On Sun, 2008-04-13 at 11:48 -0400, max wrote: > Da Rock wrote: > > On Sat, 2008-04-12 at 16:46 +0300, Antti J. Huhtala wrote: > >> la, 2008-04-12 kello 08:16 +1000, Da Rock kirjoitti: > >>> On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote: > >>>> Your tip about not allowing username/password combinations is a good > >>>> one. Any examples of an implementation of eg. key pairs? > >>> Yes, that would be good to see. > >> Mikkel already answered this one in another post. > > > > Yeah I noticed that- I'll get back to that shortly. > > > >>> May I also ask if any of you guys having > >>> these attacks are behind a firewall and/or NAT? > >> At present, no separate router or other firewall, just the one Fedora 8 > >> provides. I've only briefly tried NAT in my LAN but not long enough to > >> observe whether invasion attempts were extended to the LAN. > >>> I use ssh but so far I > >>> don't believe I've had any trouble- I'd like to be a little better > >>> informed on this though: ie symptoms etc. > >>> > >> The problem with describing the various symptoms an intrusion may cause > >> is that it is difficult to avoid getting a little paranoid watching eg. > >> unexpected and rather frequent hard disk activity. That's why I had to > >> remove beagled from my F7 installation. The hard disk light was on all > >> the time - or so it seemed. > >> There are plenty of knowledgeable people on this list who could tell you > >> much more than I can. Anyway, I monitor my system for intrusion attacks > >> by having the Network Monitor (or whatever the English term is) icon > >> permanently on my lower panel. Another icon I have there is the System > >> Status (or whatever..). If either of these shows high activity that I > >> have not caused myself, I look at top in terminal window to see what's > >> going on. Usually it is yum-updatesd or makewhatis - sort of household > >> chores. > >> It may be worthwhile to occasionally click on Network Monitor icon to > >> see how many packages have gone in and out the Internet interface. If I > >> haven't updated or downloaded anything, the input/output ratio is > >> usually well over 100:1. Most of this traffic is ARP broadcast packets - > >> but of course the 10-minute-interval e-mail traffic is there also. Some > >> of it is rejections from my box to whoever is trying to connect, ie, > >> rejections of potential intruders. > >> As I said before, an almost sure sign of a compromised box is that > >> logwatch messages suddenly stop coming. Then it is time to run Wireshark > >> for some length of time to see what is going *out* of your box. 'Whois' > >> is another friend you probably need then. > > > > Sounds like its not so much an attack on the machine as much as using it > > as a platform to initiate other attacks- would this be correct? > > > > IF this is the case, then a NAT would be a major hindrance to this. If > > an attacker can't gain direct access to the machine, then ssh would > > probably not possible- at worst would be a very good deterent as the > > attacker would look for an easier target because he's not interested in > > the machine itself. > > > > Please, correct me if I'm wrong here. I'd love to see some log entries > > for this attack too. In some ways I'm a bit green on security, but I > > have been making some major progress in my education on how the attacks > > work. But then, with security everybody has something to learn, don't > > they? > > > I doubt any one person knows it all. One of the facts is that most of > the interesting information isn't owned by root at all but by the users. > Its very true as most informed people don't run as root, however you > gotta be root to delete,modify, or even look at the logs. Someone who > wants to make sure you don't catch on will try to modify the log files, > after all the longer they can keep you from noticing the longer they > will have the run of the machine. You can send your logs to a remote > machine. Now they have two machines to compromise, assuming of course > your actually checking the logs regularly. As I have pointed out you > have to be root to look at the logs. So protect root at all costs > because yes the user information might be interesting but if they own > root your gonna have to go to extremes to feel secure again. Keep the > list of installed programs to a minimum. If you don't use it on a semi > regular basis uninstall it. If your not programming then why do you need > a compiler? If you use samba once a month then you may want to leave it > installed but you might as well close the ports on the firewall and open > them manually when you need them. Same thing for the services. In the > end it all depends on how paranoid you want to get. How important is the > information your protecting? Most of the things I have said are easy to > do if your root and the local user but if your System Admin for even a > medium sized network it can get to be a pain to go around making sure > these things are done and of course even if your users only use Samba > once or twice a month you probably aren't going to turn it off till they > ask or whine about why it doesn't work in the first place. Now your > talking something like directory services and a root user that > potentially can access everyone's files in the directory and modify > their settings as well. Now root is more important than the user again. > The more I learn about security the greener I feel. Often I have noticed > that it really depends on your perspective, user vs. sys admin. A sys > admin will have to make trade offs to ensure people can get their work > done but a saavy user can often get around things because its a trade > off, instead of outright denial. The sys admin is also often at the > mercy of a computer illiterate boss who only cares that he can get > things done when he feels like it and doesn't realize the potential > dangers of what he's asking for and even after its explained to him, he > still doesn't care and forces the sys admin into a bad spot because he's > signing the paycheck. Ultimately the user has to be responsible for > his/her own security. The sys admin has bigger fish to fry than any one > user's concerns. Of course this is only a tiny portion of a much bigger > picture. Someday system security will get solved but until then....let's > hope as the studies suggest that you or one of your coworkers won't sell > their password for a frozen Snickers bar. Frozen Snickers > mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmaggggggggggghhhhhhhhhh. Whoa easy > Homer!! New Castle.......you guessed it , I just gave up my password. > > Max > But then, thats why you don't give root access to a run of the mill user- or anyone unless you REALLY trust them. I don't trust anybody, so I have a real problem...
