some attack to fedora machine.
Da Rock
rock_on_the_web at comcen.com.au
Mon Apr 14 00:54:08 UTC 2008
On Sun, 2008-04-13 at 11:48 -0400, max wrote:
> Da Rock wrote:
> > On Sat, 2008-04-12 at 16:46 +0300, Antti J. Huhtala wrote:
> >> la, 2008-04-12 kello 08:16 +1000, Da Rock kirjoitti:
> >>> On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
> >>>> Your tip about not allowing username/password combinations is a good
> >>>> one. Any examples of an implementation of eg. key pairs?
> >>> Yes, that would be good to see.
> >> Mikkel already answered this one in another post.
> >
> > Yeah I noticed that- I'll get back to that shortly.
> >
> >>> May I also ask if any of you guys having
> >>> these attacks are behind a firewall and/or NAT?
> >> At present, no separate router or other firewall, just the one Fedora 8
> >> provides. I've only briefly tried NAT in my LAN but not long enough to
> >> observe whether invasion attempts were extended to the LAN.
> >>> I use ssh but so far I
> >>> don't believe I've had any trouble- I'd like to be a little better
> >>> informed on this though: ie symptoms etc.
> >>>
> >> The problem with describing the various symptoms an intrusion may cause
> >> is that it is difficult to avoid getting a little paranoid watching eg.
> >> unexpected and rather frequent hard disk activity. That's why I had to
> >> remove beagled from my F7 installation. The hard disk light was on all
> >> the time - or so it seemed.
> >> There are plenty of knowledgeable people on this list who could tell you
> >> much more than I can. Anyway, I monitor my system for intrusion attacks
> >> by having the Network Monitor (or whatever the English term is) icon
> >> permanently on my lower panel. Another icon I have there is the System
> >> Status (or whatever..). If either of these shows high activity that I
> >> have not caused myself, I look at top in terminal window to see what's
> >> going on. Usually it is yum-updatesd or makewhatis - sort of household
> >> chores.
> >> It may be worthwhile to occasionally click on Network Monitor icon to
> >> see how many packages have gone in and out the Internet interface. If I
> >> haven't updated or downloaded anything, the input/output ratio is
> >> usually well over 100:1. Most of this traffic is ARP broadcast packets -
> >> but of course the 10-minute-interval e-mail traffic is there also. Some
> >> of it is rejections from my box to whoever is trying to connect, ie,
> >> rejections of potential intruders.
> >> As I said before, an almost sure sign of a compromised box is that
> >> logwatch messages suddenly stop coming. Then it is time to run Wireshark
> >> for some length of time to see what is going *out* of your box. 'Whois'
> >> is another friend you probably need then.
> >
> > Sounds like it's not so much an attack on the machine as much as using it
> > as a platform to initiate other attacks- would this be correct?
> >
> > IF this is the case, then a NAT would be a major hindrance to this. If
> > an attacker can't gain direct access to the machine, then ssh would
> > probably not be possible- at worst it would be a very good deterrent as the
> > attacker would look for an easier target because he's not interested in
> > the machine itself.
> >
> > Please, correct me if I'm wrong here. I'd love to see some log entries
> > for this attack too. In some ways I'm a bit green on security, but I
> > have been making some major progress in my education on how the attacks
> > work. But then, with security everybody has something to learn, don't
> > they?
> >
> I doubt any one person knows it all. One of the facts is that most of
> the interesting information isn't owned by root at all but by the users.
> It's very true as most informed people don't run as root, however you
> gotta be root to delete, modify, or even look at the logs. Someone who
> wants to make sure you don't catch on will try to modify the log files,
> after all the longer they can keep you from noticing the longer they
> will have the run of the machine. You can send your logs to a remote
> machine. Now they have two machines to compromise, assuming of course
> you're actually checking the logs regularly. As I have pointed out you
> have to be root to look at the logs. So protect root at all costs
> because yes the user information might be interesting but if they own
> root you're gonna have to go to extremes to feel secure again. Keep the
> list of installed programs to a minimum. If you don't use it on a semi
> regular basis uninstall it. If you're not programming then why do you need
> a compiler? If you use samba once a month then you may want to leave it
> installed but you might as well close the ports on the firewall and open
> them manually when you need them. Same thing for the services. In the
> end it all depends on how paranoid you want to get. How important is the
> information you're protecting? Most of the things I have said are easy to
> do if you're root and the local user but if you're System Admin for even a
> medium sized network it can get to be a pain to go around making sure
> these things are done and of course even if your users only use Samba
> once or twice a month you probably aren't going to turn it off till they
> ask or whine about why it doesn't work in the first place. Now you're
> talking something like directory services and a root user that
> potentially can access everyone's files in the directory and modify
> their settings as well. Now root is more important than the user again.
> The more I learn about security the greener I feel. Often I have noticed
> that it really depends on your perspective, user vs. sys admin. A sys
> admin will have to make trade offs to ensure people can get their work
> done but a savvy user can often get around things because it's a trade-off,
> instead of outright denial. The sys admin is also often at the
> mercy of a computer illiterate boss who only cares that he can get
> things done when he feels like it and doesn't realize the potential
> dangers of what he's asking for and even after it's explained to him, he
> still doesn't care and forces the sys admin into a bad spot because he's
> signing the paycheck. Ultimately the user has to be responsible for
> his/her own security. The sys admin has bigger fish to fry than any one
> user's concerns. Of course this is only a tiny portion of a much bigger
> picture. Someday system security will get solved but until then....let's
> hope as the studies suggest that you or one of your coworkers won't sell
> their password for a frozen Snickers bar. Frozen Snickers
> mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmaggggggggggghhhhhhhhhh. Whoa easy
> Homer!! New Castle.......you guessed it , I just gave up my password.
>
> Max
>
But then, that's why you don't give root access to a run of the mill
user- or anyone unless you REALLY trust them. I don't trust anybody, so
I have a real problem...
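An added example, written for this thread rather than posted by anyone in it: the checks Antti and Max describe (counting rejected ssh logins per source, confirming nobody still gets in by password rather than key pair, and noticing when a box suddenly stops logging) run over constructed /var/log/secure-style sshd lines. Hostname, users and addresses are made up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure-style sshd lines (not real traffic).
SAMPLE_LOG = """\
Apr 13 11:40:01 fedora8 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Apr 13 11:40:03 fedora8 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Apr 13 11:40:05 fedora8 sshd[2103]: Failed password for root from 192.0.2.10 port 4022 ssh2
Apr 13 11:41:10 fedora8 sshd[2110]: Accepted publickey for darock from 198.51.100.7 port 51022 ssh2
Apr 13 11:42:30 fedora8 sshd[2115]: Failed password for root from 203.0.113.5 port 3301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted publickey|Accepted password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_syslog_ts(text, year=2008):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_secure(text, year=2008):
    """Return (timestamp, result, user, source_ip) for each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_syslog_ts(m["ts"], year), m["result"], m["user"], m["ip"]))
    return events

def failed_by_source(events, threshold=2):
    """Sources with at least `threshold` rejected password attempts."""
    counts = Counter(ip for _, result, _, ip in events if result == "Failed password")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def password_logins(events):
    """Successful password logins; empty once key pairs are enforced."""
    return [(user, ip) for _, result, user, ip in events if result == "Accepted password"]

def log_silence(events, now, max_gap=timedelta(hours=24)):
    """Antti's heuristic: logs that suddenly stop are a sign worth checking."""
    if not events:
        return True
    return now - max(ts for ts, *_ in events) > max_gap
```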