[NTLUG:Discuss] Secure a system by securing GCC..

Bug Hunter bughuntr at one.ctelcom.net
Tue Jul 2 08:29:05 CDT 2002


On Mon, 1 Jul 2002, Richard Geoffrion wrote:

> Well folks, it's been real!  I guess I'm gonna unplug my cable modem,
> reformat my drives, leave them blank and break out my chisel and stone.


  We've been on the internet for 8 years now, with 2 successful crack
attempts and 1 almost successful one, and about 10 to 20 crack attempts
per day.  We run around 10 machines.

  The first crack attempt was ignorance.  (Once is free :)  The perps
used us to transfer game files around the U.S. and Australia.)  The second
was a co-lo customer who had responsibility for their equipment.  The
third attempt failed due to slight modifications to our user account
creation process.  One for the good guys!

  I've found the following two items help a lot:

  1) make hosts.deny (which has ALL:ALL) be chattr +i

  2) if you are running redhat, make /etc/skel/.bash_profile have the word
"exit" in it.  The default then makes the user log out of his shell as
soon as the user logs in, no matter the source (ssh, telnet, etc.)


  The third item that helps is to adopt the following policy:

  "Deny everything by default.  Only permit what you are requested to
permit and you understand well."


  And finally,

 "keep all security items up to date."


  The failed attempt used a Bind 8.2 hole which allowed them to run
programs as root.  The cracker deleted hosts.deny, created a user named
rewt, then logged in.  Since our default template files logged the perp
out immediately, the perp went away.  The info was in the log files the
next day for us to sort out.  We went back to bind 4.9, and have used it
ever since.

bug
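An added example, not part of Bug's message: a POSIX sh script that applies the two items above (default-deny hosts.deny made immutable, and a skeleton .bash_profile that exits) and audits them. The ROOT argument is an assumption added here so the steps can be rehearsed on a scratch directory before touching a live system; chattr +i only works as root on ext2/3/4, so it is attempted only when both hold.

```shell
#!/bin/sh
# Apply the two hardening steps from the post under $1 (a scratch root for
# rehearsal, or "" for the real system).  Must run as root for chattr +i.
apply_hardening() {
    root="${1:-}"
    mkdir -p "$root/etc/skel"
    # Item 1: tcp-wrappers default deny.  Only services linked against
    # libwrap (or started via tcpd) honour this file.
    printf 'ALL: ALL\n' > "$root/etc/hosts.deny"
    # Item 2: every account created from /etc/skel inherits a login
    # profile that ends the interactive login shell immediately.
    printf 'exit\n' > "$root/etc/skel/.bash_profile"
    # Immutable bit: a root-level intruder has to notice and clear it
    # before the file can be deleted, which shows up in the logs.
    if [ "$(id -u)" -eq 0 ] && command -v chattr >/dev/null 2>&1; then
        chattr +i "$root/etc/hosts.deny" 2>/dev/null || true
    fi
}

# Content audit: returns 0 when both files say what they should, 1 otherwise,
# printing each missing control.  Accepts "ALL:ALL" and "ALL: ALL".
audit_files() {
    root="${1:-}"
    ok=0
    if ! grep -qs '^ALL:[[:space:]]*ALL' "$root/etc/hosts.deny"; then
        echo "hosts.deny lacks ALL: ALL"; ok=1
    fi
    if ! grep -qsx 'exit' "$root/etc/skel/.bash_profile"; then
        echo "/etc/skel/.bash_profile does not exit on login"; ok=1
    fi
    return $ok
}

# Immutable-bit audit: 0 if hosts.deny carries the 'i' attribute, 1 if not,
# 2 if lsattr is unavailable or the filesystem does not support attributes.
audit_immutable() {
    root="${1:-}"
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr "$root/etc/hosts.deny" 2>/dev/null | cut -d' ' -f1)
    [ -n "$attrs" ] || return 2
    case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

if [ "${1:-}" = "--apply" ]; then
    apply_hardening "${2:-}"
    audit_files "${2:-}" && echo "content OK"
    audit_immutable "${2:-}" && echo "hosts.deny is immutable"
fi
```

Run as `sh harden.sh --apply /tmp/rehearsal` to see the audit output on a scratch tree; on a real host the immutable check only passes once chattr has been applied as root.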