[ale] compromised?
John Wells
jbwellsiv at yahoo.com
Mon Dec 17 11:53:17 EST 2001
Thanks for the detailed description. I'm a bit busy
with work right now but hope to get this done in the
next few days.
I appreciate all the input. I'll let you know how it
turns out.
John
--- Dow Hurst <dhurst at kennesaw.edu> wrote:
> John,
> If you didn't have any services advertised on the outside interface then it isn't very likely you have any problems. The checksum idea is a good one since it compares from the original CD to what is currently on the disk. If you nmap your machine, what services does it show? SSH and ICMP? Or did you have telnet available? This info helps a lot since telnetd has issues while your version of SSH might not. If you only had iptables evaluating packets, SSH v2, and ICMP as contactable ports running services then I wouldn't worry too much, but would still do the check. If you have other services such as FTP or TELNET then I would possibly just reload the box from scratch following this philosophy:
>
> Only allow an SSHD daemon to run as your LAN/Internet access into the box, limit ICMP to what is necessary, and pass to the inner network only what is absolutely necessary. In other words, deny all by default, allow only what's required.
>
> I suggest this only since reloading is sometimes easier the second time around since you know exactly what you want at this point. I usually pick the minimum install selections during a SuSE install, and then add a couple of security rpms that weren't in that selection. After I get the install done, I will configure all network services except sshd to off. Load your iptable rules from a floppy where you saved them out before you blew away the first go around. Get them installed and running. Reboot the box to force the reconfig to show you everything you could have forgotten to turn off. Nmap the box to see exactly what a cracker would see. Now, update the box from SuSE, Redhat, Debian, or wherever using the normal methods. You'll probably already have gotten ftp client rules in your iptables at this point so your update should work. If not, you'll need to allow an outgoing ftp connection to your preferred server. You can be specific on the IP of the server in your rules.
>
> (Comment: How much would it cost the ALE group to sponsor a SSH based rpm repository? I've never had to donate money to ALE but that would be a neat project. What if twoguys.org was reinstated as the first SSH based rpm repository. ALE could look at modifying the rpm source to use scp instead of ftp for retrievals.)
>
> Review the install log for changes. Reboot again and re-nmap. If you only see exactly what you planned then hook it up to the DSL modem, connect to your ISP, and get an ALE'R to check it again for you with nmap. After all of this, I would think you are done. Any comments?
> Dow
>
>
> John Wells wrote:
> >
> > I've been cutting my teeth on iptables rules on a linux router I'm creating for my DSL connection. I'm finally to the point where I feel at least a bit confident that the script is sorta good, but in the meantime I've been running iptables wide open with just masquerading enabled.
> >
> > My question is, now that I'm at the point where I'm going to lock the box down fairly well, is there a need to wipe it clean and reinstall linux? I remember hearing in Bob Toxen's ale presentation that a default box can be compromised within minutes after being brought up live on the net.
> >
> > What's the probability that my router's been hit, and with Masquerading wide open, what's the possibility that someone could have left something behind that won't play nice in the future? Will locking down the box be enough?
> >
> > Thanks for your input.
> >
> > John
> >
> --
> Dow Hurst                      Office: 770-499-3428
> Systems Support Specialist     Fax: 770-423-6744
> 1000 Chastain Rd.              Email: dhurst at kennesaw.edu
> Chemistry Department SC428     Dow.Hurst at mindspring.com
> Kennesaw State University
> Kennesaw, GA 30144
> *********************************
> *Computational Chemistry is fun!*
> *********************************
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
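Dow's reload-and-lock-down philosophy above (sshd as the only outside service, ICMP limited, masquerading for the inner network, one outgoing FTP allowance for updates), written out as an iptables script. This is an added example, not code from the thread or from either poster; the interface names (ppp0, eth0), the inner network (192.168.1.0/24), the update server address (192.0.2.10, a placeholder) and the use of the iptables state match for connection tracking are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ALE thread. A default-deny iptables policy
# for a two-interface DSL router along the lines Dow describes. The interface
# names, the inner network and the update-server address are assumptions.

WAN=ppp0                  # assumed DSL-facing interface
LAN=eth0                  # assumed inner-network interface
LAN_NET=192.168.1.0/24    # assumed inner network
UPDATE_SERVER=192.0.2.10  # placeholder: the one FTP server updates may come from

# firewall_rules CMD - runs every rule through CMD: "iptables" to load it,
# "echo" to preview exactly what would be loaded.
firewall_rules() {
    ipt=$1
    # Deny all by default; every allow below is explicit.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP
    $ipt -F
    $ipt -t nat -F
    # Loopback, plus replies to connections this box or the LAN already opened.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # sshd is the only service reachable on the outside interface.
    $ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # ICMP limited to what is necessary: rate-limited echo, and path-MTU messages.
    $ipt -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
    $ipt -A INPUT -i "$WAN" -p icmp --icmp-type fragmentation-needed -j ACCEPT
    # The router itself may open FTP control sessions only to the update server
    # (the data connection rides in as RELATED once ip_conntrack_ftp is loaded).
    $ipt -A OUTPUT -o "$WAN" -p tcp -d "$UPDATE_SERVER" --dport 21 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT    # DNS for the update run
    # Inner network: may reach the router and be masqueraded outward; nothing
    # new is forwarded inward.
    $ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $ipt -A OUTPUT -o "$LAN" -j ACCEPT
    $ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-preview}" in
    apply)   firewall_rules iptables ;;
    preview) firewall_rules echo ;;    # default: print the rules, touch nothing
esac
```

Run it with no argument to review the rules it would load, then with `apply` as root; the nmap pass Dow describes afterwards should show nothing but SSH and limited ICMP answering on the outside interface.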