chrootkit & rkhunter

This list does not make much sense to me. You should work on that.

• All repos have the same priority.

• The KDE4-Playground repo contains mainly untested packages; they’re aimed at testers and developers, not end users.

• You use quite a lot of ‘home:’-repositories, my experience says that at least 90% of them contain sheer trash (I don’t mean “alpha” or “unstable” but simply “trash”). Especially when compiling from source, one should take care that dependencies and devel-packages are set up right.

• “server”, “security” & “monitor” are mainly aimed at server systems, not home desktops.

hcvv wrote:
> You have to many repos enabled. I do not wonder you have dependancy
> problems.

I wonder how it still boots!


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

Because it is hardened.

Right, I am trying to figure out automation.

I am not having any dependency issues right now, I resolved them on their merits. The only thing I need is some automation to resolve dependencies.

I never said I am an enduser only or anything like that. I test stuff/security for clients in SOX age. I need server, security and nmap for various reasons.

It boots fast and without any conflicts. I may not be able to document what I did but I did it right. The system is now like a rock. I scanned open ports, fixed them and did a lot of stuff with VMware server.

You got that right.

To sum up my experience so far:

  1. Enable all repositories or at least major ones.
  2. Harden the desktop.
  3. Firewall: keep ports open, scan yourself and close the ports; it won’t mess up your web activity if you initiate from your desktop, but hack stuff won’t work against you.

This time I will try to give some serious remarks.

First, you should enable only the famous four repos (OSS, nonOSS, Update and Packman) and when you need a package from another repo (where you should assess its reliability very carefully when you are after a very stable and secure system), you disable that repo immediately after you have installed the package. Thus your *zypper lr -d* list gives me the shivers (and gives you dependency problems).

Second. I do not have many remarks about “hardening the desktop” (why the desktop and not the rest of the system?), because that includes a long list of varying subjects (of which the trustable repos are a part and not a separate thing). I assume those lists are to be found on the Internet also.

Third. It is simple to see what ports are open with

netstat -atu

No need to scan the ports. And when you have switched off everything you do not need there, I doubt if you really need a so called “personal firewall” on the system. You had better have a well managed firewall on the periphery of your network.

Just my two cents of advice.

I have installed smoothwall on a second machine; about the suse firewall I have no comments to make. The tools that I use offer me ease. I do not have dependency issues any more. I have checked the repos and find them authentic.

FYI - Ideally a system should not respond to a port scan. I will post the contradictions when I get on suse, right now I am in windows.

Let me explain my opinion a bit more.

The sysadmin/manager uses netstat because it is an easily available tool to tell him what is going on and if stopping services worked as intended. He does not need a second system with port scanning software, which might not even be available.

When the sysadmin is satisfied with this and the rest of the hardening, he reports so.

Then the security department can test with portscans, passwords crackers, etc. (preferably when the sysadmin is at home and asleep :wink: ).

It may be true that the roles of sysadmin and security admin reside in the same person, but seeing the difference between roles is always important.

Henk,

Below please find outputs from various port scanning utilities and compare those at your convenience. I will give my reasons for choosing specific apps at the bottom of the post.

linux-lst5:/home/david # netstat -atu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 192.168.1.2:40460       cot.novell.com:www-http ESTABLISHED
tcp        0      0 192.168.1.2:40463       cot.novell.com:www-http ESTABLISHED
tcp        0      0 192.168.1.2:40465       cot.novell.com:www-http ESTABLISHED
tcp        0      0 192.168.1.2:40455       cot.novell.com:www-http ESTABLISHED
tcp        0      0 192.168.1.2:40464       cot.novell.com:www-http ESTABLISHED
tcp        0      0 192.168.1.2:45539       hx-in-f139.1e1:www-http ESTABLISHED
tcp        0      0 192.168.1.2:40466       cot.novell.com:www-http ESTABLISHED
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
udp        0      0 *:cadview-3d            *:*
udp        0      0 *:57152                 *:*
udp        0      0 *:mdns                  *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 *:ipp                   *:*
udp        0      0 *:cadview-3d            *:*
udp        0      0 *:sunrpc                *:*

linux-lst5:/home/david # nmap -v -A scanme.nmap.org

Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-25 20:11 SGT
NSE: Loaded 30 scripts for scanning.
Initiating Ping Scan at 20:11
Scanning 64.13.134.52 [4 ports]
Completed Ping Scan at 20:11, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:11
Completed Parallel DNS resolution of 1 host. at 20:11, 8.02s elapsed
Initiating SYN Stealth Scan at 20:11
Scanning scanme.nmap.org (64.13.134.52) [1000 ports]
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
Completed SYN Stealth Scan at 20:12, 28.24s elapsed (1000 total ports)
Initiating Service scan at 20:12
Scanning 3 services on scanme.nmap.org (64.13.134.52)
Completed Service scan at 20:12, 12.19s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (64.13.134.52)
Initiating Traceroute at 20:12
64.13.134.52: guessing hop distance at 11
Completed Traceroute at 20:12, 2.32s elapsed
Initiating Parallel DNS resolution of 17 hosts. at 20:12
Completed Parallel DNS resolution of 17 hosts. at 20:12, 11.70s elapsed
NSE: Script scanning 64.13.134.52.
NSE: Starting runlevel 1 scan
Initiating NSE at 20:12
Completed NSE at 20:12, 5.70s elapsed
NSE: Script Scanning completed.
Host scanme.nmap.org (64.13.134.52) is up (0.39s latency).
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 993 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)
|  ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
|_ 2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http    Apache httpd 2.2.3 ((CentOS))
|_ html-title: Go ahead and ScanMe!
113/tcp   closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.27, Linux 2.6.18
Uptime guess: 0.458 days (since Fri Jun 25 09:12:44 2010)
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 25/tcp)
HOP RTT    ADDRESS
1   1.21   192.168.1.1
2   9.80   xx.xxx.32.1
3   88.66  218.248.168.90
4   29.94  59.163.206.161.static.chennai.vsnl.net.in (59.163.206.161)
5   271.72 172.31.125.46
6   318.24 if-2-11.mse2.SV1-SantaClara.as6453.net (209.58.86.13)
7   316.35 if-3-0.mcore3.LAA-LosAngeles.as6453.net (216.6.84.45)
8   313.10 Vlan1976.icore1.LAA-LosAngeles.as6453.net (209.58.53.81)
9   393.39 4.68.63.65
10  410.68 ae-93-90.ebr3.LosAngeles1.Level3.net (4.69.144.244)
11  313.20 ae-2-2.ebr3.SanJose1.Level3.net (4.69.132.9)
12  410.96 4.69.134.238
13  311.20 ae-22-69.car2.SanJose2.Level3.net (4.68.18.12)
14  314.82 layer42.car2.sanjose2.level3.net (4.59.4.78)
15  399.99 xe6-2.core1.svk.layer42.net (69.36.239.221)
16  399.40 scanme.nmap.org (64.13.134.52)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.76 seconds
Raw packets sent: 2050 (91.790KB) | Rcvd: 71 (3634B)

I guess you can interpret the outcome, or I will do a PM and explain it there. In the normal sense many daemons run on a Linux desktop, and to take appropriate measures you need efficient tools. If you scan from localhost (the way you suggested) the firewall will read it and allow it to go through. In order to understand your risks you should check your firewall against untrusted hosts that can scan you while your firewall is fully functional. When you get hacked, the people on the other side of the fence discover your open ports and apps and mess with you when ready.

As per my experience and practice I never accept default settings of any operating system. Users should ensure that their operating system (especially Linux) is very secure and efficient.

As per your suggestion regarding repos, I know what I am doing. I freaked out at first over kde, now comfortable with it. As of now I have managed all updates and have not had any conflicts pending. I believe one should choose the road less traveled.

Yes, I can read it, but with difficulty. I assume that the computer output was formatted to be easier to read (I know that for sure for netstat), but you spoiled that by not putting the computer text between CODE tags. There is the # button in the toolbar above the text input field for that.

It would also have been easier if you had used the *n* option with netstat (I suppose you studied the man page before executing something I, as an untrusted outsider, tried to lure you into), because Nmap gives you the ports as numbers.
(And a | grep LISTEN also makes it more concise and to the point, but again I only pointed you to netstat, leaving it to you if you want to use it and how).

As long as you know what you are doing and are satisfied with that, I am fine with that also.

Well, I can still do that. Give me a moment. I won’t paste my IP, I am not allowed to do that from my workplace. You will get other things the way you want.

david@linux-lst5:~> su
Password:             
linux-lst5:/home/david # netstat -atu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:sunrpc                *:*                     LISTEN      
tcp        0      0 localhost:ipp           *:*                     LISTEN      
tcp        0      0 localhost:smtp          *:*                     LISTEN      
tcp        0      0 192.168.1.2:48096       cs110.msg.ac4.yaho:mmcc ESTABLISHED 
tcp        0      0 192.168.1.2:54680       tx-in-f125.:xmpp-client ESTABLISHED 
tcp        0      0 192.168.1.2:59059       cot.novell.com:www-http ESTABLISHED 
tcp        0      0 192.168.1.2:59045       cot.novell.com:www-http ESTABLISHED 
tcp        0      0 192.168.1.2:59061       cot.novell.com:www-http ESTABLISHED 
tcp        0      0 192.168.1.2:37935       91.214.237.15:gadugadu  ESTABLISHED 
tcp        0      0 192.168.1.2:48097       cs110.msg.ac4.yaho:mmcc ESTABLISHED 
tcp        0      0 192.168.1.2:52258       tz-in-f102.1e1:www-http ESTABLISHED 
tcp        0      0 192.168.1.2:59060       cot.novell.com:www-http ESTABLISHED 
tcp        0      0 192.168.1.2:59048       cot.novell.com:www-http ESTABLISHED 
tcp        0      0 192.168.1.2:59050       cot.novell.com:www-http ESTABLISHED 
tcp        0      0 192.168.1.2:51169       community.open:www-http TIME_WAIT   
tcp        0      0 *:sunrpc                *:*                     LISTEN      
tcp        0      0 localhost:ipp           *:*                     LISTEN      
tcp        0      0 localhost:smtp          *:*                     LISTEN      
udp        0      0 *:cadview-3d            *:*                                 
udp        0      0 *:57152                 *:*                                 
udp        0      0 *:mdns                  *:*                                 
udp        0      0 *:sunrpc                *:*                                 
udp        0      0 *:ipp                   *:*                                 
udp        0      0 *:cadview-3d            *:*                                 
udp        0      0 *:sunrpc                *:*                                 
linux-lst5:/home/david # nmap -v -A scanme.nmap.org                             

Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-25 21:25 SGT
NSE: Loaded 30 scripts for scanning.                          
Initiating Ping Scan at 21:25                                 
Scanning 64.13.134.52 [4 ports]                               
Completed Ping Scan at 21:25, 0.54s elapsed (1 total hosts)   
Initiating Parallel DNS resolution of 1 host. at 21:25        
Completed Parallel DNS resolution of 1 host. at 21:25, 0.37s elapsed
Initiating SYN Stealth Scan at 21:25                                
Scanning scanme.nmap.org (64.13.134.52) [1000 ports]                
Discovered open port 53/tcp on 64.13.134.52                         
Discovered open port 80/tcp on 64.13.134.52                         
Discovered open port 22/tcp on 64.13.134.52                         
Completed SYN Stealth Scan at 21:25, 25.90s elapsed (1000 total ports)
Initiating Service scan at 21:25                                      
Scanning 3 services on scanme.nmap.org (64.13.134.52)                 
Completed Service scan at 21:25, 12.61s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (64.13.134.52)
Initiating Traceroute at 21:25                                         
64.13.134.52: guessing hop distance at 11                              
Completed Traceroute at 21:26, 2.92s elapsed                           
Initiating Parallel DNS resolution of 17 hosts. at 21:26               
Completed Parallel DNS resolution of 17 hosts. at 21:26, 13.25s elapsed
NSE: Script scanning 64.13.134.52.                                     
NSE: Starting runlevel 1 scan                                          
Initiating NSE at 21:26                                                
Completed NSE at 21:26, 7.24s elapsed                                  
NSE: Script Scanning completed.                                        
Host scanme.nmap.org (64.13.134.52) is up (0.53s latency).             
Interesting ports on scanme.nmap.org (64.13.134.52):                   
Not shown: 993 filtered ports                                          
PORT      STATE  SERVICE VERSION                                       
22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)                    
|  ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
|_ 2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)             
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http    Apache httpd 2.2.3 ((CentOS))
|_ html-title: Go ahead and ScanMe!
113/tcp   closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.27, Linux 2.6.18
Uptime guess: 0.507 days (since Fri Jun 25 09:15:40 2010)
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 25/tcp)
HOP RTT    ADDRESS
1   0.95   192.168.1.1
2   8.78   xx.xxx.32.1
3   13.66  218.248.168.90
4   52.47  59.163.206.161.static.chennai.vsnl.net.in (59.163.206.161)
5   289.43 172.31.125.46
6   492.46 if-2-11.mse2.SV1-SantaClara.as6453.net (209.58.86.13)
7   489.57 if-3-0.mcore3.LAA-LosAngeles.as6453.net (216.6.84.45)
8   487.51 Vlan1976.icore1.LAA-LosAngeles.as6453.net (209.58.53.81)
9   516.55 4.68.63.65
10  527.01 ae-83-80.ebr3.LosAngeles1.Level3.net (4.69.144.180)
11  282.91 ae-2-2.ebr3.SanJose1.Level3.net (4.69.132.9)
12  542.97 4.69.134.238
13  284.92 ae-22-69.car2.SanJose2.Level3.net (4.68.18.12)
14  284.42 layer42.car2.sanjose2.level3.net (4.59.4.78)
15  536.06 xe6-2.core1.svk.layer42.net (69.36.239.221)
16  528.68 scanme.nmap.org (64.13.134.52)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.40 seconds
           Raw packets sent: 2049 (91.746KB) | Rcvd: 78 (3894B)
linux-lst5:/home/david #

@ Henk - I tried netstat --all, it listed all ports but it still isn’t mature; I tried to paste the code here but it declined, saying ‘The text that you have entered is too long (47669 characters). Please shorten it to 15000 characters long’.

The --all will also show the internal (Unix domain) sockets. As they are only about program-to-program communications internally to your system, they have nothing to do with listening ports on the network. That is why I gave the t (TCP) and u (UDP) options. Also the l option is nice, then you do not have to grep for LISTEN. And do not forget the p option if you want to know which program does the listening.

And do not try to publish that long list here. Nobody will be interested. I gave you the notion of the existence of netstat. Use it as you like. When you have a problem that must be illustrated with it, start a thread and post that part of the netstat output that is of interest.
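Henk's netstat advice (the t, u, l, n and p options) and david's point that only a scan from outside the firewall shows what actually reaches the host are two halves of one check. As an added example, not code posted in this thread, the POSIX shell script below parses a constructed sample of `netstat -tuln` output and a constructed nmap port table for the same host, and reports for every listener whether it is exposed to the outside, shielded by the firewall, bound to loopback only, or simply not covered by the scan. All addresses, ports and scan states in the samples are made up for illustration; on a real host you would feed it the output of `netstat -tulpn` (or `ss -tulpn` on systems where netstat is gone) and the port table of an nmap run from a machine outside your firewall.

```sh
#!/bin/sh
# Added example (not from the thread): reconcile the inside view (netstat) with
# the outside view (nmap). Every sample value below is constructed for
# illustration and does not describe any host in the discussion.

# Constructed `netstat -tuln` output: TCP+UDP, listening sockets only, numeric ports.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*'

# Constructed nmap port table from a scan of the same host run OUTSIDE the
# firewall (TCP rows plus one UDP probe, which nmap reports as open|filtered
# when it gets no reply).
NMAP_SAMPLE='PORT      STATE         SERVICE  VERSION
22/tcp    open          ssh      OpenSSH 4.3 (protocol 2.0)
25/tcp    closed        smtp
111/tcp   filtered      rpcbind
631/tcp   closed        ipp
5353/udp  open|filtered zeroconf'

# Emit "proto port bind-address" for every listening socket in netstat text.
# TCP rows count only in state LISTEN; with -l every UDP row is a listener.
listening_ports() {
    printf '%s\n' "$1" | awk '
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, a, ":")
            port = a[n]
            bind = substr($4, 1, length($4) - length(port) - 1)
            print $1, port, bind
        }' | sort -u
}

# Emit "proto port state" for every row of an nmap port table.
external_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            split($1, a, "/")
            print a[2], a[1], $2
        }'
}

# One verdict per listener: exposed, shielded(<state>), local-only, not-scanned,
# unknown(open|filtered) for an unanswered UDP probe, or anomaly when a
# loopback-only listener is nonetheless reported open from outside.
reconcile() {
    listening_ports "$NETSTAT_SAMPLE" | while read -r proto port bind; do
        state=$(external_ports "$NMAP_SAMPLE" |
                awk -v p="$proto" -v n="$port" '$1 == p && $2 == n { print $3 }')
        case "$bind" in
            127.*|localhost|::1) local_only=yes ;;
            *)                   local_only=no ;;
        esac
        if [ "$state" = open ]; then
            if [ "$local_only" = yes ]; then verdict=anomaly; else verdict=exposed; fi
        elif [ "$local_only" = yes ]; then
            verdict=local-only
        else
            case "$state" in
                "")              verdict=not-scanned ;;
                "open|filtered") verdict="unknown($state)" ;;
                *)               verdict="shielded($state)" ;;
            esac
        fi
        printf '%s/%s %s\n' "$proto" "$port" "$verdict"
    done
}

# Only the listeners an outsider can actually reach: the list worth acting on.
exposed_listeners() {
    reconcile | awk '$2 == "exposed" { print $1 }'
}

reconcile
```

With the constructed samples the script prints one line per listener; only tcp/22 comes out as exposed, rpcbind on tcp/111 is listening but shielded by the firewall, the loopback-bound smtp and ipp sockets are local-only, and the UDP sockets that the scan did not cover are flagged as not-scanned rather than silently assumed safe. That last distinction is the point of running both tools: a listener that does not appear in the scan is not closed, it is merely untested.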

Henk,

Thanks a bunch. As of now I got all I needed, I may or may not use all the software bundle or I may install something that meets my requirements. For recording packages and communications I have snort that logs to file.

best,

david