The following is the report from nmap to scan my system's ports to determine my exposures/weaknesses.
I was hoping to get comments regarding
what can be done to "clamp-down" even more (namely the how), and
what other scans do I need to perform in order to ensure that I have full coverage and no blind spots.
Also, please note that I have a custom (stripped down) version of /etc/services.
Question:
Can systemd services assign/enable port access without it being one of the defined services in "/etc/services" ?
Session report from script:
root:~# NET__ScanHostServicePorts.sh
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-10 21:13 EDT
NSE: Loaded 121 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:13
Completed Parallel DNS resolution of 1 host. at 21:13, 0.09s elapsed
Initiating SYN Stealth Scan at 21:13
Scanning 192.168.0.11 [65535 ports]
Discovered open port XXXXX/tcp on 192.168.0.11 (this is my host IP on the home LAN)
Discovered open port XXXXX/tcp on 192.168.0.11
Completed SYN Stealth Scan at 21:13, 1.25s elapsed (65535 total ports)
NSE: Script scanning 192.168.0.11.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 14.06s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.01s elapsed
Nmap scan report for 192.168.0.11
Host is up, received localhost-response (0.0000090s latency).
Scanned at 2024-09-10 21:13:01 EDT for 15s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON
XXXXX/tcp open http syn-ack ttl 64
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
XXXXX/tcp open netperf syn-ack ttl 64
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.45 seconds
Raw packets sent: 65535 (2.884MB) | Rcvd: 131072 (5.505MB)
root:~#
Command:
nmap -vv -T5 -p1-65535 --script "default and safe" `hostname -I`
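Two coverage gaps in the scan above are worth closing before trusting it, and the script below (an added example of mine, not part of the thread) is one way to do that. A scan of `hostname -I` run on the host itself is answered over the loopback path ("received localhost-response" in the report), covers TCP only, ignores IPv6, and cannot tell a socket bound to 0.0.0.0 apart from one bound only to the LAN address. The kernel's listening-socket table from `ss` is the ground truth for what would be answered, so the script classifies every listener as loopback-only or LAN-exposed and prints the proto/port pairs to diff against nmap's open list; anything in that list that nmap did not report is a blind spot. The `ss` lines in SAMPLE_SS are constructed and assume the iproute2 `ss -Hltunp` field layout. The comments at the end list the scans the original command does not perform (UDP, IPv6, and a scan from a second LAN host so packets actually traverse the interface and firewall).

```shell
#!/bin/sh
# Added example (not from the thread): reconcile what the kernel is listening on
# with what nmap reported. Assumes iproute2 `ss`; the sample lines below are
# constructed and mimic `ss -Hltunp` (no header, TCP+UDP listeners, numeric
# addresses, process names; -p needs root for other users' sockets).

SAMPLE_SS='tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1234,fd=4))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=800,fd=7))
tcp LISTEN 0 511 [::]:80 [::]:* users:(("apache2",pid=1234,fd=6))
tcp LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=800,fd=8))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=600,fd=5))'

# classify_listeners: stdin = ss lines; stdout = "<scope> <proto> <port> <process>"
# scope is loopback-only (127/8 or ::1) or lan-exposed (wildcard or a real address).
classify_listeners() {
    awk '
    NF >= 5 {
        proto = $1; laddr = $5
        n = split(laddr, parts, ":")
        port = parts[n]                                   # text after the last ":"
        host = substr(laddr, 1, length(laddr) - length(port) - 1)
        gsub(/\[/, "", host); gsub(/\]/, "", host)        # [::1] -> ::1
        scope = "lan-exposed"
        if (host ~ /^127\./ || host == "::1") scope = "loopback-only"
        proc = "-"
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        printf "%s %s %s %s\n", scope, proto, port, proc
    }'
}

# exposed_ports: proto/port pairs a LAN host could reach. Diff this against the
# open ports nmap found; a pair here that nmap never reported is a blind spot
# (UDP, IPv6, or a scan that did not cover the port).
exposed_ports() {
    classify_listeners | awk '$1 == "lan-exposed" { print $2 "/" $3 }' | sort -u
}

if command -v ss >/dev/null 2>&1; then
    echo "## live listeners"
    ss -Hltunp 2>/dev/null | classify_listeners
else
    echo "## constructed sample"
    printf '%s\n' "$SAMPLE_SS" | classify_listeners
fi

# Scans the original command does not perform; run the last one from a second
# machine on the LAN so packets traverse the real interface and any firewall:
#   nmap -sU --top-ports 200 -sV 192.168.0.11          # UDP listeners
#   nmap -6 -p- <IPv6 address of the host>             # sockets bound to [::]
#   nmap -Pn -p- -sV 192.168.0.11                      # from another LAN host
```

Run it as root on the host, then compare the `exposed_ports` output with the two open ports nmap found; the report above lists TCP only, so any `udp/...` line here has not been scanned at all.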
AFAIK systemd can launch anything and everything as a service. Provided that systemd is executed with root privileges, its children are executed with root privileges. Well, networking belongs to the kernel, and a program with root privileges can open any TCP/IP port at all.
Thank you, Eugene. So, are you saying that "/etc/services" is not a controller/prerequisite for service activation, that it is only an artifact of the old UNIX system and can be "ripped out" with no impact on any services?
No. I'm not saying that. /etc/services just associates human-readable names of well-known TCP/IP ports (aka services) with their real numbers.
And yes, /etc/services is not an access control list, i.e. it has nothing to do with permissions to open TCP/IP ports.
So, if my "/etc/security/access.conf" file contains the following:
### Permit root login from local ### Look at /etc/hosts for host IP aliases
+:root:LOCAL localhost hostname
#
### Permit designated users to access from local
+:username:LOCAL localhost hostname
#
### Permit all local services/users to access from local
#+:ALL:LOCAL localhost hostname
+:ALL:LOCAL ALL
#
### Deny access to all from any remote
-:ALL:ALL
and in my "/etc/ssh/ssh_config" I have the following:
########################################################################
###
### Custom settings for localhost
###
########################################################################
### Group 1 - Restrictive
PermitRootLogin no
ForwardAgent no
ForwardX11 no
ForwardX11Trusted no
DenyUsers root
DenyGroups root
### Group 2 - Permissive
AllowUsers nonexistent
AllowGroups nonexistent
and lastly, my "/etc/sudoers" contains the default, namely:
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
and there are no entries/files in sudoers.d.
Therefore, can I safely say that nobody, no matter how, can get into my box, even if my test web server has a port open? Or do I need to further clamp down the webserver specifically. Note that I have no configured programmed actions for the webserver as yet.
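One check worth adding on the SSH side, as an added example of mine rather than anything from the thread. The OpenSSH daemon reads /etc/ssh/sshd_config (plus the files it includes) and never /etc/ssh/ssh_config, which configures the ssh client; PermitRootLogin, AllowUsers, DenyUsers and DenyGroups are sshd_config directives, while ForwardAgent, ForwardX11 and ForwardX11Trusted are client options. The authoritative view of what the daemon will actually enforce is `sshd -T`, which prints the effective server configuration as lowercase "keyword value" lines. The script audits such a dump against a deny-by-default baseline that also binds the daemon to loopback, so the port is not open on the LAN at all while the service stays installed for later port-knocking experiments. The two dumps in SAMPLE_* are constructed, and the keyword spellings are my assumption of what `sshd -T` prints on current OpenSSH releases; confirm them against the real output on the box.

```shell
#!/bin/sh
# Added example (not from the thread): audit the *effective* sshd configuration.
# `sshd -T` (run as root, it needs the host keys) prints every option as
# "keyword value" in lowercase; a hand-edited file is irrelevant if sshd never
# reads it.
#
# Baseline to put in /etc/ssh/sshd_config (or a file under sshd_config.d/):
#   ListenAddress 127.0.0.1      # port not reachable from the LAN
#   PermitRootLogin no
#   PasswordAuthentication no
#   AllowTcpForwarding no
#   AllowAgentForwarding no
#   X11Forwarding no
# then `sshd -t` to syntax-check and `systemctl reload ssh`.

# Constructed dumps, shaped like `sshd -T` output (assumption: lowercase keys).
SAMPLE_DEFAULT='port 22
permitrootlogin no
passwordauthentication yes
x11forwarding yes
allowagentforwarding yes
allowtcpforwarding yes
listenaddress 0.0.0.0:22
listenaddress [::]:22'

SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
x11forwarding no
allowagentforwarding no
allowtcpforwarding no
listenaddress 127.0.0.1:22'

# audit_sshd_dump: stdin = `sshd -T` output; prints OK/FIX per checked keyword
# and exits 1 if anything needs fixing.
audit_sshd_dump() {
    awk '
    BEGIN {
        want["permitrootlogin"]        = "no"
        want["passwordauthentication"] = "no"
        want["x11forwarding"]          = "no"
        want["allowagentforwarding"]   = "no"
        want["allowtcpforwarding"]     = "no"
        bad = 0
    }
    ($1 in want) {
        seen[$1] = 1
        if ($2 == want[$1]) print "OK   " $1 " " $2
        else { print "FIX  " $1 " is " $2 ", want " want[$1]; bad++ }
    }
    $1 == "listenaddress" {
        # any bind other than loopback is reachable from the LAN
        if ($2 ~ /^127\./ || $2 ~ /^\[::1\]/) print "OK   listenaddress " $2
        else { print "FIX  listenaddress " $2 " is not loopback"; bad++ }
    }
    END {
        for (k in want) if (!(k in seen)) { print "FIX  " k " absent from dump"; bad++ }
        exit (bad > 0)
    }'
}

# run_audit <dump text>: print the report and a one-line conclusion
run_audit() {
    if printf '%s\n' "$1" | audit_sshd_dump; then
        echo "-> nothing to change"
    else
        echo "-> edit sshd_config, reload, then re-run sshd -T"
    fi
}

if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
    echo "## live: sshd -T"
    run_audit "$(sshd -T 2>/dev/null)"
else
    echo "## constructed: default-like dump"
    run_audit "$SAMPLE_DEFAULT"
    echo "## constructed: hardened dump"
    run_audit "$SAMPLE_HARDENED"
fi
```

With ListenAddress on loopback the sshd port disappears from a LAN-side nmap entirely, which is a stronger guarantee than an AllowUsers list that only rejects after the TCP handshake and banner exchange.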
I am afraid you can not. According to https://linux.die.net/man/5/access.conf, the /etc/security/access.conf file specifies (user/group, host), (user/group, network/netmask) or (user/group, tty) combinations for which a login will be either accepted or refused. A web server does not require a login before an incoming connection. It accepts the connection first, and only then can it optionally require a login. You can limit incoming addresses/networks in your firewall and/or web server configuration.
If I get it right, your ssh configuration disables access for everybody. Wouldn't it be easier to disable ssh at all?
I wanted to leave the ssh functionality in place, in case I was crazy enough to attempt "port-knocking" at some point in the future, and that would be more as a proof of concept. I have absolutely no interest (or need) to attempt any access from remote.
As for the web server, I have the following "/etc/apache2/apache2.conf" configuration:
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require local granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require local granted
</Directory>
Wouldn't the "Require local granted" clauses block any server response to remote http requests, even if the outsider managed to identify my custom port number?
From your above comments, do I understand that there is no net benefit to trim down the "/etc/services" file and leave only references to the operational/live services?
And ... should I ONLY perform my internet browsing using a user account that does NOT have Admin privileges (i.e. my userid at install should not be used)?
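A way to answer the `Require local` question empirically, as an added example of mine rather than something from the thread. The documented form of the directive is `Require local` with no further argument (run `apache2ctl configtest` after editing), and it grants a request when the client address is in 127.0.0.0/8 or is ::1, or when client and server address are the same. A curl from the host to its own LAN address therefore counts as local and proves nothing, so the LAN probe below has to be run from a second machine on the same network. The script also makes the distinction nmap cannot: a 403 from the LAN means the directory ACL works but the TCP port is still open and fingerprintable (nmap keeps reporting `http` and the default-page title), whereas a refused connection means the port is no longer reachable, which is what `Listen 127.0.0.1:<port>` in /etc/apache2/ports.conf, or a firewall rule, gives you. Assumes curl; the status-code pairs used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): probe the test web server from loopback
# and from the LAN, then turn the two HTTP status codes into a one-word verdict.
#   on the host:          sh web_exposure.sh probe http://127.0.0.1:PORT/
#   on another LAN box:   sh web_exposure.sh probe http://192.168.0.11:PORT/
#   then anywhere:        sh web_exposure.sh verdict <loopback-code> <lan-code>
# Assumes curl is installed.

# probe <url>: prints the 3-digit HTTP status, or 000 when no HTTP response
# came back (connection refused, timeout, curl missing).
probe() {
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null) || code=000
    printf '%s\n' "${code:-000}"
}

# verdict <code seen from 127.0.0.1> <code seen from a LAN client>
verdict() {
    loop=$1; lan=$2
    case "$loop:$lan" in
        000:*)           echo "not-running" ;;       # nothing answered even on loopback
        *:000)           echo "closed-from-lan" ;;   # socket unreachable: Listen 127.0.0.1 or firewall
        2??:403)         echo "open-but-denied" ;;   # Require local works; nmap still sees the port open
        2??:2??|2??:3??) echo "exposed" ;;           # a LAN client is served content
        *)               echo "unexpected:$loop:$lan" ;;
    esac
}

case "${1:-}" in
    probe)   probe "$2" ;;
    verdict) verdict "$2" "$3" ;;
    *)       echo "usage: $0 probe <url> | verdict <loopback-code> <lan-code>" ;;
esac
```

"open-but-denied" is the state the current configuration produces: the server answers the SYN, speaks HTTP, and only then refuses, which is why the port is still in the nmap report. To make the port itself disappear from a LAN scan, bind Apache to loopback (`Listen 127.0.0.1:<port>` in ports.conf, then `apache2ctl configtest` and `systemctl reload apache2`) or drop the port at the firewall, and keep `Require local` as the second layer.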
Do not edit /etc/services, please. It is just a reference. More than that, some commands use it to present port names instead of port numbers. E.g.
:~$ netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
~$ netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN
ugn@evm:~$
No doubt, running a browser under the root account is a very insecure idea. AFAIK, admin group membership grants a user sudo privileges only and does not pose a security problem.
Thank you again, Eugene. No, I wouldn't be crazy enough to browse as root, but I thought there might be a chance at privilege escalation if I browsed as my "install" ID (i.e default 1000). If not, I am glad to hear that, and won't bother creating a new ID dedicated for browsing.
Just to clarify, I do mean a distinct second Linux user ID, and not a distinct second Firefox profile/ID.
The most secure browsing technique I am aware of involves browsing from within a (local) virtual machine. That VM is reverted to a basic snapshot after each browsing session. An even easier solution is a VM which is booted every time from a live CD ISO.
While I understand, and appreciate the VM concept, I will have to reflect on whether that would be too restrictive for me. But thank you for raising the point of awareness. I will need to dig in to determine if I can work within those limitations.