Marc,
here is what one of my friends recommended for scan detectors and other
security-related stuff

letter included, it is pretty long, but definitely worth reading.
-----8<------------------------------------------------------------------------------------
The semi-good news....

Hey Filip....don't feel alone. A good friend of mine and a superior UNIX
Admin (...and now a practiced hacker), when he was first starting out...he
was royally hacked on his site. It happens to many Admins who first put a
box out on the web. There are a number of sites that can help give you steps
to go by, supply you with tools, and supply you with updates....but what it
usually takes is starting with an extremely stingy inetd.conf, and EVERY
service OFF but those that are essential (really, for a web server, that
should be HTTP/HTTPS and maybe SSH, with FTP only turned on manually when
needed). Your firewall should be separate from your web server, and those
separate from your mail server. Of course, for a home situation that is not
always possible....and then it brings up serious security issues that need
to be balanced carefully.

The bad news...

I hate to say this, but there are no easy solutions. Linux is tricky,
because it is a hacked-together (no pun intended) system to begin with.
OpenBSD is the most secure free UNIX out of the box...while Linux is not.
Solaris and many of the pay-to-use UNIX systems are about 50% secure out of
the box. You see, Linux...in particular Red Hat, has been designed with
"ease-of-use" when it is shipped. This makes it very insecure.

The really bad news....

If they have changed the index file, that means they have root. You have
been rooted, and without a finely tuned binary checker (with MD5
comparisons), you will not know if you have any hacked binaries. What this
means is whoever hacked you probably has a Trojan in your system, and may
be able to log back in with ease (providing the server is up...which it
seems to be...just checked). If you have been rooted by someone fairly good,
and they have buried a Trojan...and you do not have a full backup or MD5
checksum listing of every file...then you will need to wipe out the old OS
and reinstall Linux. Before you do this you may want to print out or copy
your configuration files for any of the complex applications. Your other
UNIX admin friends may tell you something different, but from what you have
said below, your hack may already be traded on some of the root sites, and
you will probably get hacked again if you don't wipe it out and start over.

Light at the end of the tunnel....

At this point, get a good book on Hacking/Security on Linux or UNIX
(Stacey's:). After the reinstall, you can take steps to protect your box.
The steps listed in the "semi-good news" will help. Once you feel you have
secured the system you will need to run a few scans. A good first start is a
simple port scan using Nmap; this will list all open ports, guess at the OS
type/version, and calculate the IP sequencing difficulty level. This should
give you a pretty good starting point (Nmap is free at www.insecure.org).
Then you will want to run a more in-depth scan using something like ISS. ISS
is not free, but I have a Windows NT bootleg copy if you want it:() SATAN is
pretty old, but can be used for more in-depth scans....and there are a few
others...but unfortunately they usually cost $$$. If you get the more
in-depth scans, that will give you a starting point to secure your system
even further. If you are running your firewall, web server, and e-mail
server on the same box you will need to be careful, and possibly update
binaries or tweak configurations of the out-of-the-box services to a greater
degree than normal. Once you have tweaked things after the first scan, scan
again and see if your fixes hold. Then you will want to set up more
verbose/centralized logging (such as setting up another server as a syslog
server), and set up some type of log monitoring system that can alert you to
suspicious activities (Swatch..). You will also want to set up a system
binary watcher (Tripwire) or such to make sure that no one tampers in the
future:) There are also some cool semi-free IDS systems out there....but it
is not too hard to set up your own (Perl/shell). Also, check out some of the
hack sites and sign up for Linux security newsletters.

Whew.....good security is hard work:)


Hope that helps, and let me know if you need further help


BTW: Check out www.rootshell.com



~
Namaste - I bow to the divine in you.
~
Filip Hanik
Technical Architect
[EMAIL PROTECTED]
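The letter above leans on an "MD5 checksum listing of every file" and on Tripwire to catch tampered binaries after a root compromise. The following is an added example of that idea, not code from the thread, from Tripwire or from any other tool named here: it builds a manifest of hashes and permission bits for a directory tree, then diffs a later manifest against it. Assumptions of my own: SHA-256 in place of MD5 (MD5 collisions are practical today), a constructed temporary tree standing in for /bin and /etc, and the field and path names used below.

```python
"""File-integrity baseline and check, in the spirit of Tripwire / an MD5 listing.

Added example, not code from the thread. Uses SHA-256 rather than MD5.
Records mode, setuid bit and owner as well as the hash, since a rooted box
is often betrayed by a setuid bit or ownership change rather than by
changed bytes.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Walk `root` and record hash + metadata for every regular file.

    Keys are POSIX paths relative to `root`, so the manifest can be
    compared against the same tree mounted elsewhere (e.g. a rescue boot).
    """
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are out of scope here
            manifest[p.relative_to(root_path).as_posix()] = {
                "sha256": _digest(p),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "setuid": bool(st.st_mode & stat.S_ISUID),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Report added/removed paths and, for surviving paths, which fields differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diff:
                report["changed"][rel] = diff
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate a compromise, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc" / "inetd.conf").write_bytes(b"# all services disabled\n")
        baseline = build_manifest(tmp)
        # The baseline is only trustworthy if it is stored off the box
        # (read-only media or another host); here it is just round-tripped
        # through JSON to show it serialises cleanly.
        baseline = json.loads(json.dumps(baseline))

        # Simulated compromise (constructed): trojaned ls, setuid bit on ps,
        # a dropped hidden file, and the locked-down inetd.conf removed.
        (root / "bin" / "ls").write_bytes(b"replaced ls with a backdoored copy\n")
        os.chmod(root / "bin" / "ps", 0o4755)
        (root / "bin" / ".hidden").write_bytes(b"dropped by intruder\n")
        (root / "etc" / "inetd.conf").unlink()
        return compare(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from known-good media before the box goes online, keep the manifest off the box (an intruder with root can edit a locally stored manifest as easily as the binaries it describes), and run the comparison from a rescue boot rather than on the possibly trojaned system: a kernel-level rootkit can lie to any checker that runs on top of it.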
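Marc asks further down for a "scan detector", and the letter above says a home-grown log watcher in the Swatch style is not hard to write. The following added example (my own, not from the thread, Swatch, or any tool named here) applies a sliding-window heuristic to firewall log lines: one source hitting many distinct TCP ports on one host within a few seconds is flagged. The log lines are constructed in the style of netfilter/iptables LOG output with a syslog timestamp; the regex, the thresholds and the assumed year are my choices, and a real deployment would feed it from a tailed /var/log/messages or a central syslog host instead of the embedded sample.

```python
"""Port-scan detector over firewall log lines (sliding-window heuristic).

Added example in answer to the "scan detector" question; not code from the
thread. Log lines below are constructed in netfilter/iptables LOG style
(SRC=/DST=/PROTO=/DPT=) behind a syslog timestamp and hostname.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, Optional

# Constructed sample: 10.0.0.5 sweeps several ports on 192.168.1.2 within a
# few seconds, 10.0.0.9 is a normal web client, one UDP probe and one sshd
# line are present to show what gets ignored.
SAMPLE_LOG = """\
Jan 22 10:38:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.2 PROTO=TCP SPT=40311 DPT=80 SYN
Jan 22 10:38:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1025 DPT=21 SYN
Jan 22 10:38:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1026 DPT=22 SYN
Jan 22 10:38:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1027 DPT=23 SYN
Jan 22 10:38:03 gw sshd[412]: Accepted publickey for marc from 10.0.0.9 port 40312
Jan 22 10:38:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1028 DPT=25 SYN
Jan 22 10:38:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=UDP SPT=1029 DPT=53
Jan 22 10:38:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1029 DPT=80 SYN
Jan 22 10:38:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.2 PROTO=TCP SPT=40313 DPT=80 SYN
Jan 22 10:38:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1030 DPT=110 SYN
Jan 22 10:38:06 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1031 DPT=111 SYN
Jan 22 10:38:40 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1032 DPT=143 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dpt>\d+)"
)


def parse(line: str, year: int = 2001) -> Optional[tuple]:
    """Return (timestamp, src, dst, proto, dport) or None for non-firewall lines.

    Syslog timestamps carry no year, so one is assumed (parameter above).
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


class ScanDetector:
    """Alert once per (src, dst) when >= `threshold` distinct TCP ports are
    hit within `window` seconds (like scanlogd/portsentry-style counting)."""

    def __init__(self, threshold: int = 6, window: int = 10):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # (src, dst) -> deque of (ts, port)
        self.alerted = set()

    def feed(self, line: str) -> Optional[dict]:
        rec = parse(line)
        if rec is None or rec[3] != "TCP":
            return None
        ts, src, dst, _proto, port = rec
        q = self.events[(src, dst)]
        q.append((ts, port))
        # Drop events that fell out of the window (lines are assumed time-ordered).
        while q and (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and (src, dst) not in self.alerted:
            self.alerted.add((src, dst))
            return {"src": src, "dst": dst, "ports": sorted(ports),
                    "first": q[0][0], "last": ts}
        return None


def run(lines: Iterable[str], threshold: int = 6, window: int = 10) -> list:
    """Feed every line through one detector and collect the alerts."""
    det = ScanDetector(threshold, window)
    return [a for a in (det.feed(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG.splitlines()):
        print(f"scan from {alert['src']} -> {alert['dst']} ports {alert['ports']} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

Two caveats a practitioner should keep in mind: a slow scan spreads its probes over more than the window and slips past a fixed-window count, so keep a longer-horizon tally as well; and a scanner can spoof or decoy its source address, so never let an alert automatically firewall the offending address without a human look, or you hand attackers a way to lock out your real users.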

----- Original Message -----
From: "marc fleury" <[EMAIL PROTECTED]>
To: "jBoss Developer" <[EMAIL PROTECTED]>
Sent: Monday, January 22, 2001 10:38 AM
Subject: RE: [jBoss-Dev] securing your servers


yes, my home machine was hacked as well, and then my provider machine from
there, hence jboss down.

It also proves "dreamhost" detected the intrusion (as I did) but wasn't able
to do anything to prevent it or repair it. :(

I had to reinstall Linux as well.  It seems the first script kiddies were
good and just "parasited" the machine but didn't damage it (and I don't mind
some parasites, all trees have them). But then a "sloppy" script kiddie came
along and boom.

So being badly raped when I was a "security newbie" I decided to look at it
in detail.

Fascinating, had a great time, didn't sleep much last week :)

essentially I disable EVERYTHING (telnet, ftp), I use xinetd, which is more
secure than inetd, and then I turn off all the services in xinetd but pop3s, a
secure POP version on SSL.  ssh is the only way to get in (telneat really
good on windows). Of course I do all the installation off line.  And then I
put "tripwire" to monitor the main directories and turn it on; once it is on I
put the machine online.

then I downloaded a rootkit and diagnosed my own machine for attacks :)
fascinating.

so much fun.  Does anyone know of a good "scan detector"?

marc


|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Filip Hanik
|Sent: Monday, January 22, 2001 10:22 AM
|To: jBoss Developer
|Subject: [jBoss-Dev] securing your servers
|
|
|Just wanted to let everybody who runs RedHat at home (maybe even the JBoss
|servers?) know:
|I got hit by the Ramen Noodle worm on my server at home (I forgot to turn
|off some inetd services - in this case the print service) and my
|machine got rooted.
|This means I have to reinstall my machine from scratch, so be careful all
|of you who run Linux (especially RedHat).
|If you run FreeBSD you're safe!! :)
|
|take a look at the article
|http://news.cnet.com/news/0-1003-200-4508359.html?tag=st.ne.1430735..ni
|
|Filip
|
|~
|Namaste - I bow to the divine in you.
|~
|Filip Hanik
|Technical Architect
|[EMAIL PROTECTED]
|
|----- Original Message -----
|From: "marc fleury" <[EMAIL PROTECTED]>
|To: "jBoss Developer" <[EMAIL PROTECTED]>
|Sent: Monday, January 22, 2001 9:55 AM
|Subject: RE: [jBoss-Dev] jndi/UserTransaction
|
|
|Hello,
|
|sorry for the delay I am finally out of the water re website (well almost).
|
|I am very interested in an integration of
|a/ new TM or extended TM
|b/ Jeremie from France Telecom... it is the new JOnAS TM and I believe we
|can buy ourselves a distributed TM with it.
|
|let me know if you have the time/energy/will to take that on.  To be quite
|frank I am thinking b/ first, then talk to ole on possibilities for a/,
|
|marc
|
|
||-----Original Message-----
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of Sethi , Manish
||Sent: Sunday, January 14, 2001 7:51 AM
||To: 'jBoss Developer '
||Subject: RE: [jBoss-Dev] jndi/UserTransaction
||
||
||Hi Everybody,
||
||Writing very first mail to the group.
||
||I have gone through the present implementation of JTA. I want to help in its
||development. Now what I want to know is which of the following we should
||choose for this job.
||
||1. Should we implement the JTS/OTS specs at the back? (Probably we
||would have to start from scratch...)
||
||OR
||
||2. Should we think of some mechanism of just making TXContext
||movable across multiple JVMs...
||
||
||-Manish
||
||
||-----Original Message-----
||From: marc fleury
||To: jBoss Developer
||Sent: 1/12/01 10:34 AM
||Subject: RE: [jBoss-Dev] jndi/UserTransaction
||
|||Is there a known historical fix for this, such as substituting a
|||different JTA implementation or JNDI implementation? That is, has
|||someone already
||
||hi,
||
||the jndi implementation is an orthogonal issue.  We need to plug in a
||distributed monitor (JTS/JTA) and hook it up to jndi. The plumbing
||(propagation, thread association) is already there as it is an
||adaptation of the old jboss1.0 code.
||
||For the record, jboss1.0 used the JOnAS distributed TM to provide
||distributed transactions.  We deliberately removed it from 2.0 to provide a
||fast in-VM TM.
||
||Plugging a new TM is what is needed.
||
||marc
||
||
|||provided this functionality in the past and is able to offer suggestions?
|||Distributed JTA and UserTransaction access by remote clients through JNDI
|||is spec-required.
|||
|||Sean
|||
|||on 1/11/01 11:17 PM, marc fleury at [EMAIL PROTECTED] wrote:
|||
|||> userTransaction is for beans right now. I.e. visible in JNDI of beans,
|||> but NOT the global JNDI.
|||>
|||> marc
|||>
|||>
|||> |-----Original Message-----
|||> |From: [EMAIL PROTECTED]
|||> |[mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
|||> |Sent: Wednesday, January 10, 2001 8:08 PM
|||> |To: jBoss Developer
|||> |Subject: Re: [jBoss-Dev] jndi/UserTransaction
|||> |
|||> |
|||> |Can't you just access it via the context.getUserTransaction()
|||> |method? It is bound under java:comp/UserTransaction, but this is only
|||> |available from within the EJB while the container is executing a
|||> |method. It's not visible via jndiView.
|||> |
|||> |
|||> |----- Original Message -----
|||> |From: "Peter Braswell" <[EMAIL PROTECTED]>
|||> |To: "jBoss Developer" <[EMAIL PROTECTED]>
|||> |Sent: Wednesday, January 10, 2001 7:20 PM
|||> |Subject: [jBoss-Dev] jndi/UserTransaction
|||> |
|||> |
|||> |> All,
|||> |>
|||> |> I don't see (jndiView) where a UserTransaction is
|||> |> bound.  I didn't find in the mail archives or docs
|||> |> anything indicating how this gets bound...
|||> |>
|||> |> Any hints?
|||> |>
|||> |> peter
|||> |>
|||> |>
|||> |>