Linux Help
Securing Linux, what should be in the passwd file
sirjimbob
post Dec 9 2003, 07:15 AM
Post #1


Group: Members | Posts: 2 | Joined: 9-December 03 | Member No.: 1,932

I am very new to this, so if I've posted this in the wrong place or the wrong way then please forgive me.
I am a network administrator in a small publicly funded IT college in east London, UK. We have a couple of Red Hat 9 servers running sendmail and apache for our website. We are concerned that the sendmail server, which is our mail gateway and sits outside our firewall, may have been hacked. When I search the internet for help on this issue, one of the things I find is that I should 'know' who and what the users listed in the passwd file are and what function they perform. Although some are obvious, such as root and mail, I find I have a line in that file for a user called nobody!
Is this normal?
hughesjr
post Dec 9 2003, 07:49 AM
Post #2


Group: Admin | Posts: 3,433 | Joined: 25-July 03 | From: Corpus Christi, TX, USA | Member No.: 1,151

nobody is a normal user ... it runs items like apache.

Here is a standard RH9 passwd file with no extra users (except those installed by programs):

CODE
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin


Most of those guys can't log in (they have a shell of /sbin/nologin); however, if you have been hacked, cat, less, vi and other programs may have been changed so that they won't show the bad guy's logins.

See this thread for links to articles and advice on checking for root kits. Specifically, download chkrootkit and install it.

If you use apt for RH9 ... (I recommend apt) then you can use this (as /etc/apt/sources.list):

CODE
#/etc/apt/sources.list
# You can use the file:/ entries for creating your local repository mirrors.

# Red Hat Linux 9
rpm     http://ayo.freshrpms.net redhat/9/i386 os updates
#rpm-src http://ayo.freshrpms.net redhat/9/i386 os updates

# ATrpms for Red Hat Linux 9
# Possible sections: at-stable, at-good, at-testing, at-bleeding
rpm     http://apt.physik.fu-berlin.de redhat/9/en/i386 at-testing
#rpm-src http://apt.physik.fu-berlin.de redhat/9/en/i386 at-testing

# FreshRPMS for Red Hat Linux 9
rpm     http://ayo.freshrpms.net redhat/9/i386 freshrpms
#rpm-src http://ayo.freshrpms.net redhat/9/i386 freshrpms

# NewRPMS for Red Hat Linux 9
rpm     http://newrpms.sunsite.dk/apt/ redhat/en/i386/9.0 newrpms
#rpm-src http://newrpms.sunsite.dk/apt/ redhat/en/i386/9.0 newrpms

# Dag Wieers' rpms for Red Hat Linux 9
rpm     http://apt.sw.be redhat/9/en/i386 dag
#rpm-src http://apt.sw.be redhat/9/en/i386 dag


Then do:

apt-get update
apt-get install chkrootkit


To get chkrootkit ... or download and install it from the chkrootkit site.

Then run chkrootkit.


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
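The warning above about cat, less and vi having been swapped out is the first thing to settle before trusting anything the box reports, and on a Red Hat system the package database gives you a reference to check against: `rpm -Va` verifies every installed file against the size, MD5 digest, mode and owner recorded at install time. The shell filter below is an added example, not code from this thread or from chkrootkit; it triages that output so replaced binaries under /bin, /sbin and /usr stand out from the mtime and config-file noise. The `rpm -Va` lines it reads are constructed for the example. Run it from a rescue boot (`linux rescue`, then `rpm -Va --root /mnt/sysimage`), because on a rooted host rpm, awk and the RPM database itself can have been altered, and read a clean result as "nothing found" rather than "clean".

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -Va` output to find packaged
# binaries whose on-disk contents no longer match what the RPM database recorded,
# which is how a replaced cat/less/vi/ps shows up.
#   rpm -Va --root /mnt/sysimage | triage_rpm_verify      (from rescue media)

# rpm -Va prints one line per file that differs from its package:
#   S.5....T   /bin/ls            (RH9 rpm: 8 flag characters; newer rpm adds P)
#   S.5....T c /etc/sendmail.cf   (optional type marker: c=config d=doc g=ghost ...)
#   missing    /sbin/ifconfig
# Flags: S=size M=mode 5=MD5 digest D=device L=symlink U=owner G=group T=mtime, '.'=ok
triage_rpm_verify() {
    awk '
        # The directories a rootkit replaces tools in.
        function is_binary_dir(p) { return p ~ "^/(bin|sbin|usr/bin|usr/sbin|lib|usr/lib|usr/libexec)/" }
        $1 == "missing" { print "MISSING  " $NF; next }
        {
            flags = $1; path = $NF
            ftype = (NF == 3) ? $2 : ""
            if (ftype == "c") next               # config files are expected to change
            if (!is_binary_dir(path)) next       # docs, data, etc.: lower priority
            if (flags ~ /5/)
                print "TROJAN?  " path "  (" flags ")  contents differ from the package"
            else if (flags ~ /[SMUG]/)
                print "CHANGED  " path "  (" flags ")  size/mode/owner differ"
            # mtime-only (T) differences are not reported: too noisy to act on
        }
    '
}

# Constructed sample of rpm -Va output (not captured from a real host).
sample_rpm_va() {
    cat <<'EOF'
S.5....T   /bin/ls
S.5....T   /bin/ps
.......T   /usr/bin/less
S.5....T c /etc/sendmail.cf
.M......   /usr/bin/vi
missing    /sbin/ifconfig
..5....T d /usr/share/doc/foo/README
EOF
}

sample_rpm_va | triage_rpm_verify
```

For the sample above the filter reports /bin/ls and /bin/ps as TROJAN?, /usr/bin/vi as CHANGED and /sbin/ifconfig as MISSING, and stays quiet about the config file, the mtime-only change to less and the documentation file. A TROJAN? hit on a core utility is the point at which to stop investigating from inside the box and image the disk.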
hughesjr
post Dec 9 2003, 08:05 AM
Post #3


Group: Admin | Posts: 3,433 | Joined: 25-July 03 | From: Corpus Christi, TX, USA | Member No.: 1,151

If you are going to have the entire box outside your firewall, you need to develop a very strict iptables rule set for it ... like:

Only allow port 22 from your internal networks (and any other things you may be doing for admin, like VNC).

Only allow tcp 25 (smtp) and tcp 110 (pop3) initiated from all addresses outside (and only 110 if you want POP3 available off site).

If you are allowing external web as well for viewing e-mails then maybe also ports 80 and 443 from outside.

I would block all other ports into the box via iptables...

The ruleset would look something like this:

CODE
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -s xxx.xxx.xxx.xxx/zzz.zzz.zzz.zzz -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:65535 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:65535 -j REJECT
COMMIT


Where xxx.xxx.xxx.xxx is your IP network and zzz.zzz.zzz.zzz is the subnet mask. Remove the 80 and 443 entries if they are not required.


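An added example, not from the post: a shell lint for an iptables-restore file in the form above. It lists what each ACCEPT rule opens and from where, flags tcp/22 accepted without a source restriction, flags ACCEPT rules placed after the catch-all REJECT lines (iptables stops at the first matching rule, so they never fire), and warns about one thing a mail gateway depends on: with every inbound UDP packet rejected and no `-m state --state ESTABLISHED` rule or `--sport 53` exception, replies to the host's own DNS queries are rejected and sendmail cannot resolve MX records. The sample uses 192.168.10.0/255.255.255.0 as a made-up stand-in for the xxx.xxx.xxx.xxx/zzz.zzz.zzz.zzz admin network, and the weakened variant is constructed to show the findings.

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-restore ruleset.
#   lint_ruleset < /etc/sysconfig/iptables

lint_ruleset() {
    awk '
        /^-A / && /-j ACCEPT/ && /--dport/ {
            port = $0; sub(/.*--dport /, "", port); sub(/ .*/, "", port)
            proto = ($0 ~ /-p udp/) ? "udp" : "tcp"
            anysrc = ($0 !~ / -s /)
            # Anything after the catch-all TCP SYN reject is unreachable.
            if (proto == "tcp" && tcp_catchall) { print "DEAD     " proto "/" port " ACCEPT is after the catch-all REJECT and never matches"; next }
            # Admin access should never be world-reachable.
            if (port == "22" && anysrc) { print "WARN     tcp/22 (ssh) accepted from ANY source; add -s <admin network>"; next }
            print "OPEN     " proto "/" port " from " (anysrc ? "ANY source" : "restricted source")
            next
        }
        /^-A / && /-p tcp/ && /--dport 0:65535/ && /-j (REJECT|DROP)/ { tcp_catchall = 1 }
        /^-A / && /-p udp/ && /--dport 0:65535/ && /-j (REJECT|DROP)/ { udp_catchall = 1 }
        /--state/ || /--sport 53/ { udp_reply_rule = 1 }
        END {
            # The host itself sends DNS queries; the answers arrive as inbound UDP.
            if (udp_catchall && !udp_reply_rule)
                print "WARN     all inbound UDP rejected and no ESTABLISHED/--sport 53 rule: DNS replies to this host are rejected"
        }
    '
}

# The ruleset from the post, with 192.168.10.0/255.255.255.0 standing in for the
# admin network (a made-up value).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:65535 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:65535 -j REJECT
COMMIT
EOF
}

# Constructed weak variant: ssh source restriction dropped, and an IMAP rule
# appended after the catch-all REJECTs, where it can never match.
sample_ruleset_weak() {
    sample_ruleset | sed 's#-s 192\.168\.10\.0/255\.255\.255\.0 ##' \
        | awk '/^COMMIT/ { print "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 143 --syn -j ACCEPT" } { print }'
}

echo "== posted ruleset =="; sample_ruleset | lint_ruleset
echo "== weakened ruleset =="; sample_ruleset_weak | lint_ruleset
```

On the posted ruleset the lint shows tcp/22 open only from the admin network, tcp/25, 110, 80 and 443 open to everyone, and the UDP warning. The fix for that warning on RH9 is a `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule ahead of the catch-alls, or one `--sport 53` ACCEPT per nameserver in /etc/resolv.conf.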
sirjimbob
post Jan 27 2004, 12:26 PM
Post #4


Group: Members | Posts: 2 | Joined: 9-December 03 | Member No.: 1,932

Hello,
Thanks for the speedy reply to this post, and apologies for not picking this up earlier.
The first thing I have to report is that none of the accounts in my passwd file have /sbin/nologin:

games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/var/ftp:

This is just a sample of the file to show you.

The other worrying thing is that when I installed the root kit and tried to run it I got permission denied... I'm hoping that this is 'normal', and that it is also normal for me to have to give permissions to files like this after they have been installed on Linux.
So I looked at the chmod command, but I'm afraid I couldn't work out how and what to give the right permissions to.

Thanks for the help so far, and looking forward to sorting this box out.
Cheers
hughesjr
post Jan 28 2004, 06:48 AM
Post #5


Group: Admin | Posts: 3,433 | Joined: 25-July 03 | From: Corpus Christi, TX, USA | Member No.: 1,151

The command that I use to make files executable is:

chmod 755 filename
---------------------------------------------
What file are you trying to execute? If you installed chkrootkit by use of apt-get then it should already be executable. If you downloaded the file named chkrootkit.tar.gz from the checkrootkit.org website, you have to untar the file with the command:

tar -xvzf chkrootkit.tar.gz

then go to the directory that was created (the version there right now is 0.43, so):

cd chkrootkit-0.43

After that, read the file named README with this command:

less README

It tells you to install by issuing the command (from within the chkrootkit-0.43 directory):

make sense

then you can run the chkrootkit program by using the command (again from within the chkrootkit-0.43 directory):

./chkrootkit

--------------------------------------------
The fact that you don't have /sbin/nologin as the login shell (yours is totally blank) is slightly less secure ... but shouldn't make any practical difference (since the users don't have passwords).

The only person that can log in as a user with no login shell is root ... and if you are already logged in as root, you can easily edit the passwd file and remove the shell (or change the shell and password) for a user that has a /sbin/nologin shell ... although some script kiddie might not know that and fail in his attempt to do something if following a howto posted from a chatroom.

However, using /sbin/nologin is more secure and Security Focus (securityfocus.com) recommends that you use it for the nobody to secure your apache server setup.


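Both of the checks discussed in this thread, knowing every account in /etc/passwd (Post #2) and understanding that an empty shell field is weaker than /sbin/nologin while the password field is what actually blocks a login (Post #5), can be scripted. The following is an added example, not code from the thread: a shell audit that compares system accounts against the RH9 baseline list posted above, reports accounts with UID 0 other than root, duplicate UIDs, empty password fields and system accounts whose shell is empty or interactive, and lists the human accounts (UID 500 and up, RH9's UID_MIN) for someone to vouch for. The sample passwd content is constructed and seeded with deliberate problems; the UID 500 boundary and the baseline list are assumptions tied to Red Hat 9.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/passwd against what a stock
# RH9 box should contain.   Usage:  audit_passwd < /etc/passwd

# Account names from the RH9 passwd file posted earlier in the thread.
rh9_baseline_accounts() {
    cat <<'EOF'
root bin daemon adm lp sync shutdown halt mail news uucp operator games gopher
ftp nobody rpm vcsa nscd sshd rpc rpcuser nfsnobody mailnull smmsp pcap apache
xfs named ntp gdm
EOF
}

audit_passwd() {
    awk -F: -v baseline="$(rh9_baseline_accounts | tr '\n' ' ')" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        NF < 7 { print "MALFORMED " $0; next }
        {
            name = $1; pw = $2; uid = $3 + 0; shell = $7
            if (uid == 0 && name != "root") print "ROOT-UID  " name " has uid 0: a second root account"
            if (pw == "") print "NOPASSWD  " name " has an empty password field: logs in with no password at all"
            if (uid in seen) print "DUP-UID   " name " shares uid " uid " with " seen[uid]; else seen[uid] = name
            # What blocks a login is the password field, not the shell: "*" or "!..." never
            # authenticates, "x" defers to /etc/shadow. /sbin/nologin is a second barrier;
            # an empty shell field is not one (login(1) falls back to /bin/sh).
            locked = (pw == "*" || pw ~ /^!/)
            blocked = (shell == "/sbin/nologin" || shell == "/bin/false")
            if (name == "root") next
            if (uid < 500) {                       # RH9 system account range (UID_MIN 500)
                if (!(name in known)) print "UNKNOWN   " name " (uid " uid "): not in the RH9 baseline; find the package that owns it (rpm -qf on its files) or remove it"
                if (shell == "") print "SHELL     " name ": empty shell field, so /bin/sh; only the password field \"" pw "\" keeps it from logging in"
                if (!locked && !blocked) print "CHECK     " name ": shell " shell " and password field \"" pw "\"; it is not locked unless /etc/shadow says so"
            } else {
                print "USER      " name " (uid " uid ", shell " (shell == "" ? "/bin/sh" : shell) "): a person should answer for this account"
            }
        }
    '
}

# Constructed sample passwd: stock entries in the blank-shell style from Post #4,
# plus a second uid-0 account, an unknown system account and an empty password.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp::14:50:FTP User:/var/ftp:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
toor:x:0:0::/root:/bin/bash
backup:x:77:77::/var/tmp:/bin/bash
jim:x:500:500:Jim:/home/jim:/bin/bash
sysadm:x:501:501::/home/sysadm:/bin/bash
EOF
}

sample_passwd | audit_passwd
```

On the sample, games and gopher get only a SHELL note (their "*" password is what locks them, matching the point in Post #5), ftp is reported for its empty password, toor for being a second uid 0 and for being unknown, backup for being unknown with an interactive shell, and jim and sysadm are listed as people to account for. On a suspected compromise run it from rescue media against the mounted disk (`audit_passwd < /mnt/sysimage/etc/passwd`), since both awk and the passwd file may have been altered.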