Difference between revisions of "Security"

From Anarchaserver
 
(6 intermediate revisions by the same user not shown)
Latest revision as of 12:01, 30 June 2016

Bogus http requests

Hackers can send bogus HTTP requests to get the server to generate error pages, because the information those pages give about the server OS and web server version can be useful to them. The information given out by our server does not seem sufficiently reduced. It's not a good idea to broadcast the versions of the software you're running. While hiding them doesn't make your server any more secure, it may make you less of a target. See http://helpinlinux.com/apache-server-tokens/

  • Open /etc/apache2/conf.d/security.
  • Change ServerTokens from OS to Prod.
  • Set ServerSignature to Off.
  • Restart the Apache web server.
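
A check for the two directives above, as an added example that is not part of the original wiki page: it reports the value that actually takes effect in a config file. The function names and the two sample configs are constructed for illustration; the script reads one file only and does not follow Include lines or per-virtual-host overrides.

```shell
#!/bin/sh
# Added example: report the effective ServerTokens / ServerSignature settings.
# Directive names are case-insensitive and a later line overrides an earlier
# one, so grepping for the first match can give the wrong answer.

effective_value() {   # usage: effective_value DIRECTIVE FILE
    awk -v want="$1" '
        $1 !~ /^#/ && NF >= 2 && tolower($1) == tolower(want) { val = tolower($2) }
        END { print (val == "" ? "unset" : val) }
    ' "$2"
}

audit_banner() {      # usage: audit_banner FILE; one verdict line per directive
    tokens=$(effective_value ServerTokens "$1")
    sig=$(effective_value ServerSignature "$1")
    # Apache defaults when a directive is absent: ServerTokens Full, ServerSignature Off.
    case "$tokens" in
        prod|productonly) echo "ServerTokens=$tokens OK" ;;
        *)                echo "ServerTokens=$tokens WEAK (want Prod)" ;;
    esac
    case "$sig" in
        off|unset) echo "ServerSignature=$sig OK" ;;
        *)         echo "ServerSignature=$sig WEAK (want Off)" ;;
    esac
}

# Constructed sample configs: the file before and after the change.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
# ServerTokens Prod
ServerTokens OS
ServerSignature On
EOF
cat > "$after" <<'EOF'
ServerTokens OS
servertokens Prod
ServerSignature Off
EOF

echo "before:"; audit_banner "$before"
echo "after:";  audit_banner "$after"
```

On the server itself, call audit_banner /etc/apache2/conf.d/security after editing the file and before restarting Apache.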


Portmapper

The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes that provide other ONC RPC services. If you need to run this service, that is perfectly acceptable. However, if this is a mis-configuration, it would be a good idea to stop it.

https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Portmapper


Which RPC services are running on the server? RPC is a form of inter-process communication.

$ rpcinfo -T udp -p

  program vers proto   port  service
   100000    4   tcp    111  portmapper
   100000    3   tcp    111  portmapper
   100000    2   tcp    111  portmapper
   100000    4   udp    111  portmapper
   100000    3   udp    111  portmapper
   100000    2   udp    111  portmapper
   100024    1   udp  37209  status
   100024    1   tcp  45698  status


  1. Find the executable file which contains portmapper.
  2. Try to uninstall and delete it, making sure we don't uninstall any important program on the server that is actually in use.

FIND

USE CHANGELOG

Find in the Changelog whether somebody installed or changed the portmapper

$ grep -i portmapper Changelog

Consult Changelog

$ less Changelog

If you make changes on the server, record them in the Changelog. To edit the Changelog file:

$ nano /root/Changelog

SEARCH

Where can we find the executable ?

$ which portmapper

Simply find the file

$ locate portmapper

Find out in which package of our Debian distribution the portmapper is active

$ apt-cache search portmapper
remotetea - Sun ONC/RPC support for Java

Ask whether the package is installed:

$ dpkg -l | grep remotetea

After reading online, we realize that the portmapper is used for NFS systems which are managed by rpcbind. To verify whether portmapper is used, we show the description of the package:

$ apt-cache show rpcbind

Rpcbind uses portmapper!

As portmapper is active on port 111, we list the open ports and the services listening on them, and again find the open port 111

$ netstat -lnptu | grep 111

tcp        0      0 0.0.0.0:111    0.0.0.0:*    LISTEN    1707/rpcbind
tcp6       0      0 :::111         :::*         LISTEN    1707/rpcbind
udp        0      0 0.0.0.0:111    0.0.0.0:*              1707/rpcbind
udp6       0      0 :::111         :::*                   1707/rpcbind

UNINSTALL

Uninstall the package while verifying its dependencies

$ apt-get remove rpcbind

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libgssglue1 libsasl2-modules wwwconfig-common
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  nfs-common rpcbind
0 upgraded, 0 newly installed, 2 to remove and 151 not upgraded.
After this operation, 805 kB disk space will be freed.

We don't consider libs, because packages which are libraries do not provide any services. So we autoremove the packages and libraries on which no other package depends and which were not manually installed.

$ apt-get autoremove


To check how many packages are manually installed:

$ apt-mark showmanual | wc -l
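
The check behind the FIND and UNINSTALL steps above, as an added example that is not part of the original wiki page: it summarises rpcinfo output to show which RPC programs still depend on the portmapper before rpcbind is removed. The function names and the verdict rule are assumptions of this example; the sample input is the listing shown on this page.

```shell
#!/bin/sh
# Added example: summarise `rpcinfo -p` output before removing rpcbind.

sample_rpcinfo() {    # constructed sample: the listing shown on this page
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  37209  status
    100024    1   tcp  45698  status
EOF
}

rpc_endpoints() {     # distinct proto/port pairs, to compare with netstat
    awk '$1 ~ /^[0-9]+$/ && !seen[$3 "/" $4]++ { print $3 "/" $4 }' | LC_ALL=C sort
}

rpc_dependents() {    # program numbers registered besides the portmapper (100000)
    awk '$1 ~ /^[0-9]+$/ && $1 != 100000 && !seen[$1]++ { print $1 }' | sort -n
}

# Assumed rule for this example: 100003 (nfs), 100005 (mountd) and 100021
# (nlockmgr) mean NFS is in use; 100024 (status) alone is only the NFS
# status monitor that ships in nfs-common.
removal_verdict() {
    deps=$(rpc_dependents | tr '\n' ' ')
    case " $deps" in
        *" 100003 "*|*" 100005 "*|*" 100021 "*)
            echo "KEEP: NFS programs registered: $deps" ;;
        " "|" 100024 ")
            echo "CANDIDATE: only portmapper/status registered" ;;
        *)  echo "REVIEW: other RPC programs registered: $deps" ;;
    esac
}

echo "endpoints: $(sample_rpcinfo | rpc_endpoints | tr '\n' ' ')"
sample_rpcinfo | removal_verdict
```

On the server, pipe live output in with rpcinfo -p | removal_verdict; apt-get -s remove rpcbind then previews the removal without changing anything.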

iptables

fail2ban

network wrappers (PAM)