Hackers!!

Hackers are trying to get in.

Not to alarm anyone, but if you didn’t know already, unscrupulous individuals are trying to get into your system every day.  Most people are protected by their routers and firewall software.   These allow traffic to come into your device ONLY if you have initiated a connection to the remote device from within your own network or computer.

Fair enough.  But for someone who wants to play with their network from remote locations, herein lies the problem.  In order to connect to my Linux box from anywhere outside of my home, I first have to direct port 22 (for SSH) in  my router to my linux.  Now I can have access.  But so can anyone else who attempts a connection to my IP address.  Likely they have a script running that methodically runs down IP addresses, trying to get a response.  Now when they hit my IP address with SSH, instead of the standard no response, they get a LOGIN: prompt.  Now they know it’s something worth trying to access.  The next script starts trying standard login names, then when it hits a upon a valid name, it then goes through the passwords.  Here’s what it looked like last night.

This is a small excerpt from my /var/log/auth.log (grep -i failed /var/log/auth.log)

As you can see, they were using standard names alphabetically.  They did way more than that, using standard usernames like “user, sysadmin, admin, guest, matrix, neo, trinity” and so on.  The lesson learned here is that any usernames on your system should not be dictionary words.  Too easy to guess.  Make it something you can remember, but somewhat resembles a secure password (numbers, big & small letters).

iftop

How did I know someone was hitting my box?  Pure luck.  I figured people were trying before, but did not realize to what extent.  I also wonder how many of these script kiddies had hit my box before?

Every now and then when I’m logged into my linux box, I like to just play around to keep myself in practice of some of the many tools there are, like ipcalc and such.  One of the tools I’ve installed is iftop. It’s much like top, but for network interfaces.  I have a second network card on my box connected to my Cisco router.  The port on that router mirrors all the other ports so that it can see ALL the traffic on my network.  The benefit of this is when I run iftop on this interface, I can see ALL my traffic, not just the data specific to that IP address.  It’s great too for working with WireShark.

(sudo iftop -p -B -i eth1)  (iftop does not come with linux, you must install it)

I can see devices on my network communicating with each other.  Nagios on my linux box polling devices, websites being delivered to another PC on my home network, the router looking for other routers, etc.   What I did see last night though was a URL that did not look right.  It ended with a .gr, not the usual .com, .net, .org and was not on my local network.

I performed a whois on that sucker and found it was from Greece.  The University of Patras in Greece.   Ahhhhh, it figures.  Kid goes to college, takes some computer science cources, learns all about computers, networking and so on.  Now he figures he can make his own little scripts to access networks around the world.  And he is probably successful at times.  Not this time.  I found him.

Now that I see him, what to do?  Well, since I’ve a Cisco router and the know-how.  I create an ACL (access control list) to block him.   I could have blocked just his address, but was not sure if he’d just get another one somehow and try again, so I wanted to block the whole country.  My friend Sean had recently created a perl script that will create an ACL for you to include EVERY ip range for the country of your choice.  Perfect.  I ran this sucker and WOW, Greece had 180 IP ranges.  Weird enough, none of them included my hackers address ( I mean the University of Greece).  We’ll work on that later.  So I applied the new ACL, including a range for the university and applied it to my Interface.

As you can see by the last few lines of my ACL, that after it was applied (BTW, my /var/log/auth.log automatically stopped logging because now he could not get through) I still had 4,677 hits from him.  But he was stopped at the router.

That last line was to make sure anyone else (myself especially) could get through.   Okay, so that does not stop the others.  We’ll get to that soon.  But in the mean time, this particular misfit is denied.

Yes, I need to block out the world and yet still let myself in.   So now I’ll create a smaller ACL that denies everyone except my local region.  This being because I may want to get in from different places, i.e. my parents, work, coffee shops, etc.

So a smaller and complete ACL is shown below.

I changed the real IP addresses for display purposes.  The first 3 lines permit access from 2 major ISPs in my geographical area.  Line 90 allows DNS queries to succeed.  Line 91 allows FTP connections (I’d rather not as it’s not too secure, but I have a couple websites that the hosting companies don’t seem to care too much about the security).  Line 92 allows PING to work.  It’s nice to be able to ping a website and get a response just to know certain things are working while I’m troubleshooting.  Then line 100 allows anything that I’ve initated to come through.  So if I want to access a web page hosted at the University of Greece, I can.  But their students cannot enter my domain.

Take a look at that last line that denies everyone else, there’s 16 matches.  I have these logged, as you can see.  From the log I found hits from China, France and Poland.  All within a few hours.

Log Entry:
Apr 28 23:55:57.064:  list 2100 denied tcp 83.16.20.98 –   Connection attempt from Poland.

More to come

Now this does not totally protect me.  I am still vulnerable from my local area, but for a limited time.  Sean has offered me access to his secure network that will allow me to do one thing and one thing only from there, to connect to my network.  Now he has a static IP address, so my ACL can then be written to allow an un-established connection from the outside from that particular IP address only.

Another safeguard is IPTABLES.  I have briefly toyed with this firewall option built into Linux that is very flexible.  Supposedly one can set it up to allow a set number of failed login attempts before it disables that particular IP address for a set amount of time.  This would seriously slow down script kiddies and others.  However if I were to mistype my password that number of times, I could lock myself out for some time as well.  Oh well, guess I better slow down on my typing.

Vanity Plate

Take a Break

Okay, I’m going to take a break at this moment from the regularly non-scheduled blogging of Networking and Linux to share something still Linux related.  My new vanity plate.

I’ve always toyed with the idea of getting a vanity plate, but I did not want something too ordinary or obvious.  I wanted something unique, yet still relevant to something a portion of society could relate to or understand.  I did have a few ideas, but they were taken, such as 127001, which would be the IP address 127.0.0.1 which is the localhost or loopback IP address translating basically to “this device”.

Well I recieved my plates in the mail yesterday.

My Vanity Plate

SUDO MV.  For those new to Linux, SUDO is the command given to allow superuser (root) privileges to do whatever it is that regular users do not have access to.  It could be configuring system files, to modifying another users files.  It’s the SUPER USER.  The MV is “move”.  So as my car traverses the data bus known as the highway (not informational nor super) it is being moved by the Super User.  Oh yeah!!

Yes, it’s the little things in life that add up to something big.

To illustrate the point of SUDO a little more I’ve attached a comic from xkcd that was some of the inspiration for my choice of plates.

And that is how things take place in Linux.  There are times I try to run a command or edit a file and I’m denied.  It is then I need to use SUDO.

Tip: If you type a long command and are denied due to needing superuser ability, type “sudo !!“.  The double exclamation points insert the last command.  Try it, you’ll like it.

Debian installation

Cheap Computer

One of the nice things about LINUX (whatever flavor you desire) is that it does not need the latest and greatest top of the line overclocked hardware to operate.   In fact, for my next project, the server I plan on setting up in VLAN 2 will not have a GUI installed, since it will not have a monitor (nor a need for one, as I will do everything I need to it by logging in via another computer on my network or from the internet).  Without having to display graphics and such, this is alot of overhead the Operating System does not have to deal with, leaving it’s processing power to what it needs to do, in this case, pretty much serve up web pages, and monkey with a database perhaps.

Craigslist

Ahhhhh, Craigslist.  The thing I like about Craigslist is that if what I see is not quite adequate, I can look again a few hours later and possibly find what I need.  I found something nice and simple for my needs.   It’s a 100Mhz P3 processor with 512MB of RAM, a 20GB hard drive and a CD-ROM reader.  It has USB ports and a working ethernet port.  Perfect!

To install Debian, the minimum requirements are

Now these are the minimums to run Debian without the GUI.  If I wanted to install the GUI and use it as a server, this still surpasses the minimum requirements.  So we’ll be just fine.

