|Marc,
|here is what one of my friends recommended for scan detectors and other
|security related stuff
|
|letter included, it is pretty long, but definitely worth reading.
|-----8<------------------------------------------------------------
|The semi-good news....
|
|Hey Filip....don't feel alone. A good friend of mine and a superior UNIX
|Admin (...and now a practiced hacker), when he was first starting out...he
|was royally hacked on his site. It happens to many Admins who first put a
|box out on the web. There are a number of sites that can help give
|you steps
|to go by, supply you with tools, and supply you with updates....but what it
|usually takes is starting with an extremely stingy inetd.conf, and EVERY
|service OFF but those that are essential (really for a web server, that
|should be HTTP/HTTPS and maybe SSH, with FTP only turned on manually when

yes but inetd is even a bitch.... some recommend disabling it altogether and
replace with rc.d scripts when the services are needed.

I guess it kind of makes sense. inetd is there to spare resources just in
case you need that service to run from time to time, i.e. it is not the
primary usage of your box (example pop on a httpd based server)... then
yeah.. but since it is not the first role of the box then don't fucking put
it there in the first place... you know?

just kidding.

|needed). Your Fire Wall should be separate from your web server and those
|separate from your mail server. Of course, for a home situation that is not

which is essentially what he is saying here.

|always possible....and then it brings up serious security issues that need
|to be balanced carefully.
|
|The bad news...
|
|I hate to say this, but there are no easy solutions. Linux is tricky,
|because it is a hacked together (no pun intended) system to begin with.
|OpenBSD is the most secure free UNIX out of the box...while Linux is not.

I was unaware of that.  Another constraint I have on the new box is that it
will host jboss instance running on apache and we will be able to test beans
online etc... this is done in conjunction with dever-online's "wantjava"
(btw, commercial plug) so we have to have a good VM and (afaik) there is no
good 1.3 VM on BSD (?)

That being said, I am curious to know if the box I configured is really
secured...

|Solaris and many of the pay-to-use UNIX systems are about 50% secure out of
|the box. You see, Linux...in particular Red Hat, has been designed with
|"ease-of-use" when it is shipped. This makes it very insecure.

yes, well the inetd stuff was full of services I didn't want.  One thing
that was quite ok with the install is that when I deselected packages for
installation (ftpd, sendmail etc) it would automatically put the right
xinetd configuration (that is also why xinetd >> inetd: directory based,
plugin like configuration... we would do the same for "JBoss" modules at
some point :)

so while it was a bit "non secure" it was quite solid if you used the right
package install selection.  I wish they would have a "secure box"
"configuration" as a select in their install choices.

Another thing was the rc*.d scripts and the stuff in /etc/init.d with loads
of real daemons spawned at boot time, this I had to manually go in and
remove... a bit of annoying work but still ok, almost everything removed.

is it secure now?  could be...

|The really bad news....
|
|If they have changed the index file, that means they have root. You have
|been rooted, and without a finely tuned binary checker (with MD5
|comparisons), you will not know if you have any hacked binaries. What this

TRIPWIRE! is the word.  Love it!

|means is whoever hacked you probably has a Trojan into your system, and may
|be able to log back in with ease (providing the server is up...which it
|seems to be...just checked). If you have been rooted by someone
|fairly good,
|and they have buried a Trojan...and you do not have a full backup or MD5
|checksum listing of every file...then you will need to wipe out the old OS
|and reinstall Linux.

Yep! exactly what tripwire does for you... notify of modified files (not
just perms or size)

| Before you do this you may want to print out or copy

good point, it doesn't automate the storage and restoration of "critical"
files (AFAIK) but that would be a kick ass feature, maybe that is part of their
"commercial version" :), hey we could write a "restore config" series of
beans that keep the files in memory... ooooh... and then when JBoss comes
up...

<snip>
|degree than normal. Once you have tweaked things after the first scan, scan
|again and see if your fixes hold. Then, you will want to setup more
|verbose/centralized logging (such as setting up another server as a Syslog
|server), and setup some type of log monitoring system that can alert you to
|suspicious activities (Swatch..).

cool... I will need to check if the denver guys offer such a centralized
syslog server.

|You will also want to setup a system
|binary watcher (Tripwire) or such to make sure that no one tampers in the
|future:) There are also some cool semi-free IDS systems out there....but it
|is not too hard to setup your own (Perl/shell). Also, check out some of the
|hack sites and sign up for Linux security newsletters.
|
|Whew.....good security is hard work:)
|
|
|Hope that helps, and let me know if you need further help
|
|
|BTW: Check out www.rootshell.com

yep been there done that, cool rootkits :)

marc

|
|
|
|~
|Namaste - I bow to the divine in you.
|~
|Filip Hanik
|Technical Architect
|[EMAIL PROTECTED]
|
|----- Original Message -----
|From: "marc fleury" <[EMAIL PROTECTED]>
|To: "jBoss Developer" <[EMAIL PROTECTED]>
|Sent: Monday, January 22, 2001 10:38 AM
|Subject: RE: [jBoss-Dev] securing your servers
|
|
|yes, my home machine was hacked as well and then my provider machine from
|there hence jboss down.
|
|It also proves "dreamhost" detected the intrusion (as I did) but wasn't able
|to do anything to prevent it or repair it. :(
|
|I had to reinstall linux as well.  It seems the first script kiddies were
|good and just "parasited" the machine but didn't damage it (and I don't mind
|some parasites, all trees have them). But then a "sloppy" script kiddy came
|along and boom.
|
|So being badly raped when I was a "security newbie" I decided to look at it
|in detail.
|
|Fascinating, had a great time, didn't sleep much last week :)
|
|essentially I disable EVERYTHING (telnet, ftp), I use xinetd which is more
|secure than inetd and then I turn off all the services in xinetd but pop3s,
|a secure pop version on ssl.  ssh is the only way to get in (telneat really
|good on windows). Of course I do all the installation off line.  And then I
|put "tripwire" to monitor the main directories, turn it on, and once it is on
|I put the machine online.
|
|then I downloaded a rootkit and diagnosed my own machine for attacks :)
|fascinating.
|
|so much fun.  Anyone knows of a good "scan detector"?
|
|marc
|
|
||-----Original Message-----
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of Filip Hanik
||Sent: Monday, January 22, 2001 10:22 AM
||To: jBoss Developer
||Subject: [jBoss-Dev] securing your servers
||
||
||Just wanted to let everybody that runs RedHat at home (maybe even the JBoss
||servers?) know that I got hit by the Ramen Noodle worm on my server at home
||(I forgot to turn off some inetd services - in this case the print service)
||and my machine got rooted.
||This means I have to reinstall my machine from scratch, so be careful all
||of you who run Linux (especially redhat).
||If you run FreeBSD you're safe!! :)
||
||take a look at the article
||http://news.cnet.com/news/0-1003-200-4508359.html?tag=st.ne.1430735..ni
||
||Filip
||
||~
||Namaste - I bow to the divine in you.
||~
||Filip Hanik
||Technical Architect
||[EMAIL PROTECTED]
||
||----- Original Message -----
||From: "marc fleury" <[EMAIL PROTECTED]>
||To: "jBoss Developer" <[EMAIL PROTECTED]>
||Sent: Monday, January 22, 2001 9:55 AM
||Subject: RE: [jBoss-Dev] jndi/UserTransaction
||
||
||Hello,
||
||sorry for the delay I am finally out of the water re website (well almost).
||
||I am very interested in an integration of
||a/ new TM or extended TM
||b/ Jeremie from France Telecom... it is the new JOnAS TM and I believe we
||can buy ourselves distributed TM with it.
||
||let me know if you have the time/energy/will to take that on.  To be quite
||frank I am thinking b/ first, then talk to ole on possibilities for a/,
||
||marc
||
||
|||-----Original Message-----
|||From: [EMAIL PROTECTED]
|||[mailto:[EMAIL PROTECTED]]On Behalf Of Sethi , Manish
|||Sent: Sunday, January 14, 2001 7:51 AM
|||To: 'jBoss Developer '
|||Subject: RE: [jBoss-Dev] jndi/UserTransaction
|||
|||
|||Hi Everybody,
|||
|||Writing very first mail to the group.
|||
|||I have gone through the present implementation of JTA. I want to help in its
|||development. Now what I want to know is which of the following we should
|||choose for this job.
|||
|||1. Should we implement JTS/OTS specs at the back. (Probably we would have to
|||start from scratch...)
|||
|||OR
|||
|||2. Should we think of some mechanism of just making TXContext movable around
|||the multiple JVMs...
|||
|||
|||-Manish
|||
|||
|||-----Original Message-----
|||From: marc fleury
|||To: jBoss Developer
|||Sent: 1/12/01 10:34 AM
|||Subject: RE: [jBoss-Dev] jndi/UserTransaction
|||
||||Is there a known historical fix for this, such as substituting a different
||||JTA implementation or JNDI implementation? That is, has someone already
|||
|||hi,
|||
|||the jndi implementation is an orthogonal issue.  We need to plug in a
|||distributed monitor (JTS/JTA) and hook it up to jndi. The plumbing
|||(propagation, thread association) is already there as it is an adaptation of
|||the old jboss1.0 code.
|||
|||For the record, jboss1.0 used JOnAS distributed TM to provide distributed
|||transactions.  We deliberately removed it from 2.0 to provide fast in VM tm.
|||
|||Plugging a new TM is what is needed.
|||
|||marc
|||
|||
||||provided this functionality in the past and able to offer suggestions?
||||Distributed JTA and UserTransaction access by remote clients through JNDI
||||is spec-required.
||||
||||Sean
||||
||||on 1/11/01 11:17 PM, marc fleury at [EMAIL PROTECTED] wrote:
||||
||||> userTransaction is for beans right now. I.e visible in JNDI of beans,
||||> but NOT the global JNDI.
||||>
||||> marc
||||>
||||>
||||> |-----Original Message-----
||||> |From: [EMAIL PROTECTED]
||||> |[mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
||||> |Sent: Wednesday, January 10, 2001 8:08 PM
||||> |To: jBoss Developer
||||> |Subject: Re: [jBoss-Dev] jndi/UserTransaction
||||> |
||||> |
||||> |Can't you just access it via the context.getUserTransaction() method?
||||> |It is bound under java:comp/UserTransaction, but this is only available
||||> |from within the EJB while the container is executing a method. It's
||||> |not visible via jndiView.
||||> |
||||> |
||||> |----- Original Message -----
||||> |From: "Peter Braswell" <[EMAIL PROTECTED]>
||||> |To: "jBoss Developer" <[EMAIL PROTECTED]>
||||> |Sent: Wednesday, January 10, 2001 7:20 PM
||||> |Subject: [jBoss-Dev] jndi/UserTransaction
||||> |
||||> |
||||> |> All,
||||> |>
||||> |> I don't see (jndiView) where a UserTransaction is
||||> |> bound.  I didn't find in the mail archives or docs
||||> |> anything indicating how this gets bound...
||||> |>
||||> |> Any hints?
||||> |>
||||> |> peter
||||> |>
||||> |>
||||> |>
||||> |
||||> |
||||> |
||||>
||||>
||||
||||
||||
|||
|||
|||
||
||
||
|
|
|
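An added example, not code from this thread or from Tripwire, of the "MD5 checksum listing of every file" idea the letter raises and the reply answers with Tripwire: record every file's content hash and ownership/mode once, store that baseline somewhere an attacker with root cannot reach, and later diff the live tree against it. It uses SHA-256 in place of MD5 and deliberately does not rely on size or mtime, since a careful attacker preserves both. The demo() scenario (a fake bin/ls replaced by a same-length trojan with its timestamps restored, a dropped file, a defaced index.html) and all names in it are constructed for illustration.

```python
"""Minimal Tripwire-style file integrity check (added example, not from the thread)."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Metadata plus content hash for one entry; lstat so symlinks are recorded, not followed."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk root and record every file; keys are paths relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """Report added, removed and modified entries; 'modified' lists which fields changed."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": {},
    }
    for path in set(baseline) & set(current):
        old, new = baseline[path], current[path]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            report["modified"][path] = changed
    return report


def demo():
    """Constructed scenario: baseline a tree, then tamper with it the way a rootkit would."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        ls = os.path.join(bindir, "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho list\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")

        baseline = build_baseline(root)
        # This JSON is what you would keep on read-only media or another host.
        baseline_json = json.dumps(baseline, sort_keys=True)

        # Attacker swaps ls for a same-length trojan and puts the timestamps back.
        st = os.stat(ls)
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho EVIL\n")
        os.utime(ls, (st.st_atime, st.st_mtime))
        # Attacker also drops a hidden file and defaces the index page.
        with open(os.path.join(bindir, ".rk"), "wb") as f:
            f.write(b"\x00")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("owned\n")

        return compare(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would want: the baseline and the checker itself must live where root on the compromised box cannot rewrite them, and once a box is rooted the kernel or libc may lie to any checker run on it, so the honest comparison is done after booting from clean media.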
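An added example, not from this thread, of the "scan detector" marc asks for, written as the kind of home-grown log watcher the letter suggests next to Swatch: it reads firewall log lines and alerts when a single source address touches many distinct destination ports within a short window. The log format (iptables-style kernel LOG lines carrying SRC= and DPT=), the sample lines, the addresses and the thresholds are all constructed assumptions; the 2001-era ipchains output these machines probably had looks different, so the regular expression is the part to adapt.

```python
"""Port-scan detector over firewall log lines (added example, not from the thread)."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# iptables-style LOG lines: constructed sample, not real traffic from the thread.
# 198.51.100.23 sweeps eight ports in three seconds; 198.51.100.99 probes slowly
# over 35 minutes; 203.0.113.7 is a normal web client; one sshd line is noise.
SAMPLE_LOG = """\
Jan 22 10:00:00 web kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 22 10:10:00 web kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Jan 22 10:20:00 web kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
Jan 22 10:30:00 web kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
Jan 22 10:35:00 web kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110 SYN
Jan 22 10:38:01 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4122 DPT=21 SYN
Jan 22 10:38:01 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4123 DPT=22 SYN
Jan 22 10:38:02 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4124 DPT=23 SYN
Jan 22 10:38:02 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4125 DPT=25 SYN
Jan 22 10:38:03 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4126 DPT=79 SYN
Jan 22 10:38:03 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4127 DPT=110 SYN
Jan 22 10:38:04 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4128 DPT=111 SYN
Jan 22 10:38:04 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4129 DPT=515 SYN
Jan 22 10:38:05 web sshd[812]: Accepted publickey for marc from 203.0.113.7 port 51022 ssh2
Jan 22 10:38:05 web kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51023 DPT=80 SYN
Jan 22 10:38:06 web kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51024 DPT=443 SYN
Jan 22 10:38:07 web kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51025 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2001):
    """Return (timestamp, source, dest_port) for a firewall LOG line, else None.

    syslog timestamps carry no year, so one is assumed (2001 to match the thread)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def detect_scans(lines, window_s=60, threshold=5):
    """Alert on any source that hits >= threshold distinct ports inside a window_s sliding window."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)  # src -> (ts, port) pairs still inside the window
    alerts = {}
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            a = alerts.setdefault(src, {"first": q[0][0], "last": ts, "ports": set()})
            a["last"] = ts
            a["ports"] |= ports
    return {src: {**a, "ports": sorted(a["ports"])} for src, a in alerts.items()}


if __name__ == "__main__":
    print(json.dumps(detect_scans(SAMPLE_LOG.splitlines()), indent=2, default=str))
```

With the defaults only the fast sweep fires; the slow prober never has five ports inside any 60-second window, which is exactly how patient scanners stay under simple thresholds. Widening the window (or counting distinct ports per source per day) catches it at the cost of more state, and on a centralized syslog host the same loop can run across every machine's lines at once.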

