New Not quite that easy, but I think I have it fixed....
Thanks.

I had to use the init= option to open a root shell.

Then I had to figure out how to remount the root drive as rw.

Just finished and am rebooting now.

Glen Austin
New Fixed...
Now I'm changing all the passwords in the system.

Then, I'll start looking at all the listening processes on the system.

They can attack something that isn't listening.

Glen
New Shouldn't you be fixing this at the firewall?
That's what I do.

That way I limit the amount of stuff I have to secure.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
New This box IS my firewall...
I thought I had it set up pretty tight, took an IPTABLES script from gfolkert, turned off FTP and TELNET, moved ssh to a high-numbered port.

Still, the passwd file was dated July 12th, and I was building and installing apache2 about that time. So it is possible I changed the root pw and forgot. I tried all the common variants I use and none worked.

Also, I have a co-worker at work who "hacks for fun". If you tell him to break into your box, he will. Then he gives you a list of things to fix. I did about 1/2 the list, so I need to go back to him and find out about things like chroot (which I didn't do) and others. It is possible he set his little cracker software out against my box. He doesn't attack people maliciously, he says, and he usually tells you when he does something.

Glen Austin
Edited by gdaustin July 27, 2003, 06:36:08 PM EDT
New Re: This box IS my firewall...
apt-cache search firewall, then :-)

I'm sure Rick will leap in with some useful suggestions for tools to help automate the firewall process.

Me, I have a hardware firewall and have never ever configured firewalling on a Linux box.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
New If you haven't already
you might want to look into tools like SNORT:
[link|http://www.snort.org/|http://www.snort.org/]

They might help you.
New Chasing ghosts?
Glen wrote:

Now I'm changing all the passwords in the system. Then, I'll start looking at all the listening processes on the system. They can attack something that isn't listening.

Umm..., is the only reason you think you've suffered security compromise the fact that suddenly what you thought was your root password didn't work, and you weren't entirely sure whether you'd changed it? No other signs of break-in whatsoever? That sounds more than a little thin.

However, if you haven't looked at all the listening processes on the system, it's indeed about time. I'm curious about how you're doing that without trusting any of the tools on the suspect system.

(Yes, I am being mildly ironic. How to examine a running system for signs of compromise is a difficult problem.)

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
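
Added example (not part of any post in this thread): one way to list listening TCP sockets without running netstat from the suspect disk is to decode the kernel's own table in /proc/net/tcp. The sample table, the allowed-port set and the function names are constructed for illustration; this still trusts the running kernel, so it narrows the problem raised above rather than solving it.

```python
import socket
import struct

LISTEN = "0A"  # state code the kernel uses for TCP_LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not taken from the machine in the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:5BA1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 1388 1 0 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1490 1 0 100 0 0 10 0
   3: 0A00A8C0:5BA1 1400A8C0:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 1502 1 0 100 0 0 10 0
"""

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port)."""
    addr_hex, port_hex = field.split(":")
    # Assumption: little-endian host (x86); the address is a host-order 32-bit word.
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)

def listening_sockets(table_text):
    """Return LISTEN-state rows as dicts, sorted by port."""
    found = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:   # ignore short or non-listening rows
            continue
        addr, port = decode_endpoint(cols[1])
        found.append({
            "addr": addr,
            "port": port,
            "uid": int(cols[7]),                  # owner of the socket
            "inode": int(cols[9]),                # match against /proc/<pid>/fd links
            "exposed": addr == "0.0.0.0",         # bound to every interface
        })
    return sorted(found, key=lambda s: s["port"])

def unexpected(listeners, allowed_ports):
    """Listeners whose port is not on the list you intended to run."""
    return [s for s in listeners if s["port"] not in allowed_ports]

if __name__ == "__main__":
    allowed = {23457}  # hypothetical: the relocated ssh port only
    for s in unexpected(listening_sockets(SAMPLE), allowed):
        scope = "all interfaces" if s["exposed"] else "local only"
        print(f"unexpected listener {s['addr']}:{s['port']} uid={s['uid']} ({scope})")
```

On a live system, pass the contents of /proc/net/tcp instead of SAMPLE, and compare the result with a port scan run from a second machine.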
New Now I'm thinking I changed it...
The passwd file was dated 7/12, and that's the date I installed apache2 and php. I set up a tester web server with PHP installed on that very date.

I've been getting the latest apt-get about once every two weeks. Maybe I need to be a little more vigilant about that.

I'll take a look at snort, and I'll get the rest of the list from my "hacker" co-worker. I'd like for this system to be pretty "hard", if it can be.

Glen Austin
     Help! - (gdaustin) - (15)
         Use the install CD - (pwhysall) - (9)
             Not quite that easy, but I think I have it fixed.... - (gdaustin) - (7)
                 Fixed... - (gdaustin) - (6)
                     Shouldn't you be fixing this at the firewall? - (pwhysall) - (2)
                         This box IS my firewall... - (gdaustin) - (1)
                             Re: This box IS my firewall... - (pwhysall)
                     If you haven't already - (orion)
                     Chasing ghosts? - (rickmoen) - (1)
                         Now I'm thinking I changed it... - (gdaustin)
             Re: Use the install CD - (gdaustin)
         Root password, rooted box - (kmself) - (4)
             Re: Root password, rooted box - (rickmoen) - (2)
                 Forensics - (kmself) - (1)
                     Re: Forensics - (rickmoen)
             Exactly what I did... - (gdaustin)