Of course to do the install, we do need a monitor, so I  will use what I have.  After the install, the monitor will be removed and re-connected to its original PC.

Debian

Now of ALL the different distros of Linux out there, why did I chose Debian?  First, it came highly recommended by someone who is quite knowledgeable in the area of Linux and is one of my greatest sources of all Linux knowledge these days.  But also because of it’s ease of use.

The more popular Ubuntu is based on Debian.  One of its great features is its ease of installation of programs.  We’ll get into that later.

The most recent release of Debian is 5.0.1, codename Lenny.  Lenny is named after “Lenny the binoculars” from Toy Story.  In fact all of Debians releases are named after Toy Story characters.  Being a fan of Pixar, I can only say they chose a good theme.

Installation

Now for the installation.  It went very well.  A nice guide with some screen shots of what to expect can be found here.  Keep in mind, that’s just a guide.  For the full manual, you might want to consult this page.

During installation, you are asked a slew of questions, don’t get intimidated, just plod along.  Probably the biggest hurdle is partitioning the hard drive.  Debian has recommended partition sizes, but this is for the Potato release which is quite a few releases back.  The average memory is larger in todays PCs and larger hard drives.   Everyone has  different suggestions, some of which are due to differing systems, but following the guideline at debian.com can help guide you.

It took me about 4 tries before I had all my partitions setup the way I wanted.  The nice thing is that the installer gives you a chance to review your partition setup before proceeding.

An important thing to consider is from where you want to get your updates and other apps you intend to install.  If you don’t plan on connecting your PC to the internet, CD-ROM is fine, but you will be limited.  Otherwise make sure you chose HTTP.

Tweaking

In order to make changes and tweaks, you’ll need to make sure you can edit/copy/move/delete files as superuser.  Hopefully you remember your ROOT password, you’ll need it.  Log in as root and edit /etc/sudoers with the visudo command (very important) .    Look for this section:

# User privilege specification
root    ALL=(ALL) ALL

Underneath the root user, add your username and copy the line above above it.   Now when you are logged in, you’ll have superuser privileges when you preface each command with SUDO.  You’ll need to enter your password alot.  That’s okay, it’s worth the security.

Make sure you get an update as well.  The copy you have, may be a tad bit old and newer updates are likely available.  So issue the command sudo aptitude update.  Of course, make sure you’ve got a good connection to the internet.

If you’re having trouble getting your updates, or if you’re trying to install an app that you know should exist, you may need to edit your /etc/apt/sources.list to the following.

deb http://ftp.debian.org/debian lenny main
deb-src http://ftp.debian.org/debian lenny main

deb http://security.debian.org/ lenny/updates main contrib
deb-src http://security.debian.org/ lenny/updates main contrib

deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

Now if you have a different release other than lenny, make sure you replace lenny in the file with your particular release name.

Networking

During installation, I opted out of the DHCP setup for my network interface and setup static IP address because I plan on using static IP addresses for my whole network.  If after installation, you find that your network interface is misconfigured edit it with:

sudo nano /etc/network/interfaces

If all goes well, your Linux Box should be up and running.  If you can’t connect to your box remotely, using SSH (I recommend Putty if you’re using a windows machine) to log in, make sure you install OpenSSH server.  You can sudo aptitude install ssh to get both the server and client installed.

Prior to doing any installation, I recommend reading up on the software as much as you can.  You will definitely have some foreknowledge of what to expect and what information you may need to provide.  Be sure to read the installation guide before installing Debian.

Extras

During installation, you will also be asked what packages you want.  I opted out of the GNOME ones since they are for installing the GUI that I did not want.   I did however choose the Web Server.  I can’t remember if it was listed as HTTP, Apache or Web Server.  Nevertheless, that was included and works just fine.  I’ll make another post some day on installing Apache.  Fun.  I might have to uninstall what I’ve got first.  Not fun.

