Securing an Existing IPCOP Installation

This tutorial is based on a post on IPCOPS.com about securing an existing IPCOP installation. It explains how to determine whether an IPCOP box has been compromised and how to secure it. Reinstalling IPCOP may be simpler, but several sections below help identify where IPCOP is or was compromised.

Gain command line access to IPCOP

  • Connect to IPCOP via SSH on port 222
    (on Windows, connect using PuTTY)

Check for accounts with SSH access to IPCOP

  • Type ’cd /etc’
  • Type ’cat shadow’

You should see a list of accounts that looks something like this (from a standard IPCOP 1.4.15 install):

            root:$1$hdc0QEkF$s7WXTQkflifmfUHFOv9bc1:12869:0:99999:7:::  
            bin:x:12766:0:99999:7:::  
            daemon:x:12766:0:99999:7:::  
            mail:x:12766:0:99999:7:::  
            squid:x:12766:0:99999:7:::  
            ntp:x:12766:0:99999:7:::  
            sshd:x:12766:0:99999:7:::  
            nobody:x:12766:0:99999:7:::  
            snort:x:12766:0:99999:7:::  
            logwatch:x:12766:0:99999:7:::  
            dnsmasq:x:12766:0:99999:7:::  
            cron:x:12766:0:99999:7:::  
            backup:$1$FoQ/Vevr$y/JyzdQw1nLmgddvxBj.f0:13567:0:99999:7:::

Note - only accounts with something other than an ’x’ in the second field can be used for direct login. From this you’ll be able to see if there are any ’backdoor’ accounts. You can use the setup program to change the password of the ’root’ and ’backup’ accounts, as well as the web ’admin’ account. If this box is thought to be compromised, change all of these at this point. Don’t use familiar words. Don’t write them down.

  • Reset unknown accounts with ’passwd [AcctName]’ where [AcctName] is the unknown account name

Note - The password will not show when you type it in and must be at least 5 characters and less than 127 characters.

Check for public key SSH access to IPCOP

  • Type ’cd /etc/ssh’
  • Type ’vi sshd_config’
    You will now be in the vi editor. vi is a complex program, but the principle is that you move the cursor to the place you want, then tell it what to change. Look for the section that starts with RSAAuthentication and change it so that it looks like the section below:
            RSAAuthentication yes  
            PubkeyAuthentication no  
            #AuthorizedKeysFile     .ssh/authorized_keys  
             
            # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts  
            RhostsRSAAuthentication no  
            # similar for protocol version 2  
            HostbasedAuthentication no  
            # Change to yes if you don’t trust ~/.ssh/known_hosts for  
            # RhostsRSAAuthentication and HostbasedAuthentication  
            IgnoreUserKnownHosts yes  
            # Don’t read the user’s ~/.rhosts and ~/.shosts files  
            IgnoreRhosts yes

Note - The PubkeyAuthentication line has been uncommented and changed from yes to no. In vi, use ’x’ to delete a character and ’cw’ to change a word. Use ’:wq’ to write the file and quit.

Check for accounts with web access to IPCOP

  • Type ’cat /var/ipcop/auth/users’
    You should get output similar to this:
            admin:$apr1$VfogQ/..$B37VwrOg4S7a2ve9o4YUp.

There should be only one line in this file. If there are two or more, the box has been compromised. Use vi to remove the extra lines.

  • Type ’vi /var/ipcop/auth/users’
    In vi, use ’dd’ to delete a line and ’:wq’ to save your changes.
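
The three checks above (password-enabled accounts in /etc/shadow, the effective PubkeyAuthentication setting in sshd_config, and the number of logins in /var/ipcop/auth/users) can be run together with the script below. It is an added example, not from the IPCOPS.com post or the IPCop project; the function names and the sample files it builds in a temporary directory are constructed for illustration, and on a live box you would pass the real file paths instead.

```shell
#!/bin/sh
# Added audit helper; not from the IPCOPS.com post or the IPCop project.
# Each function takes the path of the file to inspect so it can run against
# copies. On a live box use /etc/shadow, /etc/ssh/sshd_config and
# /var/ipcop/auth/users.

# Accounts whose second shadow field is a hash rather than a lock marker
# ('x', '*' or a leading '!'): these can log in with a password.
login_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1" |
        tr '\n' ' ' | sed 's/ $//'
}

# Effective PubkeyAuthentication value: sshd honours the first uncommented
# occurrence and defaults to yes when the directive is absent.
pubkey_auth() {
    awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); f = 1; exit }
         END { if (!f) print "yes" }' "$1"
}

# Number of non-empty lines in the web users file; IPCop ships exactly one.
web_user_count() {
    awk 'NF { n++ } END { print n + 0 }' "$1"
}

# Constructed sample files imitating a box with an extra shell account,
# key-based SSH still enabled, and a second web login (hashes are fake).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$hdc0QEkF$s7WXTQkflifmfUHFOv9bc1:12869:0:99999:7:::
bin:x:12766:0:99999:7:::
sshd:x:12766:0:99999:7:::
backup:$1$FoQ/Vevr$y/JyzdQw1nLmgddvxBj.f0:13567:0:99999:7:::
svc:$1$CONSTRUCT$notarealhash0000000000:13567:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
RSAAuthentication yes
#PubkeyAuthentication no
PubkeyAuthentication yes
EOF
cat > "$SAMPLE_DIR/users" <<'EOF'
admin:$apr1$VfogQ/..$B37VwrOg4S7a2ve9o4YUp.
helper:$apr1$CONSTRUCT$notarealhash
EOF

echo "password-login accounts: $(login_accounts "$SAMPLE_DIR/shadow")"
echo "PubkeyAuthentication:    $(pubkey_auth "$SAMPLE_DIR/sshd_config")"
echo "web logins:              $(web_user_count "$SAMPLE_DIR/users")"
```

Any account listed beyond root and backup, a PubkeyAuthentication value of yes, or a web login count above 1 is a finding to follow up with the steps above.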

howto/secured.txt · Last modified: 2009/05/10 03:16 by ds531