[TriLUG] attack
Jeff Groves
jgroves at krenim.org
Wed Feb 23 00:34:14 EST 2005
What distribution of Linux was your server running?
Jeff G.
James Brigman wrote:
> cate serino wrote:
>
>> After only having my server up for a few hours and to a state that I
>> thought was fairly secure, I got hacked with what I think is a man in
> >> the middle attack. Other than turning off ports (telnet, etc.),
>> changing
>> root passwords, and editing the hosts.allow and hosts.deny files, what
>> can I do to secure my server. I noticed that he/she was able to run
>> ipchains and filter through his/her ip. In addition, the he/she was
>> able to mount a filesystem on my machine. I have flushed the ipchains
>> and
>> unmounted the filesystem. Am I missing anything? I have not had my
>> server up for a year. Has the Internet become that bad in one year?
>>
> Cate - Yes, it's that bad. Those of us who care to keep attack logs
> have seen them go from 40k/week up to 200k/week currently. This list
> is full of people who are better at security than I am, but I'll offer
> you some suggestions to start off with, and leave the more
> sophisticated stuff to the wizards...
>
> 1) Go to a fresh distro. One of the guys mentioned CentOS. SuSE 9.2 is
> a good one too. An absolute necessity for servers is getting shadow
> passwords. If this person had root on your machine, they could've used
> some direct attack, but if they were able to snag an /etc/passwd file
> and work on cracking it, they pw0ned you.
> 2) Turn off telnet, ftp and all the r-services. In modern distros,
> those are typically off anyway.
> 3) It's critical to keep accounts to a minimum and control them
> carefully. With tools like John The Ripper, you can hack bad passwords
> in no time.
> 4) If your server is a webserver, security is going to be really
> difficult. There's hacked-up httpd's out there that can be used to
> harvest your server traffic off the wire in real time.
> 5) Check the inetd.conf and eliminate anything you can do without.
> 6) I know it sounds primitive, but hard-coded hosts files and static
> routes might help fight man-in-the-middle. If you think that's how
> they got to you, that might not be a bad idea. More trouble, but this
> server sounds like it's out there flapping in the wind.
> 7) Even more than using iptables/chains on the box itself, I'd protect
> it with a separate firewall that implements NAT as well. I like
> firmware firewalls because they are quiet and small, but logging with
> those little buggers is very poor compared to a "real" firewall.
> 8) I have buds who swear by Gentoo and thttp to build secure servers
> with. You might even think about the possibility of building up a
> distro on a CD-ROM that loads up on the system and runs without a hard
> drive. Then if you are hacked, you reboot the box and you're pristine.
> If there's some security flaw about the CD-ROM "master", you make and
> burn another one without the flaw. I've long wanted to burn a distro
> into eeprom and run a server off a read-only solid state memory.
>
> Hope this helps. I'm sure there are many other clever ideas that can
> be added to these...good luck to you on this!
>
> JKB
>
--
Law of Procrastination:
Procrastination avoids boredom; one never has
the feeling that there is nothing important to do.
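The checks behind points 1, 3 and 5 of the quoted list (shadow passwords in place, no extra UID 0 accounts, nothing risky left enabled in inetd.conf, plus a default-deny hosts.deny from the original question) can be scripted. The script below is an added example, not code from the thread or from any of the people in it. It audits copies of the files rather than the live system, using constructed sample files embedded in the script; on a box that has already been rooted the `awk`/`grep` binaries themselves may be trojaned, so run it from a trusted host against the suspect filesystem mounted read-only, passing the real paths in place of the samples.

```shell
#!/bin/sh
# Added example: offline audit of passwd, inetd.conf and hosts.deny copies.
# Sample files below are constructed for the demo; substitute real paths.

# Accounts whose password hash is still in the passwd file (point 1):
# the second field should be "x" (shadowed) or a lock marker.
unshadowed_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$1"
}

# Every UID 0 account; anything besides root is an extra root login (point 3).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Services not commented out in an inetd.conf (point 5).
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Enabled services that should be off on a server (point 2: telnet, ftp, r-services).
risky_inetd_services() {
    enabled_inetd_services "$1" | grep -E '^(telnet|ftp|shell|login|exec|rsh|rlogin|rexec)$' || true
}

# True when hosts.deny closes everything not listed in hosts.allow.
default_deny_set() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

audit_report() {
    echo "== accounts with hashes still in passwd (need shadow) =="
    unshadowed_accounts "$1"
    echo "== UID 0 accounts (expect only root) =="
    uid0_accounts "$1"
    echo "== risky inetd services still enabled =="
    risky_inetd_services "$2"
    echo "== hosts.deny default deny =="
    if default_deny_set "$3"; then echo present; else echo MISSING; fi
}

# --- constructed sample input (hypothetical accounts and services) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
SAMPLE_PASSWD="$TMP/passwd"
SAMPLE_INETD="$TMP/inetd.conf"
SAMPLE_DENY="$TMP/hosts.deny"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
cate:$1$saltsalt$deadbeefdeadbeefdeadbe:1000:1000:Cate:/home/cate:/bin/bash
toor:x:0:0:spare root:/root:/bin/bash
EOF

cat > "$SAMPLE_INETD" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
ident   stream  tcp     wait    identd  /usr/sbin/identd identd
EOF

cat > "$SAMPLE_DENY" <<'EOF'
# deny everything not explicitly allowed in hosts.allow
ALL: ALL
EOF

audit_report "$SAMPLE_PASSWD" "$SAMPLE_INETD" "$SAMPLE_DENY"
```

On the sample data the report flags `cate` as still carrying a hash in passwd, lists `toor` as a second UID 0 login, and shows `ftp` and `telnet` still live in inetd.conf while the commented-out `shell` entry is ignored. On a real box, an extra UID 0 account or a hash that reappeared in /etc/passwd after shadowing is exactly the kind of thing an intruder leaves behind.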