On Wed, 1 Nov 2000, Benjamin Scott wrote:

> On Wed, 1 Nov 2000, Tom Laurie wrote:
> > They got a call from ATT Broadband yesterday saying that their computer
> > was being used to hack into other computers and sure enough, when you
> > reboot their server it says Zombie at some point.
> 
>   Wipe the drives and reinstall the system.
> 
>   Unless you have an offline copy of an Intrusion Detection System, that is
> the only way to ensure system integrity after a compromise.

That can't be stressed enough.  Once your machine has been compromised,
unless you've gone to great pains to be able to determine EXACTLY what's
been changed on the system (i.e. by running an IDS and spending a lot of
time to make sure it's configured well for your site), you CAN'T trust
ANYTHING on your system.  So re-install is the ONLY option.

> 
> > Once it is off, how can I protect against it ?
> 
>   Keep your security updates up to date.  Most distributions/vendors have a
> security updates web page and/or mailing list.

This is crucial.  Once a piece of software has a known exploit, the script
kiddies come out in full force.  The details of the compromise are made
available both by security sites (once the fix is known usually) and also
by underground sites (usually immediately) so once the cat is out of the
bag, your system is a target.  So much like in a firefight scenario, you
want to make yourself harder to hit, by making yourself a moving
target.  Staying up-to-date with security updates is how you do that.


>   Use strong passwords.
> 
>   Keep the number of people with privileged accounts to a minimum.

These are also good advice, of course.

>   Do not use unencrypted channels for anything other than anonymous access.
> 
>   Turn off unnecessary services.

Next to keeping on top of updates, these last two are the most important
(I edited the order they were in from the original message).  Not using
encryption makes it possible for attackers to read passwords and other
potentially sensitive information as it travels along the physical wire to
your machine.

Any service that allows a connection from the outside world is a potential
threat to your machine's security, so turn off the ones you don't
need.

Install OpenSSH to replace telnet and rlogin... it's a secure encrypted
connection.  It can also do other neat things like forward X sessions over
the encrypted tunnel.

Once you do that, TURN OFF telnet, rlogin, and ftp (unless you NEED
anonymous ftp, but if you don't REALLY need it, you shouldn't use
it).  Those services are inherently insecure.  Block them at your firewall
if you can.  That goes for any other un-needed service as well.


> 
>   Understand the services you are running, the configuration you are using,
> and the security implications thereof.  This takes the most time,
> unfortunately, but generally leads to the best security.  In an ideal world,
> with ideal vendors, this would not be necessary.  But this is not an ideal
> world.

Unfortunately, if you are concerned about security (and everyone who's
connected SHOULD be), this is the only way to get the upper hand.  You
need to familiarize yourself with the ways that people can attack your
machine, which involves knowing the methods, AND knowing what you have
that's vulnerable.

Once you have that, you need to familiarize yourself with how to defend
against those attacks.  Until you do this, your machine is vulnerable.


>   BTW, these rules are not specific to Linux, or even Unix.  They apply
> regardless of the software you are running.

Right.  Windows machines are vulnerable too, though the kinds of attacks
to which they are vulnerable are a smaller subset of those to which Linux
is vulnerable.  Reason?  They generally come with much less to attack.
Linux is more powerful, and the more power you have, the more vulnerable
you are to someone trying to take it away from you (or in this case, to
borrow it).


-- 
We sometimes catch a window, a glimpse of what's beyond
Was it just imagination stringing us along?
------------------------------------------------
Derek Martin          |   Unix/Linux geek
[EMAIL PROTECTED]    |   GnuPG Key ID: 81CFE75D
Retrieve my public key at http://pgp.mit.edu
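The "offline copy of an Intrusion Detection System" that the thread keeps coming back to is, at its core, a file-integrity baseline: hashes, permissions and sizes of every file recorded BEFORE the compromise and kept somewhere the intruder cannot edit.  The script below is an added example, not code from the original post or from any of the posters; it assumes nothing about the host and builds its own constructed directory tree (a fake bin/ and etc/) so it runs anywhere.  It takes a baseline, simulates a rootkit (trojaned ps, a setuid bit on ls, a dropped backdoor, a deleted config) and reports exactly what changed:

```python
"""Minimal Tripwire/AIDE-style file-integrity baseline checker.

Added example; the directory layout and the "intrusion" are constructed
for demonstration.  The lesson from the thread: this only tells you what
changed if the baseline was taken on a known-clean system and stored on
read-only or remote media, and if the hashing tool itself is run from
trusted media.  A baseline taken after the fact, or checked with binaries
left on the compromised box, proves nothing.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits, size) for every regular
    file under root.  Symlinks, devices and sockets are skipped."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = str(p.relative_to(root))
            baseline[rel] = (hash_file(p), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: files that appeared, vanished, or changed in
    content, permissions or size."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then tamper with it
    the way a rootkit would, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /real/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /real/ps \"$@\"\n")
        (root / "etc" / "inetd.conf").write_text(
            "telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n")
        (root / "bin" / "ls").chmod(0o755)
        (root / "bin" / "ps").chmod(0o755)
        before = take_baseline(root)  # in real life: taken on a clean install

        # Simulated intrusion.  Content change: ps trojaned to hide processes.
        (root / "bin" / "ps").write_bytes(
            b"#!/bin/sh\nexec /real/ps \"$@\" | grep -v zombie\n")
        # Permission-only change: setuid bit added to ls (hash is unchanged,
        # so a checksum-only tool would miss this).
        (root / "bin" / "ls").chmod(0o4755)
        # New file: a dropped backdoor.
        (root / "bin" / ".bd").write_bytes(b"backdoor")
        # Removed file: attacker cleans up a config.
        (root / "etc" / "inetd.conf").unlink()
        after = take_baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would run take_baseline() once, right after the fresh install the thread recommends and before plugging the box into the network, write the result to a CD-R or to another machine, and re-run it from a boot CD when you suspect trouble.  Note that the ls entry is reported as modified even though its hash did not change: recording permission bits alongside the hash is what catches a setuid bit quietly added to a system binary.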




**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************