Understanding Computer Attacks

There are many ways to divide up the types of computer attacks, but perhaps the easiest to understand is the internal attack, where someone has access to a computer on the local area network, versus the external attack, which occurs over the Internet. The distinction is important because it clarifies the relative danger your system is in. Chances are excellent that your local network is protected quite well by the system of permissions, along with the trust you place in your users to not damage the system. Unless you are in the habit of hanging around with the bad guys and giving them access to your system, you shouldn't have to spend a great deal of time protecting your system against your users.

It's that outside world that you must worry about most. In a world—and Internet—filled with millions upon millions of people, some percentage (usually small) will be evil. The Internet makes it possible for machines to connect on a vast scale, and any single machine can be attacked by people located anywhere on the planet. Within minutes of making first contact with the Internet, some machines can be attacked , although usually not successfully. Don't let your machines be counted among the victims.

This situation is not a result of malicious users lying in wait for your IP address to do something interesting. Instead, canny virus writers have created worms that exploit a vulnerability, take control of a machine, and then spread it to other machines around them. As a result, more attacks today are the result of these autohacking tools. There are really only a handful of the truly evil out there; however, as with most human endeavors, if you're really the target of someone's attack, you probably cannot prevent it without a massive effort.

Scripts come in another flavor as well: prewritten code that exploits a vulnerability and gives its users special privileges on the compromised machine. These scripts are rarely used by their creators . They get posted online for the aforementioned script kiddies, who use them to invade vulnerable systems and brag about it to their friends .

Your job as a system administrator is to keep your computers and local networks from being compromised by worms, script kiddies, and the more serious attacks conducted by more experienced criminals. Your users (even if it's just you) want to use the computer to accomplish great things and not worry about the firefights outside. Wearing your sysadmin hat, you can accomplish this task.

Regardless of the source of the attack, you can follow a five-step checklist to secure your SUSE Linux box:

Assess your vulnerability. Decide what machines can be attacked, what services they are running, and who has access to them.
Configure the server for maximum security. Install only what you need, run only what you must, and configure a local firewall.
Secure physical access to the server.
Create worst-case-scenario policies.
Keep up to date with security issues.

You'll learn more about each step in the following sections. You must implement all the steps.

Assessing Your Vulnerability

It is a common mistake for people to assume that switching on a firewall makes them safe. Although there's no question that switching on a firewall is an important step to take, it is not a solution and never has been. Each system has distinct security needs, and taking the time to customize its security layout will give you maximum protection and best performance.

Following are the most common security mistakes people make:

Installing every package—SUSE Linux 10 has 3 gigabytes of software included in the distribution. If a machine is not going to be an FTP server, you probably don't need to have the server installed on it. YaST makes it easy to configure your installation so that you can remove unnecessary packages and get the ones you will use.
Enabling unused services—Do you really require the capability to access your system remotely? Do you want people to upload files to your machine? If not, don't run SSH or FTP. Always think about what you use, whether that service is open to the Internet, and whether you need it.
Disabling the local firewall on the grounds that your server already has a firewall installed—When it comes to firewalls, more is better. Your computer is your castle. Put up a wide moat with a long drawbridge, followed by a thick wall, followed by another thick wall 10 feet away from the first one. Make it hard to access, and it won't be worth the time it takes for your attacker to continue.
Letting your machine give out more information than it needs to—Earlier we talked about the unfortunate, if inevitable, demise of finger as a useful tool to find out about other users on the network. Now it's just another way to hack into someone's system.
Keeping the door to the server room unlocked—Less common in IT shops these days, but still a bad idea. Even if your sysadmins live in the server room (and with Linux servers, that really shouldn't be—they work best unattended), the room should be locked whenever no one is inside.
Being careless with your wireless network—Wireless networking is convenient and helpful, but the standards were not developed with security in mind. Someday, this is likely to improve. We're not there yet.

After you have ruled out these common problems, you're on to the real problem. How can the bad guys attack your machine? What can people access from the outside? This comes down to the question of what applications and services face the Internet, and what ports do they run on?

The best way to find answers to these questions is through the Nmap networking utility. This little tool will scan the ports of any machine on your network, or all of them, and tell you which ones are open at that moment. Any service you have installed that responds to Nmap 's query is pointed out, and you may, in turn , choose to lock down ports that should not be open.

SUSE Linux does not install Nmap by default, but you can install the command-line version and a GUI front-end called Nmap-gtk through YaST. Other GUIs are available at the Nmap website, http://www. insecure .org/nmap.

Although you can use the shell version, it is much easier to configure and see the results of Nmap 's work in the GUI (Figure 23.1). It is also better to run Nmap as the SuperUser, because you will get more information that way. To launch Nmap-gtk , log in as the SuperUser and type xnmap & .

Figure 23.1. `Nmap` scans ports to see what is open and vulnerable.

The best way to run Nmap , especially the first time, is to use the SYN Stealth scan (on by default when you launch it as SuperUser) with OS Detection and Version Probe on. By default, Nmap scans the localhost (127.0.0.1), but you can add or change targets by typing the IP address(es) into the Target(s) edit box. The first time you run Nmap , you should click the Scanned Ports box to change the scan range from a few default ports; select All from the drop-down menu. This scan takes a little longer, but gives you a more complete picture of your status. As you adjust your options in the GUI, you'll see the actual shell command being built at the bottom of the window. You could, if so inclined, copy this command to a text file and run it as a shell script later on.

When you have made your selections, click Scan. Nmap tests each port to determine whether it responds. If it does, Nmap asks the application at that port for version information and displays that to the Nmap screen. You then get results like those displayed in Figure 23.1. Ideally, there will be no surprises on the list. If there are surprises , or you decide that there are some unnecessary services on the list, you can take action.

You can log your Nmap scan by going to Save Log in the File menu and choosing a location from the menu. To view the log file later, go to Open Log from the File menu.

If you just have one or a few machines on the network, you probably need to run Nmap only once a year, or if you suspect your system is compromised. Sysadmins of larger networks should run Nmap regularly as part of their general maintenance regimen.

Caution

Peer-to-peer file sharing networks such as Gnutella and BitTorrent usually require you to open ports on your firewall to speed up, or even access, the network. Recognize that you may be compromising your security when you participate in these networks. Be wary when downloading files from these sources. although as of this writing, no significant worm has propagated itself through peer-to-peer networks, it could easily happen. Not every file with a certain name contains the content you may be expecting after you get it downloaded.