[TriLUG] attack

Jeff Groves jgroves at krenim.org
Wed Feb 23 00:34:14 EST 2005


What distribution of Linux was your server running? 

Jeff G.

James Brigman wrote:

> cate serino wrote:
>
>> After only having my server up for a few hours and to a state that I
>> thought was fairly secure, I got hacked with what I think is a man in
>> the middle attack.  Other than turning off ports (telnet, etc.), changing
>> root passwords, and editing the hosts.allow and hosts.deny files, what
>> can I do to secure my server?  I noticed that he/she was able to run
>> ipchains and filter through his/her IP.  In addition, he/she was
>> able to mount a filesystem on my machine. I have flushed the ipchains and
>> unmounted the filesystem.  Am I missing anything?  I have not had my
>> server up for a year.  Has the Internet become that bad in one year?
>>
> Cate - Yes, it's that bad. Those of us who care to keep attack logs 
> have seen them go from 40k/week up to 200k/week currently. This list 
> is full of people who are better at security than I am, but I'll offer 
> you some suggestions to start off with, and leave the more 
> sophisticated stuff to the wizards...
>
> 1) Go to a fresh distro. One of the guys mentioned CentOS. SuSE 9.2 is 
> a good one too. An absolute necessity for servers is getting shadow 
> passwords. If this person had root on your machine, they could've used 
> some direct attack, but if they were able to snag an /etc/passwd file 
> and work on cracking it, they pw0ned you.
> 2) Turn off telnet, ftp and all the r-services. In modern distros, 
> those are typically off anyway.
> 3) It's critical to keep accounts to a minimum and control them 
> carefully. With tools like John The Ripper, you can hack bad passwords 
> in no time.
> 4) If your server is a webserver, security is going to be really 
> difficult. There are hacked-up httpd's out there that can be used to 
> harvest your server traffic off the wire in real time.
> 5) Check the inetd.conf and eliminate anything you can do without.
> 6) I know it sounds primitive, but hard-coded hosts files and static 
> routes might help fight man-in-the-middle. If you think that's how 
> they got to you, that might not be a bad idea. More trouble, but this 
> server sounds like it's out there flapping in the wind.
> 7) Even more than using iptables/chains on the box itself, I'd protect 
> it with a separate firewall that implements NAT as well. I like 
> firmware firewalls because they are quiet and small, but logging with 
> those little buggers is very poor compared to a "real" firewall.
> 8) I have buds who swear by Gentoo and thttpd to build secure servers 
> with.  You might even think about the possibility of building up a 
> distro on a CD-ROM that loads up on the system and runs without a hard 
> drive. Then if you are hacked, you reboot the box and you're pristine. 
> If there's some security flaw about the CD-ROM "master", you make and 
> burn another one without the flaw. I've long wanted to burn a distro 
> into eeprom and run a server off a read-only solid state memory.
>
> Hope this helps. I'm sure there are many other clever ideas that can 
> be added to these...good luck to you on this!
>
> JKB
>

-- 
Law of Procrastination:
        Procrastination avoids boredom; one never has
        the feeling that there is nothing important to do.
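The points JKB lists above (shadow passwords, trimming inetd.conf, dropping telnet/ftp/r-services) turned into a small audit over the two files they concern. This is an added example, not part of the thread; the passwd and inetd.conf contents are constructed samples, not copied from any real host.

```shell
#!/bin/sh
# Added example: check a passwd file for hashes that should be in shadow,
# and an inetd.conf for services the advice says to switch off.

# Constructed /etc/passwd sample. 'x' means the hash lives in /etc/shadow;
# '*' or '!' means a locked account; a literal hash in field 2 means shadow
# passwords are NOT in use and anyone who can read the file can crack it.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/false
cate:$1$abcdefgh$ijklmnopqrstuvwxyz01234:1000:1000::/home/cate:/bin/bash
oldacct:!:1001:1001::/home/oldacct:/bin/bash'

# Constructed inetd.conf sample: commented lines are disabled services.
SAMPLE_INETD='#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# Print accounts whose password field is neither 'x' (shadowed) nor a
# lock marker. An empty field (no password at all) is reported too.
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }'
}

# Print the service name of every uncommented, non-blank inetd.conf entry.
enabled_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }'
}

# Of the enabled services, keep telnet, ftp and the r-services
# (shell = rsh, login = rlogin, exec = rexec). Empty output means clean.
risky_inetd_services() {
    enabled_inetd_services "$1" | grep -E '^(telnet|ftp|shell|login|exec)$' || true
}

echo "Accounts with password hashes exposed in passwd (enable shadow passwords):"
unshadowed_accounts "$SAMPLE_PASSWD"
echo "Enabled inetd services that should be turned off:"
risky_inetd_services "$SAMPLE_INETD"
```

Point the functions at the real files with `"$(cat /etc/passwd)"` and `"$(cat /etc/inetd.conf)"` to run the same checks on a live box.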