HOWTO: PORT SCANNING
=====================
WRITTEN: 2004-05-21
====================
Enable Networking for now
-------------------------
01) ifconfig eth0 192.168.0.XX
02) route add default gw 192.168.0.1
03) echo "nameserver 64.69.86.29" >> /etc/resolv.conf
04) ping gdc.com
Obtain ssh 1.2.27
-----------------
The file is accessible on 192.168.0.50:/home/test
Note: ssh 1.2.27 speaks only SSH protocol 1, which has long been obsolete and
is refused by current OpenSSH clients; on any machine built today install
OpenSSH (protocol 2) instead. The build steps are otherwise the same.
01) Go to /usr/local/src
02) FTP to 192.168.0.50
03) username: test
04) password: 123456
05) bin
06) ha   (short for "hash": print a # for every block transferred)
07) get ssh.tgz
    ############################################   (hash marks printed during the transfer)
08) quit
Unpackage & Install ssh
-----------------------
01) tar -zxvf ssh.tgz
02) cd ssh-1.2.27
03) make distclean
04) ./configure
05) make
06) make install
Enabling SSH from the command line
----------------------------------
01) /usr/local/sbin/sshd&
Enabling SSH to start automatically on reboot
---------------------------------------------
01) echo "echo \"Enabling SSH logins..\" " >> /etc/rc.d/rc.local
02) echo "/usr/local/sbin/sshd&" >> /etc/rc.d/rc.local
Configure permanent IP address (if necessary)
---------------------------------------------
01) linuxconf
02) Basic Host Information
03) Set IP address accordingly
04) Accept
05) Name server specification
06) 64.69.86.29
07) Accept
08) Routing and Gateways -> Defaults
09) 192.168.0.1
10) Accept
11) Quit
12) Activate changes
Restart Server
--------------
01) reboot
Add Path to SSH to default path
-------------------------------
01) echo "PATH=\$PATH:/usr/local/bin:/usr/local/sbin" >> ~/.bashrc
02) source ~/.bashrc
Test SSH
--------
01) ssh localhost from console
02) ssh using PuTTY
TURN OFF UNENCRYPTED SERVICES (FTP/TELNET)
------------------------------------------
Turn them off by commenting out the line in /etc/inetd.conf that spawns each daemon and pointing the service at a small program that prints the proper way to connect to this machine instead. The port stays open, but the only thing it ever returns is the message. Bear in mind that 21 and 23 will therefore still show as open in any scan; if nobody needs the hint, deleting the lines outright exposes less.
01) Excerpted from /etc/inetd.conf:
---CUT---
# GL 20020125 12h10
#
# FTP disabled for security purposes. SSH has been installed
#
ftp stream tcp nowait root /usr/sbin/no_ftp
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#
# GL 20020125 12h05
#
# Original line commented out to increase security, scp has been installed
#
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
telnet stream tcp nowait root /usr/sbin/no_telnet
02) Force inetd to re-read its configuration file
killall -HUP inetd
Test FTP
--------
---CUT---
[root@linux1 /root]# ftp localhost
Connected to localhost.
Name (localhost:root):
This host does not accept unencrypted connections, please use scp.
Login failed.
421 Service not available, remote server has closed connection
Test TELNET
-----------
---CUT---
[root@linux1 /root]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
This host does not accept unencrypted connections, please use ssh.
Connection closed by foreign host.
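The no_ftp and no_telnet programs that print the two messages above are not shown on this page. Here is a stand-in for them, an added example rather than the page's own program: one script installed under both names, which behaves according to the name inetd invoked it by. The install paths, the symlink layout and the logger call are assumptions.

```sh
#!/bin/sh
# Stand-in for /usr/sbin/no_ftp and /usr/sbin/no_telnet (added example, not
# the page's own code). inetd hands the accepted socket to this program as
# stdin/stdout, so anything printed goes straight to the client.
# Assumed install layout:
#   install -m 755 no_unencrypted.sh /usr/sbin/no_ftp
#   ln -s /usr/sbin/no_ftp /usr/sbin/no_telnet

# refusal_message NAME: print the message for the name this program was
# invoked as (no_ftp or no_telnet). Any other name is a misconfiguration and
# returns non-zero so the mistake is noticed.
refusal_message() {
    case "$1" in
        no_ftp)
            printf '%s\n' "This host does not accept unencrypted connections, please use scp."
            ;;
        no_telnet)
            printf '%s\n' "This host does not accept unencrypted connections, please use ssh."
            ;;
        *)
            printf '%s\n' "This service is disabled on this host."
            return 1
            ;;
    esac
}

# Only act when inetd invokes us under one of the expected names, so that
# sourcing this file (for example to test refusal_message) does nothing.
me="$(basename "$0")"
case "$me" in
    no_ftp|no_telnet)
        # Leave a trace in syslog; inetd does not tell us the peer address,
        # so only the fact of the refusal is recorded (logger is assumed).
        logger -p auth.notice -t "$me" "refused unencrypted connection" 2>/dev/null
        refusal_message "$me"
        exit 0
        ;;
esac
```

Because the script reads nothing from the client, a telnet client shows the line and then "Connection closed by foreign host" as on the page; an ftp client, which expects a numbered reply, prints the line and gives up with its own 421 message.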
Download and install nmap
-------------------------
nmap is a free, powerful port scanner available from www.insecure.org.
The source tarball is available at /home/test on 192.168.0.50.
You will have to use SCP to pick it up because we've disabled FTP.
01) Navigate to /usr/local/src on your local machine
02) # scp test@192.168.0.50:/home/test/nmap.tgz .
03) password: 123456
04) tar -zxvf nmap.tgz
05) cd nmap-2.54BETA30
06) ./configure
07) make
08) make install
Using nmap
----------
The first thing to do once you've installed nmap is SCAN YOURSELF!
---CUT---
[root@linux1 test]# nmap localhost
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1532 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
98/tcp open linuxconf
111/tcp open sunrpc
113/tcp open auth
513/tcp open login
514/tcp open shell
515/tcp open printer
602/tcp open unknown
995/tcp open pop3s
1016/tcp open unknown
1021/tcp open unknown
1024/tcp open kdm
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
[root@linux1 test]#
TURN OFF EVERYTHING YOU HAVE NO NEED FOR!
-----------------------------------------
DECISION                          Port      State  Service
--------------------------------  --------  -----  ---------
Leave available, with warning     21/tcp    open   ftp
Leave available, native service   22/tcp    open   ssh
Leave available, with warning     23/tcp    open   telnet
Leave available, native service   25/tcp    open   smtp
Leave available, native service   80/tcp    open   http
EXAMINE!                          995/tcp   open   pop3s
DISABLE!                          79/tcp    open   finger
DISABLE!                          98/tcp    open   linuxconf
DISABLE!                          111/tcp   open   sunrpc
DISABLE!                          113/tcp   open   auth
DISABLE!                          513/tcp   open   login
DISABLE!                          514/tcp   open   shell
DISABLE!                          515/tcp   open   printer
DISABLE!                          602/tcp   open   unknown
DISABLE!                          1016/tcp  open   unknown
DISABLE!                          1021/tcp  open   unknown
DISABLE!                          1024/tcp  open   kdm
We have a bunch of stuff to turn off, and one service to investigate (995).
What is POP3s?
--------------
Securing POP3 is somewhat involved but by no means impossible. To protect
POP3 you use stunnel to wrap connections to port 995 (pop3s): incoming
connections arrive on 995, stunnel (built on the SSL libraries) does the
encryption and decryption, and hands the plaintext on to port 110 and your
regular pop3 server. This is a roundabout method, but I haven't found an
easier way to do it.
http://www.mandrakeuser.org/docs/secure/spop.html
We'll keep it. Nothing has to be opened on 443 for this to work: stunnel
terminates SSL on 995 itself. What does matter is that the plaintext side on
110 is reachable only from the machine itself, otherwise the wrapper buys
nothing.
Turning Services Off
--------------------
Service startup is controlled by startup scripts driven by the default
runlevel of the machine. This runlevel is listed in the file inittab.
[root@linux1 test]# grep default /etc/inittab
# 0 - halt (Do NOT set initdefault to this)
# 6 - reboot (Do NOT set initdefault to this)
id:3:initdefault:
So, the default init level is three (3), therefore the directory that
we need to adjust is /etc/rc.d/rc3.d:
Let's see what's in there:
[root@linux1 rc3.d]# ls
K20rstatd S05apmd S30syslog S60lpd S85httpd
K20rusersd S10network S40atd S60nfs S85sound
K20rwhod S11portmap S40crond S75keytable S90xfs
K35smb S15netfs S45pcmcia S80sendmail S99linuxconf
K55routed S20random S50inet S85gpm S99local
The services that are started on boot begin with "S", so:
[root@linux1 rc3.d]# ls -1 S*
S05apmd
S10network
S11portmap
S15netfs
S20random
S30syslog
S40atd
S40crond
S45pcmcia
S50inet
S60lpd
S60nfs
S75keytable
S80sendmail
S85gpm
S85httpd
S85sound
S90xfs
S99linuxconf
S99local
What remains is to match the S* files against our DISABLE! list. Not every
port has a startup script: the entries with nothing in the left column are
either spawned by inetd (finger, auth, login, shell, linuxconf all appear in
/etc/inetd.conf, dealt with further down) or, for the unknown high ports,
turn out to be side effects of the services above; the rescan after the
change shows which of them are gone. S15netfs, S60nfs and S90xfs have no
port of their own in the listing but go as well.

S* script       DISABLE!  Port      State  Service
--------------  --------  --------  -----  ---------
S15netfs
S60nfs
S90xfs
                DISABLE!  79/tcp    open   finger
S99linuxconf    DISABLE!  98/tcp    open   linuxconf
S11portmap      DISABLE!  111/tcp   open   sunrpc
                DISABLE!  113/tcp   open   auth
                DISABLE!  513/tcp   open   login
                DISABLE!  514/tcp   open   shell
S60lpd          DISABLE!  515/tcp   open   printer
                DISABLE!  602/tcp   open   unknown
                DISABLE!  1016/tcp  open   unknown
                DISABLE!  1021/tcp  open   unknown
                DISABLE!  1024/tcp  open   kdm
Change the first character from "S" to "K" to disable these services.
[root@linux1 rc3.d]# mv S11portmap K11portmap
[root@linux1 rc3.d]# mv S15netfs K15netfs
[root@linux1 rc3.d]# mv S60lpd K60lpd
[root@linux1 rc3.d]# mv S60nfs K60nfs
[root@linux1 rc3.d]# mv S90xfs K90xfs
[root@linux1 rc3.d]# mv S99linuxconf K99linuxconf
Examine what remains. Some services just aren't needed on a server (power
management, PCMCIA, the console mouse, sound), so turn them off as well:
[root@linux1 rc3.d]# mv S05apmd K05apmd
[root@linux1 rc3.d]# mv S45pcmcia K45pcmcia
[root@linux1 rc3.d]# mv S85gpm K85gpm
[root@linux1 rc3.d]# mv S85sound K85sound
What's left:
S10network
S20random
S30syslog
S40atd
S40crond
S50inet
S75keytable
S80sendmail
S85httpd
S99local
Send the machine to runlevel 4, then back to runlevel 3. Entering runlevel 3
runs the K* scripts in rc3.d with "stop", so everything we just renamed gets
shut down. (The direct alternative is /etc/rc.d/init.d/<service> stop for
each one.)
[root@linux1 /]# /sbin/init 4
[root@linux1 /]# /sbin/init 3
Make the machine re-read its /etc/inetd.conf file:
[root@linux1 /]# killall -HUP inetd
Re-run nmap to see what's left:
[root@linux1 /]# nmap localhost
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1539 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
98/tcp open linuxconf
113/tcp open auth
513/tcp open login
514/tcp open shell
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
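Matching the decision table against each rescan by eye gets tedious once there is more than one host. The following script, added here and not part of the original HOWTO, parses nmap's port listing, reports any open port that is not on a keep list, and diffs two scans to show what a change actually closed. The two localhost scans from this page are embedded as sample input; the keep list is the "leave available" rows of the decision table plus 995/tcp, an assumption. Run on the page's own output it shows that the runlevel bounce also closed 995/tcp, which the text says we meant to keep, so the pop3s daemon needs checking before anyone relies on it. The parser also handles current nmap output, which prints the same port/state/service columns.

```sh
#!/bin/sh
# Added example (not from the page): check nmap output against a keep list
# and diff two scans. Works on the old "Port State Service" layout shown on
# the page and on current nmap's "PORT STATE SERVICE" layout, since both
# print "port/proto state service", one port per line.

# Sample input: the two scans from the page, copied here as strings so the
# functions can be exercised without running nmap.
SCAN_BEFORE='Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
98/tcp open linuxconf
111/tcp open sunrpc
113/tcp open auth
513/tcp open login
514/tcp open shell
515/tcp open printer
602/tcp open unknown
995/tcp open pop3s
1016/tcp open unknown
1021/tcp open unknown
1024/tcp open kdm
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds'

SCAN_AFTER='Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
98/tcp open linuxconf
113/tcp open auth
513/tcp open login
514/tcp open shell
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second'

# The "leave available" rows of the decision table plus pop3s (assumed).
KEEP="21/tcp 22/tcp 23/tcp 25/tcp 80/tcp 995/tcp"

# open_ports: read nmap output on stdin, print one "port/proto" per open
# port. Filtered or closed ports listed by newer nmap are ignored.
open_ports() {
    awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" { print $1 }'
}

# unexpected_open KEEP: read nmap output on stdin and print, on one line,
# every open port that is not in the KEEP list (empty line if none).
unexpected_open() {
    keep=" $1 "
    out=""
    for p in $(open_ports); do
        case "$keep" in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# closed_between BEFORE AFTER: print the ports open in scan BEFORE that no
# longer show as open in scan AFTER.
closed_between() {
    after=" $(printf '%s\n' "$2" | open_ports | tr '\n' ' ')"
    out=""
    for p in $(printf '%s\n' "$1" | open_ports); do
        case "$after" in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Report on the embedded scans. On a live host use "$(nmap localhost)" in
# place of the strings.
echo "still open but not on the keep list:"
printf '%s\n' "$SCAN_AFTER" | unexpected_open "$KEEP"
echo "closed between the two scans:"
closed_between "$SCAN_BEFORE" "$SCAN_AFTER"
```

The first report line for the page's data is the five inetd services still to be dealt with (79, 98, 113, 513, 514); the second lists 111, 515, 602, 995, 1016, 1021 and 1024, the last four of which confirm that the unknown high ports belonged to what portmap and friends were running.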
Manually Stopping Stubborn processes
------------------------------------
Turning things off is done through the scripts in /etc/rc.d/init.d/ or, failing
that, with the "kill" command.
linuxconf is an example: /etc/rc.d/init.d/linuxconf stop did not work, so we
have to do it the hard way:
[root@linux1 init.d]# ps ax | grep linuxconf
1133 ? S 0:00 linuxconf --http
1194 pts/0 S 0:00 grep linuxconf
[root@linux1 init.d]# kill 1133
[root@linux1 init.d]# ps ax | grep linuxconf
This is the "linuxconf --http" instance that inetd spawned for port 98, so
killing it only clears the running copy: inetd will start another on the next
connection until its line is removed from /etc/inetd.conf, which is the next
step.
Re-configuring inetd.conf
-------------------------
Turning off services in /etc/inetd.conf involves commenting out unwanted lines.
First of all, obtain a list of enabled services (this pattern drops any line
containing a "#" anywhere, not only comment lines, which is good enough for a
stock file):
[root@linux1 init.d]# egrep -v "#" /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/no_ftp
telnet stream tcp nowait root /usr/sbin/no_telnet
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
talk dgram udp wait root /usr/sbin/tcpd in.talkd
ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /
bootps dgram udp wait root /usr/sbin/tcpd bootpd
finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
Edit the file to suit and then restart inetd
[root@linux1 init.d]# vi /etc/inetd.conf
[root@linux1 init.d]# killall -HUP inetd
[root@linux1 init.d]# nmap localhost
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1543 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
98/tcp open linuxconf
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
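The "vi then HUP" step above is the one place this page leaves to hand editing. As an added example, not from the page, here is the same pruning done mechanically: list the active lines of an inetd.conf, then comment out every service not on a keep list, writing a dated reason in the style of the page's own excerpt. The listing shown above is embedded as sample input; the tag in the comment and the idea of running it on a copy of /etc/inetd.conf first are assumptions.

```sh
#!/bin/sh
# Added example (not from the page): prune an inetd.conf down to a keep list.
# Usage on a real host (assumed): inetd_prune "ftp telnet" GL </etc/inetd.conf >inetd.conf.new
# then review the diff, copy it into place and killall -HUP inetd.

# Sample input: the active lines the page lists, plus a comment line.
SAMPLE_INETD='# /etc/inetd.conf excerpt (copied from the page)
ftp stream tcp nowait root /usr/sbin/no_ftp
telnet stream tcp nowait root /usr/sbin/no_telnet
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
talk dgram udp wait root /usr/sbin/tcpd in.talkd
ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /
bootps dgram udp wait root /usr/sbin/tcpd bootpd
finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http'

# inetd_enabled: read inetd.conf on stdin, print the service name of each
# active (uncommented, non-blank) line. Duplicates are kept on purpose so a
# service listed more than once, like linuxconf above, is visible.
inetd_enabled() {
    awk '$0 !~ "^[[:space:]]*(#|$)" { print $1 }'
}

# inetd_prune KEEP [TAG]: read inetd.conf on stdin and write it to stdout
# with every active line whose service is not in KEEP commented out and
# preceded by a dated reason. TAG (default "editor") identifies who did it.
inetd_prune() {
    keep=" $1 "
    tag="${2:-editor}"
    stamp="$(date +%Y%m%d)"
    awk -v keep="$keep" -v tag="$tag" -v stamp="$stamp" '
        $0 ~ "^[[:space:]]*(#|$)" { print; next }
        index(keep, " " $1 " ") > 0 { print; next }
        {
            printf "# %s %s\n#\n# %s disabled for security purposes, not on the keep list\n#\n#%s\n",
                   tag, stamp, $1, $0
        }
    '
}

# Show the effect on the embedded sample: only ftp and telnet survive.
printf '%s\n' "$SAMPLE_INETD" | inetd_prune "ftp telnet" GL
```

Keeping the original line as a comment, rather than deleting it, is what lets the page's author write "original line commented out" and restore it later; the dated tag is the audit trail.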
The only remaining service to hunt down and terminate is _linuxconf_
--------------------------------------------------------------------
Verify /etc/inetd.conf once again
---------------------------------
[root@linux1 init.d]# egrep -v "#" /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/no_ftp
telnet stream tcp nowait root /usr/sbin/no_telnet
Then kill the linuxconf instance still running from before the edit:
[root@linux1 init.d]# killall linuxconf
Perform a final pre-reboot scan
-------------------------------
[root@linux1 init.d]# nmap localhost
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1544 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
The host now shows only the ports we chose to keep. Before calling it done,
run the same scan from a second machine against the real interface address:
a scan of localhost reports what is bound on 127.0.0.1, which is not the
same as what the network sees. Then move on to the other hosts and close
their ports the same way.
Places to research "MYSTERY SERVICES"
-------------------------------------
www.google.com
www.sans.org
www.securityfocus.com
www.insecure.org
www.rootkit.com
www.slashdot.org