I find it somewhat ironic that the final chapter in this book covers turning on essential network servers such as FTP, e-mail, and the web. Part I of this book covers installation and system tweaking, mainly focusing on the local system, not network services. Part II discusses collaboration systems, where your Ubuntu system primarily operates as a client, and details some services such as SMB, SSH, SOCKS, and LPD. Part III aims at improving performance, but not network services. That leaves Part IV. In Chapters 10 and 11, I show you how to lock down your system and network. In this chapter, I show you how to open it up.
Any time you make a network service externally accessible, you open yourself up to a possible network attack. For this reason, it is very important to know exactly what services you are offering and to limit access to only the services you explicitly want to offer. You will also want to monitor your system for possible threats. Basic network services, like web and e-mail systems, should expect to receive literally hundreds of probes and attack attempts per day. As luck usually has it, the day you stop monitoring for these events will be the day one of them becomes successful in compromising your system.
Finally, when you understand the risks and how to handle them, you should feel confident enough to open a network service to other people, including everyone on the Internet. Common services that you will probably want to run include SSH, FTP, e-mail, and web servers.
Warning | While booting from a USB drive is arguably the most difficult hack in this book (see Chapter 1), opening a network service (especially to the Internet) is the most dangerous. The question is not "will you be attacked?" You will. You will probably be probed and attacked within a few hours, and the attempts will never end. Eventually some attack method may succeed. The only real question is, "when will you notice?" |
Ubuntu has a simple default setting: no default network services. Although software firewalls are not configured (see Chapter 11), they are also not needed until you begin turning on services.
Although externally accessible services are disabled, some programs do use network connections to communicate between processes on the same system. For example, X-Windows uses some local network connections to communicate between applications. There are two common ways to identify what services are running: netstat and nmap.
As mentioned in Chapter 7, the netstat command provides useful statistics about the network interfaces on your system. Besides summarizing traffic flows, netstat can also show established network connections and open network services. Running the command all by itself generates a long list of current TCP, UDP (datagram), and Unix sockets.
Tip | The netstat command usually generates a large amount of data. You should pipe the output into a pager such as more or less. (The less command is similar to more, but enables you to scroll backwards.) |
```
$ netstat | more
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 marvin.local.lan:55419  bugs.local.lan:ssh      ESTABLISHED
tcp        0      0 localhost:44235         localhost:46274         ESTABLISHED
tcp        0      0 marvin.local.lan:38446  foghorn.local.lan:ssh   ESTABLISHED
tcp        0      0 localhost:46274         localhost:44235         ESTABLISHED
tcp6       0      0 chutney.local.lan:ssh   foghorn.local.lan:1074  ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  4      [ ]         DGRAM                    13124361 /dev/log
unix  2      [ ]         DGRAM                    5610     @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    12548    @/org/freedesktop/hal/udev_event
unix  2      [ ]         DGRAM                    13232791
unix  2      [ ]         DGRAM                    13198909
unix  2      [ ]         DGRAM                    13124142
unix  3      [ ]         STREAM     CONNECTED     13123939 /var/run/cups/cups.sock
unix  3      [ ]         STREAM     CONNECTED     13123938
unix  2      [ ]         DGRAM                    13123531
--More--
```
The first part of the netstat output shows TCP connections. This can also be shown using netstat -t. Connections show the local address (in this case, my localhost is named marvin), the connected remote systems (bugs and foghorn), and the connection state. The states represent the TCP connection's status. There are two states that you will often see:
ESTABLISHED-A network connection exists between the two systems.
TIME_WAIT-A connection has terminated and the system is just waiting for any final packets before tearing down the connection.
Along with these common states, there are many other states that exist for very short durations. For example, SYN_SENT and SYN_RECV indicate that a connection is starting; these quickly switch over to the ESTABLISHED state. There are also plenty of states that indicate a connection is closing, such as FIN_WAIT1, FIN_WAIT2, CLOSE, and CLOSE_WAIT. These states rarely exist for more than the blink of an eye before switching over to the TIME_WAIT state.
The second part of the netstat output shows Unix domain sockets. These include connectionless datagram sockets (DGRAM, the local-socket counterpart of UDP) and connection-oriented sockets (STREAM). You can limit the display to just these sockets by using netstat -x.
Besides showing established connections, netstat can display waiting network services. The command netstat -l shows all the listening servers.
```
$ netstat -l | more
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:nfs                   *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:40867                 *:*                     LISTEN
tcp        0      0 localhost:42309         *:*                     LISTEN
tcp        0      0 *:935                   *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 localhost:44235         *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:8118          *:*                     LISTEN
tcp        0      0 localhost:socks         *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 localhost:9050          *:*                     LISTEN
tcp        0      0 localhost:6010          *:*                     LISTEN
tcp        0      0 *:668                   *:*                     LISTEN
tcp        0      0 *:microsoft-ds          *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 ip6-localhost:6010      *:*                     LISTEN
udp        0      0 *:32768                 *:*
udp        0      0 *:nfs                   *:*
udp        0      0 *:netbios-ns            *:*
--More--
```
This example shows a large number of available network services including Tor (port 9050), NFS and LPD (printer), and even Samba (netbios). If you only want to list TCP or UDP services, you can use netstat -lt or netstat -lu, respectively. netstat -lx shows the local Unix services and sockets.
Although netstat usually shows many services, not all are accessible from across the network. For example, the Unix services are usually restricted to the local system and are not externally accessible. In addition, many TCP and UDP services may be bound to the loopback interface rather than the external network interface. These are denoted by the localhost interface name.
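The distinction above (a listener bound to `localhost` versus one bound to `*`) is the first thing to check before worrying about any individual service. The following script is an added example and is not from the book: it reads `netstat -l` output and sorts each TCP/UDP listener into "local" (bound to a loopback name or address) or "external" (bound to every interface or to a specific interface address). The `SAMPLE_NETSTAT` text is constructed from the chapter's listing, with one Unix-socket row added, so that it runs offline; the function names `classify_listeners`, `exposed_listeners` and `local_only_listeners` are my own.

```shell
#!/bin/sh
# Added example, not from the book: sort the listeners reported by
# `netstat -l` into loopback-only and externally reachable sockets.
# Real use:   netstat -l | exposed_listeners
# SAMPLE_NETSTAT is constructed from the chapter's listing (plus one
# Unix socket row) so the script runs without a live system.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:nfs                   *:*                     LISTEN
tcp        0      0 localhost:socks         *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 localhost:9050          *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 ip6-localhost:6010      *:*                     LISTEN
udp        0      0 *:nfs                   *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     13123  /var/run/cups/cups.sock'

# Read netstat output on stdin and print one line per TCP/UDP listener:
#   <scope> <proto> <local address>
# scope is "local" for sockets bound to a loopback name or address
# (localhost, ip6-localhost, 127.x.x.x, ::1) and "external" otherwise
# (*, 0.0.0.0, ::, or a specific interface address). Unix sockets are
# skipped because they are never reachable from the network.
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # TCP rows carry a State column; only LISTEN rows are servers.
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next
            # The port is everything after the last colon, which also
            # handles numeric IPv6 addresses such as ::1:631 and :::22.
            n = split($4, parts, ":")
            port = parts[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            scope = "external"
            if (host == "localhost" || host == "ip6-localhost" ||
                host == "::1" || host ~ /^127\./)
                scope = "local"
            print scope, $1, $4
        }'
}

# Listeners that another host on the network could reach.
exposed_listeners() {
    classify_listeners | awk '$1 == "external" { print $2, $3 }'
}

# Listeners confined to this machine (a remote nmap scan will not see them).
local_only_listeners() {
    classify_listeners | awk '$1 == "local" { print $2, $3 }'
}

echo "Externally reachable listeners:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "Loopback-only listeners:"
printf '%s\n' "$SAMPLE_NETSTAT" | local_only_listeners
```

On a live system the sample variable is unnecessary: `netstat -l | exposed_listeners` gives the list of services that deserve a firewall rule or an explicit decision to keep them open. The classification is by bind address only; a service bound to `*` may still be blocked by iptables or TCP Wrappers, which is why the chapter goes on to recommend an nmap scan from another host.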
A better way to identify running services is with the nmap command (sudo apt-get install nmap). This network-mapping tool can identify every network-accessible service on a host and can even scan an entire subnet in minutes.
Warning | In some sensitive network environments, nmap will trigger intrusion detection systems. Before you scan a host across a network, make sure you won't get in trouble with your local network administrators. |
Table 12-1 lists some of the common command line parameters that I use with nmap. Other parameters are described in the man page for nmap.
Parameter | Purpose |
---|---|
-p portlist | By default, nmap only scans a set of well-known and common ports. This option can be used to specify one or more ports (for example, -p 80 or -p 80,443) or a range of ports (for example, -p 0-65535 or -p 1-1023). |
-P0 | Normally nmap pings the host before scanning it. However, if you enabled iptables or a firewall to drop ICMP packets, then the host cannot be pinged. This option disables pinging hosts before scanning them. |
-sS | This performs a SYN-scan. Rather than performing a full TCP connection, only the initial connection is performed. This type of scan is not detected by some logging systems. I use it because it is faster than performing a full TCP scan. |
-sU | Rather than scanning for TCP services, this will scan for UDP services. |
-sV | When a network service is identified, only the port number is known. This option tells nmap to profile what is running on the port. In many cases, it will identify the name and version of the server. |
-O | While -sV profiles individual services, -O profiles the actual operating system. Using this option, nmap can try to determine the running operating system and version. |
The results from an nmap scan show all of the accessible network services. For example:
```
$ sudo nmap -sS -sV -p 0-65535 -O 127.0.0.1

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-02 10:56 MST
Interesting ports on localhost (127.0.0.1):
Not shown: 65518 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.4
22/tcp    open  ssh         OpenSSH 4.2p1 Debian-7ubuntu3 (protocol 2.0)
25/tcp    open  smtp        Postfix smtpd
111/tcp   open  rpcbind     2 (rpc #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
668/tcp   open  mountd      1-3 (rpc #100005)
935/tcp   open  status      1 (rpc #100024)
1080/tcp  open  socks?
2049/tcp  open  nfs         2-4 (rpc #100003)
6010/tcp  open  unknown
8080/tcp  open  http-proxy  Microsoft ISA Server http proxy
8118/tcp  open  http-proxy  Junkbuster/Privoxy webproxy
9050/tcp  open  tor-socks   Tor SOCKS Proxy
40867/tcp open  nlockmgr    1-4 (rpc #100021)
42309/tcp open  hpssd       HP Services and Status Daemon
44235/tcp open  hpiod       HP Linux Imaging and Printing System
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.18 - 2.4.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.0 (x86), Linux 2.6.3 - 2.6.10
Service Info: Host: localhost; OSs: Unix, Linux, Windows

Nmap finished: 1 IP address (1 host up) scanned in 36.204 seconds
```
Using nmap to scan your local system won't generate the same results as scanning from a remote host. This is because some network services are restricted to the local host. Also, some network services do their own filtering (for example, Tcpwrappers from Chapter 11) and only permit local connections. Ideally, you will want to scan your system from a different host on the same local network. Scanning my host from a remote system shows:
```
$ sudo nmap -sS -sV -O -p 0-65535 marvin

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-02 11:00 MST
Interesting ports on marvin (10.1.3.5):
Not shown: 65525 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.4
22/tcp    open  ssh         OpenSSH 4.2p1 Debian-7ubuntu3 (protocol 2.0)
25/tcp    open  smtp        Postfix smtpd
111/tcp   open  rpcbind     2 (rpc #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
668/tcp   open  mountd      1-3 (rpc #100005)
935/tcp   open  status      1 (rpc #100024)
2049/tcp  open  nfs         2-4 (rpc #100003)
40867/tcp open  nlockmgr    1-4 (rpc #100021)
MAC Address: 00:11:D8:AB:39:2C (Asustek Computer)
Device type: general purpose|broadband router
Running: Linux 2.4.X|2.5.X|2.6.X, D-Link embedded
OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.18 - 2.4.20, Linux 2.4.26, Linux 2.4.27 or D-Link DSL-500T (running linux 2.4), Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
Service Info: Host: localhost; OSs: Unix, Linux

Nmap finished: 1 IP address (1 host up) scanned in 25.491 seconds
```
Note that the remote scan shows fewer ports and a slightly different operating system profile. (In this case, it discovered my D-Link router as well as my Linux system.)
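The useful information is in the difference between the two scans: every port that is open locally but absent from the remote scan is either bound to the loopback interface or filtered for remote clients (for example by TCP Wrappers), and every port present in both is genuinely exposed. The script below is an added example, not from the book, that automates that comparison. The `LOCAL_SCAN` and `REMOTE_SCAN` excerpts are constructed from the chapter's two listings (trimmed, with one `closed` row added to the remote scan to show that non-open states are ignored); `open_ports`, `local_only_ports` and `exposed_ports` are my own function names.

```shell
#!/bin/sh
# Added example, not from the book: compare an nmap scan run on the host
# itself with one run from another machine and list the ports that only
# answer locally. Those are the services bound to loopback or filtered
# for remote clients, which a remote scan alone would never show.
# Real use:   local_only_ports "$(cat local.txt)" "$(cat remote.txt)"
# The two scan excerpts are constructed from the chapter's listings.

LOCAL_SCAN='Interesting ports on localhost (127.0.0.1):
Not shown: 65518 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.4
22/tcp    open  ssh         OpenSSH 4.2p1 Debian-7ubuntu3 (protocol 2.0)
25/tcp    open  smtp        Postfix smtpd
1080/tcp  open  socks?
8118/tcp  open  http-proxy  Junkbuster/Privoxy webproxy
9050/tcp  open  tor-socks   Tor SOCKS Proxy
44235/tcp open  hpiod       HP Linux Imaging and Printing System'

REMOTE_SCAN='Interesting ports on marvin (10.1.3.5):
Not shown: 65525 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.4
22/tcp    open  ssh         OpenSSH 4.2p1 Debian-7ubuntu3 (protocol 2.0)
25/tcp    open  smtp        Postfix smtpd
9050/tcp  closed tor-socks'

# Print "port/proto" for each line nmap reported as open. Lines in any other
# state (closed, filtered) and the surrounding banner text are ignored.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# $1 = text of the scan run on the host itself, $2 = text of the remote scan.
# Prints every port open locally that the remote scan did not see as open.
local_only_ports() {
    local_list=$(printf '%s\n' "$1" | open_ports)
    remote_list=$(printf '%s\n' "$2" | open_ports | tr '\n' ' ')
    for p in $local_list; do
        case " $remote_list " in
            *" $p "*) ;;            # reachable from the network too
            *) echo "$p" ;;         # only answers on the local host
        esac
    done
}

# Ports open in both scans: the services actually exposed to the network.
exposed_ports() {
    local_list=$(printf '%s\n' "$1" | open_ports)
    remote_list=$(printf '%s\n' "$2" | open_ports | tr '\n' ' ')
    for p in $local_list; do
        case " $remote_list " in
            *" $p "*) echo "$p" ;;
        esac
    done
}

echo "Open only from the local host:"
local_only_ports "$LOCAL_SCAN" "$REMOTE_SCAN"
echo "Open from the network:"
exposed_ports "$LOCAL_SCAN" "$REMOTE_SCAN"
```

Save each scan's output to a file (`sudo nmap ... > local.txt` on the host, the remote scan to `remote.txt`) and pass the file contents as shown in the comment. The "open from the network" list is the one to reconcile against the services you intended to offer; anything in it that you did not expect is the first candidate for a firewall rule or for being switched off.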
Tip | Some of the nmap options require root privileges. These include -O and -sS. If you are the only user on your system and you plan to use nmap often, consider making it run with root permissions: sudo chmod u+s /usr/bin/nmap. This way, you don't need to use sudo to do scans. |