[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

Randy Arabie rrarabie at arabie.org
Tue Jan 29 07:52:59 MST 2002


On Tue, 29 Jan 2002, Adam Bultman wrote:

> 
> Okay: This thread has been absolutely fascinating!  I must say.  
> 
> However, here is my question.   At work, I've got a linux box on the 
> Internet.  Red Hat 7.2, and I've used 'bastille' to allegedly lock it down 
> a bit.  I'm running FTP, Sendmail, and ssh.  Yeah, that's it.  Anyway, 
> it's been up on the net for a bit, and I'm wondering: What else can I do 
> to lock it down?  My network segment here isn't scanned much, but I'm 
> still worried about being cracked.  

First, only run what you need.

Follow the errata and security notices for the versions of FTP, Sendmail, and 
ssh you are running.  Look them up on http://www.securityfocus.com/, which has 
a good database of known vulnerabilities for specific versions and platforms.

You could also subscribe to one of the many Bugtraq-like lists.

Is your ftp daemon running chroot'd?  That can minimize the risk.

> Secondly:  I've got an OpenBSD firewall on my ISDN router acting as a 
> firewall. Are there many stories of OpenBSD getting cracked?  I'm running 
> ssh and ftp on there, and other ports are forwarded elsewhere (sendmail, 
> for example is sent to a linux box).  

OpenBSD's motto is that a "default" install has never been cracked.  However, 
you may have noticed that when you complete the default install there are no 
ports open, except maybe ssh.

I can't attribute this quote to its author (and I probably have it a little 
wrong too), but I've heard it many times:

"The only secure computer is one unplugged and buried in a sealed vault."

Same with any operating system: keep up to date on all the services you have 
running.  Patch, update, patch, update...

> oh, well.  Hope things get cleaned up okay, I'd recommend a clean install, 
> rather than cleaning up the mess that's been made.

I'm not a security expert, but I get to play one on my itty-bitty LAN at home.
I find it fascinating, and fun ;-)

I run an intrusion detection system which logs to a mysql database.  It is a 
good way to track trends in probes.  Back when they released the news about the 
ssh v1 vulnerabilities there was a spike in SYN-FIN probes on port 22.  Most 
came from Korea and China.  That's all fine and dandy, but it is reactive, not 
proactive.

The current trend in research is going towards predicting attacks ahead of time,
based on IDS data collected.  That is one of the goals of the HoneyPot project.  Those
guys did some statistical analysis on the data they have collected, and were able 
to find a correlation between the level of scanning/probing and subsequent attacks.

-- 

Cheers!

Randy

================================================================
Randy Arabie
GnuPG Key Info -- 

 Fingerprint: 7E25 DFA2 EF72 9551 9C6C  8AA6 6E8C A0F5 7E33 D981
 Key ID: 7C603AEF
 http://www.arabie.org/keys/rrarabie.gnupg
================================================================
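The trend tracking Randy describes above (IDS alerts stored in a database, then watched for a spike in SYN-FIN probes against port 22 and for the sources behind it) is easy to reproduce over a handful of stored rows. The script below is an added example, not code from the original post or from any IDS; the alert rows are constructed, and the column order (timestamp, source IP, destination port, TCP flags) is an assumption about how such alerts might be stored.

```python
"""Spot a spike in SYN-FIN probes against one port in stored IDS alerts.

Added example, not from the original post.  Row schema is assumed:
(timestamp, source IP, destination port, TCP flag letters).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample alerts (RFC 5737 documentation addresses), one quiet
# week with a burst of SYN-FIN probes on port 22 on 2002-01-25.
SAMPLE_ALERTS = [
    ("2002-01-20 03:12:44", "203.0.113.5", 22, "SF"),
    ("2002-01-21 11:02:09", "198.51.100.7", 22, "SF"),
    ("2002-01-21 22:40:51", "203.0.113.5", 80, "S"),   # web probe, not port 22
    ("2002-01-22 06:15:00", "192.0.2.33", 22, "S"),    # plain SYN, not SYN-FIN
    ("2002-01-23 14:08:31", "198.51.100.7", 22, "SF"),
    ("2002-01-24 01:59:12", "203.0.113.5", 22, "SF"),
    ("2002-01-25 00:10:05", "203.0.113.5", 22, "SF"),
    ("2002-01-25 00:10:06", "203.0.113.5", 22, "SF"),
    ("2002-01-25 00:10:07", "203.0.113.5", 22, "SF"),
    ("2002-01-25 02:33:40", "198.51.100.7", 22, "SF"),
    ("2002-01-25 05:47:19", "192.0.2.33", 22, "SF"),
    ("2002-01-25 09:21:58", "192.0.2.33", 22, "SF"),
    ("2002-01-25 17:04:02", "203.0.113.5", 22, "SF"),
    ("2002-01-26 08:45:13", "198.51.100.7", 22, "SF"),
]


def parse_alert(row):
    """Turn one stored row into a dict with a real datetime and int port."""
    ts, src, dport, flags = row
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dport": int(dport), "flags": flags.upper()}


def is_synfin_probe(alert, port=22):
    """SYN and FIN set together never occurs in a real handshake; treat it as a probe."""
    return alert["dport"] == port and {"S", "F"} <= set(alert["flags"])


def daily_probe_counts(rows, port=22):
    """Count SYN-FIN probes per calendar day.  Quiet days are filled with zero so
    the baseline is not biased toward the days that happened to log something."""
    alerts = [parse_alert(r) for r in rows]
    if not alerts:
        return {}
    counts = defaultdict(int)
    for a in alerts:
        if is_synfin_probe(a, port):
            counts[a["ts"].date()] += 1
    first = min(a["ts"].date() for a in alerts)
    last = max(a["ts"].date() for a in alerts)
    filled, day = {}, first
    while day <= last:
        filled[day] = counts.get(day, 0)
        day += timedelta(days=1)
    return filled


def find_spikes(daily, factor=3.0, min_count=5):
    """Return days whose count is at least `factor` times the mean of every other
    day and at least `min_count`; the floor stops a 1-vs-0 day looking like a spike."""
    spikes, days = [], sorted(daily)
    for d in days:
        others = [daily[o] for o in days if o != d]
        baseline = mean(others) if others else 0.0
        if daily[d] >= min_count and daily[d] >= factor * baseline:
            spikes.append(d)
    return spikes


def top_sources(rows, port=22, n=3):
    """Most active probe sources: the 'where is it coming from' half of the trend."""
    alerts = [parse_alert(r) for r in rows]
    return Counter(a["src"] for a in alerts if is_synfin_probe(a, port)).most_common(n)


if __name__ == "__main__":
    daily = daily_probe_counts(SAMPLE_ALERTS)
    for day, count in sorted(daily.items()):
        print(day, count)
    print("spike days:", [str(d) for d in find_spikes(daily)])
    print("top sources:", top_sources(SAMPLE_ALERTS))
```

With a real database behind it, the row list would come from a query that selects the same four columns; everything else stays the same. The leave-one-out baseline is deliberate: a single busy day should not be allowed to raise the average it is being compared against.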



