old FC hacked system

Bill Oliver vendor at billoblog.com
Wed Dec 18 19:53:30 UTC 2013


On Wed, 18 Dec 2013, bruce wrote:

> Hi.
>
> Got an old FC system that was hacked. - I know - my own fault
> (perhaps) should have updated, etc,,,
>
>[snip]


I can't tell you how to restore because it's impossible to know what the intrusion was, what was done, and how you know what was or was not modified.  All you are really telling me is that you have some corrupt files -- which, by the way, may not be the result of an intrusion.  What is and is not now "corrupt" in the sense of being a trojan or something like that isn't something most folk can help you with unless there's some more information.

That being said, here's my idiot's guide to keeping a relatively clean
box:

1) Backup on a regular basis.  There are lots of philosophies about backing up, whether you should always do full backups, incremental backups, etc.  It's both religious and a function of how much data you have.  It may not be reasonable for Google to do full nightly backups, for instance, but it's certainly reasonable for *me* to do full backups periodically.

So, what I do is do a nightly incremental backup to a machine in a second location.  In addition, I do a full backup every week and keep my last few backups as well as a couple of old ones.  Disks are cheap nowadays.

Remember that if you are really the victim of an intrusion, unless you *know* what you are doing the chances are the intrusion happened well before the bad stuff started happening.  Thus, if you have to retrieve stuff, you may want to go back until before you are pretty confident you had been hit.


2) Do a periodic clean install.  One of the really nice things about Linux is that it's free and it's easy to install.  That means that you can do a clean install on your machine quickly.  One of the things I hate about Windows is that you are pretty much stuck with the same install, accumulating crap, for as long as you have that version of Windows.  Doh.   That's asking for trouble.

Going back to the idea of the cheap disks, I usually mirror my disk as soon as I install a new OS and get all the configs right.  Then, every few weeks, I just mirror it back and restore the non-OS data.  That way if there's a rootkit on it I didn't know about, it will be gone.

Similarly, every few months, I simply install the OS from scratch, usually bouncing between an Ubuntu-like OS such as Mint and a Red Hat-like one such as Fedora/CentOS/Mageia.

Since it's all pretty mechanical, most of this is turn-it-on-and-go-to-bed kind of stuff, so it's not like I'm sitting around staring at the screen for hours.


3) Standard network security:

a) I like the old timey concepts of choke and bastion firewalls, with the "crown jewels" way back away from the server, per se.  You may have to compromise on that if you have bandwidth/efficiency problems, but most folk do OK.  Google on "choke bastion DMZ firewall tutorial"

b) If you have choke and bastion firewalls, you probably have a DMZ.  Again, I'm a fan of having a separate box for each service -- an email server, a web server, etc., for the obvious reason that if one gets hit, the others may not.  I break this rule for my home network, but I've always done it when I had a "real" network to run.

c) Don't serve anything you don't have to.

d) Don't listen at ports you don't have to.

e) Don't do stuff open text.  Turn off telnet except when you need to use it to test stuff (and I find netcat works just as well most of the time anyway), etc.

4) Basic intrusion detection and avoidance


a) Read your logs.

b) Read your logs.

c) Read your logs.

d) Keep track of who should be on your machines when.  It may be that a zillion people go to your web site, but only a few would go to your ftp server and only *you* should log in to your email server -- and you know when you do that.

e) Use brute force tripwires for ssh, ftp, etc. that look for and stop script kiddies.

f) Everybody tells me to use tripwire, so I'll throw that in, but I have to say that I get so many false positives on it that I pretty much ignore it...

g) Iptables is your friend.  If you know that you only want to talk to certain places, then just block everything else out.  I don't know anybody in China or Taiwan or Korea.  So screw it.  I'll just use iptables to block everything except the US, Canada, and Europe.  That won't stop the assholes in Russia, or the assholes in China that own boxes in France, but it helps.   Yeah, yeah, firewalld is all the cat's meow, but I haven't learned it.  I like iptables.  Sue me.

h) Encrypt stuff as much as you can stand it.  I don't encrypt drives, but I encrypt directories and files.  You know that there are lots of files you only access every once in a blue moon.  Encrypt them.  What the hell.  It's easy, and I've been surprised how much I didn't want certain emails made public that I also didn't need to re-read every freaking day.



billo
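Items 4a-4e above (read your logs, know who should be on the box and when, trip on brute-force attempts) can be turned into a small review script. The following is an added example written for this page, not code from the post's author: it parses sshd lines in the syslog format found in /var/log/secure or /var/log/auth.log, flags source addresses that exceed an assumed failed-login threshold, and flags successful logins that fall outside an assumed per-account schedule. Every host, user, address and timestamp in the sample log is constructed, and the threshold and schedule are assumptions you would set for your own machines.

```python
"""Log review for sshd: brute-force sources and out-of-policy logins.

Added example, not part of the original mailing-list post.  The sample
lines, thresholds and account schedule below are all constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes via syslog.  Syslog
# omits the year, so the parser assumes one (ASSUMED_YEAR).
SAMPLE_LOG = """\
Dec 18 02:14:01 mail sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Dec 18 02:14:03 mail sshd[4023]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Dec 18 02:14:05 mail sshd[4025]: Failed password for root from 198.51.100.7 port 51041 ssh2
Dec 18 02:14:08 mail sshd[4027]: Failed password for root from 198.51.100.7 port 51052 ssh2
Dec 18 02:14:11 mail sshd[4029]: Failed password for root from 198.51.100.7 port 51060 ssh2
Dec 18 02:14:14 mail sshd[4031]: Failed password for root from 198.51.100.7 port 51071 ssh2
Dec 18 03:02:40 mail sshd[4102]: Accepted publickey for www-deploy from 203.0.113.9 port 40100 ssh2
Dec 18 09:30:12 mail sshd[4310]: Accepted publickey for billo from 192.0.2.10 port 50233 ssh2
Dec 18 11:00:01 mail sshd[4400]: Failed password for billo from 192.0.2.10 port 50240 ssh2
Dec 18 23:45:10 mail sshd[4500]: Accepted password for billo from 198.51.100.50 port 40210 ssh2
"""

ASSUMED_YEAR = 2013  # assumption: syslog lines carry no year

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def failed_by_source(events):
    """Count failed logins per source address."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["ip"]] += 1
    return dict(counts)


def brute_force_sources(events, threshold=5):
    """Tripwire rule: sources with at least `threshold` failures (assumed value)."""
    return sorted(ip for ip, n in failed_by_source(events).items() if n >= threshold)


# Who should be on this box and when (assumed policy; hours are [start, end)).
EXPECTED = {
    "billo": (8, 20),       # interactive admin logins only during the day
    "www-deploy": (0, 24),  # automated deploy account, any hour
}


def unexpected_logins(events, expected=EXPECTED):
    """Successful logins by unknown accounts or outside their allowed hours."""
    flagged = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        window = expected.get(e["user"])
        if window is None or not (window[0] <= e["ts"].hour < window[1]):
            flagged.append((e["user"], e["ip"], e["ts"].isoformat()))
    return flagged


def review(log_text):
    """Run both checks over raw log text; non-matching lines are skipped."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return {"brute_force": brute_force_sources(events),
            "unexpected": unexpected_logins(events)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real box you would feed it the actual log file and pass the addresses in `brute_force` to whatever blocker you use (the "tripwire" of item 4e), while the `unexpected` list is the thing worth reading by eye every morning; the one failed attempt from the admin's own address is deliberately left below the threshold so a fat-fingered password does not lock you out.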

