It's not that hard to stay secure with any linux distro, especially if you
are not running public servers..

Here are some steps you can look into. (I do all of these, except for
hogwash)


1. Run a firewall like gShield to drop all packets to ports you want closed
to the net. (all of them unless you are running servers.) Test yourself by
doing the full scans at http://scan.sygate.com and make sure everything is
closed, even high ports. (gShield does that by default.) (see other posts
about gShield in expert tonight, it's the best off the shelf linux firewall I
have seen, and really really easy to set up.)

2. In /etc/hosts.deny put one line:    ALL:ALL
That closes all access to pretty much everything.. (man hosts_access)
Then you have to allow those services that you want to provide to your
network.. so add something like this to /etc/hosts.allow :
sshd:   192.168.0.3              (which will allow ssh access to only 192.168.0.3)

do that for all the stuff where you need to allow internal access.
pop3, smb, telnet, imap etc etc etc...

3. Tell your server apps to limit themselves to the internal interface.
------- samba: /etc/samba/smb.conf :
interfaces = eth0                     (where eth0 is your internal ethernet card.)
hosts allow = 127. 192.168.0.     (where 192.168.0.0/255.255.255.0 is your
internal net)

------- xinetd (for pop3 and other similar services) edit /etc/xinetd.d/ipop3:
add to it:
only_from = 192.168.0.0/24  (again where the above range is your internal
network.)

4. (probably should be no. 1.) Keep your box up to date using MandrakeUpdate
and join the security advisory mailing list at mandrake.

5. (optional, but handy) Install portsentry and run it in stealth mode
(portsentry -atcp and portsentry -audp).
This will automatically block any IP addresses that scan you, (which is the
way cracking usually starts.)
If you want to go even further, you could install hogwash as well.. which is
like portsentry, but blocks nasty packets, not the IP address itself.

Personally, if you have done the first 4, then I'd say you're far safer than
most.. and keep a copy of the config files for next time you install.. you
don't have to do all the work each time.. just install and copy the config
files back in.

I don't even use msec, never have, and unless it gets a lot more intuitive,
I probably never will..

But do all of the above and you are not going to have any issues..

If your internal services can only be accessed on the internal interface,
and you explicitly allow each access to the box via tcpwrappers
(hosts.allow/hosts.deny), and your firewall blocks any packets from spoofed
internal IPs (all good firewalls should), and you have no open ports..
(which is to say that everything that is not NAT (connection sharing) traffic
for the internal network is dropped) you are very very hard to hack from
outside, as there are no doors to open..

If however you host a DNS server, or mail server, or apache web server, then
you MUST make sure you keep them all up to date, and limit their access and
rights. (mandrake 9.0 does a good job out of the box on this count; for
example, postfix runs chroot by default, which means even if it is somehow
hacked, it thinks the root directory of the box is /var/spool/postfix, so
they can't do damage elsewhere..)

As I have said many times above, the first four steps give you very good
protection just by themselves.. set up like that, most crackers will give up
pretty quick.. there are far too many easier targets out there..


I still have a lot of mdk7.2 boxes out there running happily with ipchains
firewalls and none have been hacked thus far..
just because I follow the rules above..

For a home net server, that's all you need.. if you have a ton of users on
your box, and you don't trust them all.. then there is a lot of other stuff
you can do.. (which I will leave for another discussion.)


rgds

Frank
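Step 2 and the closing tcpwrappers paragraph both rest on how hosts_access evaluates hosts.allow before hosts.deny. As an added example (not Frank's code or anything shipped by Mandrake), here is a small POSIX sh model of that decision run against constructed file contents matching step 2; it handles only the patterns the post uses (ALL, one IP, a trailing-dot network prefix), and the daemon names sshd and ipop3d are assumed server program names.

```shell
#!/bin/sh
# Added example (not from the original thread): a tiny evaluator for the
# tcpwrappers decision that step 2 relies on, run against constructed
# hosts.allow / hosts.deny contents. It supports the hosts_access(5) subset
# the post uses: ALL, one exact IP, and a trailing-dot network prefix.
HOSTS_DENY='ALL: ALL'                 # everything not explicitly allowed
HOSTS_ALLOW='sshd: 192.168.0.3
ipop3d: 192.168.0.'                    # daemon names are server program names
# client_match PATTERN IP -> 0 if PATTERN covers IP
client_match() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}
# rule_match "daemons : clients" SERVICE IP -> 0 if the rule applies
rule_match() {
    daemons=${1%%:*}; clients=${1#*:}; hit=1
    for d in $(echo "$daemons" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$2" ] && hit=0
    done
    [ $hit -eq 0 ] || return 1
    for c in $(echo "$clients" | tr ',' ' '); do
        client_match "$c" "$3" && return 0
    done
    return 1
}
# file_match "FILE CONTENTS" SERVICE IP -> 0 if any non-comment line matches
file_match() {
    echo "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            rule_match "$line" "$2" "$3" && exit 0
        done
        exit 1
    }
}
# wrap_decide SERVICE IP -> prints allow|deny. tcpwrappers consults
# hosts.allow first, then hosts.deny, and allows if neither matches.
wrap_decide() {
    if file_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow; return 0; fi
    if file_match "$HOSTS_DENY"  "$1" "$2"; then echo deny;  return 1; fi
    echo allow
}
for probe in 'sshd 192.168.0.3' 'sshd 192.168.0.4' 'ipop3d 192.168.0.77' \
             'ipop3d 203.0.113.9' 'telnetd 192.168.0.3'; do
    set -- $probe
    printf '%-8s from %-15s -> %s\n' "$1" "$2" "$(wrap_decide "$1" "$2")"
done
```

A miss in both files is allowed by tcpwrappers, which is why the single ALL:ALL line in hosts.deny is what turns the setup into "explicitly allow each access".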

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lorne
Sent: Sunday, 1 December 2002 1:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] Hack attack analysis


On Saturday 30 November 2002 04:17 am, Franki wrote:
> Two good tools for stopping hacks from succeeding are the same ones some of
> the hackers use..
>
> Whisker (a perl script) and nessus.
>
Thanks, I'll go check them out and run it against my new firewall.

> Whisker has been scanning your machine looking for exploits, gives them a
> report on vulnerable and they probably downloaded some script kiddie tools
> and hacked you..
>
> Nessus is much more powerful.. and has a huge database of potential
> hacks... if you want to know if you're easily hackable, run nessus against
> your gateway.. you'll be quite surprised at the results.
>
> Time for you to wipe your box and reinstall.. perhaps you should try
> Hogwash for some proactive protection.. it's like portsentry on steroids..
> based on some of the Snort code.
>
Well the good news is, that I was running mandrake 9.0 on my old 200mhz box,
so even though I was using it for all of my email and browsing, I need an
excuse to quit using it. :) I already had a brand new partition set up on my
faster box, so I just did an ifdown eth0 on the old box and booted up the
new. I've spent a couple of days trying to get openbsd working, but it is so
foreign to me, I got frustrated and installed Mandrake security. I just don't
have a sense for how secure it is yet.

> I've found tripwire on mandrake to be something of a pain.. I had to modify
> it to even get it to compile.
>
That ended up happening to me. I started to install it and had nothing but
trouble and ran out of time.
>
> rgds
>
> Frank
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Lorne
> Sent: Saturday, 30 November 2002 1:11 AM
> To: [EMAIL PROTECTED]
> Subject: [expert] Hack attack analysis
>
>
> Well guys... it has been 5 years since someone got in. They finally did it.
> I've been using the floppy disk coyote linux for years now. They aren't
> keeping up it seems and the last update I got was in January. The first
> clue was zone alarm on my boys box popped up some denials. Regrettably, I
> walked over to my firewall, hit the reset button and didn't give it another
> thought.
> Now I've lost all the logs on that server and don't know what state it was
> in.
>
> About an hour later I notice that my linux box was showing 2 ip addresses
> in my samba server list that weren't even on my subnet! NOW it has my full
> attention!!! I did not have tripwire installed. Just ran out of time, but I
> DID have snort loaded and not fully or properly configured I don't think.
> However, I DID get some interesting log entries that I thought I'd pass on
> to see what you guys thought, and perhaps shed some light on how they are
> whacking my firewall. I'm in the process of setting up an openbsd firewall.
> That should give them something to chew on for awhile.
>
> I'm sure I've been hacked but good, because they screwed up my ntp, set my
> nic to promiscuous mode, and looks like they gained root access.
>
> Here are some snippets of what my messages log shows:
>
> Nov 24 10:50:24 mandrake snort[1213]: [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [Classification: Misc activity] [Priority: 3]: {ICMP} 150.176.17.242 -> 192.168.100.7
>
> Nov 24 11:07:52 mandrake snort[1213]: [1:466:1] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.100.8 -> 192.168.100.7
> Nov 24 11:23:31 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4232 -> 66.150.3.68:80
>
> port scans it appears, or buffer overflows on numerous ports?
>
> {TCP} 192.168.100.8:4246 -> 66.150.3.68:80
> Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4249 -> 66.150.3.68:80
> Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4252 -> 66.150.3.68:80
> Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4255 -> 66.150.3.68:80
> Nov 24 14:07:36 mandrake snort[1213]: [1:1287:5] WEB-IIS scripts access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.8:4756 -> 204.155.175.40:80
> Nov 24 07:49:40 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1087 -> 64.236.17.133:80
> Nov 24 07:55:20 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1126 -> 64.236.17.133:80
> Nov 24 08:04:07 mandrake snort[1213]: [1:1564:4] WEB-MISC login.htm access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.6:1242 -> 207.25.71.118:80
> Nov 24 08:06:30 mandrake ntpd[1251]: time correction of 25199 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
> Nov 24 08:06:30 mandrake kernel: eth0: Setting promiscuous mode.
> Nov 24 08:14:02 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1356 -> 64.124.82.22:80
> Nov 24 09:24:42 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.5:1353 -> 216.239.51.101:80
> Nov 24 12:25:37 mandrake snort[1213]: [1:853:5] WEB-CGI wrap access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3018 -> 64.124.82.13:80
> Nov 24 14:45:45 mandrake snort[1213]: [1:1408:5] DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.150.3.68:80 -> 192.168.100.8:3372
> Nov 24 15:03:09 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1509 -> 68.6.19.4:25
> Nov 24 15:04:54 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1510 -> 68.6.19.4:25
>
> ****** somehow right in here, my samba server goes absolutely nuts. It has
> been forced to be master browser and he gets into a pissing match with my
> xp box, forcing election after election. My guess is to find out who is
> running shares on my little network. ?
>
> Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session opened for user root by (uid=503)
> Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session closed for user root
> Nov 24 23:57:50 mandrake su(pam_unix)[7362]: session opened for user root by (uid=503)
> Nov 24 23:58:03 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3190 -> 63.241.29.144:80
>
> There you go, I'm screwed. SU access. So at this point, I'm thinking
> rebuild eh? I ran a chkrootkit, nothing showed, but who knows what has been
> done. I'm thinking I need to learn tripwire eh? :(
