>>>>> "Joshua" == Joshua Newman <[EMAIL PROTECTED]> writes:
Joshua> I have 3 questions: 1. Does anyone know default RH 7.2
Joshua> 3. Does anyone know where I can find these guys so that I
Joshua> can fuck 'em up. I feel violated, though after talking to
Joshua> John Hunter I feel like I just had my cherry popped and
Joshua> have learned a lesson. (A windozer friend has been
Joshua> harping on me saying "See, the open source community isn't
Joshua> as lovey dovey good natured as you said...")
They're just jealous.
The standard wisdom is, don't retaliate. They are badder ass than you
are; don't incur their wrath. After all, they've already rootkitted
you -- I don't recommend taking them on. Plus, it may be illegal.
That said, you can legally and innocuously bring the box back up and
see who tries to ssh you on port 15000 by dropping and logging the
connection with netfilter. You'll know that that is a cracked box, so do
the community a service and shut it down by reporting it. Of course, that
is a pain in the ass that is probably not worth your time, but by my
estimate, it is the only reasonable revenge move.
1. At RHL install, choose custom security and enable only ssh.
2. Go to a RH mirror and get all the latest security updates and
   install them with rpm -Uhv.
3. Configure netfilter to only allow the ports you absolutely need. I
   recommend disallowing ping because a lot of crackers will do a ping
   sweep before a port scan. Install the latest 2.4.x kernel and
   rebuild it for netfilter (iptables rather than ipchains). If you
   want to enable secure ftp, you will need a stateful packet filter,
   and AFAIK ipchains ain't got it. I can help you set up your
   iptables rules.
4. Run an intrusion detection system like snort. If you see a hint of
   a port scan, modify your netfilter config to disallow all requests
   from that host (and report them to shut down the offending host).
5. Run a system integrity checker like tripwire. I have my tripwire
   reports sent to a 3rd party email service like Yahoo, under the
   assumption that if they've hacked my box, they can hack my reports.
   But they are unlikely to crack Yahoo.
6. Keep an eye on the RHL 7.2 security updates page, and on
   comp.linux.security/
7. If all this seems excessively time consuming, it is. Do what you
   can.
8. Pay attention to physical security. The easiest way to rootkit a
   box is to reboot it with a linux floppy. You can set up BIOS and
   lilo safeguards which will deter the casual attacker.
   http://new.linuxnow.com/docs/content/Security-HOWTO-html/Security-HOWTO-3.html
9. Make backups. Then at least you can recover your work, especially
   if you can determine when the compromise happened. If you don't
   have access to a tape drive, I can provide some tapes to you over
   ssh with the tar --rsh-command=/usr/bin/ssh option. This is really
   easy, honestly.
In summary, in my view, you must know about ssh, packet filtering, and
regular backups, and should know about snort, tripwire and physical
security.
ssh: http://www.openssh.org
snort: http://www.snort.org/
tripwire: http://www.tripwire.com/
netfilter: http://netfilter.samba.org/
JDH
_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
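Added example, not part of JDH's post or of any project's code: a small sh script that works through items 3 and 4 of the list above together with the "log who knocks on port 15000" suggestion. It emits an iptables ruleset (allow loopback, established traffic and ssh, log and drop the backdoor port, drop ICMP echo-request) instead of applying it, so the rules can be reviewed before running as root, and it reads kernel log lines written by netfilter's LOG target to pull out the source addresses that hit the backdoor port, which is what you would report and block. Assumed, not from the post: the interface eth0, ssh on port 22, the log prefix "BACKDOOR15000: ", and the sample log lines, which are constructed.

```sh
#!/bin/sh
# Added example (not from the original post). Demonstrates a minimal
# iptables ruleset for a host recovering from a compromise plus a log
# reader that extracts who connected to the backdoor port.
# Assumptions (not in the post): eth0, ssh on 22, the LOG prefix below,
# and the constructed sample log lines.

BACKDOOR_PORT=15000
LOG_PREFIX="BACKDOOR15000: "

# Emit the iptables commands rather than execute them, so the ruleset can
# be inspected (and tested) before being applied as root.
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $BACKDOOR_PORT -j LOG --log-prefix "$LOG_PREFIX" --log-level info
iptables -A INPUT -p tcp --dport $BACKDOOR_PORT -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
}

# Item 4: drop everything from a host seen scanning. Inserted at position 1
# so it wins over the ACCEPT rules that follow.
block_host() {
    echo "iptables -I INPUT 1 -s $1 -j DROP"
}

# Constructed kernel log lines in the format netfilter's LOG target writes
# through klogd/syslog: two hits on the backdoor port from one host, one
# from another, and an unrelated sshd line that must be ignored.
sample_log() {
    cat <<'EOF'
Mar  3 01:02:03 box kernel: BACKDOOR15000: IN=eth0 OUT= MAC=00:50:56:ab:cd:ef:00:50:56:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=3456 DPT=15000 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 01:02:09 box kernel: BACKDOOR15000: IN=eth0 OUT= MAC=00:50:56:ab:cd:ef:00:50:56:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=3457 DPT=15000 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 01:05:41 box sshd[812]: Accepted publickey for joshua from 203.0.113.7 port 40212 ssh2
Mar  3 02:17:30 box kernel: BACKDOOR15000: IN=eth0 OUT= MAC=00:50:56:ab:cd:ef:00:50:56:12:34:56:08:00 SRC=203.0.113.99 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=1025 DPT=15000 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
}

# Unique source addresses that hit the backdoor port, one per line, sorted.
# Reads the log on stdin so a real box can feed it /var/log/messages.
backdoor_sources() {
    sed -n "s/.*${LOG_PREFIX}.*SRC=\([0-9.]*\) .*DPT=${BACKDOOR_PORT} .*/\1/p" | sort -u
}

# One DROP rule per host that knocked on the backdoor port.
block_all_knockers() {
    backdoor_sources | while read -r src; do block_host "$src"; done
}

# Usage: sh thisfile.sh demo   (prints the ruleset, then the block rules
# derived from the sample log; pipe into sh as root to apply for real)
if [ "${1:-}" = "demo" ]; then
    gen_rules
    sample_log | block_all_knockers
fi
```

The ruleset uses the 2.4-era `-m state` match the post is talking about, which current iptables still accepts. Logging before dropping matters: a bare DROP on 15000 loses exactly the evidence you wanted, while the LOG rule records the SRC= field that the reader above turns into a report and a block rule.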