Hi all,

I've always been pretty careful about security but I made a mistake this weekend and I wanted to share it with everyone here. Over the weekend I configured a new server for my game hosting company. I went through the same basic process I always go through before installing the machine in the colocation facility. I lock everything down with very restrictive firewall settings and I disable everything that isn't absolutely necessary for running halflife mods. After testing the machine out for a day or two I got a bit lazy and decided to open up wu-ftp so I could use a regular ftp program to upload files. I had the port open for a few hours when someone hacked into the system using a wu-ftp vulnerability. They installed their own rootkit, overwriting the contents of about 60 files in the /bin directory. They created several "group 0" accounts and installed a few processes of their own.

I was very lucky to catch this person. On any other day he could have gotten in entirely unnoticed, installed his software, and left my system in a state where he would be invisible to further inspection. I'll have to do a reinstall now. I've cleaned up all results of his break-in as best I can but it wouldn't be fair to my customers to risk their information. Reinstalling is really the only choice in this situation.

Here is my advice, geared for Linux users:

1. DO NOT RUN: ftp, irc, bind, pop, or any other unnecessary service on a gaming machine. Run sshd on the gaming server and put the other processes on another machine.

2. Run chkrootkit periodically to detect the presence of known rootkits.

3. Use ipchains or iptables to block everything you do not absolutely need.

4. Configure all users except yourself to run in a chrooted jail, if you aren't doing so already. Incidentally, I did this and it is part of what helped me catch him, as he had to edit /etc/ftpaccess to give himself privileges on the accounts he created. The hacker forgot to change /etc/ftpaccess back to the original. If he had, I may never have noticed any problems at all.

5. Install AIDE, a free program that makes it easy to know when someone has been on your system.

6. DO NOT RUN ANY HALFLIFE PROCESSES THAT ALERT THE WORLD ABOUT YOUR SERVERS UNTIL THE ABOVE STEPS ARE TAKEN. I believe that the hacker found out about my vulnerability by watching a program like gamespy for new servers. He happened to catch me while wu-ftp was running. This guy, and people like him, are probably looking at these server lists every day for new machines they can use.

7. Do not use the same root password on multiple machines. I have different passwords on my machines, which is a real blessing at a time like this. I don't have to worry that some trojan program has captured my password and will enable a hacker to get onto my other machines.

8. Remember that a hacker doesn't necessarily want to take your system down. In my case I have a dual AMD 1800+ machine with 1.2 Gig of memory and 200 Gig of HD space. This is an ideal server for halflife, but is also a great server for dealing in illegal child porn, bootleg videos, MP3s, etc. Hackers want to use your machine so they install rootkits that make it very hard to detect them. Next time I build a machine I'll use smaller drives so it won't be as tempting.

9. Is your server acting funny? Does ps work in a way you don't expect? Having trouble logging in sometimes? Has your machine become slow, is it using more bandwidth than you expect? Does your disk hover near capacity but you can't find the files that are causing the problem? Chances are you have been hacked.

10. If you think you have been compromised, don't trust ps, last, who, .bash_history, ls, etc. to tell you anything. Hackers leave their own versions of these files so that you can't see what they are doing. In my case the hacker used a version of ps that hid 3 processes from me.

*IMPORTANT* If you are running wu-ftp and a halflife server I hate to break it to you but you should just assume you are compromised. It took just a few hours for my machine. Get paranoid but don't panic. The first thing you should do is install chkrootkit. It's free and easy to use and it will give you a good indication of whether you've been hit.

I'd like to work with some other admins to create a security guide for game servers. If you are interested reply to this thread or email me at [EMAIL PROTECTED]

Jim

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux
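Points 5 and 10 of the post come down to one thing: the only way to know that /bin has not been silently replaced is a hash baseline taken before the break-in and compared from outside the suspect toolchain. The script below is an added example written for this post, not AIDE's code or anything from the original message; it assumes GNU coreutils (sha256sum, find, sort, diff) and runs its demo on a constructed temporary directory that stands in for /bin.

```shell
# Minimal AIDE-style integrity check: record a SHA-256 baseline of a tree, then
# diff the live tree against it to spot replaced, added or removed binaries.
# Assumes GNU coreutils. Keep the baseline (and ideally a copy of sha256sum,
# find, sort and diff) on read-only or off-box media: a rootkit that replaced
# /bin/ps will just as happily replace the tools used to check it.

# take_baseline DIR OUT  -- write "hash  path" lines for every regular file in DIR
take_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# check_baseline DIR BASELINE -- print every file whose hash differs from the
# baseline, or that appeared/disappeared since it was taken.
# Returns 0 when the tree matches, 1 when anything changed.
check_baseline() {
    _current=$(mktemp)
    take_baseline "$1" "$_current"
    if diff "$2" "$_current" > /dev/null; then
        rm -f "$_current"
        return 0
    fi
    echo "INTEGRITY MISMATCH in $1:"
    # '<' lines are what the baseline recorded, '>' lines are what is on disk now
    diff "$2" "$_current" | grep '^[<>]' | sed 's/^</  baseline:/; s/^>/  live:    /'
    rm -f "$_current"
    return 1
}

# Demo on a constructed directory standing in for /bin (not the real system).
demo_dir=$(mktemp -d)
printf 'original ps\n' > "$demo_dir/ps"
printf 'original ls\n' > "$demo_dir/ls"
take_baseline "$demo_dir" "$demo_dir.baseline"
printf 'trojaned ps\n' > "$demo_dir/ps"    # simulate a rootkit overwriting ps
if check_baseline "$demo_dir" "$demo_dir.baseline"; then
    echo "tree matches baseline"
else
    echo "tree differs from baseline: reinstall from known-good media"
fi
rm -rf "$demo_dir" "$demo_dir.baseline"
```

In practice the baseline is taken right after the install, before the machine is racked, and the check is run from a rescue disk or a second host that mounts the disk read-only.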

