What distribution of Linux was your server running?
Jeff G.
James Brigman wrote:
cate serino wrote:
After only having my server up for a few hours and to a state that I
thought was fairly secure, I got hacked with what I think is a man in
the middle attack. Other than turning off ports (telnet, etc.), changing
root passwords, and editing the hosts.allow and hosts.deny files, what
can I do to secure my server? I noticed that he/she was able to run
ipchains and filter through his/her ip. In addition, he/she was able to
mount a filesystem on my machine. I have flushed the ipchains and
unmounted the filesystem. Am I missing anything? I have not had my
server up for a year. Has the Internet become that bad in one year?
Cate - Yes, it's that bad. Those of us who care to keep attack logs
have seen them go from 40k/week up to 200k/week currently. This list
is full of people who are better at security than I am, but I'll offer
you some suggestions to start off with, and leave the more
sophisticated stuff to the wizards...
1) Go to a fresh distro. One of the guys mentioned CentOS. SuSE 9.2 is
a good one too. An absolute necessity for servers is getting shadow
passwords. If this person had root on your machine, they could've used
some direct attack, but if they were able to snag an /etc/passwd file
and work on cracking it, they pw0ned you.
2) Turn off telnet, ftp and all the r-services. In modern distros,
those are typically off anyway.
3) It's critical to keep accounts to a minimum and control them
carefully. With tools like John The Ripper, you can hack bad passwords
in no time.
4) If your server is a webserver, security is going to be really
difficult. There's hacked-up httpd's out there that can be used to
harvest your server traffic off the wire in real time.
5) Check the inetd.conf and eliminate anything you can do without.
6) I know it sounds primitive, but hard-coded hosts files and static
routes might help fight man-in-the-middle. If you think that's how
they got to you, that might not be a bad idea. More trouble, but this
server sounds like it's out there flapping in the wind.
7) Even more than using iptables/chains on the box itself, I'd protect
it with a separate firewall that implements NAT as well. I like
firmware firewalls because they are quiet and small, but logging with
those little buggers is very poor compared to a "real" firewall.
8) I have buds who swear by Gentoo and thttp to build secure servers
with. You might even think about the possibility of building up a
distro on a CD-ROM that loads up on the system and runs without a hard
drive. Then if you are hacked, you reboot the box and you're pristine.
If there's some security flaw about the CD-ROM "master", you make and
burn another one without the flaw. I've long wanted to burn a distro
into eeprom and run a server off a read-only solid state memory.
Hope this helps. I'm sure there are many other clever ideas that can
be added to these...good luck to you on this!
JKB
--
Law of Procrastination:
Procrastination avoids boredom; one never has
the feeling that there is nothing important to do.
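As an added example (my own, not code from either poster), here is a small read-only audit that checks three of the items in James's list: whether any account still carries a password hash in /etc/passwd instead of being shadowed, which services inetd.conf still has enabled (telnet, ftp and the r-services shell/login/exec in particular), and whether hosts.deny has a catch-all deny line. It runs against constructed sample files embedded in the script so it works offline; to audit a live box, feed it /etc/passwd, /etc/inetd.conf and /etc/hosts.deny instead. The `pwconv` tool named in the comments is the standard shadow-utils command for moving hashes into /etc/shadow. Nothing here changes system state.

```sh
#!/bin/sh
# Added example, not part of the TriLUG thread. Read-only hardening audit
# for the points James raises: shadow passwords, inetd services, hosts.deny.

# Constructed sample /etc/passwd. "cate" still has a hash in field 2, which
# is exactly what shadow passwords (run `pwconv`) are meant to prevent.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
cate:$1$abcdefgh$aaaaaaaaaaaaaaaaaaaaaa:1000:1000:Cate:/home/cate:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'

# Constructed sample inetd.conf. Commented-out lines are disabled services.
SAMPLE_INETD='#echo   stream tcp nowait root internal
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
shell   stream tcp nowait root /usr/sbin/tcpd in.rshd
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd'

# Constructed sample hosts.deny with no default-deny line.
SAMPLE_HOSTS_DENY='# empty'

# Print accounts whose passwd field holds a hash rather than x, *, ! or
# nothing (the markers for "look in /etc/shadow" or "locked").
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 !~ /^[x*!]*$/ { print $1 }'
}

# Print the service names of every uncommented, non-empty inetd.conf line.
enabled_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }'
}

# Narrow that to the services James says to turn off: telnet, ftp and the
# r-services (inetd names them shell, login and exec).
risky_services() {
    enabled_inetd_services "$1" | grep -E '^(telnet|ftp|shell|login|exec)$'
}

# Return 0 when hosts.deny contains a catch-all "ALL: ALL" line, else 1.
hosts_deny_is_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# Total number of findings across the three checks. 0 means all clear.
audit_findings() {
    n=0
    for a in $(unshadowed_accounts "$1"); do n=$((n + 1)); done
    for s in $(risky_services "$2"); do n=$((n + 1)); done
    hosts_deny_is_default_deny "$3" || n=$((n + 1))
    echo "$n"
}

# Run the audit against the constructed samples and print a short report.
printf 'Unshadowed accounts (run pwconv): %s\n' \
    "$(unshadowed_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
printf 'Risky inetd services still enabled: %s\n' \
    "$(risky_services "$SAMPLE_INETD" | tr '\n' ' ')"
if hosts_deny_is_default_deny "$SAMPLE_HOSTS_DENY"; then
    echo 'hosts.deny: default deny present'
else
    echo 'hosts.deny: no "ALL: ALL" line, tcp_wrappers allows by default'
fi
printf 'Total findings: %s\n' \
    "$(audit_findings "$SAMPLE_PASSWD" "$SAMPLE_INETD" "$SAMPLE_HOSTS_DENY")"
```

Against the samples it reports one unshadowed account, three risky services and a missing default-deny line, five findings in all. On a real box you would expect the first list to be empty after `pwconv`, the second to be empty after commenting out the lines in inetd.conf and restarting inetd, and the hosts.deny check to pass once an `ALL: ALL` line is there with explicit exceptions in hosts.allow.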
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc