[TriLUG] attack

James Brigman jbrigman at nc.rr.com
Tue Feb 22 23:58:26 EST 2005


cate serino wrote:

>After only having my server up for a few hours and to a state that I
>thought was fairly secure, I got hacked with what I think is a man in the 
>middle attack.  Other than turning off ports (telnet, etc.), changing
>root passwords, and editing the hosts.allow and hosts.deny files, what
>can I do to secure my server?  I noticed that he/she was able to run
>ipchains and filter through his/her ip.  In addition, he/she was able 
>to mount a filesystem on my machine. I have flushed the ipchains and
>unmounted the filesystem.  Am I missing anything?  I have not had my
>server up for a year.  Has the Internet become that bad in one year? 
>
Cate - Yes, it's that bad. Those of us who care to keep attack logs have 
seen them go from 40k/week up to 200k/week currently. This list is full 
of people who are better at security than I am, but I'll offer you some 
suggestions to start off with, and leave the more sophisticated stuff to 
the wizards...

1) Go to a fresh distro. One of the guys mentioned CentOS. SuSE 9.2 is a 
good one too. An absolute necessity for servers is getting shadow 
passwords. If this person had root on your machine, they could've used 
some direct attack, but if they were able to snag an /etc/passwd file 
and work on cracking it, they pw0ned you.
2) Turn off telnet, ftp and all the r-services. In modern distros, those 
are typically off anyway.
3) It's critical to keep accounts to a minimum and control them 
carefully. With tools like John The Ripper, you can hack bad passwords 
in no time.
4) If your server is a webserver, security is going to be really 
difficult. There's hacked-up httpd's out there that can be used to 
harvest your server traffic off the wire in real time.
5) Check the inetd.conf and eliminate anything you can do without.
6) I know it sounds primitive, but hard-coded hosts files and static 
routes might help fight man-in-the-middle. If you think that's how they 
got to you, that might not be a bad idea. More trouble, but this server 
sounds like it's out there flapping in the wind.
7) Even more than using iptables/chains on the box itself, I'd protect 
it with a separate firewall that implements NAT as well. I like firmware 
firewalls because they are quiet and small, but logging with those 
little buggers is very poor compared to a "real" firewall.
8) I have buds who swear by Gentoo and thttp to build secure servers 
with.  You might even think about the possibility of building up a 
distro on a CD-ROM that loads up on the system and runs without a hard 
drive. Then if you are hacked, you reboot the box and you're pristine. 
If there's some security flaw about the CD-ROM "master", you make and 
burn another one without the flaw. I've long wanted to burn a distro 
into eeprom and run a server off a read-only solid state memory.

Hope this helps. I'm sure there are many other clever ideas that can be 
added to these...good luck to you on this!

JKB
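As an added example, not part of the original thread: a small POSIX sh audit that mechanically checks items 1, 2, 3 and 5 of the list above against constructed sample /etc/passwd and inetd.conf contents (the account names, hash value and service lines are made up for the demonstration).

```shell
# Added audit for items 1, 2, 3 and 5 of the checklist; not from the original post.
# Takes passwd-format and inetd.conf-format text as arguments so the constructed
# samples below run offline; on a real box pass "$(cat /etc/passwd)" etc.

# Item 1: accounts whose password field is not deferred to /etc/shadow
# ("x", "*" or "!"): a crackable hash, or nothing at all, sits in passwd.
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }'
}

# Item 3: accounts that can actually log in (shell is not nologin/false);
# this is the list to keep to a minimum.
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Item 5: services still enabled in inetd.conf (uncommented, non-blank lines).
enabled_inetd_services() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | awk '{ print $1 }'
}

# Item 2: telnet, ftp and the r-services (shell/login/exec in inetd naming).
legacy_services() {
    printf '%s\n' "$1" | grep -E '^(telnet|ftp|shell|login|exec)$' || true
}

# Constructed sample data (hash value and account names are made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
cate:$1$made.up$hashvalue0123456789:1000:1000:Cate:/home/cate:/bin/bash
ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh'

SAMPLE_INETD='#<service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd'

audit_report() {
    echo "== hashes/empty passwords in passwd (item 1) =="; unshadowed_accounts "$1"
    echo "== login-capable accounts (item 3) =="; login_accounts "$1"
    echo "== enabled inetd services (item 5) =="; enabled_inetd_services "$2"
    echo "== legacy services to disable (item 2) =="; legacy_services "$(enabled_inetd_services "$2")"
}
audit_report "$SAMPLE_PASSWD" "$SAMPLE_INETD"
```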