Wednesday, December 3, 2008

Securing your Linux Box

One fine day, when I was working on my Ubuntu 8.10 system, one of my friends ran up to me and told me that he had been able to telnet into my machine (as he knew my user name and password). I was stunned and had no words to say. Then I got down to the task of securing my box, and the very first thing I did was run nmap (a very popular port scanner) against my box. Here's what I found:

linux@ubuntu:~$ nmap ubuntu

Starting Nmap 4.62 ( http://nmap.org ) at 2008-12-04 02:46 IST
Interesting ports on ubuntu (127.0.1.1):
Not shown: 1708 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 0.154 seconds


I was shocked by this discovery, as I was wide open to attacks and intrusions, and so began the task of securing my box.
The first thing that came to mind was iptables (Linux's built-in firewall), so I inserted simple iptables rules to drop any unsolicited traffic on the ports listed above. They were as follows:

# --dport is only understood together with -p tcp or -p udp, so each rule names the protocol
sudo iptables -A INPUT -p tcp --dport 23 -j DROP
sudo iptables -A INPUT -p tcp --dport 111 -j DROP
sudo iptables -A INPUT -p tcp --dport 139 -j DROP
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
sudo iptables -A INPUT -p tcp --dport 902 -j DROP



I deliberately kept ssh and nfs open, for remote administration and file sharing respectively.
But in the long run this approach proved inefficient: I kept installing services like apache etc., and every time I did so I had to insert a new firewall rule by hand to keep my machine secure.

So I once again sought help from the documentation and opened the iptables man page. It seemed like an ocean of knowledge, but finally I found something interesting: the state module, which lets iptables filter based on the state of connections rather than on their source or destination port numbers. Hola, I had found what I was looking for. I immediately erected the following rule:

sudo iptables -A INPUT -m state --state NEW,INVALID -j DROP


This finally got the job done for me, but there was a problem with the whole setup: I was unable to download anything from the DC++ hub (forget data, I could not even download a file list). So I went back to basics and studied the DC protocol, and there I found the solution to the problem. I went to my DC client, checked the "firewall with manual port forward" option, selected 7777 as the TCP port and 7777 as the UDP port to work with (not to mention that 7 is my lucky number), and then keyed in the following commands to get my DC client working:


# inserted at position 1 so they are evaluated before the NEW,INVALID drop rule
sudo iptables -I INPUT 1 -p tcp --dport 7777 -j ACCEPT
sudo iptables -I INPUT 1 -p udp --dport 7777 -j ACCEPT



And there I was, job done (well, that was what I thought initially), but later I figured out that this was not perfect, as others could still ping me. I wanted to stop others pinging me while I could still do anything from my box, i.e. net surfing, using DC++, FTP etc., so I finally erected the following set of rules (technical details deliberately omitted to keep this post short). To achieve this you need to follow these 2 steps.


1. Just copy the following lines and save them in a normal text file:

# Generated by iptables-save v1.4.0 on Thu Dec 4 02:45:50 2008
*filter
:INPUT DROP [1773:224581]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [389800:258208271]
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Dec 4 02:45:50 2008


2. As the root user, type in the following command: iptables-restore < {path to the file in which you saved the lines above}

There you have it: a very safe and secure box which cannot even be pinged, while you can do anything from it. Remember to change your DC++ settings (as mentioned above) for your DC client to work.
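To see exactly what the ruleset above lets through, here is a small simulator of the INPUT chain, written for this page as an added example (it is not code from the original post). It embeds the post's iptables-save file and the nmap output from the top of the post as constructed strings, parses both, and asks which of the ports nmap found open are still reachable by a fresh inbound connection once the rules are loaded. The parser understands only the options the post uses (-p, --dport, -m state --state, -j); it is not a general iptables parser, and all function names are my own. One thing it makes visible: because the INPUT policy is DROP and no rule accepts NEW traffic on port 22 or 2049, the final ruleset also closes ssh and nfs, which the earlier rules had deliberately kept open, so anyone who still wants remote administration needs an extra ACCEPT line for tcp/22 before COMMIT.

```python
"""Added example: simulate the INPUT chain of an iptables-save ruleset.

Only the options used in the post are supported: -p, --dport,
-m state --state and -j. First matching rule wins; otherwise the
chain policy applies, exactly as the real netfilter INPUT chain does.
"""
import re

# The post's final ruleset, embedded as a constructed string.
RULESET = """\
# Generated by iptables-save v1.4.0 on Thu Dec 4 02:45:50 2008
*filter
:INPUT DROP [1773:224581]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [389800:258208271]
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p udp -m udp --dport 7777 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Dec 4 02:45:50 2008
"""

# The nmap port table from the post, one entry per line (constructed copy).
NMAP_OUTPUT = """\
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
2049/tcp open nfs
"""


def parse_nmap_open_ports(text):
    """Return [(port, proto, service)] for lines like '22/tcp open ssh'."""
    ports = []
    for line in text.splitlines():
        m = re.match(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3)))
    return ports


def parse_ruleset(text):
    """Return (policies, rules) for the filter table in iptables-save format."""
    policies = {}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                       # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                   # '-A CHAIN <matches> -j TARGET'
            tokens = line.split()
            rule = {"chain": tokens[1], "proto": None, "dport": None,
                    "states": None, "target": None}
            i = 2
            while i < len(tokens):
                tok = tokens[i]
                if tok == "-p":
                    rule["proto"] = tokens[i + 1]
                elif tok == "--dport":
                    rule["dport"] = int(tokens[i + 1])
                elif tok == "--state":
                    rule["states"] = set(tokens[i + 1].split(","))
                elif tok == "-j":
                    rule["target"] = tokens[i + 1]
                elif tok != "-m":                      # '-m tcp' / '-m state' just load a module
                    raise ValueError("unsupported option: " + tok)
                i += 2
            rules.append(rule)
    return policies, rules


def verdict(policies, rules, proto, dport, state, chain="INPUT"):
    """Walk the chain for one packet: first match wins, else the chain policy."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"]
    return policies[chain]


def reachable_from_outside(ruleset_text, nmap_text):
    """Open ports that a fresh inbound (NEW) connection could still reach."""
    policies, rules = parse_ruleset(ruleset_text)
    return [(port, proto, svc)
            for port, proto, svc in parse_nmap_open_ports(nmap_text)
            if verdict(policies, rules, proto, port, "NEW") == "ACCEPT"]


if __name__ == "__main__":
    policies, rules = parse_ruleset(RULESET)
    print("open ports still reachable:", reachable_from_outside(RULESET, NMAP_OUTPUT))
    print("DC++ tcp/7777, NEW:", verdict(policies, rules, "tcp", 7777, "NEW"))
    print("ping (icmp echo request, NEW):", verdict(policies, rules, "icmp", None, "NEW"))
    print("reply to a web request we started:", verdict(policies, rules, "tcp", 40000, "ESTABLISHED"))
    print("ssh from outside, NEW:", verdict(policies, rules, "tcp", 22, "NEW"))
```

Running it shows the behaviour the post describes: the DC++ ports on 7777 are accepted, an inbound ping is a NEW ICMP packet that matches no rule and falls through to the DROP policy, and replies to connections the box itself opened are accepted by the RELATED,ESTABLISHED rule. It also shows that none of the seven ports from the nmap scan, ssh and nfs included, accept new inbound connections under this ruleset.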

2 comments:

Unknown said...

Default Ubuntu install does not enable telnet, unless you activated telnetd.

Also NFS is not essential for file sharing. You can use SAMBA (in case you have to deal with a lot of Windows users) or you can use SSH for file sharing as well. SSH is secure and you can use it via GUI file managers like nautilus and konqueror as well.

VLCrypted said...

tandon, sry, but can't read this book..
there's something I appreciate about you: you just don't sit when a problem comes.