>       I'm at MIT now.  We have hacking problems, to the extent that
>on average someone tries a cgi-bin, imapd, mountd, or the bug of the week
>exploit on any given dorm room linux box every single day.  To top that
>off, the network topology is such that one can see the packets for the
>entire dorm on one's interface.

ugh, surely you can ask the networking people when they'll be upgrading
to switches?  and nudge them in that direction faster?  frankly i'm
surprised that MIT is still in the dark ages of networking, although i
understand that replacing hubs with switches isn't exactly a free process.


>       I got my linux box hacked via an imapd exploit, the guy set up a
>root kit to hide everything, installed his own daemon, and started
>sniffing passwords.

there are programs, though i cannot now remember the name of any, that will
watch the updates area of redhat (and hey, they now have a separate ftp
server for just updates, which should be more accessible than ftp.redhat.com
has been in the past, so you can actually get timely updates), and autoinstall
new rpms that appear there.  i'm sure they'll actually just autoupgrade-or-
do-nothing as well...
check www.freshmeat.net for info on them.  i'm sure i saw one come through in
the last month.


>       Ssh is the only intelligent thing to use for terminal sessions.

not only, certainly, but it's certainly the main thing i use.  there are
ssl-telnet and other encrypted connection tools.  (kerberos being widely
used at MIT, no?)


>       Is there any ssh equivalent for file transfers?

scp?  rsync with ssh?  rdist with ssh?  there are certainly instructions
out there (probably in the ssh faq) for tunnelling an ftp-connection's
authentication bits through an ssh tunnel.  for that matter, setting up
ssh tunnelling for any purpose is really pretty easy.  the man pages
say it all.

the only reason i can think of that you'd need to use ssh+ftp is when
the person ftping has an account on the server, with a password.  usually,
then, said person can, with some minimum of difficulty, set up an ssh
tunnel to that host since all that is really required is ability to login
there.
(you don't need root to run sshd!)


>       Any suggestions for improving security...  [I've shut-off all the
>daemons that weren't essential.]  Firewalls aren't allowed...policy.

using tcpwrappers /etc/hosts.{allow,deny} doesn't fall under that policy,
does it?  why not just default-deny everything except ssh, under which
you & trusted folks can connect and modify hosts.allow to include a new
host you want to allow connections from?  you could probably automate
this...i've automated similar (upon login, check the output of who for
the host-connected-from, play some sed games with /etc/hosts.allow and
that output, then logout.  you could setup a separate login which you can
tell friends the password for that only accepts ssh connections (there
is no reason to connect otherwise---niftytelnet for MacOS and teraterm
for win95 both support ssh connections), which does the magic in its
.login)


>       What would be really neat is to setup the computer to watch for
>computers scanning other hosts in the domain and to dynamically modify my
>hosts.deny files to include the scanner.

hope you have an extremely fast computer. =).  this seems implausible--
running tcpdump on a busy network is nontrivial in terms of cpu-usage,
running it 24/7 would definitely impact any machine i can think of.
of course, if you have a quad xeon, maybe it's not such a big deal though.

if you're mostly concerned about password sniffing that you can't do anything
about (your girlfriend uses eudora to check her email 2x/minute),
you might setup separate accounts for imap/ftp access that don't have
real login shells.  reading the security mailing lists never hurts either.

to sum up:
enforce usage of ssh.  hosts.deny almost everything (leave yourself a good
way in (eg ssh) because you'll need it someday..)

PS:  you might consider being a good network citizen and disabling promisc.
mode in your ethernet driver.  it's pretty trivial to modify most of the
linux drivers in this fashion, even for a non-codewhiz like me.  if you
spread the word to others, it would be to your benefit...

(check out /usr/src/linux/drivers/net/*.c, search for promisc, usually
 there's a comment where it would be turned on, and you can just comment
 out a single/few line(s) of code to make yourself a little safer)

luck++
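The hosts.allow automation sketched in the message above (default-deny in hosts.deny, then on each ssh login pull the connected-from host out of `who` and append it to hosts.allow), written out as an added example that is not code from the original message or its author. It assumes a one-host-per-line `sshd: host` layout in hosts.allow and takes the file path as a parameter so it can be exercised on a scratch copy; the `who am i` line shown in the comments is constructed sample input.

```shell
#!/bin/sh
# Added example (not code from the original message): automate the
# "on ssh login, put the host I came from into /etc/hosts.allow" idea.
#
# Assumed default-deny layout (an assumption, not from the message):
#   /etc/hosts.deny   ALL: ALL
#   /etc/hosts.allow  sshd: 18.0.0.1        <- one "sshd: host" line per host
# Paths are parameters so the functions can be exercised on scratch files.

# Print the "connected from" host of a `who` line, or nothing for a local
# login.  `who am i` prints e.g. (constructed sample line)
#   alice    pts/2        Mar 14 02:11 (dorm42.mit.edu)
# and the host is the parenthesised last field.
who_host() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p'
}

# Accept only a plain hostname or dotted-quad address.  tcpwrappers treats
# ALL, LOCAL, KNOWN, UNKNOWN and PARANOID as wildcards, and the utmp host
# field is under the remote side's influence, so anything else is refused
# rather than written into the policy file.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
        ALL|LOCAL|KNOWN|UNKNOWN|PARANOID)  return 1 ;;
    esac
    return 0
}

# Append "sshd: host" to the hosts.allow file given as $1 unless it is
# already there.  Prints added, present or rejected; non-zero on reject.
allow_host() {
    file=$1
    host=$2
    if ! valid_host "$host"; then
        echo rejected
        return 1
    fi
    if grep -qsxF "sshd: $host" "$file"; then
        echo present
        return 0
    fi
    printf 'sshd: %s\n' "$host" >> "$file"
    echo added
}

# Typical use from the .login/.profile of the dedicated "let me in" account
# (assumption: that account can write hosts.allow, runs this, then exits):
#   allow_host /etc/hosts.allow "$(who_host "$(who am i)")"
```

The validation step is the part worth keeping even if the rest is adapted: a sed-and-append loop that trusts the `who` field verbatim would let a crafted host string turn into an `ALL` wildcard or a second `daemon:` clause in the policy file.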