This makes me stop and think... Although I've noticed absolutely no strange behavior from my server, heaven knows it's probably a wonderful candidate for being rooted. It's running a pretty old version of Linux, and I know that the ipchains are at least partially broken (hopefully broken-safe rather than broken-wide-open, but exactly---"hopefully"), and it hasn't been updated in ages. And it's directly connected to the Internet (it IS the firewall).
So with that in mind, what are people's favorite tools to use to detect intrusion? I've heard of "rootkit detection tools" but know shamefully little about them, so I'm very interested in folks' suggestions. As I already mentioned, I've no particular reason to believe I HAVE been hacked, but no particular reason to feel secure that I HAVEN'T, either...

Cheers,
~Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joseph Tate
Sent: Tuesday, February 22, 2005 10:12 PM
To: Triangle Linux Users Group discussion list
Subject: Re: [TriLUG] attack

When you're hacked, the best thing to do is wipe the disks and restore from backups.

Now, if you have a system that's not patched, that system can be hacked in moments. When bringing a server up for the first time, or after an extended disconnection, it's best to update all the packages before connecting to the wild. The other best thing to do is shut down all but the necessary services. Make sure that all passwords are "good", and that all default passwords have been changed. Use iptables/ipchains religiously for both incoming and outgoing connections.

A server that hasn't been connected in a year most likely has a distribution on it that is no longer being updated. If you're going to be using a system infrequently, or over a long period of time, pick a distribution that is likely to stick around for a while, like Debian, or CentOS, or one of the commercial distros, like RHEL or SuSE. They have slower release cycles and longer maintenance windows than other popular distributions.

On Tue, 22 Feb 2005 21:43:20 EST, cate serino <[EMAIL PROTECTED]> wrote:
> Hi,
>
> After only having my server up for a few hours and to a state that I
> thought was fairly secure, I got hacked with what I think is a man in the
> middle attack. Other than turning off ports (telnet, etc.), changing
> root passwords, and editing the hosts.allow and hosts.deny files, what
> can I do to secure my server.
>
> I noticed that he/she was able to run
> ipchains and filter through his/her IP. In addition, he/she was able
> to mount a filesystem on my machine. I have flushed the ipchains and
> unmounted the filesystem. Am I missing anything? I have not had my
> server up for a year. Has the Internet become that bad in one year?
>
> Many thanks,
>
> Cate Serino
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc

--
Joseph Tate
Personal e-mail: jtate AT dragonstrider DOT com
Web: http://www.dragonstrider.com
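As an added example, not part of the thread above and not any poster's code: one of the checks that rootkit-detection tools run on a live box, written as a small POSIX shell script. A rootkit that hides a process normally filters the directory listing of /proc (the readdir/getdents path that `ls /proc` and `ps` use), but a hidden /proc/<pid> entry can still be reached by a direct name lookup. The script takes both views and reports any PID that answers a direct lookup yet is missing from the listing. The probe range (PID_LIMIT, default 65536) and the script's function names are assumptions made for this example; it assumes Linux procfs mounted at /proc, plus `awk`, `grep` and `sort`.

```shell
#!/bin/sh
# Added example (not from the TriLUG thread): hidden-process check by comparing
# the /proc directory listing against direct /proc/<pid> lookups.
#
# Assumption: probing the whole pid_max (4194304 on modern kernels) in sh is
# slow, so we cap the brute-force range; override with PID_LIMIT=... if needed.
PID_LIMIT=${PID_LIMIT:-65536}

# PIDs as the directory listing presents them (the view `ls /proc` and `ps` get).
listed_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done | sort -n
}

# PIDs reachable by direct path lookup, independent of readdir. Thread IDs are
# also reachable as /proc/<tid> but are deliberately left out of the /proc
# listing, so a naive probe would flag every thread as "hidden"; keep only
# thread-group leaders (Tgid == pid) to avoid that false positive.
probed_pids() {
    i=1
    while [ "$i" -le "$PID_LIMIT" ]; do
        if [ -d "/proc/$i" ]; then
            tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$i/status" 2>/dev/null)
            if [ "$tgid" = "$i" ]; then
                printf '%s\n' "$i"
            fi
        fi
        i=$((i + 1))
    done
}

# PIDs that answer a lookup but are absent from the listing. Processes created
# between the two snapshots would look the same, so each candidate is checked a
# second time: a genuinely hidden process stays reachable and stays unlisted.
hidden_pids() {
    probed_pids | while read -r pid; do
        if ! listed_pids | grep -qx "$pid"; then
            if [ -d "/proc/$pid" ] && ! listed_pids | grep -qx "$pid"; then
                printf '%s\n' "$pid"
            fi
        fi
    done
}

# Human-readable summary; exit status 1 if anything suspect turned up.
report() {
    found=$(hidden_pids)
    if [ -z "$found" ]; then
        echo "no hidden PIDs found (probed 1..$PID_LIMIT)"
        return 0
    fi
    echo "suspect PIDs reachable in /proc but absent from its listing:"
    printf '%s\n' "$found"
    return 1
}

# Run as: sh hidden_pids.sh --check
if [ "${1:-}" = "--check" ]; then
    report
fi
```

The limits matter as much as the check: a rootkit that also hooks the lookup/stat path, or one that lives below the kernel's procfs code entirely, passes this test, and any hidden process with a PID above PID_LIMIT is never probed. That is why a positive result is useful evidence while a negative one proves little, and why the advice earlier in the thread to wipe and restore from backups once a box is known compromised still stands. Dedicated tools such as chkrootkit and rkhunter bundle this kind of live-system check with known-signature scans; for a stronger answer, compare the system's files and process list from a boot medium you trust rather than from the possibly-rooted kernel itself.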
