[ale] compromised?

John Wells jbwellsiv at yahoo.com
Mon Dec 17 11:53:17 EST 2001 

Thanks for the detailed description.  I'm a bit busy
with work right now but hope to get this done in the
next few days.

I appreciate all the input.  I'll let you know how it
turns out.

John

--- Dow Hurst <dhurst at kennesaw.edu> wrote:
> John,
> If you didn't have any services advertised on the
> outside interface then
> it isn't very likely you have any problems.  The
> checksum idea is a good
> one since it compares from the original CD to what
> is currently on the
> disk.  If you nmap your machine, what services does
> it show?  SSH and
> ICMP?  Or did you have telnet available?  This info
> helps alot since
> telnetd has issues while your version of SSH might
> not.  If you only had
> iptables evaluating packets, SSH v2, and ICMP as
> contactable ports
> running services then I wouldn't worry too much, but
> would still do the
> check.  If you have other services such as FTP or
> TELNET then I would
> possibly just reload the box from scratch following
> this philosophy:
> 
> Only allow an SSHD daemon to run as your
> LAN/Internet access into the
> box, limit ICMP to what is necessary, and pass to
> the inner network only
> what is absolutely necessary.  In otherwords, deny
> all by default, allow
> only what's required.
> 
> I suggest this only since reloading is sometimes
> easier the second time
> around since you know exactly what you want at this
> point.  I usually
> pick the minimum install selections during a SuSE
> install, and then add
> a couple of security rpms that weren't in that
> selection.  After I get
> the install done, I will configure all network
> services except sshd to
> off.  Load your iptable rules from a floppy where
> you saved them out
> before you blew away the first go around.  Get them
> installed and
> running.  Reboot the box to force the reconfig to
> show you everything
> you could have forgotten to turn off.  Nmap the box
> to see exactly what
> a cracker would see.  Now, update the box from SuSE,
> Redhat, Debian, or
> wherever using the normal methods.  You'll probably
> already have gotten
> ftp client rules in your iptables at this point so
> your update should
> work.  If not, you'll need to allow an outgoing ftp
> connection to your
> preferred server.  You can be specific on the IP of
> the server in your
> rules.
> 
> (Comment: How much would it cost the ALE group to
> sponsor a SSH based
> rpm repository?  I've never had to donate money to
> ALE but that would be
> a neat project.  What if twoguys.org was reinstated
> as the first SSH
> based rpm repository.  ALE could look at modifying
> the rpm source to use
> scp instead of ftp for retrievals.)
> 
> Review the install log for changes.  Reboot again
> and re-nmap.  If you
> only see exactly what you planned then hook it up to
> the DSL modem,
> connect to your ISP, and get an ALE'R to check it
> again for you with
> nmap.  After all of this, I would think you are
> done.  Any comments?
> Dow
> 
> 
> John Wells wrote:
> > 
> > I've been cutting my teeth on iptables rules on a
> > linux router I'm creating for my DSL connection. 
> I'm
> > finally to the point where I feel at least a bit
> > confident that the script is sorta good, but in
> the
> > meantime I've been running iptables wide open with
> > just masquerading enabled.
> > 
> > My question is, now that I'm at the point where
> I'm
> > going to lock the box down fairly well, is there a
> > need to wipe it clean and reinstall linux?  I
> remember
> > hearing in Bob Toxen's ale presentation that a
> default
> > box can be compromised with minutes after being
> > brought up live on the net.
> > 
> > What's the probability that my router's been hit,
> and
> > with Masquerading wide open, what's the
> possibility
> > that someone could have left something behind that
> > won't play nice in the future?  Will locking down
> the
> > box be enough?
> > 
> > Thanks for your input.
> > 
> > John
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Check out Yahoo! Shopping and Yahoo! Auctions for
> all of
> > your unique holiday gifts! Buy at
> http://shopping.yahoo.com
> > or bid at http://auctions.yahoo.com
> > 
> > ---
> > This message has been sent through the ALE general
> discussion list.
> > See http://www.ale.org/mailing-lists.shtml for
> more info. Problems should be
> > sent to listmaster at ale dot org.
> 
> -- 
>
__________________________________________________________
> Dow Hurst                   Office: 770-499-3428
> Systems Support Specialist  Fax:    770-423-6744
> 1000 Chastain Rd.
> Chemistry Department SC428 
> Email:dhurst at kennesaw.edu
> Kennesaw State University        
> Dow.Hurst at mindspring.com
> Kennesaw, GA 30144
> *********************************
> *Computational Chemistry is fun!*
> *********************************


__________________________________________________
Do You Yahoo!?
Check out Yahoo! Shopping and Yahoo! Auctions for all of
your unique holiday gifts! Buy at http://shopping.yahoo.com
or bid at http://auctions.yahoo.com

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

More information about the Ale mailing list