BLU Discuss list archive
[Discuss] Port Scanning
- Subject: [Discuss] Port Scanning
- From: kentborg at borg.org (Kent Borg)
- Date: Thu, 1 Aug 2024 15:47:04 -0700
- In-reply-to: <b4cf8f48-eab3-41ff-a54b-b4657c3bb1be@syntheticblue.com>
- References: <5c43eee0-caaf-45d6-8fdb-273cb3d8ea6d@borg.org> <b4cf8f48-eab3-41ff-a54b-b4657c3bb1be@syntheticblue.com>
On 8/1/24 14:34, Daniel M Gessel wrote:
> This thread makes me want to ask:
>
> As an amateur (and neophyte) sys-admin, what should I be doing to
> check for vulnerabilities and attacks? My brother runs a publicly
> visible server, but I'm not familiar with the tools he uses and when I
> ask him, it all goes over my head!

Ask him to slow down long enough for a follow-up question, listen to the
answer, then go off and learn enough to understand what he said. Repeat.
(Be nice to him, he might teach you a lot.)

> Is there a guide/book/website that might help me keep my systems from
> being easily attacked?

I don't know about a book; there is a lot of information on the web,
though the spam is getting worse of late.

Maybe your first project is to learn enough to do the following?

- Start minimal: a server that has sshd listening on port 22, has only
  you as a user, and nothing else running as a service, only the default
  OS software installed at all.

- Don't store any sensitive data on that machine.

- From another Linux machine do something like "nmap -A -T3 1.2.3.4",
  but put in your IP address instead of 1.2.3.4. What ports are open?
  Why? You only want port 22.

- Make sure you have a good password that you haven't used elsewhere.

- Keep your software up to date. (Regularly run "sudo apt update", see
  what it says.)

- You should now be able to "ssh 1.2.3.4" and log in, and no one else.
  Only log in from a paranoid machine (don't log in from a potentially
  spyware infested machine that might steal your password). Make sure
  root is not allowed to login over ssh.

At this point I would say you are in really good shape and that machine
is safe to put on the internet. It doesn't do much, but that is a big
part of why it is safe!

1. It is so simple it is probably configured correctly.

2. No sensitive data so the consequences of someone exploiting a mistake
   you might have made are low.

> I run Debian (or RPi OS, which is Debian derived) on everything.

I run my e-mail server on a Raspberry Pi 4! I don't trust SD cards, so I
went through some effort to boot completely independently of SD cards,
from redundant disks. I have it working and I trust it a lot.

Some General Advice

Background stuff:

1. Be worried, but not too worried.

2. Think clearly.

3. Learn.

4. Try stuff, carefully, take notes, be organized. (When you want to
   undo something you tried and don't like, your notes will be
   valuable.)

5. Repeat.

Foreground stuff:

1. Be very limited in what you decide to run; less software means less
   stuff to go wrong. If some tantalizing package looks cool, but isn't
   available from your distribution, be skeptical about downloading it
   anyway. Run programs that are well respected, avoid obscure packages
   that it seems no one runs, even if they are available in your
   distribution.

2. Run stuff that has clear documentation so you have some hope of
   configuring it well. Play with a copy on some local machine before
   putting it on a public facing machine.

3. Be prompt about updating your software when your distribution has an
   update ("sudo apt update"). That is another reason to run software
   from your distribution and not manually installed: much easier to
   get updates.

4. Limit your risk. I have a couple servers exposed to the internet. My
   e-mail server would be very bad if I got broken into, so I am very
   conservative about what runs on it. The web server would be merely
   very annoying if it got hacked, so I am willing to be more "flexible"
   with it, but that means storing nothing sensitive there. Note, I am
   willing to log into the less trusted web server from the more trusted
   e-mail server, but not the other way around (log into the more
   trusted e-mail server from the less trusted web server).

5. Use good passwords, write them down, keep them safe, and do not reuse
   passwords between different accounts.

6. Port scan yourself, see what ports are open, know why, make sure you
   know what they are for, and that they are correct.

7. Use a firewall, but only as an extra protection; first convince
   yourself you have been so careful that you don't really need it.
   (See #6.)

8. Change Raspbian's sudo configuration to require your password.

Ask questions.

-kb
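The "port scan yourself, know why each port is open" step above is easy to turn into a repeatable check. The script below is an added example, not something from Kent's post or from the nmap project: it reads nmap's "grepable" output (the real `-oG -` option, which is my choice here rather than the `-A` in the post), lists every port nmap reports as open, and complains about any that is not on a short allowlist such as "22/tcp". The scan output it parses is a constructed sample with a documentation IP address, so the script runs offline; in real use you would pipe `nmap -oG - -T3 <your.ip>` into `check_open_ports` instead of `sample_scan`.

```shell
#!/bin/sh
# Added example: compare the open ports from an nmap self-scan against an
# allowlist of ports you run on purpose. Not code from the original post.

# sample_scan: constructed nmap grepable (-oG) output for an imagined host.
# The address 192.0.2.10 and the port set are made up for illustration;
# replace this with a real "nmap -oG - -T3 <your.ip>" pipeline.
sample_scan() {
    printf '# Nmap 7.94 scan initiated as: nmap -oG - -T3 192.0.2.10\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/closed/tcp//rpcbind///\tIgnored State: filtered (997)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
}

# list_open_ports: read grepable nmap output on stdin and print "port/proto"
# for every port whose state is "open", one per line. Each entry in the
# Ports: field looks like  port/state/proto/owner/service/rpc/version/
list_open_ports() {
    awk '
        /Ports:/ {
            sub(/.*Ports: /, "")               # keep only the port list
            sub(/[ \t]*Ignored State.*/, "")   # drop the trailing summary
            n = split($0, entries, ", *")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")       # f[1]=port f[2]=state f[3]=proto
                if (f[2] == "open") print f[1] "/" f[3]
            }
        }'
}

# check_open_ports ALLOWED: read scan output on stdin; ALLOWED is a
# space-separated list like "22/tcp". Prints every open port not in the
# list and returns 1 if there was any, 0 if only expected ports are open.
check_open_ports() {
    allowed=" $1 "
    unexpected=0
    for p in $(list_open_ports); do
        case "$allowed" in
            *" $p "*) ;;                      # expected, nothing to say
            *) echo "unexpected open port: $p"; unexpected=1 ;;
        esac
    done
    return $unexpected
}

# Stand-alone demo: the sample host should only be running sshd, so the
# open http port gets flagged for you to explain or shut down.
if sample_scan | check_open_ports "22/tcp"; then
    echo "only the expected ports are open"
else
    echo "review the ports above: each one should be something you run on purpose"
fi
```

Keeping the allowlist in the script means the check documents *why* each port is open; when a scan flags something new, either you installed a service you forgot about or something changed that you did not do, and both are worth knowing the day it happens rather than months later.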