Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-12 Thread Stroller


On 11 Aug 2010, at 19:16, Dale wrote:

Stroller wrote:


On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:

...
Good Luck getting people to change them frequently and having
your techs and IT departments meeting complexity and length policy.


I'm pretty sure that's a trivial setting for expiration policy and  
a PAM plugin or option to enforce complexity.


Thing about changing passwords too often, the person forgets what the
password is.


Then don't change it with frequency.

It was Mr Valliant-Saunders who seemed to be saying that that is  
difficult to enforce, and I was merely replying to him.


Stroller.




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-12 Thread Stroller


On 11 Aug 2010, at 21:30, Alan McKinnon wrote:

...
My users pick their own passwords - I present a list of 5 from apg and let
them pick one


apg's results seem awfully unmemorable by default.

I tend to prefer random password generators that create pronounceable
nonsense words, by stringing together random syllables, rather than
just letters.


Do you know if apg can do that? I'm sure it's in the manpage, so  
forgive me for not parsing it at this time of the morning.


Stroller.




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-12 Thread Alan McKinnon
On Thursday 12 August 2010 15:01:12 Stroller wrote:
 On 11 Aug 2010, at 21:30, Alan McKinnon wrote:
  ...
  My users pick their own passwords - I present a list of 5 from apg and let
  them pick one
 
 apg's results seem awfully unmemorable by default.
 
 I tend to prefer random password generators that create pronounceable
 nonsense words, by stringing together random syllables, rather than
 just letters.
 
 Do you know if apg can do that? I'm sure it's in the manpage, so
 forgive me for not parsing it at this time of the morning.

Yes, it can do that. It's for that reason I use it.

The command I use is:

$ apg -m8 -x8 -MCNL
Badnack9
VeOsFid5
JucWeac9
EowtUzt1
SceybEf8
ByejCys1

Passwords are 8 chars simply because some elements of the environment have
that limitation. As you can see, the passwords tend to be pronounceable. And
many, many tests run have convinced me that the passwords have sufficient
entropy to be good enough - "good enough" being defined as john the ripper
didn't brute force it in 48 hours.



-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-12 Thread Peter Humphrey
On Thursday 12 August 2010 20:21:23 Alan McKinnon wrote:

 The command I use is:
 
 $ apg -m8 -x8 -MCNL
 Badnack9
 VeOsFid5
 JucWeac9
 EowtUzt1
 SceybEf8
 ByejCys1

After following this thread I emerged apg, thinking it looked useful. 
But according to the man page and apg --help, the only upper-case 
options are N and E. No M. This is version 2.3.0b-r4; which version are 
you using?

-- 
Rgds
Peter.  Linux Counter 5290, 1994-04-23.



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-12 Thread Alan McKinnon
On Thursday 12 August 2010 21:43:17 Peter Humphrey wrote:
 On Thursday 12 August 2010 20:21:23 Alan McKinnon wrote:
  The command I use is:
  
  $ apg -m8 -x8 -MCNL
  Badnack9
  VeOsFid5
  JucWeac9
  EowtUzt1
  SceybEf8
  ByejCys1
 
 After following this thread I emerged apg, thinking it looked useful.
 But according to the man page and apg --help, the only upper-case
 options are N and E. No M. This is version 2.3.0b-r4; which version are
 you using?


[I] app-admin/apg
 Available versions:  2.3.0b-r4 {cracklib}
 Installed versions:  2.3.0b-r4(15:30:43 10/06/10)(cracklib)
 Homepage:http://www.adel.nursat.kz/apg/
 Description: Another Password Generator


I think you're reading the man page wrong. Look under -M


-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-12 Thread Dale

Stroller wrote:


On 11 Aug 2010, at 19:16, Dale wrote:

Stroller wrote:


On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:

...
Good Luck getting people to change them frequently and having your
techs and IT departments meeting complexity and length policy.


I'm pretty sure that's a trivial setting for expiration policy and a 
PAM plugin or option to enforce complexity.


Thing about changing passwords too often, the person forgets what the
password is.


Then don't change it with frequency.

It was Mr Valliant-Saunders who seemed to be saying that that is 
difficult to enforce, and I was merely replying to him.


Stroller.



For some reason I missed the original of his.  I still can't find it 
even tho it is quoted here.  My reply wasn't to you but just a general 
reply.  Most of my replies are general.


Nothing aimed at you tho.

Dale

:-)  :-)



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-11 Thread Dale

Walter Dnes wrote:

On Tue, Aug 10, 2010 at 09:16:20PM -0500, Dale wrote

   

I used to use wvdial as well as pon and I don't recall having to be
root.  I added myself the dial-up group if I recall correctly.  It just
worked for me.

I also don't use sudo here either.  ;-)
 

   As I mentioned, I also have to copy a new ssmtp.conf.  I'm aware of
the -C option for ssmtp, but then I'd have to muck around with mutt when
switching between ADSL and dialup.  This way, mutt doesn't care.  It
just works.

   


Ah, so it's not pon that needs the permissions but another program.
That makes sense.  Sort of had me confused for a minute.


Don't worry, I have those minutes a lot.  lol   They sometimes pass 
pretty quick but some take a bit longer.


Dale

:-)  :-)



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-11 Thread Stroller


On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:

...
Good Luck getting people to change them frequently and having your
techs and IT departments meeting complexity and length policy.


I'm pretty sure that's a trivial setting for expiration policy and a  
PAM plugin or option to enforce complexity.


Stroller.




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-11 Thread Stroller


On 10 Aug 2010, at 19:50, Alan McKinnon wrote:
... The major threat by analysis on a workstation is stepping away for a
leak and forgetting to lock the screen. sudo is adequate protection against
this as long as more than 5 minutes have elapsed since the last sudo was
run - ...


And I seem to recall the 5 minute grace period can be changed or
removed in sudo's settings.


There was a big furore about this in the Mac community a couple of  
years ago, before someone pointed out that sudo existed and was  
established on Linux, too.


Stroller.




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-11 Thread Dale

Stroller wrote:


On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:

...
Good Luck getting people to change them frequently and having your
techs and IT departments meeting complexity and length policy.


I'm pretty sure that's a trivial setting for expiration policy and a 
PAM plugin or option to enforce complexity.


Stroller.



Thing about changing passwords too often, the person forgets what the
password is.  I have a good strong password for my bank and credit
card.  If I had to change it every month, six months or something, I
would set it to something simple so that I could remember what the
password is.   Then I would write it down to help me remember it as well.


Changing the password often can actually lead to other issues.

Dale

:-)  :-)



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-11 Thread Alan McKinnon
On Wednesday 11 August 2010 18:58:02 Stroller wrote:
 On 10 Aug 2010, at 19:50, Alan McKinnon wrote:
  ... The major threat by analysis on a workstation is stepping away for a
  leak and forgetting to lock the screen. sudo is adequate protection
  against this as long as more than 5 minutes have elapsed since the last
  sudo was run - ...
 
 And I seem to recall the 5 minute grace period can be changed or
 removed in sudo's settings.
 
 There was a big furore about this in the Mac community a couple of
 years ago, before someone pointed out that sudo existed and was
 established on Linux, too.
 
 Stroller.


And the clueless nutjobs on Ubuntu had exactly the same furore when Warty came 
out 6 years ago. And every other distro before that. And every other *nix 
before that right back to when sudo was released for the first time.

Every time it's the same. Rant! Rave! Go ballistic about ... about ... I 
dunno ... weird stuff about sudo!! Not a friggin brain cell amongst the 
lot of them.

I've developed a savage delight in systematically dismantling people's 
objections to sudo and showing how clueless they usually are. People who do 
understand sudo and know it doesn't fit their needs never seem to rant about 
it :-)


-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-11 Thread Alan McKinnon
On Wednesday 11 August 2010 20:16:42 Dale wrote:
 Stroller wrote:
  On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:
  ...
   Good Luck getting people to change them frequently and having your
   techs and IT departments meeting complexity and length policy.
  
  I'm pretty sure that's a trivial setting for expiration policy and a
  PAM plugin or option to enforce complexity.
  
  Stroller.
 
  Thing about changing passwords too often, the person forgets what the
  password is.  I have a good strong password for my bank and credit
  card.  If I had to change it every month, six months or something, I
  would set it to something simple so that I could remember what the
  password is.   Then I would write it down to help me remember it as well.
 
 Changing the password often can actually lead to other issues.


I refuse to implement password expiration policies and have a vast array of 
literature to back me up when some dimwit damager gets on his expiration high 
horse.

My users pick their own passwords - I present a list of 5 from apg and let 
them pick one. Accounts do expire if they go unused for 90 days, but not 
passwords.

What put me onto this policy? I found Gartner recommending password 
expiration. I find the best security possible is always the opposite of what 
Gartner says. Discovering how the AD admins in the company go about their jobs 
was the convincing straw :-)


-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords

2010-08-11 Thread Bill Longman
On 08/11/2010 01:30 PM, Alan McKinnon wrote:

 I refuse to implement password expiration policies and have a vast array of 
 literature to back me up when some dimwit damager gets on his expiration high 
 horse.
 
 My users pick their own passwords - I present a list of 5 from apg and let 
 them pick one. Accounts do expire if they go unused for 90 days, but not 
 passwords.
 
 What put me onto this policy? I found Gartner recommending password 
 expiration. I find the best security possible is always the opposite of what 
 Gartner says. Discovering how the AD admins in the company go about their 
 jobs 
 was the convincing straw :-)

The bigger buggerboo I see is the password complexity [il]logic.
There's this vapid requirement of all these different types of
characters needed in one's password, yet the thing you really want to
enforce is adequate entropy. If my password is an entire sentence, it
will not be brute-forced, even if I used just ASCII A-z. There's just
too much key space in 4.7^32. At 10^5 attempts per second, you're likely
to find the answer in half a billion years. I hope your keyboard still
works, let alone exists
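
An added example, written for this page rather than taken from any of the posters or from apg itself: a syllable-based generator of the kind Stroller asked for, with its entropy computed from the generator's own choices (the only honest way to measure it, since character-class rules say nothing about how the string was produced), and Bill's keyspace arithmetic carried through for Alan's 8-character [A-Za-z0-9] case and a 32-character sentence. The syllable tables and the 1.3 bits-per-character figure for English prose are assumptions made for the example.

```python
import math
import secrets

# Constructed syllable inventory: an assumption for this example, not apg's
# own tables. Every choice below is uniform, so the entropy is exactly
# log2(number of equally likely outputs) and can be computed, not guessed.
ONSETS = ["b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "v", "z",
          "sh", "ch", "st", "tr"]
VOWELS = ["a", "e", "i", "o", "u", "ei", "ou"]
CODAS = ["", "n", "s", "t", "k", "l", "r"]
DIGITS = "0123456789"
SYLLABLES = [o + v + c for o in ONSETS for v in VOWELS for c in CODAS]


def pronounceable(n_syllables=3, digits=1):
    """Random password built by stringing together random syllables plus
    trailing digits. Uses the OS CSPRNG via secrets, never random.random."""
    parts = [secrets.choice(SYLLABLES) for _ in range(n_syllables)]
    parts[0] = parts[0].capitalize()          # cosmetic: adds no entropy
    tail = "".join(secrets.choice(DIGITS) for _ in range(digits))
    return "".join(parts) + tail


def generator_bits(n_syllables=3, digits=1):
    """Entropy of pronounceable(): decided by the generator's choices, not by
    which character classes the result happens to contain."""
    return n_syllables * math.log2(len(SYLLABLES)) + digits * math.log2(len(DIGITS))


def uniform_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols: the
    'too much key space' count for a letters-only 32-character string."""
    return length * math.log2(alphabet_size)


def english_bits(length, bits_per_char=1.3):
    """Rough entropy of a natural-language sentence. English carries roughly
    1 to 1.5 bits per character, so a real sentence is far weaker than the
    uniform 52^n count suggests; 1.3 is an assumed midpoint."""
    return length * bits_per_char


def years_to_crack(bits, guesses_per_second):
    """Expected time to hit the password after searching half the space."""
    seconds = (2.0 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for _ in range(5):
        print(pronounceable())
    print("syllable generator: %.1f bits" % generator_bits())
    print("8 x [A-Za-z0-9]:    %.1f bits" % uniform_bits(62, 8))
    print("32 x [A-Za-z]:      %.1f bits" % uniform_bits(52, 32))
    print("32-char English:    %.1f bits" % english_bits(32))
    for rate in (1e5, 1e9):
        print("8 x [A-Za-z0-9] at %.0e guesses/s: %.2g years"
              % (rate, years_to_crack(uniform_bits(62, 8), rate)))
```

Two things the numbers show that the thread argues around: pronounceability costs entropy (this generator's 8-to-16-character output carries about 33 bits, well under the 47.6 bits of a uniform 8-character [A-Za-z0-9] string, and apg's pronounceable mode pays the same kind of price), and the guess rate is the whole story. At 10^5 guesses per second an 8-character uniform password lasts decades; against an offline hash at 10^9 per second it is gone in about a day, which is why "john didn't get it in 48 hours" only says something about the rate john was running at.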



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords

2010-08-11 Thread Alan McKinnon
On Thursday 12 August 2010 00:11:12 Bill Longman wrote:
 On 08/11/2010 01:30 PM, Alan McKinnon wrote:
  I refuse to implement password expiration policies and have a vast array
  of literature to back me up when some dimwit damager gets on his
  expiration high horse.
  
  My users pick their own passwords - I present a list of 5 from apg and
  let them pick one. Accounts do expire if they go unused for 90 days, but
  not passwords.
  
  What put me onto this policy? I found Gartner recommending password
  expiration. I find the best security possible is always the opposite of
  what Gartner says. Discovering how the AD admins in the company go about
  their jobs was the convincing straw :-)
 
 The bigger buggerboo I see is the password complexity [il]logic.
 There's this vapid requirement of all these different types of
 characters needed in one's password, yet the thing you really want to
 enforce is adequate entropy. If my password is an entire sentence, it
 will not be brute-forced, even if I used just ASCII A-z. There's just
 too much key space in 4.7^32. At 10^5 attempts per second, you're likely
 to find the answer in half a billion years. I hope your keyboard still
 works, let alone exists

Your reasoning makes sense, until you consider password length limits imposed 
by machines.

Cisco routers authenticating via Tacacs for instance often support nothing 
more than DES hashing yuck. The hash routines accept up to 10 characters for 
a password but only use the first 8 to calculate the hash.

There are Solaris versions nowhere near EOL yet that have similar limits.

All this makes my life as a system integrator cum authentication go-to guy very 
tricky indeed. Luckily management tends to say "Just do what Alan says. It 
makes him shut up and go away."

:-)

p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates in 5 
letters something that takes paragraphs any other way. I shall make a note for 
future use.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords

2010-08-11 Thread Bill Longman
On Wed, Aug 11, 2010 at 4:09 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

 On Thursday 12 August 2010 00:11:12 Bill Longman wrote:
  On 08/11/2010 01:30 PM, Alan McKinnon wrote:
   I refuse to implement password expiration policies and have a vast
 array
   of literature to back me up when some dimwit damager gets on his
   expiration high horse.
  
   My users pick their own passwords - I present a list of 5 from apg and
   let them pick one. Accounts do expire if they go unused for 90 days,
 but
   not passwords.
  
   What put me onto this policy? I found Gartner recommending password
   expiration. I find the best security possible is always the opposite of
   what Gartner says. Discovering how the AD admins in the company go
 about
   their jobs was the convincing straw :-)
 
  The bigger buggerboo I see is the password complexity [il]logic.
  There's this vapid requirement of all these different types of
  characters needed in one's password, yet the thing you really want to
  enforce is adequate entropy. If my password is an entire sentence, it
  will not be brute-forced, even if I used just ASCII A-z. There's just
  too much key space in 4.7^32. At 10^5 attempts per second, you're likely
  to find the answer in half a billion years. I hope your keyboard still
  works, let alone exists

 Your reasoning makes sense, until you consider password length limits
 imposed
 by machines.

 Cisco routers authenticating via Tacacs for instance often support nothing
 more than DES hashing yuck. The hash routines accept up to 10 characters
 for
 a password but only use the first 8 to calculate the hash.

 There are Solaris version nowhere near EOL yet that have similar limits.

 All this makes my life as a system integrator cum authenticate go-to guy
 very
 tricky indeed. Luckily management tends to say Just do what Alan says. It
 makes him shut up and go away.

 :-)

 p.s. dig the use of vapid. Wonderful word, truly splendid. Communicates
 in 5
 letters something that takes paragraphs any other way. I shall make a note
 for
 future use.

 --
 alan dot mckinnon at gmail dot com

Absolutely. If you do not change your ENCRYPT_METHOD or your PASS_MAX_LEN
in your login.defs file and are still relying on the back end's ability to
safely store your passwords in DES format, well, you're in trouble.
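
An added example, mine rather than Bill's or Alan's: a Python audit of the two things this exchange turns on, which hash scheme each /etc/shadow entry actually uses, and what login.defs will hand out to newly set passwords. The shadow and login.defs contents are constructed for the example (the long fields are shaped like real crypt(3) output but are not real hashes); the 13-character field is the form classic DES crypt produces and is flagged because only the first 8 characters of the password reach it, exactly the limit Alan describes on the Cisco/TACACS side.

```python
import re

# Constructed sample /etc/shadow and /etc/login.defs for this example.
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopq:18000:0:99999:7:::
alan:$y$j9T$saltsaltsaltsaltsaltsa$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHI:18000:0:99999:7:::
legacy:abJnggxhB/yWI:15000:0:99999:7:::
md5user:$1$saltsalt$0123456789abcdefghijklm:16000:0:99999:7:::
oldsvc:!abJnggxhB/yWI:15000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

SAMPLE_LOGIN_DEFS = """\
# constructed /etc/login.defs excerpt
PASS_MAX_LEN    8
ENCRYPT_METHOD  DES
"""

# crypt(3) DES output: 2 salt characters + 11, all from [./0-9A-Za-z], no '$'.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Map a shadow password field to (scheme, significant_chars, locked).
    significant_chars is how many password characters the scheme hashes
    (None = all of them); locked means the account cannot log in by password."""
    locked = field.startswith("!") or field in ("*", "")
    h = field.lstrip("!")
    if h in ("", "*"):
        return ("none", None, True)
    if h.startswith("$1$"):
        return ("md5crypt", None, locked)
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return ("bcrypt", 72, locked)
    if h.startswith("$5$"):
        return ("sha256crypt", None, locked)
    if h.startswith("$6$"):
        return ("sha512crypt", None, locked)
    if h.startswith("$y$"):
        return ("yescrypt", None, locked)
    if DES_RE.match(h):
        return ("descrypt", 8, locked)
    return ("unknown", None, locked)


def audit_shadow(text):
    """Return {user: (scheme, significant_chars, locked)} for each shadow line."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            report[fields[0]] = classify_hash(fields[1])
    return report


def weak_accounts(text):
    """Usable accounts whose hash truncates the password or is fast enough
    to brute force offline in earnest: the ones the 8-character ceiling hurts."""
    return sorted(user for user, (scheme, _, locked) in audit_shadow(text).items()
                  if not locked and scheme in ("descrypt", "md5crypt", "unknown"))


def login_defs_findings(text):
    """Check the two shadow login.defs knobs Bill names. ENCRYPT_METHOD picks
    the scheme for *newly set* passwords (existing hashes stay as they are
    until the user changes the password); PASS_MAX_LEN is the number of
    significant characters under classic crypt() and is irrelevant for the
    $-prefixed schemes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    # shadow falls back to DES when ENCRYPT_METHOD is unset (and MD5_CRYPT_ENAB is not set)
    method = settings.get("ENCRYPT_METHOD", "DES").upper()
    if method not in ("SHA256", "SHA512", "YESCRYPT", "BCRYPT"):
        findings.append("ENCRYPT_METHOD=%s: new passwords get a fast or truncating hash" % method)
    if method == "DES":
        findings.append("PASS_MAX_LEN=%s: at most 8 characters reach DES crypt() whatever this says"
                        % settings.get("PASS_MAX_LEN", "8"))
    return findings


if __name__ == "__main__":
    for user, (scheme, sig, locked) in audit_shadow(SAMPLE_SHADOW).items():
        print("%-8s %-12s significant=%s locked=%s" % (user, scheme, sig, locked))
    print("weak:", weak_accounts(SAMPLE_SHADOW))
    for f in login_defs_findings(SAMPLE_LOGIN_DEFS):
        print("login.defs:", f)
```

Run it against a real /etc/shadow copied off the box (as root, read-only) and the practical outcome is a list of accounts whose owners must set a new password after ENCRYPT_METHOD is fixed; changing login.defs alone rehashes nothing. Note that a locked account still carrying a DES hash (oldsvc above) is reported but not counted as weak, since the leading "!" already prevents password login.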


Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-10 Thread Alan McKinnon
On Tuesday 10 August 2010 03:18:05 William Hubbs wrote:
 On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
  On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman bill.long...@gmail.com wrote:
   On 08/09/2010 01:08 PM, Robert Bridge wrote:
    On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
     There have been discussions on this list why sudo is a bad idea and
     sudo on *any* command is an even worse idea. You might as well be
     running everything as root, right?
    
    sudo normally logs the command executed, and the account which
    executes it, so while not relevant for single user systems, it STILL
    has benefits over running as root.
   
   ...excepting, of course, "sudo bash -l" which means you've given away
   the keys to the kingdom.
  
  I actually prefer "sudo su -" -- as long as I'm giving it away!  :o)
 
 Afaik, there is no reason for "sudo su -". It should be either
 
 su -
 
 or, if you are using sudo,
 
 sudo -i

So what is the difference between sudo -i and sudo su - then? Please be 
precise.


 The disadvantage of su - is that it requires the user to know the root
 password.  But, sudo -i does the same thing without requiring the user
 to know the root password.

You seem to have confused ideas about authentication and authorization. They 
are not the same thing and harder is not always better.

I have 100+ machines (all distinctly different) that my team runs and sudo is 
on all of them. They all have a root password but no-one knows it anymore, 
it's tucked away nice in the safe just in case the whole team dies in a plane 
crash.

Meanwhile, we know each user is authenticated - ssh let them in with the right 
key, which they managed to unlock. To run a command as root, they must re-
authenticate with their password (unused till this point) and then they can do 
their jobs. We also know that they are authorized - this is the entire point 
of /etc/sudoers and it has no other purpose than authorizing users to do 
things what, when and where.

Knowing a root password is simply a second factor of authentication. It might 
as well be their own password. A well-known root password opens a security can 
of worms anyway and you don't want to go where that leads.

So tell me again why sudo su - is inherently bad? Other than three extra 
keystrokes that is? And what about sudo implementations that don't support -i?



-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-10 Thread Kevin O'Gorman
On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs willi...@gentoo.org wrote:

 On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
  On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman bill.long...@gmail.com
 wrote:
   I actually prefer sudo su - -- as long as I'm giving it away!  :o)

 Afaik, there is no reason for sudo su -  It should be either

 su -

 or, if you are using sudo,

 sudo -i

 The disadvantage of su - is that it requires the user to know the root
 password.  But, sudo -i does the same thing without requiring the user
 to know the root password.

You either didn't think or didn't actually try it.  "sudo su -" needs a
password, but it's the user password.  Running su as root never needs a
password.  Accordingly, this works on a stock Ubuntu with no root password.

"su -" requires the root password unless you're already root, and the root
password may or may not exist.

I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it
immediately asked for a password, for which the user password was
sufficient.  So it's entirely equivalent to but slightly shorter than my
version.  I'll stick with mine because it's made of parts I already know
and won't forget.

I think that if sudoers don't need to enter passwords, they're still
equivalent, but I have not tried this.

-- 
Kevin O'Gorman, PhD


Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-10 Thread Hazen Valliant-Saunders
On Tue, Aug 10, 2010 at 2:50 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

 On Tuesday 10 August 2010 15:03:19 Kevin O'Gorman wrote:
  On Mon, Aug 9, 2010 at 6:18 PM, William Hubbs willi...@gentoo.org wrote:
   On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
    On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman bill.long...@gmail.com wrote:
     I actually prefer "sudo su -" -- as long as I'm giving it away!  :o)
   
   Afaik, there is no reason for "sudo su -". It should be either
   
   su -
   
   or, if you are using sudo,
   
   sudo -i
   
   The disadvantage of su - is that it requires the user to know the root
   password.  But, sudo -i does the same thing without requiring the user
   to know the root password.
  
  You either didn't think or didn't actually try it.  "sudo su -" needs a
  password, but it's the user password.  Running su as root never needs a
  password.  Accordingly, this works on a stock Ubuntu with no root password.
  
  "su -" requires the root password unless you're already root, and the root
  password may or may not exist.
  
  I didn't know about "sudo -i" (thanks), but when I tried "sudo -i" it
  immediately asked for a password, for which the user password was
  sufficient.  So it's entirely equivalent to but slightly shorter than my
  version.  I'll stick with mine because it's made of parts I already know
  and won't forget.
  
  I think that if sudoers don't need to enter passwords, they're still
  equivalent, but I have not tried this.

 Sounds to me like he's whinging about sudo and not much else. I find this
 to be common and far too many people advancing the idea can't define to me
 basic security concepts. I have also yet to meet someone with a beef
 against sudo that can show a fundamental weakness with it, and I'm not
 talking about an isolated case of buffer overflow either - that can happen
 with any software. I mean a weakness in the methodology of sudo itself.

 Many people have a stuck idea in their heads that the root password is a
 magic security bullet. In fact, it's no such thing. Like any other password
 it is simply something you need to prove you know in order to authenticate
 yourself. The major threat by analysis on a workstation is stepping away
 for a leak and forgetting to lock the screen. sudo is adequate protection
 against this as long as more than 5 minutes have elapsed since the last
 sudo was run - the prankster may have access to the machine but still does
 not know any password, including yours. A major threat to finding passwords
 is shoulder surfing. If one frequently enters the root password, it is
 equally easy for a shoulder surfer to find it as to find the user's
 password. Note that if you leave your workstation unlocked with a root
 session open, there is no such timeout as what one has with sudo.

 Additionally, on a shared machine (i.e. server at work), the root password
 has to be shared which is a huge hole in itself due to the difficulty of
 communicating the new password when it is changed. It is trivially easy to
 communicate a single password for a single user and guarantee it stays
 secure (major advances in cryptanalysis excepted).


 --
 alan dot mckinnon at gmail dot com

Good Luck getting people to change them frequently and having your techs
and IT departments meeting complexity and length policy.

Remember the only secure system is off and disconnected.

If you are willing to use it you must apprise the community of the risk of
failure; and plan for said risk.

Most projects I've enjoyed had various password books usually encrypted with
a God key for each department and its respective responsible area.

Then those keys become an issue in and of themselves; then it's a matter of
procedural control. When the admin or admins leave, change them.

Sounds simple, but far too rarely as it happens in practice that I've headed
to a client I haven't visited in a decade or so and find the same password I
once used by guessing.

Which always rings true for me as a means to ensure disclosure is to those
that I trust; or would trust.

The discretionary access model in Gentoo is nice and to be expected; what
I'd really like is a way to have my groups integrate from whichever
directory service I'm using to meet the DAC mappings required on the local
machine so I can enable RBAC or some other Lattice based control with local
admins and limit their functions to their jobs in an EASY fashion.

Regards,
-- 
Hazen Valliant-Saunders


Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-10 Thread Peter Humphrey
On Tuesday 10 August 2010 20:22:13 Hazen Valliant-Saunders wrote:
 Good Luck getting people to change them frequently and having your
 techs and IT departments meeting complexity and length policy.
 
 Remember the only secure system is off and disconnected.

I hope you know whom you're talking to here.

-- 
Rgds
Peter.  Linux Counter 5290, 1994-04-23.



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-10 Thread Dale

Walter Dnes wrote:

On Tue, Aug 10, 2010 at 04:14:41AM +0200, Frank Steinmetzger wrote
 On Tuesday, 10 August 2010, Paul Hartman wrote:
  Typing that long password into sudo every time I ran a command was a
  hassle

 I've never used sudo, and never really liked the idea of it. In
 fact I'm always amused and slightly annoyed by the sheer amount
 of sudo one can find in your typical ubuntu howto. ;-)
 

   There are some things that have to be done as root, but are needed by
a regular user.  E.g. I have a backup dialup account with 295.ca (guess
how much they charge per monthG).  When using it, I not only have to
run pon, but I also have to copy over the correct ssmtp.conf settings
for my dialup ISP.  My ~/bin/udialup (USB dialup) script reads like so...

#!/bin/bash
/usr/bin/sudo /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
/usr/bin/sudo /usr/sbin/pon u295.ca

   When I exit, I have to copy back the ssmtp.conf that points to my
broadband ISP's MTU.  My ~/bin/dialdown script reads like so...

#!/bin/bash
/usr/bin/sudo /usr/sbin/poff
/usr/bin/sudo /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf

   This is after I figured out how to use metric in my network config
so that ppp0 and eth0 could co-exist side by side.  ppp0 can talk to the
outside world via the dialup modem, while eth0 *SIMULTANEOUSLY* talks to
my other machines on 192.168.123.248/29 (aka 192.168.123.240 netmask
255.255.255.240).  Before that, my udialup script had to tear down eth0,
and dialdown had to restart it.  Here are some of the entries in
/etc/sudoers on my machine i3...

waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /usr/sbin/pon 295.ca
waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff
waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/teksavvy.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /sbin/poweroff
waltdnes i3 = (root) NOPASSWD: /usr/bin/rdate time.nrc.ca -s
waltdnes i3 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes i3 = (root) NOPASSWD: /usr/sbin/hibernate

   This gives me the power to do specific root-level stuff as a regular
user, without giving away the keys to the kingdom.  Note that none of
the entries accepts any parameters, let alone $*.  Also. specifying the
path prevents running the wrong executable with root-level privileges.

   



I used to use wvdial as well as pon and I don't recall having to be 
root.  I added myself the dial-up group if I recall correctly.  It just 
worked for me.


I also don't use sudo here either.  ;-)

Dale

:-)  :-)
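
An added example, mine and not Walter's or Alan's: a small sudoers audit that checks the properties Walter's entries get right (full paths, fixed argument lists) and flags the shapes that undo them, which is also what Paul's "sudo-without-password rights to any command" looks like in a file. The sample sudoers is constructed for the example; it is a narrow reader for one-line user specs and the timestamp_timeout default, not the full sudoers grammar (aliases, host lists, #include and quoted arguments are not handled).

```python
import os
import re

# Constructed sample sudoers: fixed-argument entries in Walter's style next to
# the permissive shapes that turn up in real audits.
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout=15
waltdnes i3 = (root) NOPASSWD: /bin/cp -f /etc/ssmtp/295.ssmtp.conf /etc/ssmtp/ssmtp.conf
waltdnes i3 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes i3 = (root) NOPASSWD: /usr/sbin/poff
paul ALL = (ALL) NOPASSWD: ALL
backup ALL = (root) NOPASSWD: /bin/tar *
dev ALL = (root) /usr/bin/vim
ops ALL = (root) NOPASSWD: cp -f /tmp/x /etc/x
"""

# Programs that hand the caller a shell (or arbitrary file writes) as the run-as user.
SHELL_ESCAPES = {"bash", "sh", "zsh", "dash", "su", "sudo", "vi", "vim", "nano",
                 "less", "more", "env", "find", "python", "perl", "awk"}

USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
TIMEOUT = re.compile(r"^Defaults\b.*\btimestamp_timeout\s*=\s*(-?\d+)")


def parse_sudoers(text):
    """Return (timestamp_timeout or None, [(user, runas, tags, command)])."""
    timeout, specs = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = TIMEOUT.match(line)
        if m:
            timeout = int(m.group(1))
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            specs.append((m.group("user"), m.group("runas") or "root", tags, cmd.strip()))
    return timeout, specs


def audit_spec(user, runas, tags, cmd):
    """Findings for one command spec as (severity, message); messages start
    with the user name so they can be grouped."""
    out = []
    words = cmd.split()
    if not words:
        return out
    prog, args = words[0], words[1:]
    base = os.path.basename(prog)
    if prog == "ALL":
        out.append(("high", "%s may run ANY command as %s%s"
                    % (user, runas, " without a password" if "NOPASSWD" in tags else "")))
        return out
    if not prog.startswith("/"):
        out.append(("medium", "%s: '%s' is not a full path, so PATH decides what runs" % (user, prog)))
    if base in SHELL_ESCAPES:
        out.append(("high", "%s: %s gives an interactive shell as %s" % (user, base, runas)))
    if any("*" in a or "?" in a for a in args):
        # sudo matches arguments as one space-separated string, so '*' spans
        # several arguments and lets the caller append whatever they like.
        out.append(("high", "%s: wildcard in the arguments of %s lets extra arguments be smuggled in" % (user, base)))
    if not args:
        out.append(("low", "%s: %s listed with no arguments, which permits ANY arguments (use \"\" to forbid them)" % (user, base)))
    return out


def audit(text):
    """Audit a whole sudoers text. Returns a list of (severity, message)."""
    timeout, specs = parse_sudoers(text)
    findings = []
    for spec in specs:
        findings.extend(audit_spec(*spec))
    if timeout is None or timeout > 0:
        shown = "5 (sudo's own default)" if timeout is None else str(timeout)
        findings.append(("info", "timestamp_timeout is %s minutes: an unlocked, walked-away session "
                                 "can reuse sudo that long (0 asks every time, negative never expires)" % shown))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SUDOERS):
        print("%-6s %s" % (severity, message))
```

On a real box, feed it `visudo -c -f /etc/sudoers` output's source file (and /etc/sudoers.d/*) read as root. Walter's entries come out clean except for poff, which is listed without arguments and therefore accepts any; that is harmless for poff but is the rule to know: a command with no argument list means any arguments, and "" means none.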



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-10 Thread Walter Dnes
On Tue, Aug 10, 2010 at 09:16:20PM -0500, Dale wrote

 I used to use wvdial as well as pon and I don't recall having to be 
 root.  I added myself the dial-up group if I recall correctly.  It just 
 worked for me.
 
 I also don't use sudo here either.  ;-)

  As I mentioned, I also have to copy a new ssmtp.conf.  I'm aware of
the -C option for ssmtp, but then I'd have to muck around with mutt when
switching between ADSL and dialup.  This way, mutt doesn't care.  It
just works.

-- 
Walter Dnes waltd...@waltdnes.org



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Alan McKinnon
On Monday 09 August 2010 18:25:56 Paul Hartman wrote:
 Hi, today when working remotely I ran nethogs and noticed suspicious
 network traffic coming from my home gentoo box. It was very low
 traffic (less than 1KB/sec bandwidth usage) but according to nethogs
 it was between a root user process and various suspicious-looking
 ports on outside hosts in other countries that I have no business
 with. netstat didn't show anything, however, but when I ran chkrootkit
 told me that netstat was INFECTED. I immediately issued shutdown -h
 now and now I won't be able to take a further look at it until I get
 home and have physical access to the box. System uptime was a few
 months. It was last updated for installation of a 2.6.33 kernel
 (2.6.35 is out now).
 
 I have 3 goals now:
 
 1) Figure out what is running on my box and how long it has been there.
 2) Find out how it got there.
 3) Sanitizing, or most likely rebuilding the system from scratch.

Here's the bad news:

An intruder probably gained access through a script kiddie script, which has 
likely already removed all the logs. Or they have possibly been rotated away 
by now.

I would proceed as follows:

1. Keep that machine off the internet till it is reinstalled
2. Fresh reinstall using boot media that you have downloaded and written 
elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage 
tree won't use existing copies on that machine if the hashes don't match. So 
you can re-use them. If you boot off new install media it is safe to download 
new distfiles using it.
3. Keep your old partitions around if you want to do forensics, you can mount 
them somewhere when a reinstall is done and peruse them at your leisure. 
However, doing that is often a waste of time unless you still have logs. You 
can use a scanner like nessus to look things over.
4. And it goes without saying that you should change all passwords and keys 
used on that trojaned machine.




 I won't feel comfortable about doing item 3 until I learn the cause of
 1 and 2. Since this is a home PC, it's not mission-critical and I have
 other computers so I can afford to leave it offline while I
 investigate this security breach, but at the same time it's worrisome
 because I do banking etc from this machine. I'll obviously have to
 check the status of any other computer on the same network.
 
 My user account has sudo-without-password rights to any command. In
 hindsight this risk may not be worth the extra convenience... A rogue
 sudo install-bad-stuff anywhere over time could have done me in.
 
 Alternatively I was running vulnerable/compromised software. My box
 has sshd running, root login in ssh is not allowed, and pubkey only
 logins (no passwords). It is behind a wireless router but port 22 is
 open and pointing to this box, and a few others needed by other
 applications. So I will check out which keys exist on the compromised
 machine and make sure I recognize them all. I'll also need to check
 the status of any other computer my key is stored on (a mix of linux 
 windows, and my mobile phone). Sigh...
 
 I am using ~amd64 and I update deep world about 3 times a week normally.
 
 The computer is only a few months old, but it was created by cloning a
 ~2-years-old computer.  I did emerge -e world as part of the upgrade
 process.
 
 If anyone has advice on what I should look at forensically to
 determine the cause of this, it is appreciated. I'll first dig into
 the logs, bash history etc. and really hope that this happened very
 recently.
 
 Thanks for any tips and wish me good luck. :)

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Paul Hartman
On Mon, Aug 9, 2010 at 11:48 AM, Alan McKinnon alan.mckin...@gmail.com wrote:
 On Monday 09 August 2010 18:25:56 Paul Hartman wrote:
 Hi, today when working remotely I ran nethogs and noticed suspicious
 network traffic coming from my home gentoo box. It was very low
 traffic (less than 1KB/sec bandwidth usage) but according to nethogs
 it was between a root user process and various suspicious-looking
 ports on outside hosts in other countries that I have no business
 with. netstat didn't show anything, however, but when I ran chkrootkit it
 told me that netstat was INFECTED. I immediately issued shutdown -h
 now and now I won't be able to take a further look at it until I get
 home and have physical access to the box. System uptime was a few
 months. It was last updated for installation of a 2.6.33 kernel
 (2.6.35 is out now).

 I have 3 goals now:

 1) Figure out what is running on my box and how long it has been there.
 2) Find out how it got there.
 3) Sanitizing, or most likely rebuilding the system from scratch.

 Here's the bad news:

 An intruder probably gained access through a script kiddie script, which has
 likely already removed all the logs. Or they have possibly been rotated away
 by now.

 I would proceed as follows:

 1. Keep that machine off the internet till it is reinstalled
 2. Fresh reinstall using boot media that you have downloaded and written
 elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage
 tree won't use existing copies on that machine if the hashes don't match. So
 you can re-use them. If you boot off new install media it is safe to download
 new distfiles using it.
 3. Keep your old partitions around if you want to do forensics, you can mount
 them somewhere when a reinstall is done and peruse them at your leisure.
 However, doing that is often a waste of time unless you still have logs. You
 can use a scanner like nessus to look things over.
 4. And it goes without saying that you should change all passwords and keys
 used on that trojaned machine.

Hi Alan, thanks for the advice.

I just remembered that my DD-WRT router stats page had an anomaly, on
31st of July it showed I had over 700 terabytes of traffic, which is
impossible. Coincidentally, my cable modem stopped working on the same
day, so I wrote it off as a bug or a result of the broken modem. I
replaced the modem and everything seemed to work normally after that.

At this point my mind is running wild thinking of all of the
possibilities. Could the router have been infected? The modem? It'll
still be another 5 or 6 hours before I'm able to lay my hands on the
machine. I'm imagining every doomsday scenario. :)

My hope is that it was only a botnet or ssh-scanner or something,
and not a sniffer or keylogger or anything nefarious. I fear I may never
truly be able to know, though.



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Mick
On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
 My user account has sudo-without-password rights to any command.

Ouch!

There have been discussions on this list why sudo is a bad idea and sudo on 
*any* command is an even worse idea. You might as well be running everything 
as root, right?

You have decided wisely to reinstall because you can't be sure of this OS 
anymore.

Please keep us updated on what you find from the forensic analysis.
-- 
Regards,
Mick




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Robert Bridge
On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
 There have been discussions on this list why sudo is a bad idea and sudo on
 *any* command is an even worse idea. You might as well be running everything
 as root, right?

sudo normally logs the command executed, and the account which
executes it, so while not relevant for single user systems, it STILL
has benefits over running as root.

RobbieAB



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Bill Longman
On 08/09/2010 01:08 PM, Robert Bridge wrote:
 On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
 There have been discussions on this list why sudo is a bad idea and sudo on
 *any* command is an even worse idea. You might as well be running everything
 as root, right?
 
 sudo normally logs the command executed, and the account which
 executes it, so while not relevant for single user systems, it STILL
 has benefits over running as root.

...excepting, of course, sudo bash -l which means you've given away
the keys to the kingdom.



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Dale

Robert Bridge wrote:

On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
   

There have been discussions on this list why sudo is a bad idea and sudo on
*any* command is an even worse idea. You might as well be running everything
as root, right?
 

sudo normally logs the command executed, and the account which
executes it, so while not relevant for single user systems, it STILL
has benefits over running as root.

RobbieAB

   


I don't use sudo here but I assume an admin would only know that a nasty 
command has been run well after it was run?  Basically, after the damage 
has been done, you can go look at the logs and see the mess some hacker 
left behind.  For me, that isn't a whole lot of help.  You still got 
hacked, you still got to reinstall and check to make sure anything you 
copy over is not infected.


Assuming that they can erase dmesg, /var/log/messages and other log 
files, who's to say the sudo logs aren't deleted too?  Then you still 
have no records to look at.


I agree with the other posters tho, re-install from scratch and re-think 
your security setup.


Dale

:-)  :-)



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Philip Webb
100809 Robert Bridge wrote:
 On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
 There have been discussions on this list why sudo is a bad idea
 and sudo on *any* command is an even worse idea.
 You might as well be running everything as root, right?
 sudo normally logs the command executed and the account which executes it,
 so while not relevant for single user systems,
 it STILL has benefits over running as root.

I follow 2 simple rules:
(1) never start X as root -- I open in a raw terminal, then 'startx',
so it's ok to login there as root to get some system fixes done,
but of course logout again before starting X as user --
(2) do all system stuff in a virtual root terminal on its own desktop,
where the prompt says 'root' in red letters & the background is black
(my user terminal has a white background): that's down in the basement,
where all the pipes & wires are & you need a hard hat & safety boots
& you need to unlock the basement door, whose key is the root password.

also, my user terminal says :

  524: gx which sudo
  which: no sudo in 
(/sbin:/usr/sbin:/usr/local/sbin::/bin:/usr/bin:/usr/local/bin:/usr/kde/3.5/bin)

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Mick
On Monday 09 August 2010 21:25:37 Dale wrote:
 Robert Bridge wrote:
  On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
  There have been discussions on this list why sudo is a bad idea and sudo
  on *any* command is an even worse idea. You might as well be running
  everything as root, right?
  
  sudo normally logs the command executed, and the account which
  executes it, so while not relevant for single user systems, it STILL
  has benefits over running as root.
  
  RobbieAB
 
 I don't use sudo here but I assume an admin would only know that a nasty
 command has been run well after it was run?  Basically, after the damage
 has been done, you can go look at the logs and see the mess some hacker
 left behind.  For me, that isn't a whole lot of help.  You still got
 hacked, you still got to reinstall and check to make sure anything you
 copy over is not infected.
 
 Assuming that they can erase dmesg, /var/log/messages and other log
 files, who's to say the sudo logs aren't deleted too?  Then you still
 have no records to look at.
 
 I agree with the other posters tho, re-install from scratch and re-think
 your security setup.

That's the problem with any compromise worth its salt, all logs will be 
tampered with to clear traces of interfering with your system.  Monitoring network 
traffic from a healthy machine is a good way to establish suspicious activity 
on the compromised box and it also helps to check for open ports (nmap, or 
netcat) to find out what's happening to the compromised box.

-- 
Regards,
Mick
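Mick's suggestion above, cross-checking the box from a healthy machine, can be turned into a quick diff: compare what an nmap scan run from a clean host reports as open against what the suspect box's own netstat claims is listening. This is an added example, not code from the thread; the nmap greppable output and netstat listing below are constructed samples (the extra port 12345 is made up to play the hidden listener), and the script only parses text, so it needs no network access.

```python
"""Compare an external nmap scan with the suspect box's own netstat output.

A trojaned netstat (the chkrootkit finding in this thread) can hide a
listener from the local view, but it cannot hide it from a scan run on
another machine.  Ports seen from outside but absent locally are the
ones to look at first.
"""
import re
from typing import Dict, Set

# Constructed sample: `nmap -oG - <host>` run from a clean machine on the LAN.
# 22 and 6881 match the sshd and bittorrent ports the original poster mentions;
# 12345 is an invented value standing in for a hidden backdoor port.
NMAP_GREPABLE = """\
# Nmap scan initiated from the clean host (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 6881/open/tcp//bittorrent-tracker///, 12345/open/tcp//unknown///\tIgnored State: closed (997)
"""

# Constructed sample: what `netstat -ltn` printed ON the suspect box.
LOCAL_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6881            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
"""

# One open-port field in greppable output: "<port>/<state>/<proto>/..."
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_nmap_open_ports(text: str, proto: str = "tcp") -> Set[int]:
    """Return the ports nmap reported as open for the given protocol."""
    ports: Set[int] = set()
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        for port, found_proto in PORT_RE.findall(line):
            if found_proto == proto:
                ports.add(int(port))
    return ports


def parse_netstat_listeners(text: str) -> Set[int]:
    """Return the TCP ports netstat -ltn shows in LISTEN state (any address)."""
    ports: Set[int] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        if fields[-1] != "LISTEN":
            continue
        # Local address is "addr:port"; rsplit copes with IPv6 forms like ":::22".
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def compare_views(external: Set[int], local: Set[int]) -> Dict[str, Set[int]]:
    """Split the two views into the cases an investigator cares about.

    hidden_from_local: reachable from outside, yet not in the local listing.
        Either netstat is lying or the port is proxied in; investigate.
    local_only: listed locally but not seen by the scan, usually a loopback
        bind or a firewalled service; benign but worth confirming.
    """
    return {
        "hidden_from_local": external - local,
        "local_only": local - external,
    }


if __name__ == "__main__":
    ext = parse_nmap_open_ports(NMAP_GREPABLE)
    loc = parse_netstat_listeners(LOCAL_NETSTAT)
    for label, ports in compare_views(ext, loc).items():
        print(f"{label}: {sorted(ports) or 'none'}")
```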




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Dale

Mick wrote:

On Monday 09 August 2010 21:25:37 Dale wrote:
   

Robert Bridge wrote:
 

On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
   

There have been discussions on this list why sudo is a bad idea and sudo
on *any* command is an even worse idea. You might as well be running
everything as root, right?
 

sudo normally logs the command executed, and the account which
executes it, so while not relevant for single user systems, it STILL
has benefits over running as root.

RobbieAB
   

I don't use sudo here but I assume an admin would only know that a nasty
command has been run well after it was run?  Basically, after the damage
has been done, you can go look at the logs and see the mess some hacker
left behind.  For me, that isn't a whole lot of help.  You still got
hacked, you still got to reinstall and check to make sure anything you
copy over is not infected.

Assuming that they can erase dmesg, /var/log/messages and other log
files, who's to say the sudo logs aren't deleted too?  Then you still
have no records to look at.

I agree with the other posters tho, re-install from scratch and re-think
your security setup.
 

That's the problem with any compromise worth its salt, all logs will be
tampered with to clear traces of interfering with your system.  Monitoring network
traffic from a healthy machine is a good way to establish suspicious activity
on the compromised box and it also helps to check for open ports (nmap, or
netcat) to find out what's happening to the compromised box.

   


Yep, cause when they are in the system, they can do what they want.  
Once they get root privileges, nothing else matters after that.  It's 
just a matter of the clean up which from what I have always read is a 
reinstall.  It's not good to hear but it's the best way to know for sure 
you are safe.


Me tho, I would start from scratch and not even chroot into the old 
install.  I might mount and try to read a log file or copy my world file 
but that would be about it.  I'm not sure I would trust anything else.   
I just hope this never happens to me.  :/


Dale

:-)  :-)



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Paul Hartman
On Mon, Aug 9, 2010 at 2:09 PM, Mick michaelkintz...@gmail.com wrote:
 On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
 My user account has sudo-without-password rights to any command.

 Ouch!


Having still not physically touched the machine yet, I don't know if
sudo had anything to do with it at all at this point. But I'll assume
for a moment that its use was perhaps involved...

 There have been discussions on this list why sudo is a bad idea and sudo on
 *any* command is an even worse idea. You might as well be running everything
 as root, right?

Essentially. I did not think it through from an internally-defensive
standpoint. I only thought of sudo as I am deciding whether to run
this command as user or as root. Assuming *I* would be the only one
running a program on my computer. My thinking was clearly flawed
there... The idea of an attacker being in my system didn't really
enter my mind. Or an untrusted program shelling out and running sudo
some-bad-stuff without my knowing. Every sudo command is logged,
sure, but as Bill pointed out that only works for as long as it takes
someone to sudo himself into a root shell (or delete the logs). I
don't really audit the sudo logs regularly because of the stupid
assumption that I was the only one running any sudo commands.

 You have decided wisely to reinstall because you can't be sure of this OS
 anymore.

I'm most concerned about learning how this happened because I don't
want to reinstall everything only to be compromised again, and with
the hope that perhaps any info I find can help others avoid finding
themselves in this same situation. If I'm only going to re-create the
exact same set-up, I don't know if I can be sure of it then even after
reinstalling...

 Please keep us updated on what you find from the forensic analysis.

Sudo was one of the first things that popped into my head. sshd is
really the only service open to the outside. Some other ports are open
for specific apps, like bittorrent traffic, which is what I was
monitoring when I noticed the suspicious activity -- and I was
downloading a Linux ISO, I swear. My original plans for tonight were
to install Sabayon on an old laptop that is becoming unmanageable from
a Gentoo standpoint due to infrequent use and days-long update
sessions. I'll put that little project on hold for now...

My sshd setup is pubkey only, no root logins, and I use denyhosts to
block after 3 failed logins, and it syncs its blocklist from the
denyhosts master server many times a day. I use NX Server, but not
with the default key, and I don't think there have been any (publicly
disclosed) remotely-exploitable opensshd vulnerabilities that would
allow an attacker direct entry into a system. I haven't noticed
anything out of place on my system, no unusual files or missing items.
I take infrequent peeks at my ssh logs, w/who/last and network traffic
(as I did today when I discovered it), but I am not religious about
reading every log. Life has been quite busy lately and I haven't had
as much time to dedicate to that sort of stuff.  It has been more like
log on, check my email, pay my bills, log off.

So, from that outside-entry standpoint I was certainly lulled into a
false sense of security about my system. My root account has a very
long and complicated password, and my user account was surely
impenetrable since I was using pubkey-only SSH logins, right...  I
have encrypted partitions, but they are mounted when the system is up
and running, so they are really pointless against an online
attack...

Typing that long password into sudo every time I ran a command was a
hassle, and clearly I thought myself too intelligent to ever run a
malicious piece of code on my own computer. I mean, that's the kind of
thing I would never do. I'm careful. I usually look at things before I
run them, scan them with clamscan (not that I run outside
scripts/binaries very often at all). Right? And what if a
seemingly-safe program decided to download and run malware on its own?
What if there was a vulnerability that was exploited before it was
discovered & patched by the community (and my Gentoo update cycle)?
What if there was a rogue Firefox add-on stealing passwords or running
shell scripts? That would probably never happen, surely someone else
would have noticed it and put a stop to it before it got to me, or I
would have read a warning about it in the tech news someplace. Yeah,
I'm being a bit sarcastic here. ;)

I do hope I can find some evidence that leads me to the point of
entry. It would set my mind at ease.



Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Kevin O'Gorman
On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman bill.long...@gmail.com wrote:

 On 08/09/2010 01:08 PM, Robert Bridge wrote:
  On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
  There have been discussions on this list why sudo is a bad idea and sudo
 on
  *any* command is an even worse idea. You might as well be running
 everything
  as root, right?
 
  sudo normally logs the command executed, and the account which
  executes it, so while not relevant for single user systems, it STILL
  has benefits over running as root.

 ...excepting, of course, sudo bash -l which means you've given away
 the keys to the kingdom.

 I actually prefer sudo su - -- as long as I'm giving it away!  :o)


-- 
Kevin O'Gorman, PhD


Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread William Hubbs
On Mon, Aug 09, 2010 at 05:30:40PM -0700, Kevin O'Gorman wrote:
 On Mon, Aug 9, 2010 at 1:20 PM, Bill Longman bill.long...@gmail.com wrote:
 
  On 08/09/2010 01:08 PM, Robert Bridge wrote:
   On Mon, Aug 9, 2010 at 8:09 PM, Mick michaelkintz...@gmail.com wrote:
   There have been discussions on this list why sudo is a bad idea and sudo
  on
   *any* command is an even worse idea. You might as well be running
  everything
   as root, right?
  
   sudo normally logs the command executed, and the account which
   executes it, so while not relevant for single user systems, it STILL
   has benefits over running as root.
 
  ...excepting, of course, sudo bash -l which means you've given away
  the keys to the kingdom.
 
  I actually prefer sudo su - -- as long as I'm giving it away!  :o)

Afaik, there is no reason for sudo su -.  It should be either

su -

or, if you are using sudo, 

sudo -i

The disadvantage of su - is that it requires the user to know the root
password.  But, sudo -i does the same thing without requiring the user
to know the root password.

William
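The sudo-logging discussion in this thread (sudo records each command, but one `sudo bash -l`, `sudo su -` or `sudo -i` ends the trail, as Bill, Kevin and William note) can be checked mechanically against sudo's syslog lines. This is an added example, not code from the thread; the log lines are constructed in sudo's usual syslog format, the `/tmp/install-bad-stuff` path is invented to echo the original poster's "sudo install-bad-stuff" worry, and the set of shell binaries and trusted directories is an assumption to adapt per system.

```python
"""Audit sudo's syslog entries for the points where the audit trail goes dark.

sudo logs one line per command: "<user> : TTY=... ; PWD=... ; USER=<runas> ;
COMMAND=<argv>".  When that command is itself a shell (or su), nothing run
afterwards is logged by sudo, so an admin reviewing the logs should at least
know when such an escalation happened.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in sudo's syslog format (not a real log).
SAMPLE_LOG = """\
Aug  9 19:58:02 gentoo sudo:     paul : TTY=pts/1 ; PWD=/home/paul ; USER=root ; COMMAND=/usr/bin/emerge -uDN world
Aug  9 20:01:15 gentoo sudo:     paul : TTY=pts/1 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/bash -l
Aug  9 20:03:40 gentoo sudo:     paul : TTY=pts/2 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/su -
Aug  9 20:05:02 gentoo sudo:     paul : TTY=pts/2 ; PWD=/home/paul ; USER=root ; COMMAND=/bin/bash
Aug  9 20:07:31 gentoo sudo:     paul : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/tmp/install-bad-stuff
Aug  9 20:09:00 gentoo sudo:     paul : TTY=pts/1 ; PWD=/home/paul ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/messages
Aug  9 20:09:30 gentoo sshd[2211]: Accepted publickey for paul from 192.168.1.20 port 50022 ssh2
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Assumptions for this example: binaries that hand out an interactive root
# shell (sudo -i shows up as the shell itself), and where legitimate
# privileged binaries normally live.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "su", "login"}
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/")


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a sudo syslog line, or None for any other line."""
    match = SUDO_RE.search(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["timestamp"] = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
    return entry


def classify(entry: Dict[str, str]) -> List[str]:
    """List the reasons an entry deserves a second look (empty if none)."""
    reasons: List[str] = []
    exe = entry["cmd"].split()[0]
    if os.path.basename(exe) in SHELLS:
        reasons.append("root shell: sudo logs nothing run inside it")
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside the system directories")
    if entry["tty"] == "unknown":
        reasons.append("no controlling tty: run by a script, not a person")
    return reasons


def audit(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, user, command, reasons) for every flagged entry."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["timestamp"], entry["user"], entry["cmd"], reasons))
    return flagged


if __name__ == "__main__":
    for when, who, cmd, why in audit(SAMPLE_LOG):
        print(f"{when} {who}: {cmd}\n    " + "\n    ".join(why))
```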




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Frank Steinmetzger
Am Dienstag, 10. August 2010 schrieb Paul Hartman:

 Typing that long password into sudo every time I ran a command was a
 hassle

I’ve never used sudo, and never really liked the idea of it. In fact I’m 
always amused and slightly annoyed by the sheer amount of sudo one can find in 
your typical ubuntu howto. ;-)

It’s one reason why I abstained from installing Truecrypt 6, because it 
requires sudo (Yes I know, in default setup you can’t do much with it. It is 
but an issue of principle). However, because I need root commands regularly 
(for example to initiate the VPN to my uni’s WiFi), I usually have one tab in 
Yakuake where I do a normal su once after login.

And for more safety on my part, I also use different prompts: red hostname for 
root console, green u...@hostname for nonroot.
-- 
Gruß | Greetings | Qapla'
What’s right is right, otherwise it’d be wrong.




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Indexer

On 10/08/2010, at 11:44 AM, Frank Steinmetzger wrote:

 Am Dienstag, 10. August 2010 schrieb Paul Hartman:
 
 Typing that long password into sudo every time I ran a command was a
 hassle
 
 I’ve never used sudo, and never really liked the idea of it. In fact I’m 
 always amused and slightly annoyed by the sheer amount of sudo one can find 
 in 
 your typical ubuntu howto. ;-)
 
 It’s one reason why I abstained from installing Truecrypt 6, because it 
 requires sudo (Yes I know, in default setup you can’t do much with it. It is 
 but an issue of principle). However, because I need root commands regularly 
 (for example to initiate the VPN to my uni’s WiFi), I usually have one tab in 
 Yakuake where I do a normal su once after login.
 
 And for more safety on my part, I also use different prompts: red hostname 
 for 
 root console, green u...@hostname for nonroot.
 -- 
 Gruß | Greetings | Qapla'
 What’s right is right, otherwise it’d be wrong.

I hope you realise the use of sudo -i will give you a root shell just like 
su. The reason sudo is preferred is that it means between multiple 
administrators, you can eliminate the need for a shared password. sudo can also 
control who and what groups can access sudo, and even subsets of commands.

sudo also has a grace timer in which once you prove your identity with your 
password once, you can use sudo without a password for a period of time after 
that. This can also be canceled with sudo -k

In terms of system administration best practices, sudo is the way to go. You 
will see it used in all server administration tasks to escalate privileges, in 
a secure manner.

William Brown

pgp.mit.edu






Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Keith Dart
On Mon, 9 Aug 2010 18:07:15 -0500
Paul Hartman paul.hartman+gen...@gmail.com wrote:

 I do hope I can find some evidence that leads me to the point of
 entry. It would set my mind at ease.

Please let us know. I'm really curious about this also. I hope it
wasn't a trojaned package in portage.

-- 
-- --
Keith Dart
=




Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

2010-08-09 Thread Adam Carter
 Alternatively I was running vulnerable/compromised software. My box
 has sshd running, root login in ssh is not allowed, and pubkey only
 logins (no passwords). It is behind a wireless router but port 22 is
 open and pointing to this box, and a few others needed by other
 applications. So I will check out which keys exist on the compromised
 machine and make sure I recognize them all. I'll also need to check
 the status of any other computer my key is stored on (a mix of linux &
 windows, and my mobile phone). Sigh...


Since your sshd setup is pretty secure I'd look at other network services.
What else was running, and were there any servers that were only available
from the local net (or were less protected from connections from the local
net) than the Internet? That's the only case where a router compromise would
assist in attacking your gentoo box.

There have been some web browser based attacks that have come out against
routers recently. They run the attack on your browser (cross site scripting
IIRC) to get access to the web interface of the router because that is
typically not available via the Internet side interface. They then run a
password guessing attack. Did your router have a strong password?