Re: Hackers are unstoppable!


 



<quote who="Webmaster">
> We have not been able to determine how a hacker was able to crack one of
> our hosts and deposit binaries on all the hosts in our network (all hosts
> are FC3).
>
> A tripwire report shows the following binaries as being modified.  We
> think this is part of "ethereal," an IP packet sniffer.  Because so many
> files have been modified (these are just the ones in /usr/bin), we decided
> to wipe the system and install FC4.  chkrootkit.0.45 sometimes reports
> that an LKM trojan has been installed, but it does not report a problem
> each time it is invoked.

When doing automatic updates, use your log report to show which packages
were updated.  Then use rpm to list the files associated with those
packages and compare that list to your change report.

> Suggestions as how to prevent this sort of thing would be entertained!
> We've already done the usual things like disallow telnet, use the soft
> firewall that comes with FC3, no anonymous FTP, no known bad php apps
> (like phpBB).

The firewall that comes with FC is a good place to start but you probably
want to spend some quality time customizing and expanding it. 
http://www.netfilter.org/ is a good place to start.

You also want to get SELinux working.  ACLs are great for preventing
unwanted access to system binaries.  If you can't get SELinux working,
there are other options.

It would also be a good idea to jail your apps.

I found AIDE (http://www.cs.tut.fi/~rammer/aide.html) to be more useful
than Tripwire.  Both perform the same function.

What services you have exposed to the internet greatly determines what
process you will need to follow to secure your box.  One thing is for
sure: a base install of most Linux distributions, including Fedora, is not
all that secure.
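The reconciliation step suggested above (list the files owned by the packages your update log says were updated, then compare that list with the integrity checker's change report) as an added example; this is not code from either poster. On a real host the first list would come from `rpm -ql` over the package names pulled out of /var/log/yum.log; both inputs here are constructed inline so the script runs offline, and the package and path names are invented for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Goal: separate file changes explained by a legitimate package update from
# changes that nothing on record accounts for (candidates for a rootkit).
#
# In real use, replace the two constructed lists with something like:
#   awk '/Updated:/ {print $NF}' /var/log/yum.log | sort -u | xargs rpm -ql
# for the package-owned paths, and the "Modified" paths from the Tripwire or
# AIDE report for the changed list.

# Constructed: paths owned by the packages that the update log says were
# updated (what "rpm -ql <pkg>" would print for each of them).
pkg_owned_files() {
    cat <<'EOF'
/usr/bin/ls
/usr/bin/cat
/usr/bin/ssh
/bin/ps
EOF
}

# Constructed: paths the integrity checker flagged as modified.
changed_files() {
    cat <<'EOF'
/usr/bin/ls
/usr/bin/ssh
/usr/bin/netstat
/bin/ps
/usr/sbin/sshd
EOF
}

# Print every changed path that no updated package accounts for.
# comm -13 suppresses lines unique to the package list (column 1) and lines
# common to both (column 3), leaving only paths unique to the change report.
# Temp files are used instead of <(...) so this stays POSIX sh.
unexplained_changes() {
    pkg_list=$(mktemp) || return 1
    chg_list=$(mktemp) || { rm -f "$pkg_list"; return 1; }
    pkg_owned_files | sort -u > "$pkg_list"
    changed_files   | sort -u > "$chg_list"
    comm -13 "$pkg_list" "$chg_list"
    rm -f "$pkg_list" "$chg_list"
}

# Convenience: number of unexplained paths, as a plain integer.
unexplained_count() {
    unexplained_changes | grep -c .
}

# Stand-alone run: print the list and exit non-zero if anything is left over,
# so the script can sit in a cron job next to the nightly AIDE/Tripwire run.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "Changed paths not explained by any updated package:"
    unexplained_changes
    [ "$(unexplained_count)" -eq 0 ]
fi
```

Two caveats belong with this check. A path appearing in the package list only means the update *could* explain the change, not that the file on disk is the packaged one; `rpm -V <pkg>` compares the installed file against the checksum recorded in the RPM database and closes that gap. And on a host you already suspect is rooted, neither rpm nor its database can be trusted (an LKM rootkit, which chkrootkit hinted at in the quoted report, can hide files from every userland tool), so run the comparison from rescue media or against a copy of the disk, which is exactly why the poster's decision to wipe and reinstall was the sound one.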


