, 2008

Securing your Linux Box

One fine day when I was working on my Ubuntu 8.10 system, one of my friends ran up to me and told me that he was able to telnet into my machine (as he knew my user name and password). I was stunned and had no words to say. Then I got down to the task of securing my box, and the very first thing I did was run nmap (a very popular port scanner) against my box. Here's what I found.





linux@ubuntu:~$ nmap ubuntu

Starting Nmap 4.62 ( http://nmap.org ) at 2008-12-04 02:46 IST
Interesting ports on ubuntu (127.0.1.1):
Not shown: 1708 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 0.154 seconds


I was shocked at this discovery, as I was very vulnerable to attacks and intrusions, and hence began the task of securing my box.
The first thing that came to my mind was iptables (Linux's built-in firewall), so I inserted simple iptables rules to block any unsolicited traffic on the above listed ports. They were as follows:


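# --dport is only accepted together with a protocol match, hence -p tcp
sudo iptables -A INPUT -p tcp --dport 23 -j DROP
sudo iptables -A INPUT -p tcp --dport 111 -j DROP
sudo iptables -A INPUT -p tcp --dport 139 -j DROP
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
sudo iptables -A INPUT -p tcp --dport 902 -j DROP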



I deliberately kept ssh and nfs open for remote administration and file sharing respectively.
But in the long run this proved inefficient, as I kept on installing services like apache etc., and every time I did so I had to manually insert a new firewall rule to keep my machine secure.

So I once again sought the help of the documentation and opened the iptables man page. It seemed to me an ocean of knowledge, but finally I found something interesting: the state module, which lets iptables fine-tune the firewall based on the state of connections rather than on their source or destination port numbers. Hola, I got what I was looking for. I immediately erected the following iptables rule.

sudo iptables -A INPUT -m state --state NEW,INVALID -j DROP


This finally got the job done for me, but there was a problem with this whole setup: I was unable to download anything from the DC++ hub (forget any data, I was not even able to download a file list). So I went back to basics and studied the DC protocol, and there I got the solution to the problem. I went to my DC client, chose the "firewall with manual port forward" option and selected 7777 as the TCP port and 7777 as the UDP port to work with (not to mention 7 is my lucky number), and then keyed in the following commands to get my DC client working.


sudo iptables -I INPUT 1 -p tcp --dport 7777 -j ACCEPT
sudo iptables -I INPUT 1 -p udp --dport 7777 -j ACCEPT



And there I was, I got the job done (well, that was what I thought initially), but later I figured out that this was not perfect, as others could ping me. I wanted to stop others pinging me while I could still do anything from my box, i.e. net surfing, using DC++, FTP etc., so I finally erected the following set of rules (technical details deliberately omitted to keep this post small). To achieve this you need to follow these 2 steps.


1. Just copy the following lines and save them in a normal text file.

# Generated by iptables-save v1.4.0 on Thu Dec 4 02:45:50 2008
*filter
:INPUT DROP [1773:224581]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [389800:258208271]
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Dec 4 02:45:50 2008


2. As the root user, type in the following command: iptables-restore < { path to the file in which you saved the above lines }

There you have it: a very safe and secure box which cannot even be pinged, while you can do anything from it. Remember to change your DC++ settings (as mentioned above) for your DC client to work.
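
The ruleset in step 1 depends on first-match rule order plus a default DROP policy, so it is worth checking which of the ports from the nmap scan still accept new connections. The script below is an added example, not part of the original post; the function names `verdict_for_new_tcp` and `exposed_ports` are hypothetical, and it models only the `-p`, `--dport`, `--state` and `-j` options used in this post.

```sh
# Added example: first-match walk of the filter INPUT chain for an unsolicited
# (state NEW) TCP connection. Models only -p, --dport, --state and -j.
# Constructed copy of the ruleset from step 1 (packet counters zeroed).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# verdict_for_new_tcp PORT: reads iptables-save text on stdin, prints the verdict.
verdict_for_new_tcp() {
    awk -v port="$1" '
    /^:INPUT /  { policy = $2; next }          # chain default policy
    /^-A INPUT / {
        proto = ""; dport = ""; states = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "--state") states = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (proto != "" && proto != "tcp") next             # other protocol
        if (dport != "" && dport != port) next              # other port
        if (states != "" && ("," states ",") !~ /,NEW,/) next  # not NEW
        if (target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; hit = 1; exit }
    }
    END { if (!hit) print policy }'                # no rule matched
}

# exposed_ports FILE PORT...: prints the ports that still accept new connections.
exposed_ports() {
    file=$1; shift; out=""
    for p in "$@"; do
        if [ "$(verdict_for_new_tcp "$p" < "$file")" = "ACCEPT" ]; then out="$out $p"; fi
    done
    echo "${out# }"
}

tmp=$(mktemp); sample_rules > "$tmp"
echo "reachable: $(exposed_ports "$tmp" 22 23 111 139 445 902 2049 7777)"
rm -f "$tmp"
```

Run against the ruleset from step 1, only 7777 is reported, which means ssh (22) and nfs (2049) are closed to new inbound connections as well. If remote administration or file sharing is still wanted, those ports need their own ACCEPT rules.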