Sendmail

Todays lesson is about Mail.

Sendmail is a standard tool for your e-mail needs.   There’s alot more to it than I am aware of at this point.  Right now, I just need to make sure I can e-mail OUT to the rest of the internet/world.

To understand a little bit about e-mail and how it all works, you can check this link that briefly explains the purpose and operation of MDAs (Mail Delivery Agents), MTAs (Mail Transfer Agents) and MUAs (Mail User Agents).  This information should come in handy in setting up your own agent.

Sendmail is an MTA as it can transfer e-mail for you, sending and recieving.  I however just have the need to send mail.  I had problems for a while, then I found a nice simple program called sendEmail.  It was simple enough to run without having to configure anything.   But I could not get sendmail to work for some reason.  My sendEmail program worked, but not sendmail.  Why?

To figure this out, I had to figure out how the MTA of my local ISP was working.  Talking with my coworkers, I learned that one can telnet directly into an SMTP server and issue commands from there and send out an e-mail directly.  I gave it a try, and everything worked until I got to the point of telling the server who I wanted to e-mail.  It was then I got the response: 550 Recipient Rejected: Relay not allowed.  What was I doing wrong?

Now I was successful in sending e-mails with sendEmail, so I needed to see what was different.

It was then that I downloaded WireShark, which I was eventually going to want anyway.  I’ll have to blog about that program another day as well.  But for now, I’ll just say that I was able to capture all data going in and out of my eth1 interface and see what was transpiring.  It was there that I saw a command I was not aware of, AUTH LOGIN followed by encrypted data.  AHA!!  That was the answer.

It wasn’t so much that I was doing something wrong, it was that my ISPs server was setup for authentication, of which it was not getting  from me.  Another search online yielded this fine set of instructions.  You’ll need to scroll halfway down the page for the heading Using sendmail as a client with AUTH.

After this setup I was successful in e-mailing myself.

If you are not interested in telnetting into your SMTP server or using WireShark, you can see what’s going on by using the -v option while using the mail command. Below is a successful example.

mail -v -sTesting user@yahoo.com Command from terminal

(blue text is from my box, red from the server)

user@isp.com… Connecting to [127.0.0.1] via relay…
220 ubuntu ESMTP Sendmail 8.14.3/8.14.3/Debian-4; Fri, 3 Apr 2009 18:24:08 -0800; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
>>> EHLO ubuntu
250-ubuntu Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From:<lance@ubuntu> SIZE=69 AUTH=lance@ubuntu
250 2.1.0 <lance@ubuntu>… Sender ok
>>> RCPT To:<user@yahoo.com>
>>> DATA
250 2.1.5 <user@yahoo.com>… Recipient ok
354 Enter mail, end with “.” on a line by itself
>>> .
050 <user@isp.com>… Connecting to smtp.local.net via relay…
050 220 smtp.local.net ESMTP EON-AUTHRELAY2
050 >>> EHLO ubuntu
050 250-smtp.local.net
050 250-PIPELINING
050 250-SIZE 50000000
050 250-AUTH PLAIN LOGIN
050 250-AUTH=LOGIN
050 250 8BITMIME
050 >>> AUTH LOGIN
050 334 <encrypted – text>
050 >>> <encrypted – text>
050 334 <encrypted – text>
050 >>> <encrypted – text>
050 235 Authentication successful
050 >>> MAIL From:<lance@ubuntu> SIZE=333 AUTH=<>
050 250 Sender okay
050 >>> RCPT To:<user@yahoo.com>
050 >>> DATA
050 250 Recipient okay
050 354 Ready
050 >>> .
050 250 Thanks, queued as dm52.49d40e27.c9ac3@dm52
050 <user@yahoo.com>… Sent (Thanks, queued as dm52.49d40e27.c9ac3@dm52)
250 2.0.0 n342O8aV020851 Message accepted for delivery
user@yahoo.com… Sent (n342O8aV020851 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 ubuntu closing connection