Da Rock wrote:
On Sat, 2008-04-12 at 16:46 +0300, Antti J. Huhtala wrote:
la, 2008-04-12 kello 08:16 +1000, Da Rock kirjoitti:
On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
Your tip about not allowing username/password combinations is a good
one. Any examples of an implementation of eg. key pairs?
Yes, that would be good to see.
Mikkel already answered this one in another post.
Yeah I noticed that- I'll get back to that shortly.
May I also ask if any of you guys having
these attacks are behind a firewall and/or NAT?
At present, no separate router or other firewall, just the one Fedora 8
provides. I've only briefly tried NAT in my LAN but not long enough to
observe whether invasion attempts were extended to the LAN.
I use ssh but so far I
don't believe I've had any trouble- I'd like to be a little better
informed on this though: ie symptoms etc.
The problem with describing the various symptoms an intrusion may cause
is that it is difficult to avoid getting a little paranoid watching eg.
unexpected and rather frequent hard disk activity. That's why I had to
remove beagled from my F7 installation. The hard disk light was on all
the time - or so it seemed.
There are plenty of knowledgeable people on this list who could tell you
much more than I can. Anyway, I monitor my system for intrusion attacks
by having the Network Monitor (or whatever the English term is) icon
permanently on my lower panel. Another icon I have there is the System
Status (or whatever..). If either of these shows high activity that I
have not caused myself, I look at top in terminal window to see what's
going on. Usually it is yum-updatesd or makewhatis - sort of household
chores.
It may be worthwhile to occasionally click on Network Monitor icon to
see how many packets have gone in and out of the Internet interface. If I
haven't updated or downloaded anything, the input/output ratio is
usually well over 100:1. Most of this traffic is ARP broadcast packets -
but of course the 10-minute-interval e-mail traffic is there also. Some
of it is rejections from my box to whoever is trying to connect, ie,
rejections of potential intruders.
As I said before, an almost sure sign of a compromised box is that
logwatch messages suddenly stop coming. Then it is time to run Wireshark
for some length of time to see what is going *out* of your box. 'Whois'
is another friend you probably need then.
Sounds like it's not so much an attack on the machine as much as using it
as a platform to initiate other attacks- would this be correct?
IF this is the case, then a NAT would be a major hindrance to this. If
an attacker can't gain direct access to the machine, then ssh would
probably not be possible; at worst it would be a very good deterrent, as
the attacker would look for an easier target because he's not interested
in the machine itself.
Please, correct me if I'm wrong here. I'd love to see some log entries
for this attack too. In some ways I'm a bit green on security, but I
have been making some major progress in my education on how the attacks
work. But then, with security everybody has something to learn, don't
they?
I doubt any one person knows it all. One of the facts is that most of
the interesting information isn't owned by root at all but by the users.
It's very true as most informed people don't run as root; however, you
gotta be root to delete, modify, or even look at the logs. Someone who
wants to make sure you don't catch on will try to modify the log files,
after all the longer they can keep you from noticing the longer they
will have the run of the machine. You can send your logs to a remote
machine. Now they have two machines to compromise, assuming of course
you're actually checking the logs regularly. As I have pointed out you
have to be root to look at the logs. So protect root at all costs
because yes the user information might be interesting but if they own
root you're gonna have to go to extremes to feel secure again. Keep the
list of installed programs to a minimum. If you don't use it on a
semi-regular basis, uninstall it. If you're not programming then why do
you need a compiler? If you use samba once a month then you may want to leave it
installed but you might as well close the ports on the firewall and open
them manually when you need them. Same thing for the services. In the
end it all depends on how paranoid you want to get. How important is the
information you're protecting? Most of the things I have said are easy to
do if you're root and the local user, but if you're System Admin for even a
medium sized network it can get to be a pain to go around making sure
these things are done and of course even if your users only use Samba
once or twice a month you probably aren't going to turn it off till they
ask or whine about why it doesn't work in the first place. Now you're
talking something like directory services and a root user that
potentially can access everyone's files in the directory and modify
their settings as well. Now root is more important than the user again.
The more I learn about security the greener I feel. Often I have noticed
that it really depends on your perspective, user vs. sys admin. A sys
admin will have to make trade offs to ensure people can get their work
done, but a savvy user can often get around things because it's a
trade-off, instead of outright denial. The sys admin is also often at the
mercy of a computer illiterate boss who only cares that he can get
things done when he feels like it and doesn't realize the potential
dangers of what he's asking for, and even after it's explained to him, he
still doesn't care and forces the sys admin into a bad spot because he's
signing the paycheck. Ultimately the user has to be responsible for
his/her own security. The sys admin has bigger fish to fry than any one
user's concerns. Of course this is only a tiny portion of a much bigger
picture. Someday system security will get solved but until then....let's
hope as the studies suggest that you or one of your coworkers won't sell
their password for a frozen Snickers bar. Frozen Snickers
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmaggggggggggghhhhhhhhhh. Whoa easy
Homer!! New Castle.......you guessed it , I just gave up my password.
Max
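An added example, not part of the thread above and not anyone's posted code, covering two of the points raised: the kind of log entries Da Rock asked to see for an ssh password-guessing attack, and the sshd settings behind the advice to allow key pairs only. The log lines below are constructed for this example and assume the sshd-via-syslog format Fedora writes to /var/log/secure; the failure threshold, the directive names checked and the "yes" defaults assumed for unset directives are taken from OpenSSH of that era, and the threshold value itself is a hypothetical tuning choice.

```python
"""Added example (not from the mailing-list thread): find ssh brute-force
sources in sshd log lines and check that sshd is configured for key-only
login. Sample log lines and config snippets are constructed, not real."""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure entries (assumed Fedora/OpenSSH format).
SAMPLE_LOG = """\
Apr 12 16:40:01 fedora sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 12 16:40:03 fedora sshd[2303]: Failed password for invalid user oracle from 203.0.113.5 port 41034 ssh2
Apr 12 16:40:05 fedora sshd[2305]: Failed password for root from 203.0.113.5 port 41040 ssh2
Apr 12 16:40:07 fedora sshd[2307]: Failed password for root from 203.0.113.5 port 41051 ssh2
Apr 12 16:40:09 fedora sshd[2309]: Failed password for invalid user test from 203.0.113.5 port 41062 ssh2
Apr 12 16:41:10 fedora sshd[2320]: Failed password for antti from 192.168.1.20 port 50210 ssh2
Apr 12 16:41:15 fedora sshd[2320]: Accepted publickey for antti from 192.168.1.20 port 50210 ssh2
Apr 12 16:42:00 fedora sshd[2330]: Accepted password for root from 198.51.100.77 port 3322 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def parse_sshd_log(text):
    """Return (failures, logins): failures maps source IP -> usernames tried;
    logins is a list of (method, user, ip) for each successful login."""
    failures = defaultdict(list)
    logins = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m:
            logins.append((m.group(1), m.group(2), m.group(3)))
    return failures, logins


def brute_force_sources(failures, threshold=5):
    """Source IPs with at least `threshold` failed logins, worst first.
    The threshold is a hypothetical tuning value, not from the thread."""
    counts = Counter({ip: len(users) for ip, users in failures.items()})
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def suspicious_logins(logins):
    """Successful logins worth a second look: any password login (the thread's
    advice is key pairs only) and any direct root login."""
    return [entry for entry in logins if entry[0] == "password" or entry[1] == "root"]


def audit_sshd_config(config_text):
    """List sshd_config directives that still allow the weak behaviours the
    thread warns about. Unset directives are treated as "yes", the default
    for all three in OpenSSH releases of that era (assumption)."""
    wanted = {"PasswordAuthentication": "no", "PermitRootLogin": "no",
              "PubkeyAuthentication": "yes"}
    seen = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        seen[parts[0]] = parts[1].strip().lower() if len(parts) > 1 else ""
    findings = []
    for key, good in wanted.items():
        actual = seen.get(key, "yes")
        if actual != good:
            findings.append(f"{key} is {actual!r}, should be {good!r}")
    return findings


# Constructed sshd_config fragments: the weak setting beside the corrected one.
WEAK_CONFIG = "Protocol 2\n#PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Protocol 2\nPermitRootLogin no\nPubkeyAuthentication yes\n"
                   "PasswordAuthentication no\nChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    failures, logins = parse_sshd_log(SAMPLE_LOG)
    for ip, n in brute_force_sources(failures):
        print(f"{ip}: {n} failed logins, users tried: {sorted(set(failures[ip]))}")
    for method, user, ip in suspicious_logins(logins):
        print(f"review: {user} logged in by {method} from {ip}")
    for finding in audit_sshd_config(WEAK_CONFIG):
        print("weak sshd_config:", finding)
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
```

Run it against the real file with `parse_sshd_log(open("/var/log/secure").read())` as root (the logs are root-readable only, as Max notes). On the constructed sample it singles out 203.0.113.5 for five failures across four usernames, leaves the one mistyped password from the LAN host alone, and flags the root password login as the one to investigate; the commented-out PermitRootLogin line in the weak config is reported because the default still applies.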