[SLUG] (was: snooping / detective work.)

2001-05-06 Thread Paul Robinson

Yeah, I guess it would be a waste of resources. It would still prove to be a
worthwhile setup to detect any future attempts though, wouldn't it? I seem
to recall reading on the snort site that the optimum setup is to have one
snort running outside the firewall and one inside the firewall; that way
you can see who's attempted what and you can also see who got through with
what.

On a side note, I was looking at Gateway and Dell for potential ready-made
firewalls. They both seem to offer easily configurable purpose-built
machines (e.g. Gateway's micro server or Dell's power web server). Are there
any problems with these servers? I am worried that they may not be fully
configurable and updatable, and was wondering if anyone has had any
experience with this sort of server. Is it better to just get a regular
PC and set it all up manually?

We kind of need a quick solution, as productivity is suffering due to the
effect that the compromise has had (DoS effects when the person assumes the
identity of another machine on our network).

Again, thanks in advance,
Paul

At 01:32 PM 6/05/2001 +1000, Del wrote:
  What I'd like to be able to do before I set up said firewall is
  set up a sort of packet sniffer box in between the internet and one of the
  servers that this person is using. Hopefully to find out who they are and
  what they are doing.

Right answer, wrong problem.

Who they are is a relayed attack through some other compromised machine
somewhere else, probably in Brazil, Pakistan, Greece, or Saudi Arabia.
That compromised machine is probably relaying data from a third machine
which in turn relays from a fourth ... etc.  You may have to involve
Interpol in a search for the real hacker, or at least CERT.

What are they doing?  Probably going around the internet seeing how
many m4ch1n3s th3y can 0wn3d l1k3 y00r s0rry 4rs3 b3cuz th3y 4r3
1337 d00d!  If you're really lucky they might actually do something
useful with your machine, like D0S M1cr0s0ft!!!

It's not worth your trouble.  Besides, who cares?

Find out how they got in.  My guess:  Because you didn't have a firewall.
End of answer.  Once you have that answer, find out how to keep them out.
I think you can guess the answer to that one.

Believe me, tracking hackers back to home base is just not worth it.
Besides, once your hacker is kicked out of his dial-up account for h4x0ring
your b0x, they'll just use one of the other 500 or so accounts they managed
to get off the phreakers' mailing lists.  If it's really important that you
track the guy down because there's some kind of industrial espionage issue
going on and you want to prosecute, then call in the experts to do it.

Del

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


[SLUG] Re: Snooping/Detective Work

2001-05-06 Thread Rebecca Richards

Paul,

Paul Robinson [EMAIL PROTECTED] said:

 They also have each individual workstation / server / printer
 given an internet IP address (This is also going to change once said
 firewall is set up) which was just asking for trouble.

When you reassign your IP addresses, I would suggest that you read RFC 1918
regarding use of private IP addresses, and do NAT at the firewall.  You can
handle internal IP addresses through DHCP, giving your printers and main servers
static leases.  Works quite well, and is far more manageable than administering
bucketloads of static addresses.

  What I'd like to be able to do before I set up said firewall is
  set up a sort of packet sniffer box in between the internet and one of the
  servers that this person is using. Hopefully to find out who they are and
  what they are doing.

That's fine, but you've prolly missed the window of opportunity to gather
evidentiary data which could be used to convict the attacker(s).

The best you'll probably be able to do is determine what exploits they used
etc.  In the meantime, while setting up the sniffer etc, the attacker is using
your system(s) to compromise others, bounce mail off of, steal company IP, etc
etc etc.

Nice exercise to do from an administrative point of view, but not good from a
security/company standpoint.

Also, make sure your IT manager(s) know what you're doing.

 I was currently working on setting up a linux box to 
 install that netsaint package that I asked about a few weeks back. So 
 currently we have a Slackware 4.0 (2.2.6 kernel) box which has the
 default setup + latest apache php 4 and mysql. I can add a second nic 
 and turn off all services and use this box.

I would question the need for a web server plus scripting languages on this sort
of machine.  The last thing you need is for your sniffer logs to be compromised.

 It will have to fit in seamlessly and both my work colleagues and
 the intruder must not suspect any change. I was thinking that it would be
 something like below:

The diagram shows the existing network being split in half.  For one, I don't
see how this can work without one or the other networks being re-addressed or
subnetted (which will impact users).  Also, as soon as you bring up this box,
the attacker will know about it (through ARP broadcasts).  Do you think the
attacker is NOT running a sniffer as well?

I would suggest that you configure this sniffer as such:

Internet ----+---- Server
             |
             |
             |
          Sniffer

The sniffer machine sits off a hub on the network, with its network interface
set to promiscuous mode.  Because there is no re-subnetting etc, there is no
impact to existing users, or the attacker.

You should also install a firewall on this box, and turn off everything you
don't need (like web servers, X, databases, portmap, etc).

 I was thinking of using snort for this as I've heard
 it's pretty comprehensive and I've seen the ruleset generation page and

Snort is your friend in this case, along with the original sniffer logs.

When you're finished, burn the logs to CDROM.

Rebecca Richards, CCSA CCSE, Unix/Security Consultant, e-Secure Pty Ltd
Secure in a Networked World
Suite 201, 2-4 Pacific Highway, St Leonards NSW Australia
Phone: (02) 9438 4984   Fax: (02) 9438 4986   Mobile: 0412 823 206
Email: [EMAIL PROTECTED]
ACN 068 798 194   http://www.e-secure.com.au
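The RFC 1918 / NAT / DHCP advice in Rebecca's reply above, worked through as an added Python example (this is not code from the thread or from either poster). It checks a proposed internal addressing plan the way you would before cutting over: the block must be one of the three RFC 1918 ranges, the router and DHCP pool must sit inside it, and the static leases for printers and servers must not collide with each other or fall inside the dynamic pool. It then renders the matching ISC dhcpd.conf fragment. The two sample plans, hostnames and MAC addresses are constructed; the "public" plan uses the 203.0.113.0/24 documentation range to stand in for the real addresses the posters would have had.

```python
import ipaddress

# The three RFC 1918 blocks spelled out, rather than relying on ipaddress.is_private,
# which also returns True for documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_plan(subnet, dynamic_pool, router, static_leases):
    """Return a list of problems with an internal addressing plan (empty if it is sound).

    subnet        -- CIDR string for the internal network, e.g. "192.168.10.0/24"
    dynamic_pool  -- (first, last) addresses handed out by DHCP
    router        -- the firewall's inside address
    static_leases -- {hostname: (mac, ip)} for printers and main servers
    """
    problems = []
    net = ipaddress.ip_network(subnet, strict=True)
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append(f"{subnet} is not an RFC 1918 block")
    lo, hi = (ipaddress.ip_address(a) for a in dynamic_pool)
    gw = ipaddress.ip_address(router)
    for label, addr in (("pool start", lo), ("pool end", hi), ("router", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {subnet}")
    if lo > hi:
        problems.append(f"dynamic pool {lo}-{hi} is reversed")
    if lo <= gw <= hi:
        problems.append(f"router {gw} lies inside the dynamic pool")
    seen_mac, seen_ip = {}, {}
    for host, (mac, ip) in static_leases.items():
        mac = mac.lower()
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{host}: fixed address {ip} is outside {subnet}")
        elif lo <= addr <= hi:
            problems.append(f"{host}: fixed address {ip} lies inside the dynamic pool {lo}-{hi}")
        if mac in seen_mac:
            problems.append(f"{host}: MAC {mac} already assigned to {seen_mac[mac]}")
        if ip in seen_ip:
            problems.append(f"{host}: address {ip} already assigned to {seen_ip[ip]}")
        seen_mac.setdefault(mac, host)
        seen_ip.setdefault(ip, host)
    return problems


def render_dhcpd_conf(subnet, dynamic_pool, router, static_leases):
    """Render an ISC dhcpd.conf fragment: one subnet block plus a host stanza per static lease."""
    net = ipaddress.ip_network(subnet, strict=True)
    lines = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  option routers {router};",
        f"  range {dynamic_pool[0]} {dynamic_pool[1]};",
        "}",
    ]
    for host, (mac, ip) in static_leases.items():
        lines += [f"host {host} {{", f"  hardware ethernet {mac};", f"  fixed-address {ip};", "}"]
    return "\n".join(lines) + "\n"


# Constructed plans: the first is what the advice describes; the second keeps public
# addresses (TEST-NET standing in for real ones) and contains two static-lease mistakes.
GOOD_PLAN = dict(subnet="192.168.10.0/24", dynamic_pool=("192.168.10.100", "192.168.10.199"),
                 router="192.168.10.1",
                 static_leases={"printer1": ("00:11:22:33:44:55", "192.168.10.10"),
                                "mailsrv": ("00:11:22:33:44:66", "192.168.10.20")})
BAD_PLAN = dict(subnet="203.0.113.0/24", dynamic_pool=("203.0.113.100", "203.0.113.199"),
                router="203.0.113.1",
                static_leases={"printer1": ("00:11:22:33:44:55", "203.0.113.150"),
                               "mailsrv": ("00:11:22:33:44:55", "203.0.113.20")})

if __name__ == "__main__":
    print(validate_plan(**GOOD_PLAN))      # []
    for problem in validate_plan(**BAD_PLAN):
        print("problem:", problem)
    print(render_dhcpd_conf(**GOOD_PLAN))
```

The NAT half of the advice is a single rule on the firewall once the inside is renumbered, for example `iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -j MASQUERADE` (eth0 assumed to be the outside interface); the point of validating the plan first is that a fixed address accidentally placed inside the DHCP pool shows up later as the same kind of duplicate-address trouble the thread is already dealing with.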
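Two points in the thread meet in one piece of detection logic: Paul's symptom of someone "assuming the identity of another machine" on the segment, and Rebecca's remark that any new box announces itself through ARP broadcasts. The following is an added Python example, not code from the thread or from either poster, of what a promiscuous-mode sniffer on the hub can do with that: decode raw Ethernet/ARP frames and keep an IP-to-MAC table, reporting a new station when an address appears for the first time and a changed hardware address when a different MAC starts answering for a known IP. The frames are constructed inline (TEST-NET addresses, made-up MACs); in practice the same functions would be fed packets from a capture library or a saved pcap.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str      # source MAC from the Ethernet header
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Decode one raw Ethernet frame; return an ArpPacket, or None for non-ARP traffic."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_src = _mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(eth_src, oper, _mac(sha), _ip(spa), _ip(tpa))


class ArpWatch:
    """Track the IP -> MAC bindings seen on the segment and report anything new or changed."""

    def __init__(self):
        self.bindings = {}   # ip -> mac

    def observe(self, pkt: ArpPacket) -> list:
        alerts = []
        if pkt.sender_mac != pkt.eth_src:
            alerts.append(f"ARP sender {pkt.sender_mac} does not match frame source {pkt.eth_src}")
        if pkt.sender_ip == "0.0.0.0":        # ARP probe: nothing to record yet
            return alerts
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            alerts.append(f"new station {pkt.sender_ip} at {pkt.sender_mac}")
        elif known != pkt.sender_mac:
            alerts.append(f"changed ethernet address {pkt.sender_ip}: {known} -> {pkt.sender_mac}")
        self.bindings[pkt.sender_ip] = pkt.sender_mac
        return alerts


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Build a raw Ethernet+ARP frame; used here only to construct the sample capture."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
           + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return eth + arp


# Constructed sample capture: the gateway asks for the server, the server answers, an
# unrelated IPv4 frame goes by, then a different MAC answers for the server's address,
# which is what a machine taking over another's identity looks like on the wire.
GATEWAY_MAC, SERVER_MAC, ROGUE_MAC = "00:00:0c:aa:bb:01", "00:50:56:00:00:20", "00:0c:29:de:ad:01"
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, GATEWAY_MAC, "203.0.113.1", "00:00:00:00:00:00", "203.0.113.20"),
    build_arp_frame(ARP_REPLY, SERVER_MAC, "203.0.113.20", GATEWAY_MAC, "203.0.113.1", dst_mac=GATEWAY_MAC),
    _mac_bytes("00:00:00:00:00:00") + _mac_bytes(GATEWAY_MAC) + b"\x08\x00" + b"\x00" * 40,  # plain IPv4
    build_arp_frame(ARP_REPLY, ROGUE_MAC, "203.0.113.20", GATEWAY_MAC, "203.0.113.1", dst_mac=GATEWAY_MAC),
    build_arp_frame(ARP_REQUEST, GATEWAY_MAC, "203.0.113.1", "00:00:00:00:00:00", "203.0.113.20"),
]


def run_monitor(frames):
    """Feed raw frames through the watcher; return (alerts, final ip -> mac table)."""
    watch = ArpWatch()
    alerts = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is not None:
            alerts.extend(watch.observe(pkt))
    return alerts, watch.bindings


if __name__ == "__main__":
    for line in run_monitor(SAMPLE_FRAMES)[0]:
        print(line)
```

On a hub every station's ARP traffic reaches the sniffer without any re-addressing, which is why this works from the position Rebecca draws. The first alerts after the box comes up are just the existing inventory (one "new station" per host); what matters is a "changed ethernet address" for a server or the gateway, which is the thing to write to the logs that later go to CD-ROM.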
