Thanks all. I am going to bed. I fear I am going to have to reload the server :-(

----- Original Message -----
From: "Brion Hase" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 11:08 PM
Subject: Re: [sclug-general] security
> Use the following URL:
> http://www.cert.org/tech_tips/root_compromise.html
>
> General Answer to Original Question:
>
> I think one of the best rules is to not give users shell access unless you absolutely have to. If you have a single program which they must run, run the program from their ".profile". If there are specific programs that they must run, set them up with a menu. Bill talked a few months ago about using PDMenu (http://www.kitenet.net/programs/pdmenu/). If the users don't need shell access, use "/bin/true" as their shell. Shutting off shell access does not necessarily prevent rootkits, but it helps make it more difficult for the attacker.
>
> Make sure when you or your users log onto the system you are either on the console or you are using ssh. Take the Telnet client and server off the system!! A student could run a traffic sniffer from a laptop or workstation (Windows or Linux) to get passwords.
>
> Another rule of thumb is always keep the system packages updated. With RedHat, the up2date function works well; run it every day or put it into cron. If you don't need a package or service, take it off the system. There are also some RPM options which will check the signatures of packages against the RPM files. As Ted says, make sure you also have the current "openssh" packages installed.
>
> I noticed you said you are running FTP. Never use "wuftpd"; my experience has been that "wuftpd" has historically been full of problems. Look at using ncftpd (http://ncftpd.com/) or a different FTP server. A lot of rootkits use your FTP clients to get the kit transferred to your system. Move your FTP client binaries to a directory not in your path or get them off the system. You can still run them using the full path. The "wget" command is also getting popular for this.
>
> Also check your /etc/inetd.conf file (or xinetd files) for unknown services. Check out what files the rootkit waxes and get them replaced.
>
> Run port scans regularly to check for open ports (put it in cron). Also, get and install Port Sentry (http://www.psionic.com/). Set up ipchains or iptables to block ports which are not used, or better yet use a firewall to block ports.
>
> There are dozens of other tricks and utilities you can use. Check some of the security sites that should be on the links page of sclinux.org. What you are looking for is ways to "harden" your system. As Ted kind of points out, remote logging may also be a good thing to do.
>
> There are some simple ways to detect when a root kit is on your system. It doesn't stop them, but it does normally pick them up when they are there. We are trying to get Jeromey Hannel ([EMAIL PROTECTED]) to give a presentation next year on stopping root kits. He has been working hard on some related work and certifications and is very knowledgeable on the subject.
>
> Brion.
>
>
> At 10:58 PM 12/12/02 -0600, you wrote:
> >Where can I find that info on this website? I noticed the files top and ps are modified and pointed to /dev/null
> >----- Original Message -----
> >From: "Brion Hase" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Thursday, December 12, 2002 10:45 PM
> >Subject: Re: [sclug-general] security
> >
> >
> > > The ifconfig file is a pretty basic target. Copy one over from another system to the /root directory and try that. Check http://www.cert.org/ to see which files the kit usually attacks.
> > >
> > > Brion.
> > >
> > > At 10:40 PM 12/12/02 -0600, you wrote:
> > > >The .bash_history is root's; ifconfig is in /sbin but it doesn't do anything when I run it, it says file not found.
> > > >When I tried to telnet to port 1010 it refused me.
> > > >----- Original Message -----
> > > >From: "dax wood" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Sent: Thursday, December 12, 2002 10:37 PM
> > > >Subject: Re: [sclug-general] security
> > > >
> > > >
> > > > > Have you tried telnet'ing to the open port for some indication of the program running?
> > > > >
> > > > > And try /sbin/ifconfig
> > > > > or locate ifconfig
> > > > >
> > > > > And whose .bash_history file are you talking about?
> > > > >
> > > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > > I just ran chkrootkit; it has found a possible LKM infection. Port 1010 is open, nmap says it doesn't know what it is. I can't tell what rootkit was used. Anyone have any ideas on how to stop this? I know the who file doesn't work, ifconfig doesn't work, .bash_history is linked to another file I can't find. Any suggestions?
> > > > > > ----- Original Message -----
> > > > > > From: "dax wood" <[EMAIL PROTECTED]>
> > > > > > To: <[EMAIL PROTECTED]>
> > > > > > Sent: Thursday, December 12, 2002 10:22 PM
> > > > > > Subject: Re: [sclug-general] security
> > > > > >
> > > > > >
> > > > > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > > > > All,
> > > > > > > > I have installed a redhat 7.2 box in a local school system. Its functions include:
> > > > > > > >
> > > > > > > > Servers:
> > > > > > > > FTP
> > > > > > > > HTTP
> > > > > > > > SSH
> > > > > > > > DHCP
> > > > > > > > DNS
> > > > > > > > Email
> > > > > > > >
> > > > > > > > I have discovered someone created a user account with the home dir of /var/.bash2. They granted themselves group membership of a principal.
> > > > > > > > I noticed three files in their home dir of what appears to be a root exploit called dr. dolittle. I have not heard of this exploit. Anyhow, I disabled the account.
> > > > > > > > I was curious as to how to prevent this in the future. I suspect it is a student causing this. I am wondering if I can disable the shell access to all except a select few. Will this cause problems with email services, etc.? Will this prevent users from getting to a shell to run these exploits?
> > > > > > > > Any help would be greatly appreciated.....
> > > > > > > > Thanks
> > > > > > > > Daniel Kuecker
> > > > > > > >
> > > > > > >
> > > > > > > Best guess would be that someone guessed or manipulated a privileged account password. Look at logs for connections (if this was a real hacker you will not find anything). Red Hat has drwxr-xr-x on /var? So proof of a root hack if that is the case.
> > > > > > > As far as the shell goes you can always play with the inittab file!
> > > > > > >
> > > > > > > In any case you need to upgrade to 8.0; otherwise, due to a lot of httpd->apache and openssl security holes, you're like fish in a barrel.
> > > > > > >
> > > > > > > I was a kid once ( :) _) and I can remember a certain area12 hack on the school's main servers long ago...... in a mac unix far away. Never at a school do you use pen or pencil as a password.
> > > > > > >
> > > > > > > ------ted----
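Editor's note: the thread above boils down to a handful of checks a script in cron could run on a box like Daniel's, so here is one, written for this page as an added example; it is not code from anyone in the thread. It looks for the signs the posters describe: an extra UID-0 or GID-0 account, a hidden home directory like /var/.bash2, an interactive shell on an account that should have /bin/true, a listening port that is not on the expected list (the unknown port 1010), and system binaries such as ps, top and ifconfig whose checksums no longer match a baseline. The passwd lines, the netstat-style lines, the allow-lists and the script name audit-host.sh are all constructed assumptions for the example; on a real host you would feed it /etc/passwd, the output of netstat -ltn, and a checksum baseline made while the machine was still clean.

```shell
#!/bin/sh
# Added example; not code from anyone in this thread. Checks for the signs
# discussed above: a UID-0 or GID-0 account that is not root, a hidden home
# directory such as /var/.bash2, an interactive shell outside a short
# allow-list, a listening port not on the expected list, and system binaries
# (ps, top, ifconfig) whose checksums changed since a clean baseline.
# All input below is constructed for the example; on a real host you would feed
# /etc/passwd, "netstat -ltn" output and a baseline taken while the box was clean.

# Constructed /etc/passwd sample. "bash2" mirrors the account reported in the
# thread (hidden home directory, GID 0); "toor" is a second UID-0 account.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
daniel:x:500:500:Daniel Kuecker:/home/daniel:/bin/bash
student1:x:501:501::/home/student1:/bin/true
bash2:x:502:0::/var/.bash2:/bin/bash
toor:x:0:0::/root:/bin/sh'

# Constructed "netstat -ltn" sample; the unknown port 1010 from the thread is in it.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1010 0.0.0.0:* LISTEN'

# Site policy, assumed for the example: who keeps a real shell, which shells
# count as "no shell", and which TCP ports this server is meant to listen on.
ALLOWED_SHELL_USERS="root daniel"
NO_SHELLS="/bin/true /bin/false /sbin/nologin"
EXPECTED_PORTS="22 80"

# audit_passwd PASSWD_TEXT: prints one finding per line; returns 1 if any.
audit_passwd() {
  out=$(printf '%s\n' "$1" | awk -F: -v allowed="$ALLOWED_SHELL_USERS" -v noshells="$NO_SHELLS" '
    BEGIN {
      n = split(allowed, a, " ");  for (i = 1; i <= n; i++) ok_user[a[i]] = 1
      n = split(noshells, s, " "); for (i = 1; i <= n; i++) no_shell[s[i]] = 1
    }
    NF >= 7 {
      user = $1; uid = $3; gid = $4; home = $6; shell = $7
      if (uid == 0 && user != "root") print "uid0:" user
      if (gid == 0 && user != "root") print "gid0:" user
      if (home ~ "/[.]") print "hiddenhome:" user ":" home    # e.g. /var/.bash2
      if (!(shell in no_shell) && !(user in ok_user)) print "shell:" user ":" shell
    }')
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# audit_ports NETSTAT_TEXT: prints each listening TCP port not in EXPECTED_PORTS.
audit_ports() {
  out=$(printf '%s\n' "$1" | awk -v expected="$EXPECTED_PORTS" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 == "tcp" && $NF == "LISTEN" {
      port = $4; sub(/.*:/, "", port)          # "0.0.0.0:1010" -> "1010"
      if (!(port in ok)) print "port:" port
    }')
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# baseline_checksums DIR: prints "md5  path" for every regular file under DIR.
# Keep that list off the host (or on read-only media): a kit that replaces ps,
# top and ifconfig can just as easily rewrite a baseline stored on disk.
baseline_checksums() {
  find "$1" -type f -exec md5sum {} +
}

# verify_checksums BASELINE_FILE: prints each file that changed or went
# missing since the baseline; returns 1 if anything differs.
verify_checksums() {
  out=$(md5sum -c "$1" 2>&1 | sed -n 's/: FAILED.*//p')
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Runs the account and port checks together, as a cron job would; non-zero
# exit means something was flagged. Only fires when saved as audit-host.sh.
run_audit() {
  status=0
  audit_passwd "$PASSWD_SAMPLE" || status=1
  audit_ports "$NETSTAT_SAMPLE" || status=1
  return $status
}
case "${0##*/}" in audit-host.sh) run_audit ;; esac
```

On the constructed input this reports uid0:toor, gid0:bash2 and gid0:toor, hiddenhome:bash2:/var/.bash2, shell:bash2:/bin/bash, shell:toor:/bin/sh and port:1010, while root, daniel, daemon and student1 pass. The checksum half only catches a userland kit that replaced files on disk; the LKM infection chkrootkit reported in the thread can lie to md5sum the same way it lies to ps, which is why Brion's advice to compare against tools and baselines kept off the compromised box matters.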
