cate serino wrote:
> After only having my server up for a few hours and to a state that I
> thought was fairly secure, I got hacked with what I think is a man in
> the middle attack. Other than turning off ports (telnet, etc.), changing
> root passwords, and editing the hosts.allow and hosts.deny files, what
> can I do to secure my server? I noticed that he/she was able to run
> ipchains and filter through his/her IP. In addition, he/she was able to
> mount a filesystem on my machine. I have flushed the ipchains and
> unmounted the filesystem. Am I missing anything? I have not had my
> server up for a year. Has the Internet become that bad in one year?

Cate - Yes, it's that bad. Those of us who care to keep attack logs have seen them go from 40k/week up to 200k/week currently. This list is full of people who are better at security than I am, but I'll offer you some suggestions to start off with, and leave the more sophisticated stuff to the wizards...
1) Go to a fresh distro. One of the guys mentioned CentOS. SuSE 9.2 is a good one too. An absolute necessity for servers is getting shadow passwords. If this person had root on your machine, they could've used some direct attack, but if they were able to snag an /etc/passwd file and work on cracking it, they pw0ned you.
2) Turn off telnet, ftp and all the r-services. In modern distros, those are typically off anyway.
3) It's critical to keep accounts to a minimum and control them carefully. With tools like John The Ripper, you can hack bad passwords in no time.
4) If your server is a webserver, security is going to be really difficult. There's hacked-up httpd's out there that can be used to harvest your server traffic off the wire in real time.
5) Check the inetd.conf and eliminate anything you can do without.
6) I know it sounds primitive, but hard-coded hosts files and static routes might help fight man-in-the-middle. If you think that's how they got to you, that might not be a bad idea. More trouble, but this server sounds like it's out there flapping in the wind.
7) Even more than using iptables/chains on the box itself, I'd protect it with a separate firewall that implements NAT as well. I like firmware firewalls because they are quiet and small, but logging with those little buggers is very poor compared to a "real" firewall.
8) I have buds who swear by Gentoo and thttp to build secure servers with. You might even think about the possibility of building up a distro on a CD-ROM that loads up on the system and runs without a hard drive. Then if you are hacked, you reboot the box and you're pristine. If there's some security flaw about the CD-ROM "master", you make and burn another one without the flaw. I've long wanted to burn a distro into eeprom and run a server off a read-only solid state memory.
Hope this helps. I'm sure there are many other clever ideas that can be added to these...good luck to you on this!
JKB
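A small audit script for points 1, 2, 3 and 5 above (shadow passwords, legacy inetd services, and the set of accounts that can actually log in). This is an added example, not code from the original post or from the TriLUG list; it takes file paths as arguments and ships with constructed sample files, so it runs offline and can equally be pointed at a box's real /etc/passwd and /etc/inetd.conf.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original post). Checks:
#   - shadow passwords in use (point 1)
#   - telnet/ftp/r-services still enabled in inetd.conf (points 2 and 5)
#   - accounts with interactive shells, the set to keep minimal (point 3)

# Succeeds (exit 0) only if no passwd entry carries a hash or an empty
# password in field 2; "x", "*" and "!..." mean shadowed or locked.
passwd_is_shadowed() {
    ! awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { bad = 1 } END { exit !bad }' "$1"
}

# Prints the legacy services that are still uncommented in an inetd.conf.
risky_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 && $1 ~ /^(telnet|ftp|tftp|shell|login|exec)$/ { print $1 }' "$1"
}

# Prints accounts whose login shell is interactive (not nologin or false).
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Writes constructed sample files (not from any real system) into a temp
# dir and prints its path.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nwww:x:80:80::/var/www:/sbin/nologin\n' > "$d/passwd-good"
    printf 'root:$1$abc$xyz:0:0:root:/root:/bin/sh\nguest::500:500::/home/guest:/bin/sh\n' > "$d/passwd-bad"
    printf '# telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$d/inetd-good"
    printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\nshell stream tcp nowait root /usr/sbin/tcpd in.rshd\n# ftp ...\n' > "$d/inetd-bad"
    echo "$d"
}

# Stand-alone run over the samples (real use: pass /etc/passwd, /etc/inetd.conf).
SAMPLES=$(make_samples)
for f in passwd-good passwd-bad; do
    if passwd_is_shadowed "$SAMPLES/$f"; then
        echo "$f: shadowed"
    else
        echo "$f: WARNING hashes or empty passwords in passwd"
    fi
    echo "$f: interactive accounts: $(login_accounts "$SAMPLES/$f" | tr '\n' ' ')"
done
for f in inetd-good inetd-bad; do
    echo "$f: enabled legacy services: $(risky_inetd_services "$SAMPLES/$f" | tr '\n' ' ')"
done
```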
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
