
Re: Hacked!
Glen, sorry to hear about that. I might be able to offer some help for the future.

Glen Austin wrote:

[Lots of stuff that, as usual in such cases, left me initially wondering why you were so sure you'd had an intruder. Many times people jump to this conclusion without reasonable evidence. And then you said:]

After that, I noticed that someone was somehow setting my ethernet card into promiscuous mode.

And that's pretty much a smoking gun (unless you're running VMware, in which case it's normal). Another would be suddenly finding that you were out of disk space, and eventually finding concealed directories with names like ".. " (note space character) that seem to have gigs worth of apparently stolen proprietary software, attack tools, rootkit tarballs (which are trojaned replacements for standard utilities that the attacker installs after break-in to conceal his presence), etc.

I let someone use my telnet and ftp to move some big files from a training class

So, yeah, that was dumb. Anonymous ftp isn't (in itself) a risk, but non-anonymous ftp is, because it exposes shell passwords in plaintext across the open Internet. For the same reason, so is telnet and regular (non-SSL-wrapped) POP3. All bad, and you should never enable inbound access to any of them for anyone. (Machines on a deemed-safe private network might reasonably use them among themselves. Otherwise, never.)

There are those who want you to enable them anyway, just this once, just for them, because they think it's necessary. They're mistaken. There are ssh/scp client programs for all OS platforms in common use, even plain MS-DOS. I happen to maintain the most-comprehensive [link|http://linuxmafia.com/pub/linux/security/ssh-clients|list] of those packages anywhere. Your friend needed only to grab one of those for his OS platform, and use it instead of telnet and ftp.

So I reloaded RedHat 7.1, but this time I installed with max firewall security.

People believe in IP filtering as if they'd waved a dead chicken over their machines and invoked the Great Spirit. Feh. If a service is vulnerable, turn it off. If a particular daemon is buggy as the Watergate Office Building (e.g., wu-ftpd), but you need to offer the service, find a better-built substitute.

...even changed the ipchains config to disallow anything but HTTP, DHCP, and ssh from the outside....

Here's a thought: If you don't need to run a Web server, turn it off. If you don't need to run a DHCP daemon, turn it off. If you don't need to run an SSH daemon, turn it off. What, you're not absolutely sure what services your machine is advertising? First, look at the output of "ps auxw | more". Next, run nmap against your machines, to find out from an attacker's perspective what services are visible on them.

You'll find more about that, and some further tips, in my article for LinuxWorld.com, a couple of years back, [link|http://www.itworld.com/Sec/2199/LWD000829hacking/|Attacking Linux].

I may go back and disallow ssh, too, because I've heard that ssh can be hacked.

Um, the current OpenSSH v. 3.4p1 doesn't have any known vulnerabilities. But the first question you need to ask is: Do I need to run an SSH daemon at all? If you're not sure, as always, turn it off and find out. If you need it, you'll definitely find out.

If it turns out that you need an SSH daemon but for some reason don't trust OpenSSH, you could switch to LSH, a written-from-scratch implementation of the ssh 2.0 protocol only (no 1.5 protocol support).

I'd like to run the webserver, but I'm leaving Apache down until I can get the latest patches on it to cover some of the security alerts that have recently come out.

Do you need a Web server? If you do, do you need specifically Apache? Apache is stable and featureful, but its full-featured nature means that it has a lot of complexity, and complex code (other things being equal) is security-risky. And there are a couple of dozen less-complex, faster, probably more secure HTTP daemons. Boa, thttpd, fnord.... I list all the open-source ones I know of at [link|http://linuxmafia.com/~rick/faq/#djb|http://linuxmafia.com/~rick/faq/#djb] (11 paragraphs down). Why run a complex daemon if you can use a simpler one?

I really don't want to upgrade, because the config on the upgrade says I need a 400 mhz machine, and I only have a 300 mhz machine.

You know, what it says on the box is horsepockey. RH 8.0 isn't any more processor-intensive than any other Linux distribution. My main desktop box is an AMD K6/233, and it's fine. Linux simply isn't processor-intensive, except in special math-intensive applications.

I also started tripwire.

Pretty good idea. But Tripwire will keep you busy for a long time trying to tune its reporting, to stop sending you meaningless stuff, and make sure it properly tests directory and file attributes that actually matter.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
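The post says to look at "ps auxw" and then run nmap to see what the box advertises. As an added example (not code from the thread, and not anything Rick published), here is the step in between: read the kernel's own socket table from /proc/net/tcp and list what is in LISTEN state, together with whether it is bound to every interface or to loopback only. The sample table embedded in the script is constructed for the demo; on a live Linux machine the script reads the real file.

```python
"""List TCP sockets in LISTEN state straight from /proc/net/tcp.

Added example, not code from the thread: it answers "what is my machine
advertising?" from the kernel's own table, which is what nmap would see
from outside (minus any packet filter in the way).  The sample table below
is constructed for the demo; main() reads the real file when it exists.
"""
import os
import socket
import struct

TCP_LISTEN = 0x0A  # value the kernel prints in the 'st' column for LISTEN

# Constructed sample in /proc/net/tcp layout (not a real capture): sshd and
# telnetd bound to every interface, httpd bound to loopback only, and one
# established connection that an audit must ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 00000000 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 00000000 100 0 0 10 0
   2: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 10003 1 00000000 100 0 0 10 0
   3: 0201A8C0:0016 6401A8C0:C350 01 00000000:00000000 02:00012345 00000000     0        0 10004 2 00000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22).  The kernel prints the IPv4
    address as a 32-bit value in host byte order, which on the x86 boxes
    discussed in the thread means little-endian; the explicit '<' keeps the
    sample decoding the same on any host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text):
    """Return the LISTEN sockets as dicts sorted by port, then address."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        # data rows start with a row number such as '0:'; skip the header
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        found.append({"ip": ip, "port": port,
                      "uid": int(fields[7]), "inode": int(fields[9])})
    return sorted(found, key=lambda s: (s["port"], s["ip"]))


def exposure(ip):
    """Classify who can reach a bound address."""
    if ip == "0.0.0.0":
        return "ALL INTERFACES"
    if ip.startswith("127."):
        return "loopback only"
    return "single interface"


def report(text):
    """One human-readable line per listening socket."""
    return ["%s:%d  uid=%d  inode=%d  (%s)" % (s["ip"], s["port"], s["uid"],
                                             s["inode"], exposure(s["ip"]))
            for s in listening_sockets(text)]


if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for line in report(text):
        print(line)
```

The inode column is what ties a socket back to a process: "ps auxw" alone cannot tell you which daemon owns port 23, but the inode can be matched against the socket symlinks under /proc/*/fd (which is what "netstat -lnp" and "lsof -i" do for you). Anything reported as ALL INTERFACES that you cannot name is the first thing to shut off.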
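Two things in the post above lend themselves to one worked example: the concealed directories with names like ".. " (trailing space) that turn up after a break-in, and the remark that Tripwire needs tuning so that it reports attributes that actually matter. The following script is an added example, not code from the thread and not Tripwire itself. It baselines a tree on the attributes worth alarming on (file type, mode bits, owner, size, content hash, symlink target) and deliberately ignores access and modification times, the usual source of noise; on comparison it flags added entries whose names are of the dots-and-whitespace family. The demo tree is constructed in a temporary directory.

```python
"""Tripwire-style baseline/compare over a directory tree.

Added example, not from the thread and not Tripwire's own code.  Records only
the attributes worth alarming on and skips atime/mtime, which are trivially
forged and change constantly.  Newly added names of the '.. ' family are
flagged.  The tree used by demo() is constructed in a temp directory.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def suspicious_name(name):
    """Return why a directory entry name looks like a hiding spot, or None."""
    if name != name.strip():
        return "leading/trailing whitespace"
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return "control character"
    if set(name) <= set(". \t"):          # '...', '. .', and friends
        return "dots only"
    return None


def snapshot(root):
    """Map relative path -> the attributes that matter for integrity."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rec = {"type": stat.S_IFMT(st.st_mode),
                   "mode": stat.S_IMODE(st.st_mode),
                   "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISREG(st.st_mode):
                rec["size"] = st.st_size
                rec["sha256"] = sha256_of(full)
            elif stat.S_ISLNK(st.st_mode):
                rec["target"] = os.readlink(full)
            entries[os.path.relpath(full, root)] = rec
    return entries


def compare(baseline, current):
    """Return (kind, path, detail) tuples for added/removed/changed entries."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append(("added", rel, suspicious_name(os.path.basename(rel)) or ""))
        elif rel not in current:
            findings.append(("removed", rel, ""))
        else:
            old, new = baseline[rel], current[rel]
            diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if diff:
                findings.append(("changed", rel, ",".join(diff)))
    return findings


def demo():
    """Build a tiny tree, baseline it, then simulate a rootkit install."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        ls = os.path.join(root, "bin", "ls")
        passwd = os.path.join(root, "etc", "passwd")
        with open(ls, "w") as f:
            f.write('#!/bin/sh\nexec /bin/ls "$@"\n')
        os.chmod(ls, 0o755)
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        baseline = snapshot(root)

        # Attacker: trojaned ls of identical size (only the hash moves),
        # passwd made world-writable, and a hidden '.. ' directory.
        with open(ls, "w") as f:
            f.write('#!/bin/sh\nexec /tmp/ls "$@"\n')
        os.chmod(passwd, 0o666)
        os.mkdir(os.path.join(root, ".. "))
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print("%-8s %-14s %s" % (kind, repr(path), detail))
```

The trojaned ls in the demo is the same length as the original, so a checker that looked only at size and mtime would miss it; the content hash is what catches it. Conversely, the two directories whose mtime moved when entries were added produce no report at all, which is the tuning the post is talking about. The baseline only means something if it is computed before the intruder arrives and stored where he cannot rewrite it (read-only media, or another host).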
Re: Hacked!
Correction: OpenSSH 3.5p1 has no known vulnerabilities. I run a 3.4p1 with patches backported, and lazily just reported my own version number without bothering to double-check what current release it corresponds to. Sorry.


If you lived here, you'd be $HOME already.
Thanks...
I would like to have OpenSSH because I could access my home Linux system from other places, when I need to. I don't do this a lot of the time, but when I need it, it is really convenient.

I would like to have Apache running because I have some stuff I'm coding in PHP/JavaScript I would like to demo to some people.

And finally, the IP address I get for the cable modem is DHCP. I don't necessarily need to SERVE DHCP, but I am a client. I have tried asking for a static IP, and for that, they want to make me a "business" customer for 5x the price I'm paying now.

Re: Thanks...
You're welcome.

gdaustin wrote:

I would like to have OpenSSH because I could access my home Linux system from other places, when I need to. I don't do this a lot of the time, but when I need it, it is really convenient.

Yeah, ditto. If you're really worried about security exposures, you could switch to [link|http://www.lysator.liu.se/~nisse/lsh/|LSH] a written-from-scratch implementation of the v. 2.0 SSH protocol only. Some people run the OpenSSH daemon configured to accept v. 2.0 connections only, on grounds of it using theoretically stronger crypto algorithms than the older 1.5 protocol. I figure, if you're going to do that, the same logic would suggest also switching to LSH's simpler codebase.

The disadvantage of supporting incoming 2.0-protocol connections only is that you might find yourself sitting at a machine for whose OS only 1.5-protocol client software exists. Here's a summary of the OS-support situation, copied from my [link|http://linuxmafia.com/pub/linux/security/ssh-clients|ssh-clients] file:

OS                    2.0     1.5
==                    ===     ===
Amiga OS               -       PC
BeOS                   -       PC
Cisco IOS              -       P
Java                   PC      FC
Macintosh OS v. < 10   FC      PC
MS-DOS                 -       PC
OpenVMS                -       FC
OS/2                   P       P
PalmOS                 -       PC
Unix incl. MacOS X     F       F
Win16                  PC      PC
Win32                  F       F
WinCE                  -       FC

Key: F=free / open-source software (per DFSG/OSD), C=client-only, P=proprietary
DFSG: [link|http://www.debian.org/social_contract#guidelines|http://www.debian.org/social_contract#guidelines]
OSD: [link|http://www.opensource.org/docs/definition_plain.html|http://www.opensource.org/docs/definition_plain.html]
("Proprietary" in the software context means non-open-source.)

So, choose your poison. (Note that you can't really make effective use of either IP-filtering scripts, e.g., ipchains/netfilter, or host access control, i.e., hosts.allow and hosts.deny files, for incoming SSH service, given that, like me, you want the option of SSHing in from anywhere.)

I would like to have Apache running because I have some stuff I'm coding in PHP/JavaScript I would like to demo to some people.

If you mean server-side JavaScript, then Apache does have a module for that, but it might be the case that other open-source httpds for *ix do, too. You might want to look around, if you're trying to reduce security exposure. (For client-side JavaScript, obviously any httpd will do.) PHP is definitely possible with a bunch of the other httpds. I cover this in my [link|http://linuxmafia.com/~rick/lecture-notes/php4|lecture] on PHP4.

And finally, the IP address I get for the cable modem is DHCP.

Hmm. You may encounter some serious difficulties from time to time, with Apache, if nothing else: Apache expects to have a server IP address in its configuration file, and gets really unhappy when the machine IP changes without the configuration file doing likewise. Of course, you could bind it to the loopback address (127.0.0.1), but then it'll be a local-only Web server. On the other hand, if you don't need remote access to the httpd, then that might be actually preferable, as reducing your security exposure further.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
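The two configuration points in the reply above (an OpenSSH daemon accepting v2.0 connections only, and an Apache bound to the loopback address rather than to a DHCP-assigned address) are easy to state and easy to get wrong on a box that has been reinstalled in a hurry. As an added example, not code from the thread and not part of OpenSSH or Apache, here is a small audit that parses the two files and reports the weak settings, with a weak and a hardened sample of each embedded for the demo. The directive names (Protocol in sshd_config, Listen in httpd.conf) are real; the sample config texts are constructed. It also handles the "*:port" and "[::1]:port" spellings of Listen, which the reply does not mention.

```python
"""Audit sshd_config and httpd.conf for two exposures: SSH-1 still enabled,
and a Web server bound to something other than loopback.

Added example, not from the thread.  Directive names are real (Protocol in
OpenSSH's sshd_config, Listen in Apache's httpd.conf); the config texts are
constructed, one weak and one hardened for each daemon.  Comments sit on
their own lines because neither daemon accepts trailing '#' comments.
"""

WEAK_SSHD_CONFIG = """\
# sshd_config as commonly shipped with OpenSSH 3.x: accepts SSH-1 and SSH-2
Port 22
Protocol 2,1
"""

HARDENED_SSHD_CONFIG = """\
# SSH-2 only; clients that speak only the 1.5 protocol are refused
Port 22
Protocol 2
"""

WEAK_HTTPD_CONFIG = """\
# bare port: Apache binds every interface, so the whole cable segment can reach it
Listen 80
"""

HARDENED_HTTPD_CONFIG = """\
# loopback only: reachable from the box itself (or through an ssh tunnel),
# and unaffected by DHCP handing out a new address
Listen 127.0.0.1:80
"""


def parse_directives(text):
    """(directive, value) pairs; both files use 'Name value' lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def audit_sshd(text):
    findings = []
    protocols = [v for d, v in parse_directives(text) if d == "protocol"]
    if not protocols:
        # sshd_config(5) for the 3.x series documents the default as "2,1"
        findings.append("Protocol unset; OpenSSH 3.x default is 2,1, so SSH-1 is accepted")
    for value in protocols:
        if "1" in {v.strip() for v in value.split(",")}:
            findings.append("Protocol %s permits SSH-1" % value)
    return findings


def audit_apache(text):
    findings = []
    listens = [v for d, v in parse_directives(text) if d == "listen"]
    if not listens:
        findings.append("no Listen directive; Apache 1.3 falls back to Port/BindAddress, all interfaces by default")
    for value in listens:
        addr = value.split()[0]            # 'Listen 127.0.0.1:80 https' -> '127.0.0.1:80'
        if ":" not in addr or addr.startswith("*:") or addr.startswith("0.0.0.0:"):
            findings.append("Listen %s binds all interfaces" % value)
        elif not (addr.startswith("127.") or addr.startswith("[::1]")):
            findings.append("Listen %s binds a fixed routable address; breaks when DHCP changes it" % value)
    return findings


if __name__ == "__main__":
    for label, text, audit in [("weak sshd", WEAK_SSHD_CONFIG, audit_sshd),
                               ("hardened sshd", HARDENED_SSHD_CONFIG, audit_sshd),
                               ("weak httpd", WEAK_HTTPD_CONFIG, audit_apache),
                               ("hardened httpd", HARDENED_HTTPD_CONFIG, audit_apache)]:
        print(label + ":", audit(text) or ["ok"])
```

Binding Apache to 127.0.0.1 does not make the demo impossible to show to other people: an "ssh -L 8080:127.0.0.1:80 yourhost" from their end, or from yours, carries the browser traffic inside the one daemon you have decided to keep exposed.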
One note: OpenSSH is available for OS/2
Got ported by some guys in Russia. Umm... lessee... here we go: [link|http://devcenter.os2.ru/openssh/|OpenSSH/2]. You need to replace part of the generalised system telnet infrastructure to get full benefit out of it... SSH doesn't understand VIO, so you need to insert special software between the daemon and the prompt to make sure the control codes get transmitted to the client properly. It's currently at version 3.4 p1.6.

You can get the latest version from [link|http://hobbes.nmsu.edu|Hobbes]. If anyone's thinking about checking out Warp, I highly recommend some time cruising through Hobbes to get a feel for what's out there. Other good sites include [link|http://www.unixos2.org|UnixOS2], [link|http://openwatcom.org|OpenWatcom], [link|http://os2ports.com|OS/2 Ports]. Lotsa good stuff out there.
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* http://consultron.ca                   irc://irc.ecomstation.ca *
* Laval Québec Canada                   news://news.consultron.ca *
-------------------------------------------------------------------
Re: One note: OpenSSH is available for OS/2
jake123 wrote:

Got ported by some guys in Russia.

Outstanding! Duly added and noted in my OS-coverage chart. Thank you!

With that port, OS/2 rises to the top rank, along with *ix.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Under the covers...
There is a LOT of work going into posix compatibility libraries for OS/2. Go look at [link|http://os2ports.org|http://os2ports.org] and [link|http://unixos2.org|http://unixos2.org]. While my knowledge of stuff like modules and other *nix specific setup stuff, a lot of the programs like the gnu text and file utils and so on are very familiar to me... they've been ported to my fave platform for many years now.
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* http://consultron.ca                   irc://irc.ecomstation.ca *
* Laval Québec Canada                   news://news.consultron.ca *
-------------------------------------------------------------------
Edited by jake123 Nov. 7, 2002, 11:43:18 AM EST