Glen, sorry to hear about that. I might be able to offer some help for the future.
Glen Austin wrote:
[Lots of stuff that, as usual in such cases, left me initially wondering why you were so sure you'd had an intruder. Many times people jump to this conclusion without reasonable evidence. And then you said:]
After that, I noticed that someone was somehow setting my ethernet card into promiscuous mode.
And that's pretty much a smoking gun (unless you're running VMware, in which case it's normal). Another would be suddenly finding that you were out of disk space, and eventually finding concealed directories with names like ".. " (note space character) that seem to have gigs worth of apparently stolen proprietary software, attack tools, rootkit tarballs (which are trojaned replacements for standard utilities that the attacker installs after break-in to conceal his presence), etc.
I let someone use my telnet and ftp to move some big files from a training class
So, yeah, that was dumb. Anonymous ftp isn't (in itself) a risk, but non-anonymous ftp is, because it exposes shell passwords in plaintext across the open Internet. For the same reason, so is telnet and regular (non-SSL-wrapped) POP3. All bad, and you should never enable inbound access to any of them for anyone. (Machines on a deemed-safe private network might reasonably use them among themselves. Otherwise, never.)
There are those who want you to enable them anyway, just this once, just for them, because they think it's necessary. They're mistaken. There are ssh/scp client programs for all OS platforms in common use, even plain MS-DOS. I happen to maintain the most comprehensive [link|http://linuxmafia.com/pub/linux/security/ssh-clients|list] of those packages anywhere. Your friend needed only to grab one of those for his OS platform, and use it instead of telnet and ftp.
So I reloaded RedHat 7.1, but this time I installed with max firewall security.
People believe in IP filtering as if they'd waved a dead chicken over their machines and invoked the Great Spirit. Feh. If a service is vulnerable, turn it off. If a particular daemon is buggy as the Watergate Office Building (e.g., wu-ftpd), but you need to offer the service, find a better-built substitute.
...even changed the ipchains config to disallow anything but HTTP, DHCP, and ssh from the outside....
Here's a thought: If you don't need to run a Web server, turn it off. If you don't need to run a DHCP daemon, turn it off. If you don't need to run an SSH daemon, turn it off. What, you're not absolutely sure what services your machine is advertising? First, look at the output of "ps auxw | more". Next, run nmap against your machines, to find out from an attacker's perspective what services are visible on them.
You'll find more about that, and some further tips, in my article for LinuxWorld.com, a couple of years back, [link|http://www.itworld.com/Sec/2199/LWD000829hacking/|Attacking Linux].
I may go back and disallow ssh, too, because I've heard that ssh can be hacked.
Um, the current OpenSSH v. 3.4p1 doesn't have any known vulnerabilities. But the first question you need to ask is: Do I need to run an SSH daemon at all? If you're not sure, as always, turn it off and find out. If you need it, you'll definitely find out.
If it turns out that you need an SSH daemon but for some reason don't trust OpenSSH, you could switch to LSH, a written-from-scratch implementation of the ssh 2.0 protocol only (no 1.5 protocol support).
I'd like to run the webserver, but I'm leaving Apache down until I can get the latest patches on it to cover some of the security alerts that have recently come out.
Do you need a Web server? If you do, do you need specifically Apache? Apache is stable and featureful, but its full-featured nature means that it has a lot of complexity, and complex code (other things being equal) is security-risky. And there are a couple of dozen less-complex, faster, probably more secure HTTP daemons. Boa, thttpd, fnord.... I list all the open-source ones I know of at [link|http://linuxmafia.com/~rick/faq/#djb|http://linuxmafia.com/~rick/faq/#djb] (11 paragraphs down). Why run a complex daemon if you can use a simpler one?
I really don't want to upgrade, because the config on the upgrade says I need a 400 mhz machine, and I only have a 300 mhz machine.
You know, what it says on the box is horsepockey. RH 8.0 isn't any more processor-intensive than any other Linux distribution. My main desktop box is an AMD K6/233, and it's fine. Linux simply isn't processor-intensive, except in special math-intensive applications.
I also started tripwire.
Pretty good idea. But Tripwire will keep you busy for a long time trying to tune its reporting, to stop sending you meaningless stuff, and make sure it properly tests directory and file attributes that actually matter.
Rick Moen
rick@linuxmafia.com
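The "find out what your machine is advertising, then turn off what you don't need" step above can be made repeatable. The script below is an added example, not code from the post or from either participant: it lists externally reachable listening sockets, compares them against an allowlist of the services you actually intend to expose (here, the HTTP/DHCP/ssh set mentioned in the thread, which is an assumption), and prints everything else as a candidate for shutting down. The sample socket listing is constructed so the check runs offline; the `--live` mode assumes the `ss` utility from iproute2 is installed.

```shell
#!/bin/sh
# Added example (not from the original post): report listening services
# that are not on an explicit allowlist, so each extra one can be turned off.

# Ports we intend to keep reachable from outside: ssh, DHCP server, HTTP.
# This set is an assumption based on the thread; adjust to your own needs.
ALLOWED_PORTS="22 67 80"

# Constructed sample in the shape of `ss -H -ltun` output
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_LISTENERS='tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80    0.0.0.0:*
tcp   LISTEN 0 5   0.0.0.0:23    0.0.0.0:*
tcp   LISTEN 0 5   0.0.0.0:21    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:25  0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:67    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111   0.0.0.0:*'

# listeners_from LISTING: print "proto port" for every socket that is
# reachable from other hosts. Loopback-only binds are skipped, because
# they are not visible from an attacker's perspective.
listeners_from() {
    printf '%s\n' "$1" | awk '
        NF >= 5 {
            if ($5 ~ /^127\./ || $5 ~ /^\[::1\]/) next
            port = $5
            sub(/.*:/, "", port)      # keep only the part after the last colon
            print $1, port
        }'
}

# unexpected_listeners LISTING ALLOWED_PORTS: print "proto/port" for each
# reachable listener whose port is not in the space-separated allowlist.
unexpected_listeners() {
    listeners_from "$1" | while read -r proto port; do
        case " $2 " in
            *" $port "*) ;;                 # intended service, keep quiet
            *) echo "$proto/$port" ;;       # not on the allowlist: candidate to disable
        esac
    done
}

# Usage:  sh audit-listeners.sh --sample   (constructed data)
#         sh audit-listeners.sh --live     (real sockets via ss)
case "${1:-}" in
    --sample) unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PORTS" ;;
    --live)   unexpected_listeners "$(ss -H -ltun)" "$ALLOWED_PORTS" ;;
esac
```

Run against the sample, the script flags telnet (tcp/23), ftp (tcp/21) and portmapper (udp/111) while staying silent about the allowed ssh, HTTP and DHCP ports and the loopback-only SMTP socket. The intent is the same as the `ps auxw` and nmap checks in the post: every line of output is a service you either add to the allowlist deliberately or shut down.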