Linux Know-How provides a collection of introductory texts on often needed Linux skills.


Can my home computer get broken into?

Unfortunately, this is perfectly possible, and attempts to do so are quite common. Every time you are connected to your Internet Service Provider (ISP) you are at risk. Read the previous answer if you would like to know how it is possible. Obviously, the risk is much higher if you have a permanent Internet connection (e.g., cable modem), and lower if your connections are more transient (as is typical with short-duration, over-the-phone modem connections).

The real danger is that the intruder, if s/he is able to log onto your machine on any account, may know of a "local security exploit" and use it to get root access. This is particularly likely if you are a real newbie administrator and/or your machine is not really security oriented (you are at home, aren't you; who would care about security, you think!).

To protect yourself, never let a stranger log onto your computer. Have fairly long passwords that contain both numbers and letters for all accounts on your computer, and change them occasionally. The easiest way to enforce a password policy on all users of your computer is to run linuxconf (as root; available in RedHat) and, under "password and account policies", set the minimum password length to 6 or more characters, the minimum number of non-alpha characters (i.e., not letters) to 1 or 2, the number of days after which the password must be changed to something like 90 or less, and the warning about password expiry to something like 7 days before expiration. Check here (FAQ2.htm#pass_security) for more info on weak passwords. Absolutely NEVER create an account with no password, or with a silly, weak password.

Do not habitually work on your computer as "root": if you run a program with a known "security hole" as root, somebody may find a way to hack you, and the hole then hands them root rather than an ordinary account. Older Linux distributions have known security holes, so use an updated version if you let untrusted people log onto your computer, or if you run "server side" network services (e.g., an ftp or http server).

It is also an excellent idea to occasionally screen the files that contain a record of all the logins to your computer: /var/log/secure (the most recent log), /var/log/secure.1 (older log), /var/log/secure.2 (yet older log), etc. There are other useful log files in the directory /var/log that you might want to view; check them from time to time. The most typical "warning" sign is a scan of the ports on your computer: repeated entries of connection requests from the same IP number to your telnet, ftp, finger and other ports within a short time. Somebody tried to learn what your system offers. Bear in mind that an intruder who has already gained root can edit or delete these logs, so a clean log is not proof that nothing happened.
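To make that "scanning" pattern concrete, here is an added example (not from the Guide) of a small Python script that reads tcpd-style /var/log/secure lines and flags source addresses that touched several different services. The log lines are constructed for the example, the hostname and addresses are fake, and the threshold of three services is an arbitrary choice; a real log also contains other message types, which the regular expression simply skips.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format tcpd (the TCP wrapper run by inetd)
# writes to /var/log/secure on a Red Hat 6.x system: "connect from <client>"
# or "refused connect from <client>". Made up for this example; addresses are fake.
SAMPLE_SECURE_LOG = """\
Jan 12 03:14:15 myhost in.telnetd[1234]: connect from 10.200.0.2
Jan 12 03:14:15 myhost in.ftpd[1235]: connect from 10.200.0.2
Jan 12 03:14:16 myhost in.fingerd[1236]: connect from 10.200.0.2
Jan 12 03:14:16 myhost in.telnetd[1237]: refused connect from 10.200.0.2
Jan 12 03:14:16 myhost in.pop3d[1238]: refused connect from 10.200.0.2
Jan 12 09:30:01 myhost in.telnetd[1300]: connect from 192.168.1.3
Jan 12 09:31:44 myhost in.ftpd[1301]: connect from 192.168.1.3
Jan 13 22:05:09 myhost in.fingerd[1402]: refused connect from 10.9.8.7
"""

# One tcpd line: timestamp, host, daemon[pid]: [refused ]connect from client
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<daemon>in\.\w+)\[\d+\]: (?P<refused>refused )?connect from (?P<client>\S+)$"
)


def parse_secure_log(text):
    """Yield (client, daemon, refused) for every tcpd connect line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("client"), m.group("daemon"), bool(m.group("refused"))


def find_scanners(text, min_services=3):
    """Return {client: sorted daemons} for clients that touched at least
    `min_services` distinct services, whether tcpd accepted them or not.
    One host knocking on telnet, ftp, finger, pop3, ... is the scan signature."""
    touched = defaultdict(set)
    for client, daemon, _refused in parse_secure_log(text):
        touched[client].add(daemon)
    return {c: sorted(d) for c, d in touched.items() if len(d) >= min_services}


def count_refused(text):
    """Return {client: number of connections tcpd refused}."""
    refused = defaultdict(int)
    for client, _daemon, was_refused in parse_secure_log(text):
        if was_refused:
            refused[client] += 1
    return dict(refused)


if __name__ == "__main__":
    for client, daemons in find_scanners(SAMPLE_SECURE_LOG).items():
        print(f"possible port scan from {client}: {', '.join(daemons)}")
    print("refused connections:", count_refused(SAMPLE_SECURE_LOG))
```

Run it on the real file with open("/var/log/secure").read() instead of the sample; "refused connect from" lines only appear once /etc/hosts.deny turns somebody away, so a machine with no hosts.deny rules will show scans only as plain "connect from" entries.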

If you never use remote connections to your home Linux machine, it is an excellent idea to restrict the right to use the "server side" network services to the machines on your home network. The services started by inetd are listed in the file /etc/inetd.conf, and for those that inetd runs through the TCP wrapper /usr/sbin/tcpd (as RedHat does for telnet, ftp, finger and the like) access is controlled by two files: /etc/hosts.allow and /etc/hosts.deny. These access-control files work as follows. When an outside connection is requested, the file /etc/hosts.allow is scanned first, and if the name or address of the machine from which the connection is requested matches an entry for that service, access is granted (irrespective of any entry in /etc/hosts.deny). Otherwise, the file /etc/hosts.deny is scanned, and if the machine matches, the connection is closed. If no match is found in either file, access is granted. Two things follow from this: the default is "allow", so an empty /etc/hosts.deny protects nothing, and the files only affect services that go through tcpd (or daemons built with libwrap); a standalone server such as httpd does not consult them.

B. Staehle (a Linux modem guru) wrote to me to advise not to install network services at all. "If your network services are not configured properly, you may wind up with your computer owned by some script kiddie. A newbie should _never_ be allowing services (ftp, telnet, www) to the world. If you "must" install these, make sure to only permit connections from systems you control. The file /etc/hosts.deny should contain

ALL: ALL

and /etc/hosts.allow should only have

ALL: 127.0.0.1

to permit connections only from that named host. Do NOT use hostnames!" <end of Bill's advice>.

Indeed, my /etc/hosts.deny is exactly as advised above (ALL: ALL), but my /etc/hosts.allow lets two extra trusted computers connect to all my network services, and another computer access telnet and ftp (the IP numbers are fake):

ALL: 127.0.0.1, 100.200.0.255, 100.200.69.1

in.telnetd, in.ftpd: 100.200.0.2

In the examples above, each line has the form "daemon_list : client_list". "ALL: ALL" stands for "ALL services, ALL hosts", meaning "connections to any local network service" coming from "any host"; "in.telnetd, in.ftpd: 100.200.0.2" names only the telnet and ftp daemons and only that one host. The daemon names are the program names used in /etc/inetd.conf (in.telnetd, in.ftpd, in.fingerd, ...), not port numbers or service names from /etc/services.
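The lookup order described above is easy to get wrong, so here is an added example (not from the Guide, and not the tcpd code itself) that models it in Python on the two files just shown. It is deliberately simplified: it understands ALL, exact IP addresses, comma-separated lists, comments and "daemon_list : client_list" lines, and leaves out hostnames, network/mask patterns, EXCEPT and the other features of the real hosts_access(5) syntax.

```python
# Simplified model of how tcpd consults /etc/hosts.allow and /etc/hosts.deny.
# Added example; supports only ALL, exact IPv4 addresses and comma lists.


def parse_access_file(text):
    """Return a list of (daemons, clients) pairs, each a set of strings."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemon_part, client_part = line.split(":", 1)  # first colon separates the lists
        daemons = {d.strip() for d in daemon_part.split(",") if d.strip()}
        clients = {c.strip() for c in client_part.split(",") if c.strip()}
        rules.append((daemons, clients))
    return rules


def _matches(rules, daemon, client):
    """True if any rule names this daemon (or ALL) and this client (or ALL)."""
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and ("ALL" in clients or client in clients):
            return True
    return False


def tcpd_decision(daemon, client, hosts_allow, hosts_deny):
    """Would tcpd let `client` reach `daemon`?  Same order as tcpd:
    hosts.allow first, then hosts.deny, and no match at all means allow."""
    if _matches(parse_access_file(hosts_allow), daemon, client):
        return True
    if _matches(parse_access_file(hosts_deny), daemon, client):
        return False
    return True  # neither file matched: access is granted


# The configuration from the text (fake addresses, as in the Guide).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
ALL: 127.0.0.1, 100.200.0.255, 100.200.69.1
in.telnetd, in.ftpd: 100.200.0.2
"""

if __name__ == "__main__":
    checks = [
        ("in.telnetd", "100.200.0.2"),   # second hosts.allow line: allowed
        ("in.fingerd", "100.200.0.2"),   # not in hosts.allow, caught by ALL: ALL
        ("in.fingerd", "100.200.69.1"),  # trusted for everything
        ("in.ftpd", "10.1.2.3"),         # stranger: refused
    ]
    for daemon, client in checks:
        ok = tcpd_decision(daemon, client, HOSTS_ALLOW, HOSTS_DENY)
        print(f"{client:>14} -> {daemon:<11} {'allowed' if ok else 'refused'}")
    # Without the ALL: ALL line the stranger gets in, because "no match" means allow.
    print("empty hosts.deny, stranger:", tcpd_decision("in.ftpd", "10.1.2.3", HOSTS_ALLOW, ""))
```

The last line of the demonstration is the point of Bill's advice: with hosts.allow alone, every host not listed is still let in, and only the "ALL: ALL" in hosts.deny turns the default around.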

For more info, check the excellent "Linux Network Administrator Guide", which is surely present on your RedHat (or whatever) distribution CD. I printed this book and had it hardbound.

To verify which services your computer offers to the outside world, you may want to use a web-based tool. Go to http://scan.sygatetech.com/ and click on "scan now". Remember that such a scan shows what is reachable from the Internet: if you sit behind a masquerading router, it scans the router, not your Linux box. To check the machine itself, run a port scanner such as nmap against it from another host on your network and compare the open ports with what you believe you are running.

Here are some other places that may be able to scan you:

http://crypto.yashy.com/
http://davidovv2.homestead.com/freetoolsservices.html
http://privacy.net/
http://security1.norton.com/us/intro.asp
http://suicide.netfarmers.net/
http://trojanscanner.com/cgi-bin/nph-portscanner
http://www.doshelp.com/dostest.htm
http://www.dslreports.com/secureme/
http://www.dslreports.com
http://www.earthlink.net/freescan/
http://www.grc.com
http://www.hackerwhacker.com/
http://www.nessus.org
http://www.netcop.com/newscan/fullscan.html
http://www.privacyscan.org
http://www.sdesign.com/cgi-bin/fwtest.cgi
http://www.sdesign.com/securitytest/index.htmll
http://www.securityspace.com/
http://www.vulnerabilities.org/nmapemail.html
http://www.dslreports.com/scan
http://www.dslreports.com/security/sec025.htm

For security reasons, it is also a good idea not to advertise the OS/version that you use. I replaced the contents of the files /etc/issue and /etc/issue.net (the banners shown before the local and the telnet login prompt, respectively), which on my computer read:

Red Hat Linux release 6.2 (Zoot)

Kernel 2.2.14-5.0 on an i586

with something like this:

WARNING: THIS IS A PRIVATE NETWORK

UNAUTHORIZED USE IS PROHIBITED AND ALL ACTIVITIES ARE LOGGED

IBM S/390 LINUX

This blends a joke with a little bit more security (I hope). Bear in mind that it only hides the login banner: an attacker can still identify the OS from the behaviour of the TCP/IP stack (e.g., with nmap's OS detection) or from the version strings other daemons announce, so this makes casual identification harder and nothing more.

The contents of the files /etc/issue and /etc/issue.net are recreated at every reboot (by the script /etc/rc.d/rc.local). Making the files read-only with chmod is not enough to keep the changes: rc.local runs as root, and root ignores the file mode bits, so the files get overwritten anyway. What does work (as root) is the ext2 "immutable" attribute, which even root cannot override without first removing it:

chattr +i /etc/issue /etc/issue.net

(use chattr -i on the files when you want to edit them again).

Instead of the last command, I could have edited (as root) the script /etc/rc.d/rc.local and commented out the 5 lines with ### so that the relevant part reads:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot
### echo "" > /etc/issue
### echo "$R" >> /etc/issue
### echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue
### cp -f /etc/issue /etc/issue.net
### echo >> /etc/issue

Another common measure is to stop the machine from answering ping. Ping sends an ICMP "echo request" packet to a host, which answers with an "echo reply"; it is mostly useful for setup and debugging, to probe whether a machine is reachable on the network. It can also be used to find your machine before attacking it, or to attack it directly, e.g., by flooding it with echo requests ("ping flood") or, on old unpatched systems, by sending an oversized ping packet ("ping of death"). To make my machine ignore pings from the net, I use the kernel packet filter through ipchains (the same tool that is used for IP masquerading). I took and slightly modified the following command and explanation from http://www.securityfocus.com/focus/linux/articles/linux-securing2.html:

ipchains -A input -p icmp --icmp-type echo-request -i ppp0 -j REJECT -l

The ipchains flags, from left to right:

    1. -A: (A)ppend a new rule.

    2. input: the chain to apply the rule to; in this case the rule applies to incoming (input) packets.

    3. -p icmp: the (p)rotocol to apply the rule to, in this case ICMP.

    4. --icmp-type echo-request: the ICMP type; all ICMP echo requests are blocked. An "ICMP echo request" is what ping sends.

    5. -i ppp0: the interface name; in this case the first over-the-phone connection, ppp0.

    6. -j REJECT: the target, i.e., what should actually be done with the packet. REJECT drops the packet and sends back an ICMP error; DENY would drop it silently, which reveals even less.

    7. -l: (l)og all packets matching the rule to the system log (they end up in /var/log/messages).

Two caveats. ipchains rules live only in the running kernel, so the command has to be re-run at every boot, e.g., from /etc/rc.d/rc.local or by saving the rules with ipchains-save and loading them with ipchains-restore. And blocking ping does not hide the machine: any open TCP port still answers; it merely removes one easy probe, at the price of making your own troubleshooting harder. ipchains (with IP masquerading) was described in more detail in the chapter on masquerading of this Guide.

Another security precaution I take: I occasionally check whether somebody has installed a "rootkit" on my system. I use the utility chkrootkit (very small, 25k, download from http://www.chkrootkit.org/). After downloading the tarball (and comparing it with the checksum published on that site), do:

su [provide password]
cd /usr/local
tar xvzf /home/my_name/chkrootkit.tar.gz
cd /usr/local/chkrootkit*
make sense
./chkrootkit

The last command actually runs the search for rootkits on my system. A "rootkit" is a hidden backdoor, typically a set of replaced system programs (ls, ps, netstat, login, ...) or a kernel module, that somebody who once gained access to your system as "root" installs in order to listen, monitor, hide her files and processes, and protect her access. Because a rootkit replaces exactly the programs chkrootkit relies on, the check is most trustworthy when run with known-good binaries, e.g., from a rescue floppy or CD-ROM (chkrootkit -p /mnt/cdrom/bin tells it where to look for them).


Last Update: 2010-12-16