[NTLUG:Discuss] Weird Messages
MadHat
madhat at unspecific.com
Wed Jan 3 09:11:28 CST 2001
Computer security is what I do for a living. It doesn't matter what OS you
use unless you keep up with the patches, only run what you have to, and put
any and all restrictions that you can on the services you have to run (like
tcp_wrappers or ACLs). Other than that, it becomes much more specific to
what you are running and what your final goal is (whether or not to allow
people in... what kind of access to allow... whether or not to have
authentication... how strong of authentication/encryption... etc...).
On my system, there are no connections allowed in (unless completing an
open connection, state checking), only out (this is my house, not at my
job), but this means certain protocols won't work (like RTSP) and I have
accepted that loss, but I feel I am fairly secure _today_.
The best thing you can do is look at your systems from the outside
in. This is easier to do if you have an "always-on" connection (DSL,
Cable, ISDN, frame relay, T1...) and a computer you can dial into a free
service with (like Spinway, or one of their partners, like Barnes and Noble,
but this is not Linux compatible). And look at it like one of the people
that wants to get into your system... run nmap
(http://www.insecure.org/nmap) against it, or for those that have Windows,
nmap has been ported to WinNT and 2K, or you can use something like SuperScan
(http://www.foundstone.com/rdlabs/tools.html) or the other tools
available from Foundstone. Or look at http://Razor.bindview.com as they
have some good open-source tools as well.
The problem is that there is a specific set of tools for testing web
servers, then some for testing mail, ftp, etc... each service has a set of
tools to try for known holes, but not everything has a tool. You often
have to go at it by hand, which is when it gets ugly for the average
computer user.
Security is an exhausting, ongoing process. It is not something you can do
once and assume that you are done...
At 10:39 PM 1/2/2001 -0600, Scott Womer wrote:
>Along the same lines as the previous poster of this thread... hacking into
>linux servers. Or more accurately... being cracked. Every time I feel
>like I've shut all the doors I could, someone comes in and blows them wide
>open. In fact... this last time (01/01) I can't tell how the bastard(s) got
>in.
>
>I've been seriously hacked at least half a dozen times in the last six months
>(that I know of) and one server twice now. Most of them were used as
>launchpads for silly IRC-bots, but one was used to launch DoS attacks on
>other sites. The initial attack on me was traced back to the U of Israel,
>and the servers attacked from my machine were, like my employer, large
>utility companies. Am I just paranoid, or does that smell of informational
>terrorism against our country's infrastructure?
>
>Now I'm at the point where I need to ask for help. On my test server, which
>coincidentally seems to be their main interest, I've tested Bastille, but
>it screwed me up so bad, I had to reinstall just to get the blasted thing to
>boot again. I've updated every piece of software installed to the latest
>stable version, I've shut down most all services, the only non-essential
>daemon running is sendmail. I can telnet, and ftp as a user, but nothing
>anonymous. I'm running PortSentry which gives me a false sense of security
>cause it only blocks the scanners, it's not helping me now that they know
>where I'm at.
>
>I've made major gains at getting Linux accepted at my company, and I know
>others in my industry are watching me closely and I really don't want to
>give them an excuse to not trust Linux.
>
>I need help with Bastille... what options work well? I need input as to
>other utilities that are known to help, like monitoring the file system for
>any changes. How can I set up servers to only allow certain services like
>http to be widely accessible, but shut everything else down to just a couple
>IPs that can access them? And anything else really....
>
>I fancy myself a fairly decent Unix admin, 13-year HP-UX admin by profession
>and 6-year Linux admin by religion. So you'd be hard pressed to talk over
>my head.
>
>Even though I ask for input for my own benefit, I think an extended thread
>on this subject would benefit the group as a whole.
>
>
>Thanks,
>Scott Womer
>
--
MadHat at unspecific.com
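The policy MadHat describes (nothing in unless it completes a connection this host opened, everything out) and the split Scott asks for (http open to the whole Internet, the remaining services reachable only from a couple of IPs) as a single iptables INPUT ruleset. This is an added example and not code from either poster; it assumes Linux with iptables and the "state" match, and the interface name and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original thread: a netfilter/iptables INPUT policy
# implementing default deny inbound, stateful replies allowed, HTTP open to all,
# SSH and SMTP reachable only from a short list of administrative addresses.
# Assumptions: Linux with iptables and the "state" match; WAN interface and the
# 192.0.2.x addresses (RFC 5737 documentation range) are constructed placeholders.

WAN="${WAN:-eth0}"                                   # interface facing the Internet
ADMIN_IPS="${ADMIN_IPS:-192.0.2.10 192.0.2.11}"      # the "couple of IPs" allowed to reach admin services
ADMIN_PORTS="${ADMIN_PORTS:-22 25}"                  # ssh and smtp, restricted to ADMIN_IPS
PUBLIC_PORTS="${PUBLIC_PORTS:-80}"                   # services the whole Internet may reach

# Run iptables, or print the command instead when DRY_RUN is set so the
# ruleset can be reviewed (and tested) without root or a netfilter kernel.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    ipt -F INPUT
    # Default deny inbound and forwarded traffic; outbound stays open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    # Stateful: accept packets that complete a connection this host opened
    # (or a RELATED flow such as an ICMP error); drop anything the connection
    # tracker cannot place.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Public services: new connections from anywhere.
    for port in $PUBLIC_PORTS; do
        ipt -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Administrative services: new connections only from the listed sources.
    for ip in $ADMIN_IPS; do
        for port in $ADMIN_PORTS; do
            ipt -A INPUT -i "$WAN" -s "$ip" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        done
    done

    # Log what falls through to the DROP policy, rate-limited so a port scan
    # cannot fill the disk with log lines.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

# Without "apply" the script only prints the rules; review them, then run
# "sh firewall.sh apply" as root. Check the result the way MadHat suggests,
# from an outside host: "nmap -sS -p- <your address>" should show only the
# public ports open and everything else filtered.
if [ "${1:-}" = "apply" ]; then
    build_ruleset
else
    DRY_RUN=1 build_ruleset
fi
```

Two caveats a practitioner would hit with this policy. First, it is the same "accept the loss" trade-off MadHat describes: protocols that open a second connection back to you (active-mode FTP data channels, RTSP) will not work unless the kernel's connection-tracking helper for that protocol is loaded so the return flow is classified RELATED. Second, a packet filter is one layer, not a replacement for the per-service controls MadHat mentions; tcp_wrappers (hosts.allow/hosts.deny) on the daemons you still run, and turning off anything you do not need, remain worth doing on top of it.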