Wes Morriston enscribed thusly:
> On several occasions, somebody has managed to break into my networked
> SuSE Linux box and do some damage. On two occasions, the damage has
> made it impossible for me to log in to my own site.
> Yesterday, for example, I found the following entries in /etc/passwd.
> slage::0:0::/root:/bin/bash
> Slage::999:999::/tmp:/bin/bash
Ouch.
Do you use IRC? There are a couple of IRC trojans running around
which reputedly do some nasty stuff like this. I don't remember if they
added these specific accounts but I seem to recall something similar. I'll
try and dig up some more info on it later.
> I certainly didn't put these lines in my /etc/passwd file. In
> /var/log/warn and in /var/log/messages I find a lot of stuff like this.
> Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
> Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
> Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
> Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
> Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
> Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
> Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
> I don't know how this person managed to add lines to my /etc/passwd
> file. By the time s/he was done, I couldn't log into my own system
> under *any* legitimate name and passwd, and had to boot from a floppy
> and reinstall a bunch of stuff. Is that some sort of security device
> kicking in? If so, what is the best way of undoing the damage?
> Can anyone advise me about the best method of preventing this sort of
> thing?
1) Go through your system and make sure you are not running ANY
services you don't intend, haven't configured, aren't using, or don't
understand. I helped a web site clean out an intruder who broke in
using innd even though they weren't even running a news system. Installing
services that users do not need or understand is one of my major "button
pushes" against EVERY distribution out there. Some vendors and consultants
are now complaining that Linux is way TOO easy to install because it allows
users to unknowingly install poorly configured servers and shoot themselves
in the foot. They are correct. This is going to be the topic of my next
"On the Ramparts" security article up on LinuxWorld <www.linuxworld.com>.
2) If you are exporting any file systems via nfs or smb (samba) or
anything else, make sure your access permissions are carefully checked.
3) DO NOT run nfs, smb or nis over the greater Internet. The
risk is just TOO great (NIS is jokingly referred to as "Network Intruder
Service").
4) If you are operating an anonymous ftp service, watch your
permissions closely! If you're not - make sure you're not. :-)
5) If you are running a web server, check and recheck your CGI
scripts. Do not allow other users to install arbitrary CGI scripts.
Do not use unrestricted server side includes.
6) If you have a "chat server" (IRC is only one example) running
on your system, make sure that common users can not insert arbitrary
HTML (Hostile JavaScript anyone?) into your pages.
7) If you are running a telnet service, rlogin service, or rsh
service to access your system remotely - WHY?!?!? These are seriously
insecure and allow passwords and user id's to be "sniffed". Use a
secure shell (ssh) connection for remote access and disable all non-encrypted
remote access to the server.
8) If you are running POP or IMAP for remote downloading of E-Mail,
switch to SSL encrypted versions of this. You can use stunnel or edssl to
set up SSL enabled servers. Several E-Mail clients support SSL POP and/or
SSL IMAP. SSL enabled fetchmail is available from the North American
Cryptographic Archives <www.cryptography.org>.
9) Never run routinely as root! Do your routine work as a
non-superuser user and step up to root only when needed. This is
a common failing with most newbies to Linux (and Unix in general).
A year or so ago we had a Linux "virus" running around. It could
only be propagated because people were running as root and allowing
it to modify system binaries. Bad BAD practice. This can not possibly
be understated! If you routinely run as the root user, you might as
well be running DOS - you have just about that much security!
10) If you are going to use IRC, use extreme caution and stay on
top of IRC security announcements. I don't use IRC and can't point you
to the best source of those warnings. The number of times IRC trojan
warnings show up on BugTraq and related lists are scary. I'll see if
I can hunt down some sources and post a followup later.
11) Make sure you are not using easily guessable passwords. From
your log snippet, it looks like you are running the shadow password
file system. GOOD - that slows up anyone who tries to grab your encrypted
passwords to run crack on them. You should run crack (available at your
favorite hack shop - www.rootshell.com) on your own password system just
to make sure there aren't any that you missed.
12) Watch out for unusual "suid" programs. "Find" is your friend.
13) Browse through some of the "white hat hacker" sites and get a feel
for some of the recent danger points. RootShell <www.rootshell.com> and
L0pht <www.l0pht.com> (Those are zer0's in there) are good places to start.
There are also some linux security sites out there.
14) Poke around the public databases. We have some where I work at
Internet Security Systems <www.iss.net>. There are a few other sites that
we also link to from there.
15) Check out tripwire. That can alert you to modified binaries and
permissions. There are commercial variations of this application, including
one from Internet Security Systems. Some are more extensive than tripwire,
some are not.
16) Run a network security scanner on your system! Satan is one
such scanner. Internet Security Systems also produces a commercial
security scanner. The ISS scanner is free to download and run against
your local host. Even if you don't intend to purchase the ISS scanner,
or can't afford it (sorry, it can be a bit expensive), I would encourage
you to get the local host eval (it's fully functional) and run it on your
system.
17) Get on some security mailing lists such as linux-security or
BugTraq. You can find the addresses and subscription information on
some of the web sites listed above.
18) Put up the firewalling code, even on single systems, and block
EVERYTHING that you do not understand or do not specifically want. This
can put a serious crimp in some rootkit backdoors.
Ooookkkkk.... Better stop now...
These are just some starter ideas.
Disclaimer... I'm the Senior Researcher for Internet Security
Systems and rather proud of the Internet Scanner, which I helped develop.
For that reason, I'm probably more biased than even other people at ISS
regarding that scanner product. This was not intended as a commercial
plug. If the free version of that scanner is helpful in securing your
personal systems, then I feel I have "done a good thing". Download it
and enjoy.
Thinking about it now, I think that an article for "On the Ramparts"
devoted to how to find security information like this would be appropriate.
> Thanks.
> Wes
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
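As an added example that is not part of the original thread: a small POSIX shell script that mechanises two of the checks above, spotting injected /etc/passwd entries like the `slage` lines in the question (item 11) and counting failed root logins per source address from log lines in the format Wes posted, plus the `find` one-liner for suid files from item 12. The function names and the sample passwd/log contents are constructed for the example; on a real system feed the functions /etc/passwd and /var/log/messages instead.

```shell
#!/bin/sh
# Added example, not from the original thread: offline checks for the two artefacts
# the post shows (injected /etc/passwd entries, failed-login log lines). Sample data
# below is constructed to match the post's format.

# Constructed stand-in for /etc/passwd, including the two injected entries.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
wes:x:500:100:Wes:/home/wes:/bin/bash
slage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
EOF
}

# Read passwd on stdin; flag any UID-0 account other than root and any account
# with an empty password field (it can log in with no password at all).
check_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "extra-uid0:" $1 }
        $2 == ""                { print "empty-password:" $1 }'
}

# Constructed log lines in the post's format (the mail-wrapped lines joined).
sample_log() {
cat <<'EOF'
Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
EOF
}

# Read log lines on stdin; print "source:count" for each address with at least
# $1 (default 2) failed root logins, a crude password-guessing indicator.
failed_root_by_source() {
    awk -v limit="${1:-2}" '
        /invalid password for .root. / { src = $NF; gsub(/[^0-9.]/, "", src); n[src]++ }
        END { for (s in n) if (n[s] >= limit) print s ":" n[s] }' | sort
}

# Item 12 of the reply: list set-uid files so unexpected ones stand out (run as root).
find_suid() { find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null; }

sample_passwd | check_passwd
sample_log | failed_root_by_source 2
```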