sudoers

Where’s my SUDO?

Installing different flavors of Linux can be fun and exciting at times.  And it can have you scratching your head.

Take for instance, my first Linux install was Ubuntu.  Of course, this is a nice intro to anyone new to the Linux game, especially with it’s nice graphical interface.  Now when I looked for help on the net, I was directed to use the SUDO command whenever I needed to issue a command requiring Super User abilities.  This was a nice feature and worked as expected.

Now even though Ubuntu is a derivitive of Debian, it is not exactly the same.  It apparently came packaged with SUDO, whereas when I went to install Debian, it did not.  Shortly after my install, I attempted to install or configure certain things, and I was given the response that the SUDO command was not found.  I thought I had broken something.  But alas, all was not lost.

Super User

Of course, what SUDO does is issues the command that follows as if you were logged in as Super User.  Now, I had to install SUDO, but without SUDO.  Easy enough.  Just log in as Super User with the “su” command.  Of course, the password you setup for the super user is necessary.

Once in, no SUDO or anything else is needed to use your godlike skills.  Issue the APTITUDE INSTALL SUDO (or apt-get if you prefer) to install SUDO.  Make sure to exit out of super user when you’re done.

Now that you’ve got SUDO installed, you may still have trouble, this being due to the fact that you are not on the list of privileged users to issue Super User commands at will.  You must add yourself to the /etc/sudoers file.  Oh darn, you can’t do that without SUDO abilities.  Or can you.  Oh yeah, never should have exited out of Super User mode so quickly.  I guess I did tell you to, did I not?  That’s okay, back in, edit the file with your favorite editor and voila, exit out of Super User again.  We’re done now, I promise.

While you’re in the sudoers file, find the line that reads # User privilege specification and copy/paste the line below that reads root    ALL=(ALL) ALL and then change root to your name.  You can add other users this way as well, however the more you add, the more problems you invite.  It’s best to reserve this privilege only to those you trust.

Hackers!!

Hackers are trying to get in.

Not to alarm anyone, but if you didn’t know already, unscrupulous individuals are trying to get into your system every day.  Most people are protected by their routers and firewall software.   These allow traffic to come into your device ONLY if you have initiated a connection to the remote device from within your own network or computer.

Fair enough.  But for someone who wants to play with their network from remote locations, herein lies the problem.  In order to connect to my Linux box from anywhere outside of my home, I first have to direct port 22 (for SSH) in  my router to my linux.  Now I can have access.  But so can anyone else who attempts a connection to my IP address.  Likely they have a script running that methodically runs down IP addresses, trying to get a response.  Now when they hit my IP address with SSH, instead of the standard no response, they get a LOGIN: prompt.  Now they know it’s something worth trying to access.  The next script starts trying standard login names, then when it hits a upon a valid name, it then goes through the passwords.  Here’s what it looked like last night.

This is a small excerpt from my /var/log/auth.log (grep -i failed /var/log/auth.log)

As you can see, they were using standard names alphabetically.  They did way more than that, using standard usernames like “user, sysadmin, admin, guest, matrix, neo, trinity” and so on.  The lesson learned here is that any usernames on your system should not be dictionary words.  Too easy to guess.  Make it something you can remember, but somewhat resembles a secure password (numbers, big & small letters).

iftop

How did I know someone was hitting my box?  Pure luck.  I figured people were trying before, but did not realize to what extent.  I also wonder how many of these script kiddies had hit my box before?

Every now and then when I’m logged into my linux box, I like to just play around to keep myself in practice of some of the many tools there are, like ipcalc and such.  One of the tools I’ve installed is iftop. It’s much like top, but for network interfaces.  I have a second network card on my box connected to my Cisco router.  The port on that router mirrors all the other ports so that it can see ALL the traffic on my network.  The benefit of this is when I run iftop on this interface, I can see ALL my traffic, not just the data specific to that IP address.  It’s great too for working with WireShark.

(sudo iftop -p -B -i eth1)  (iftop does not come with linux, you must install it)

I can see devices on my network communicating with each other.  Nagios on my linux box polling devices, websites being delivered to another PC on my home network, the router looking for other routers, etc.   What I did see last night though was a URL that did not look right.  It ended with a .gr, not the usual .com, .net, .org and was not on my local network.

I performed a whois on that sucker and found it was from Greece.  The University of Patras in Greece.   Ahhhhh, it figures.  Kid goes to college, takes some computer science cources, learns all about computers, networking and so on.  Now he figures he can make his own little scripts to access networks around the world.  And he is probably successful at times.  Not this time.  I found him.

Now that I see him, what to do?  Well, since I’ve a Cisco router and the know-how.  I create an ACL (access control list) to block him.   I could have blocked just his address, but was not sure if he’d just get another one somehow and try again, so I wanted to block the whole country.  My friend Sean had recently created a perl script that will create an ACL for you to include EVERY ip range for the country of your choice.  Perfect.  I ran this sucker and WOW, Greece had 180 IP ranges.  Weird enough, none of them included my hackers address ( I mean the University of Greece).  We’ll work on that later.  So I applied the new ACL, including a range for the university and applied it to my Interface.

As you can see by the last few lines of my ACL, that after it was applied (BTW, my /var/log/auth.log automatically stopped logging because now he could not get through) I still had 4,677 hits from him.  But he was stopped at the router.

That last line was to make sure anyone else (myself especially) could get through.   Okay, so that does not stop the others.  We’ll get to that soon.  But in the mean time, this particular misfit is denied.

Yes, I need to block out the world and yet still let myself in.   So now I’ll create a smaller ACL that denies everyone except my local region.  This being because I may want to get in from different places, i.e. my parents, work, coffee shops, etc.

So a smaller and complete ACL is shown below.

I changed the real IP addresses for display purposes.  The first 3 lines permit access from 2 major ISPs in my geographical area.  Line 90 allows DNS queries to succeed.  Line 91 allows FTP connections (I’d rather not as it’s not too secure, but I have a couple websites that the hosting companies don’t seem to care too much about the security).  Line 92 allows PING to work.  It’s nice to be able to ping a website and get a response just to know certain things are working while I’m troubleshooting.  Then line 100 allows anything that I’ve initated to come through.  So if I want to access a web page hosted at the University of Greece, I can.  But their students cannot enter my domain.

Take a look at that last line that denies everyone else, there’s 16 matches.  I have these logged, as you can see.  From the log I found hits from China, France and Poland.  All within a few hours.

Log Entry:
Apr 28 23:55:57.064:  list 2100 denied tcp 83.16.20.98 –   Connection attempt from Poland.

More to come

Now this does not totally protect me.  I am still vulnerable from my local area, but for a limited time.  Sean has offered me access to his secure network that will allow me to do one thing and one thing only from there, to connect to my network.  Now he has a static IP address, so my ACL can then be written to allow an un-established connection from the outside from that particular IP address only.

Another safeguard is IPTABLES.  I have briefly toyed with this firewall option built into Linux that is very flexible.  Supposedly one can set it up to allow a set number of failed login attempts before it disables that particular IP address for a set amount of time.  This would seriously slow down script kiddies and others.  However if I were to mistype my password that number of times, I could lock myself out for some time as well.  Oh well, guess I better slow down on my typing.