Looking for opinion on how "secure" my Desktop is

The following is the report from nmap to scan my system's ports to determine my exposures/weaknesses.

I was hoping to get comments regarding

  • what can be done to "clamp-down" even more (namely the how), and

  • what other scans do I need to perform in order to ensure that I have full coverage and no blind spots.

Also, please note that I have a custom (stripped down) version of /etc/services. :slight_smile:


Question:
Can systemd services assign/enable port access without it being one of the defined services in "/etc/services" ?


Session report from script:

root:~# NET__ScanHostServicePorts.sh

Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-10 21:13 EDT
NSE: Loaded 121 scripts for scanning.
NSE: Script Pre-scanning.

NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed

Initiating Parallel DNS resolution of 1 host. at 21:13
Completed Parallel DNS resolution of 1 host. at 21:13, 0.09s elapsed

Initiating SYN Stealth Scan at 21:13
Scanning 192.168.0.11 [65535 ports]

Discovered open port XXXXX/tcp on 192.168.0.11     (this is my host IP on the home LAN)
Discovered open port XXXXX/tcp on 192.168.0.11

Completed SYN Stealth Scan at 21:13, 1.25s elapsed (65535 total ports)
NSE: Script scanning 192.168.0.11.

NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 14.06s elapsed

NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.01s elapsed

Nmap scan report for 192.168.0.11
Host is up, received localhost-response (0.0000090s latency).
Scanned at 2024-09-10 21:13:01 EDT for 15s
Not shown: 65533 closed ports
Reason: 65533 resets

PORT      STATE SERVICE REASON
XXXXX/tcp open  http    syn-ack ttl 64
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
XXXXX/tcp open  netperf syn-ack ttl 64

NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.45 seconds
           Raw packets sent: 65535 (2.884MB) | Rcvd: 131072 (5.505MB)

root:~# 

Command:

nmap -vv -T5 -p1-65535 --script "default and safe" `hostname -I`

AFAIK systemd can launch anything and everything as a service. Provided that systemd is executed with root privileges, its children are executed with root privileges. Well, networking belongs to the kernel, and a program with root privileges can open any TCP/IP port at all.

2 Likes

Thank you, Eugene. So, are you saying that "/etc/services" is not a controller/prerequisite for service activation, that it is only an artifact of the old UNIX system and can be "ripped out" with no impact on any services?

No. I'm not saying that. /etc/services just associates human-readable names of well-known TCP/IP ports (aka services) with their real numbers.
And yes, /etc/services is not an access control list, i.e. it has nothing to do with permissions to open TCP/IP ports.

2 Likes

So, if my "/etc/security/access.conf" file contains the following:

###	Permit root login from local			### Look at /etc/hosts for host IP aliases
+:root:LOCAL localhost hostname
#
###     Permit designated users to access from local
+:username:LOCAL localhost hostname
#
###     Permit all local services/users to access from local
#+:ALL:LOCAL localhost hostname
+:ALL:LOCAL ALL
#
###	Deny access to all from any remote
-:ALL:ALL

and in my "/etc/ssh/ssh_config" I have the following:

########################################################################
###
###     Custom settings for localhost
###
########################################################################

###     Group 1 - Restrictive
    PermitRootLogin no                          
    ForwardAgent no                             
    ForwardX11 no                               
    ForwardX11Trusted no                        
    DenyUsers root                              
    DenyGroups root                             

###     Group 2 - Permissive
    AllowUsers nonexistent                      
    AllowGroups nonexistent                    

and lastly, my "/etc/sudoers" contains the default, namely:

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

and there are no entries/files in sudoers.d.

Therefore, can I safely say that nobody, no matter how, can get into my box, even if my test web server has a port open? Or do I need to further clamp down the webserver specifically? Note that I have not configured any programmed actions for the webserver as yet.

I am afraid you can not. According to https://linux.die.net/man/5/access.conf, the /etc/security/access.conf file specifies (user/group, host), (user/group, network/netmask) or (user/group, tty) combinations for which a login will be either accepted or refused. A web server does not require a login before an incoming connection. It accepts the connection, and only from then on can it optionally require a login. You can limit incoming addresses/networks in your firewall and/or web server configuration.

If I get it right, your ssh configuration disables access for everybody. Wouldn't it be easier to disable ssh altogether?

4 Likes

I wanted to leave the ssh functionality in place, in case I was crazy enough to attempt "port-knocking" at some point in the future, and that would be more as a proof of concept. I have absolutely no interest (or need) to attempt any access from remote. :slight_smile:

As for the web server, I have the following "/etc/apache2/apache2.conf" configuration:

<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require local granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require local granted
</Directory>

Wouldn't the "Require local granted" clauses block any server response to remote http requests, even if the outsider managed to identify my custom port number?

Surely. Require local will work.

2 Likes

Thank you, Eugene. I very much appreciate your taking the time for that review and feedback.

1 Like

You are welcome, Eric!

1 Like

Sorry Eugene. I forgot one last thing.

From your above comments, do I understand that there is no net benefit to trimming down the "/etc/services" file and leaving only references to the operational/live services?

And ... should I ONLY perform my internet browsing using a user account that does NOT have Admin privileges (i.e. my userid at install should not be used)?

Do not edit /etc/services, please. It is just a reference. More than that, some commands use it to present port names instead of port numbers. E.g.

:~$ netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
~$ netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN     
ugn@evm:~$

No doubt, running a browser under the root account is a very insecure idea. AFAIK, admin group membership grants a user sudo privileges only and does not pose a security problem.

3 Likes
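To make the /etc/services point above concrete, here is an added example (mine, not Eugene's or anything from this thread) that reads a constructed copy of the kernel's /proc/net/tcp socket table and resolves names from a constructed, deliberately trimmed /etc/services. A listener whose port is missing from the file is still found, it just shows as a number instead of a name, which is exactly the difference between netstat -tnl and netstat -tl shown above.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp (not output from the thread). st 0A = LISTEN;
# local_address is little-endian hex IPv4 plus hex port; column 8 is the owning uid.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 0 10 -1
"""
# Constructed, deliberately trimmed /etc/services: ipp is listed, port 9090 is not.
ETC_SERVICES = """\
# Network services, Internet style
ipp   631/tcp   # Internet Printing Protocol
"""
LISTEN = 0x0A

def parse_services(text):
    """Map (port, proto) -> name, which is all /etc/services provides."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            names[(int(port), proto)] = fields[0]
    return names

def hex_addr(field):
    """Decode '0100007F:0277' into ('127.0.0.1', 631)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def listening_sockets(proc_text, services_text):
    """Return (ip, port, name_or_None, uid) for every socket in LISTEN state."""
    names = parse_services(services_text)
    out = []
    for line in proc_text.splitlines()[1:]:
        f = line.split()
        if int(f[3], 16) != LISTEN:   # skip established and other non-listening states
            continue
        ip, port = hex_addr(f[1])
        out.append((ip, port, names.get((port, "tcp")), int(f[7])))
    return out

def describe(entry):
    """Render like netstat -tl: the name when /etc/services knows it, the number otherwise."""
    ip, port, name, uid = entry
    return f"{ip}:{name or port} (uid {uid})"
```

On a real box, replace the two constructed strings with the contents of /proc/net/tcp and /etc/services; the 0.0.0.0 listener is the one reachable from the LAN, whatever the name file says.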

Thank you again, Eugene. No, I wouldn't be crazy enough to browse as root, but I thought there might be a chance of privilege escalation if I browsed as my "install" ID (i.e. default 1000). If not, I am glad to hear that, and won't bother creating a new ID dedicated to browsing. :slight_smile:

Just to clarify, I do mean a distinct second Linux user ID, and not a distinct second Firefox profile/ID.

2 Likes

The most secure browsing technique I am aware of involves browsing from within a (local) virtual machine. That VM is reverted to a basic snapshot after each browsing session. An even easier solution is a VM which is booted every time from a live CD ISO.

3 Likes

While I understand, and appreciate the VM concept, I will have to reflect on whether that would be too restrictive for me. But thank you for raising the point of awareness. I will need to dig in to determine if I can work within those limitations.

Thank you again, Eugene. Much appreciated!

2 Likes

It is my pleasure, Eric!

1 Like