How To Secure A Cracked Box
Noel sent us a collection of stories from rootprompt on how to secure your box. The articles include Denial and truth, Watching and Waiting, Hunting the hunter, The Sniffer, and Rebuilding the system to recover from the crack. It's an interesting discussion on what it's like (and enough to churn the stomachs of anyone who's ever been there).
Even though Clifford Stoll used that method in the infamous Cuckoo's Egg, operating systems seemed to have progressed well beyond that type of jerry-rigging. With the potential for autoarchiving log files, automating their conversion into different formats, and not to mention the cheap availability of older PCs that can serve as independent and secure log servers, a dot matrix seems to be a resolution only for the most paranoid sysadmin. (Of course, dot matrix printouts do still retain their age-old hacker appeal.)
uhhh...
    auth.*    /dev/lp0
...might be a way to do this without tail -f sucking half your processor 24/7.
man syslog.conf, dude.
If you have a hub between the ADSL modem and the firewall box, instead of cutting wires in a perfectly good network cable, just attach a cheap old Pentium machine to the hub. Set its NIC to promiscuous mode and sniff everything that goes by, but set up its own packet filtering to drop EVERYTHING.
Then it's like that box just doesn't exist to the rest of the network, but it sees everything, and can log it any way you want... It's like a shadow of the firewall - it can run any kind of security software, to set off alarms or whatever.
Disclaimer: I am not a security expert. If there are problems with my idea I would like to know about it (because I am using this idea on my own firewall setup).
Another idea I had but have not implemented is to modify the login software on my machines: If anyone logs in, they would have to run a specific "secret" program in 15 seconds or less. If not, a timer expires and shuts off the UPS powering the box.
Heh heh heh. Not suitable for systems that need to keep running, but nice for home machines that you want to keep secure.
A less extreme approach would just use ifconfig to turn off the network card, instead of having the UPS kill the power.
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
Or you could dump syslog to a serial port and have a 386 with 400 megs of HD store it all. Since it's not possible to crack a computer whose only task is to listen to a serial port without reacting to the data flow in any significant way, those logs ought to be safe.
This also kills a lot less trees.
You know, I agree with that. You really don't need to be running things as powerful as Bind.
Unfortunately, the default installations of many Linux distros seem to be getting more and more top-heavy. Even things like Bind and Sendmail are getting installed by default; I'm not sure if this is a good thing.
One thing I like about OpenBSD is the very sparse, almost Bauhaus-style install. You have to go through manually and set things up if you want to use them.
It seems like a lot of work, and it perhaps is very cumbersome if you've never done it before, but I just feel much more comfortable running an OS that doesn't have a whole bunch of crufty packages installed that I may or may not ever want or need.
The security audit for OpenBSD helps, too, though. ;-)
Free music from Jack Merlot.
they are running RS6000's and have an AIX expert on hand, so that is what they used for the 6000's. The alphas run Digital Unix, and again that is what they put back on it. If you take a moment and reread what I said, I never once mentioned the OS that they are running. The OS, relative to this discussion, doesn't matter at all. My point is that this is not something that he designed. He walked into this mess and is now trying to rebuild it. The entire system could have been based on open-net-free-redhat-debian-plan9-linux and it still wouldn't change my point one bit. He didn't create this mess, he just tried to keep it working the best he could. Then it went down, he redesigned the mess, so now it is his job to ensure that he designs a secure network. Had he been given this place as his day job, had he been hired in as the network security guru, then yes this would just be a simple 'know your network' kind of deal and a smack on the wrist would be well deserved. But this is volunteer work, something that he is trying to help out on, a mess he didn't create but is still trying to clean up. I invite you to take on a similar challenge. Having worked on systems like this one, ones that have been put together with duct tape and are holding on by bubble gum, I understand exactly where Noel is coming from. Some jackas$ thought it would be cute to only put 24 hours into a day, and it's awful hard to find the other 10 that you need to get these kind of volunteer jobs done right. What you end up with is something that works and intentions to make it better once you find those extra 10 hours. Mind you, I think it speaks to Noel's character that he and his fellow volunteers took time off of their day jobs to come and do this network up right.
(btw, I don't know Noel from Adam, I just admire and can relate to what he is doing)
...and the geek shall inherit the earth...
www.linux-skunkworks.com
Scanning, in and of itself, is not an attack. It is an informational query. I know that I've port scanned machines when I was curious about what OS they are running. Each OS tends to have certain services configured, in addition to its ip fingerprints that only programs can recognize. In short, I find your policy curious. There is nothing illegal about port scanning someone and there is also nothing dangerous.
Granted, port scanning is often a prelude to an attack, but in and of itself it doesn't really constitute much. Also, as people pointed out, if knowledge of your (paranoid) behavior got out, it would be a convenient DOS, especially from public terminals (such as on a university or internet cafe).
They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- C. Sagan
Better yet (although that would be good), can we get some forums started for registered /.ers only?
/. has one very informed userbase when it comes to security, programming etc... I would really like to see /. forums that allow for fellow /.ers to answer my questions. Maybe even have a challenge of the day/week that gives a prize to the reader who can answer the question.
Since
Anyway - provide another method for us to tap the knowledge base that are /. readers. Or do you already have this and I am just missing them?
The FreeBSD ports tree is one of the best package systems I've ever seen ... it has ports for every server under the sun, including qmail and postfix, as well as a lot of DJB's other tools like dnscache and so on. And if you're so inclined, exim/postfix as well :)
:( The number of times I've run into stupid cross-dependencies, and corrupt RPM dbs goes on and on ...
The OpenBSD dudes made a wise choice and picked the FreeBSD system as their base, and they have a rapidly growing collection as well. Although I'm not familiar with it, NetBSD seems to have something similar as well.
If only we could see this under Linux now, without all the RPM crap
It seems that I can't say it enough. Install and use Kerberos. NOW!
SSH is great for connecting to a shell account, but you may still leak passwords once you've established a secure connection to your "trusted" network. Kerberos, properly installed, ensures that your passwords *NEVER* appear *ANYWHERE* in plaintext, and rarely appear in ciphertext. After all, you never know when someone has compromised one of your local tools, e.g., psql.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
You say this jokingly, I presume, but what if such a beast did exist? I would run a client of such a system *if* it contained a Slashdot-like moderation system that allowed people to propose code (e.g. post code they wanted to run to a public forum). When a piece of code gets enough votes, it "goes live" and people start executing it. Would this result in problems? Sure. Do I care? No.
Seems odd, no? Well, I say the Internet was put in place by people who had bigger dreams than a really fat pipe for advertising. I think the Internet is actually a cool thing, and should be used to its fullest. This would give it that chance, but would also come with risk. Ok, I can do risk....
Anyone up for writing it?
Indeed. I've spent many hours thinking about this...
Suppose you lock down your system really tight. You use Linux capabilities or BSD securelevel to set your binaries and config files (and directories! don't forget the directories and their parents or "mv" followed by "cp" is all it takes to trojan your stuff) read-only and your log files append-only in such a way that not even root can mess with them.
Being a security-conscious person you insist upon changing your passwords regularly. This requires /etc/passwd to be writable by root.
Your login shell is specified in /etc/passwd.
Some intruder gains root, discovers he can't trojan the system binaries or wipe his footprints from the logfiles because of all the lock-down you've done. No problem! He changes your login shell in /etc/passwd to point to a little program that chroots you into a special jail directory hierarchy where all of your usual tools and logfiles can be found, in trojan form. Since the intruder hasn't altered the protected stuff in /bin, /var/log, etc. he hasn't done anything your capabilities system can prevent.
Bingo, you are now the clueless luser in the honeypot.
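The post above points out that a locked-down system still has one writable file, /etc/passwd, and that the login-shell field is the lever. A defender can watch that field directly. The script below is an added example (not from the post or any project mentioned in it): it parses an /etc/passwd snapshot and flags any account whose shell is not listed in /etc/shells, is not under an assumed set of protected system directories, or differs from a baseline recorded earlier. The passwd, shells and baseline data are constructed samples.

```python
"""Audit login shells in an /etc/passwd snapshot against /etc/shells,
a set of protected directories, and a previously recorded baseline.
Added example; the sample data below is constructed, not from the post."""
from typing import Dict, List, Optional, Tuple

# Directories the lock-down in the post makes read-only (assumed list).
PROTECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")

# Constructed stand-ins for /etc/passwd, /etc/shells and a baseline taken
# before the intrusion.  "bob" has had his shell redirected into a jail.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/var/tmp/.jail/bin/bash
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/sbin/nologin
"""
SAMPLE_BASELINE = {"root": "/bin/bash", "daemon": "/usr/sbin/nologin",
                   "alice": "/bin/bash", "bob": "/bin/bash"}


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (user, uid, shell) for every well-formed passwd line.
    An empty shell field means /bin/sh, which is how login(1) treats it."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; skip rather than guess
        user, _pw, uid, _gid, _gecos, _home, shell = fields
        entries.append((user, int(uid), shell or "/bin/sh"))
    return entries


def parse_shells(text: str) -> List[str]:
    """Return the shells listed in an /etc/shells file (comments skipped)."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")]


def audit_shells(passwd_text: str, shells_text: str,
                 baseline: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return one finding per account whose shell looks tampered with."""
    allowed = set(parse_shells(shells_text))
    findings = []
    for user, uid, shell in parse_passwd(passwd_text):
        reasons = []
        if shell not in allowed:
            reasons.append("not listed in /etc/shells")
        if not shell.startswith(PROTECTED_DIRS):
            reasons.append("outside protected system directories")
        if baseline is not None:
            old = baseline.get(user)
            if old is None:
                reasons.append("account absent from baseline")
            elif old != shell:
                reasons.append(f"changed from {old}")
        if reasons:
            findings.append({"user": user, "uid": uid, "shell": shell,
                             "reasons": reasons})
    return findings


def audit_live(passwd_path: str = "/etc/passwd", shells_path: str = "/etc/shells",
               baseline: Optional[Dict[str, str]] = None) -> List[dict]:
    """Run the same audit on the real files of the host this runs on."""
    with open(passwd_path) as p, open(shells_path) as s:
        return audit_shells(p.read(), s.read(), baseline)


if __name__ == "__main__":
    for f in audit_shells(SAMPLE_PASSWD, SAMPLE_SHELLS, SAMPLE_BASELINE):
        print(f"{f['user']} (uid {f['uid']}): {f['shell']} -> {', '.join(f['reasons'])}")
```

The baseline should be stored where the intruder cannot reach it (the append-only log or the read-only medium the post describes), and the script itself should run from the same place, for the reason the post gives: anything writable by root is fair game once root is lost.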
That must make auditing a real pain in the ass, though. ;-)
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
I didn't say it was the only key to a secure system, however the ability to log on remotely does allow a cracker to do more damage to a system than a single user system. And what the hell does your point about MacOS mean in relation to my comment?
They have a great NT Security book online as well as a bunch of great articles, tools and links.
LiNT
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
Well, I'm running portsentry to block all IPs that do a port scan. The reason I do this is that I'm running quite a few services on my box and I like to block off any crackers at the first opportunity, before they get a chance to try my active services. If you're afraid of false alerts you can set the number of connection attempts portsentry allows to a higher value. I have portsentry e-mail me whenever it blocks an IP listing the blocked IP, the remote hostname and the service that was scanned.
I'm using a cable-modem connection and I'm surprised at the number of probes I get (varies from 1-10 a week). Almost all of them come from the cable provider's network and almost all of them are looking for known vulnerabilities (RPC, SNMP, finger, shell, etc.). I should probably notify my provider but they're not so keen about users running their own servers so I'll just leave it at this.
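The poster above runs portsentry with a raised attempt threshold to avoid false alerts and gets a mail listing the blocked IP and the scanned service. The script below is an added example, not portsentry's code or anything from the post: it applies the same idea to firewall drop logs, counting distinct destination ports per source inside a sliding time window and raising one alert per source once the count reaches a threshold, with an allowlist for hosts that are known to trip it. The log lines and their format are constructed for the example.

```python
"""Detect port scans in firewall drop logs with a per-source sliding
window, the same idea portsentry applies to its watched ports.
Added example; the log lines below are constructed, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Constructed iptables-style LOG lines (syslog omits the year).
SAMPLE_LOG = """\
May 12 03:14:01 gw kernel: DROP SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP DPT=21
May 12 03:14:01 gw kernel: DROP SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP DPT=22
May 12 03:14:02 gw kernel: DROP SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP DPT=23
May 12 03:14:02 gw kernel: DROP SRC=10.0.0.9 DST=192.168.1.2 PROTO=TCP DPT=80
May 12 03:14:03 gw kernel: DROP SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP DPT=25
May 12 03:14:03 gw kernel: DROP SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP DPT=79
May 12 03:14:05 gw kernel: DROP SRC=10.0.0.9 DST=192.168.1.2 PROTO=TCP DPT=80
May 12 03:14:06 gw kernel: DROP SRC=10.0.0.5 DST=192.168.1.2 PROTO=UDP DPT=111
May 12 03:14:08 gw kernel: DROP SRC=10.0.0.5 DST=192.168.1.2 PROTO=UDP DPT=161
May 12 03:20:00 gw kernel: DROP SRC=10.0.0.9 DST=192.168.1.2 PROTO=TCP DPT=80
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP "
    r"SRC=(?P<src>[\d.]+) DST=[\d.]+ PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")


def parse_line(line: str, year: int = 2000) -> Optional[dict]:
    """Return {ts, src, port} for a drop line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "port": f"{m['proto'].lower()}/{m['dpt']}"}


def detect_scans(lines: Iterable[str], threshold: int = 5,
                 window: timedelta = timedelta(seconds=60),
                 allowlist: Iterable[str] = ()) -> List[dict]:
    """One alert per source that touches >= threshold distinct ports
    within `window`; the alert keeps growing as more ports are seen."""
    allowed = set(allowlist)
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # logs may arrive out of order
    recent = defaultdict(list)          # src -> events inside the window
    alerts = {}
    for e in events:
        src = e["src"]
        if src in allowed:
            continue
        bucket = recent[src] + [e]
        bucket = [x for x in bucket if e["ts"] - x["ts"] <= window]
        recent[src] = bucket
        ports = sorted({x["port"] for x in bucket})
        if len(ports) >= threshold:
            a = alerts.setdefault(src, {"src": src, "first": bucket[0]["ts"]})
            a["ports"], a["last"] = ports, e["ts"]
    return list(alerts.values())


def format_alert(a: dict) -> str:
    """Text for the notification mail the post describes."""
    return (f"{a['src']} probed {len(a['ports'])} ports between "
            f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {', '.join(a['ports'])}")


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

Raising `threshold` is the equivalent of the poster's higher connection-attempt setting; the allowlist covers the case the thread worries about, where a spoofed or shared source address would otherwise lock out a host you need.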
We already have a thing like this. It's called the slashdot-effect...
That kind of thing can't really happen with windows, yeah you can get back orifice but norton antivirus takes care of that. For someone moving from windows to linux (say like my dad) if he hears that he has to check some web page and subscribe to mailing lists to keep on top of latest exploits that will root his box, it's a good reason to stay with windows.
And the reason for your dad (a workstation) to run bind is? Windows is just as bad if you install unneeded insecure network daemons on it. This is the reason Red Hat and all the other distros shouldn't install apache and all sorts of crap on desktop/workstation machines.
The only reason windows is secure is because it lacks functionality. Like running windows 95 for a server. Yes it's not that easy to get "root access" but that's because you can't have any type of remote access.
Oh and don't come talking about defaults, NT 4 installs and activates IIS and lots of crap by default.
Tomorrow will be cancelled due to lack of interest
-- Eugene H. Spafford
LiNT
Absolutely! This is why I used the word "can".
On PitBull for example, the web server typically does not run with any privilege. Rather, another daemon runs in a separate compartment that executes the cgi programs. Communication between the web server and "cgi daemon" is allowed by a small piece of trusted code called a security gate. The security gate essentially sets up a limited pipe between the two processes. This way if the CGI program is exploited, the attacker will not have any special privileges. In fact, it is pretty trivial to set up the cgi programs compartments such that it has no external network access.
This of course depends on what you want to do with CGI. If you want your CGI programs to communicate out to a back-end network (database perhaps) then you would set up your network rules to allow the CGI program to only communicate out the backend on a specific port. This will allow your CGI program to contact the database but do nothing else. It won't be able to modify any files on the system (except the few that may be in its own running compartment).
I completely agree, that sysadmins are absolutely critical in the security process. If you believe your system is totally secure, then you are just sitting around waiting for something bad to happen. Also, admins can be a critical part in the design of a system (particularly if they have relevant security knowledge).
Unfortunately, VVOS is somewhat limited in its configuration abilities. We are giving away our products for free for non-commercial use if you were interested in taking a look at what we do. Obviously I'm biased, but I believe our product is significantly better and more flexible than VVOS.
You can get copies of the software at www.argusrevolution.com and company information is at www.argus-systems.com
Of course, I'd be interested in talking more about your experiences with TOS as its always fun to talk with someone who is actually implementing systems.
Please feel free to drop me a note if you'd like to swap thoughts on trusted os or using them.
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
thompson@argus-systems.com
(no, mine's only up to 17, if you were wondering.)
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Items you will need for this procedure:
1. Superglue
2. Strip of cloth or large bandage
3. Tape, twist tie, or rubber band
First, apply superglue to both sides of crack, and press pieces together. If superglue comes into contact with hands, follow instructions on back of package to remove. Do not attempt to lick off superglue.
Wait. Until you're tired of waiting.
Take strip of cloth or bandage and tie it around box, perpendicular to the axis of the crack. Secure cloth tightly by either tying it in a knot, or by using tape, a twist tie, or a rubber band.
Refrain from dropping or throwing your box out a window to avoid the risk of future cracks.
(sorry, something makes me do this)
It's 10 PM. Do you know if you're un-American?
Well, to be honest, its your fault for using BIND!
BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.
Also, investigate alternative, and far superior servers for services you want to run.
Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.
Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.
Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.
people who are new to *nix need time to learn the ropes, and if they lose all their data and have to reinstall it can be a major turn off
If the box was being used for the same purpose that a windows box can serve, why run bind anyway? The problem is not the OS, you'll be hard pressed to argue that comparing linux running no services and a windows box running no services, that linux is less secure. Or any un*x for that matter. The key is to know the purpose of your box from the start. Are you building this box just as a gateway? Then you shouldn't need any services running. If you are going to use a linux box as a router, then think of it as a router. If you are going to use it as a firewall, then think of it as a firewall. How many firewalls have you seen, PIX and what not, that have DNS or mail servers running on them? None. The problem is not the OS, the problem is education.
If you want an all-in-wonder box that will do your masq'ing and firewalling and mail hosting and web hosting and DNS and wash the dog, then you need to at least research the services you are going to use and be prepared for the attacks. BTW, a do-all box is just a bad idea IMHO. What's the point of having a secure firewall and then running non-secure public services on it? A little forethought would have saved you a lot of time.
... and the geek shall inherit the earth...
www.linux-skunkworks.com
you have to have certain things running, and you have to know what to do, but it is possible
...much like any Unix operating system.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
Who was it that said that the most secure computer is one that is not connected in any way to anything (including power), that has no peripherals, and that is buried 8 feet down - and even this level is arguably insufficient....
Wheeeee
That in fact seems to be one of the two morals of this bunch of articles (yes, the series isn't over yet): If you're cracked, start from scratch; If you're not, make sure your network is planned from the beginning. It's far too easy to patch it together and have it work "well enough" and discover some bitrot (or worse, someone crawling in your walls like they did).
Of course, the fact that they had it done by volunteer sysadmins didn't help -- they didn't have the time to watch things as well as paid ones might.
If your box is already cracked, then it won't help. But it will help people keep their daemons up to date. If every linux distro automatically checked for updates, even if only for daemons and setuid programs, think of how many less old copies of Bind there would be out there.
You would be better off with a line printer; That way, if you get a whole shitstorm of traffic, it will have a better chance of keeping up. They tend to be far speedier than a dot matrix.
line printer
...
A printer that prints one entire line at a time. Print quality is low compared with a laser printer. Line printers typically use sprocket feed and wide fanfold paper.
Source: The Free On-line Dictionary of Computing, © 1993-2000 Denis Howe
Line printers have a solenoid for each character position, and a chain that runs around at fairly psychotic speeds. The solenoid fires when the letter it wants is under it.
Historical Note: People used to capitalize on the nature of line printers to make them make music, kind of like Apple ][ floppy drives. In fact, it is the use of firing every solenoid at the same time (by printing around half of the characters on the chain on a line) that directly led to the characters on a line printer's chain being out of order -- It tended to blow the capacitors in the power supply to drive all those solenoids simultaneously.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Truth decays into beauty, while beauty soon becomes merely charm. Charm ends up as strangeness, and even that doesn't last, but up and down are forever. Quarks, right?
good point. but we also have 24/7 eyes on our servers - and would be able to rectify the problem in minutes. especially cuz the hosts are multi homed and have alternative ways to access - just in case there is an event that kills the "internet" connection.
that way - even if it isn't an "attack" that knocks it off line - we can still get into it to make sure it is happy.
on a machine:
    *.*       @loghost.my.net
on loghost:
    auth.*    /dev/lp0
make sure you give loghost's syslogd a -u on the command line.
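Both syslog snippets in this thread (the one-line `auth.* /dev/lp0` answer earlier and the forward-to-loghost setup just above) rely on syslogd decoding the priority of each message and matching it against selectors. The script below is an added example, not syslogd's code or anything the posters wrote: it decodes the `<PRI>` prefix of a syslog datagram into facility and severity, applies syslog.conf selector semantics (`auth.*` takes every severity, `auth.notice` takes notice and anything more severe, `*.*` takes everything) and returns the actions a rule set would fire. The sample datagram and the `loghost.my.net` name are constructed, the latter taken from the post.

```python
"""Decode syslog PRI values and apply syslog.conf-style selectors, i.e.
what a loghost's syslogd does with forwarded datagrams.  Added example,
not syslogd code; the sample message below is constructed."""
import re
from typing import List, Tuple

# Facility and severity codes from the BSD syslog protocol (RFC 3164).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
# Index is the numeric severity: 0 is most severe, 7 least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(datagram: str) -> Tuple[str, str, str]:
    """Return (facility, severity, remainder).  A missing or out-of-range
    PRI is treated as user.notice, as RFC 3164 tells receivers to do."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return "user", "notice", datagram
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity], m.group(2)


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """syslog.conf semantics: 'fac.sev' matches that facility at sev or
    more severe; '*' wildcards either side; 'fac.none' matches nothing;
    several facilities may be comma-separated."""
    facs, _, sev = selector.partition(".")
    if facs != "*" and facility not in facs.split(","):
        return False
    if sev == "*":
        return True
    if sev == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev)


def route(datagram: str, rules: List[Tuple[str, str]]) -> List[str]:
    """Return the actions (files, devices, @hosts) a rule set fires for one message."""
    facility, severity, _ = decode_pri(datagram)
    return [action for selector, action in rules if selector_matches(selector, facility, severity)]


# The two configurations from the thread, as (selector, action) pairs.
SENDER_RULES = [("auth.*", "/dev/lp0"), ("*.*", "@loghost.my.net")]
LOGHOST_RULES = [("auth.*", "/dev/lp0")]

# Constructed datagram: PRI 38 = auth (4) * 8 + info (6).
SAMPLE = "<38>May 12 03:14:07 fw sshd[123]: Accepted password for alice from 10.0.0.9"

if __name__ == "__main__":
    print(decode_pri(SAMPLE)[:2], route(SAMPLE, SENDER_RULES))
```

Running the real loghost would wrap `route` around a UDP socket bound to port 514 and append each routed message to the chosen file; the decoding and matching shown here are the part that decides what reaches the printer and what does not.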
another good point - but they are not there for you to satisfy your curiosity - they are to run our business (and quake servers :P ) so I don't care why you scan or whatever - you get blocked.
basically - they are only for what service they were built for - not a training mech.
2600 for your security advisories? Ha. More like the Kevin Mitnick and "Whatever trouble we can get into with registering domain names" updates.
Can you really ever be sure without a full reinstall? Sure there are systems out there that take snapshots and check crucial files but imho, once compromised, start from scratch. It may be painful but it is better than the alternative which is to risk being compromised a second or successive times.
--
you have just proved that sig ads work! Email me for a written quotation.
Emailing security logs unencrypted violates security, hence what's the point of the logs?
Free Porn! or Laugh
Ever need an online dictionary?
It sounds like you were hoping for a Linux-based solution, but might I suggest OpenBSD? It is often regarded as the most secure UNIX out there, no holes in the default install for two years.
:) And hey, 2.7 is coming out real soon now!
Set up the default install, configure NAT for your local network, and you're ready to go!
Of course, from what I've read you probably haven't used it before and are most likely reluctant to learn a whole new operating system and different port forwarding software. But it's not that bad, really
F0 07 C7 C8
Since when do you need to be a commercial/non-profit site to get attacked? I'm on a simple 56k dynamic IP modem. I'm on probably 8-10 hours a day, working from home. I get about 5 attempts a day to get to some service on my machine. Yesterday one started just 4 minutes after connecting.
Anyone can be targeted. And I take this story as a lesson to be learned. Back when I first saw this line of articles (around part 2), I started running tcpdump on my connection all the time. This is how I learn of these attempts. I don't know what they do, scan entire blocks of IP address continually?
Can syslogd be forced to send messages to a serial port? Connect a non-networked machine of some sort to the networked machine(s) and have it listen on the serial port for data.
Either way, you save reams of paper.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Anyone know of a place for Windows NT Security?
So why is a single user OS (Mac OS 8.x, 9.x running WebStar) the most secure OS?
Whether an OS is single or multi user is not the only key to security. The biggest threat to security is an error between the chair and the kb anyway.
Tom
Reality does not happen until you analyze the dots. -Don DeLillo (Underworld)
http://www.microsoft.com/security/default.asp
I agree that if we wanted to avoid trouble, we should not be on the internet 24/7, and my fileserver should definitely not double as a firewall :P
I like the idea of certain log files that cannot be erased, so...
Upon installation of SDSL, I will be moving my webhosting services to my home. I have been playing with the idea of hooking up an old dot-matrix printer to print out certain log files, or lines from log files with keywords in them.
Am I hopelessly out of date with this idea? I have seen some mention of systems like this, and I think it will be a good complement to other security. The idea is that if I get a penetration, I will at least have an idea about *when* the initial intrusion was, and be able to work with that.
Anyone else with a similar system care to comment?
Right, so when I buffer overflow your server, I don't have to worry about privileges, I can just happily delete everything on your system.
Wait, you're trolling... ha ha ha. Nevermind. Duh.
-- http://thegirlorthecar.com funny dating game for guys
A modest proposal for making life easier for DDoS crackers
I have an idea. I think it's brilliant. When you want to DDoS a big site into the stone age, most of your time is spent infecting hosts to use in the attack. This is annoying and it causes us to behave in antisocial ways. If I want to bring down Yahoo, I want to do it NOW!!, not after I finish setting up a subseven network. All the work I have to do makes me pissy. When I get pissy I wipe your hard drive to cover my tracks. Now you're pissy too. Misery loves company.
What I have in mind is a massive voluntary distributed computing effort along the lines of Seti @ Home. I call it kiddie @ home. Basically, those of you with cpu and bandwidth to spare should sign up. When you aren't using your computer, I'll use it to launch SYN attacks and settle grudges. Now I don't have to crack anything, and you don't have to bother reading cert advisories. We're both happy.
What do you guys think? Can I sign you up?
--Shoeboy
(former microserf)
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
the time is eternally wrong on my box because of that, but i can deal with it
yea that's the problem with linux, if you get too complicated -- get too much stuff, you lose track of what you have and you can't keep everything secure. The fact that a simple program runs on your computer, can have an exploit that will give someone total access because it is root suid, is ridiculous. That is why we should try a credibility system like the one in EROS OS. unfortunately, it's not ready for real use yet. maybe we could avoid problems that made 2.2.16 release early.
Why did they try to track him down?
I have to admit that I'm not through with the story yet.
.. and while they are there they can ask to examine the Brits' wonderful bill of rights. I think it is somewhere between Brigadoon and the Loch Ness monster.
If you are tired of people like Helms and Armey, tell their idiot constituents to quit voting for them. Sheesh, you think those numbnuts would know better and quit reelecting those guys for so many years in a row!
it does it all, and i know it has a million vulnerabilities, but copying /home to an i-drive every week is easier than reinstalling, i don't have the time.
Now, This Root Prompt article is the best read I've had since I can remember. Yes, it was mentioned above, but, re-iterating the link does no disservice to anyone who truly cares about security.
Take 10 and go read it.
Linux rocks!!! www.dedserius.com
www.dedserius.com
VB != VisualBasic
It's better for a non-server machine to be running as few services as possible - at most, only ssh should be necessary. Get your Dad to pick a Linux distro that doesn't install lots of cruft by default. (I've heard that Red Hat is bad at this but I wouldn't know).
BTW is it possible to run BIND ok in a BSD jail? (jail is chroot's big brother)
perl -e 'fork||print for split//,"hahahaha"'
You know what's really funny? We've run links to, I think, all of the installments of the Cracked! series individually, and every time another one comes out, somebody bitches about how "if we wanted to read this, we'd be reading rootprompt already". Just goes to show, you can't please everyone. :-)
--
There is no K5 cabal.
I am not the real rusty.
"I thought that it was much more likely that the cracker was just using tools he had gotten from other places, and that he had not written any of them. That he was just a script kiddie."
Odd how the term script kiddie wasn't coined till late last year
"I logged into the Sun box and started poking around. I had begun to suspect that what I had found was a sniffer that the cracker was running to capture logins and passwords on our system and on other systems that our users connected to. Running a utility to check the network card showed that it was in promiscuous mode. The ifconfig utility reported that it was not and this told me that he had replaced the system ifconfig command with a rootkit version that lied to us about the promiscuous status of our network interface. So he was running a sniffer on our system."
Odd how Solaris machines even up until now have no definitive way of determining whether or not a device is in promiscuous mode...
"We then posted a system message that said that the hard drive on the Sun had crashed"
Security Through Obscurity... tsk tsk
"The rest of us started working installing the latest Digital Unix on the alphas."
DigUnix... got root?
I hope this was a pretend story because if it isn't then these half wits deserve to have their machine rooted by some luzer script kiddiot
Thanks for the memories
i agree, i wish they didn't enable everything by default..
This story illustrates that running a system is a task which needs focus and attention. Making it only half-heartedly also puts other people at risk (being spammed, cracked, DoSed).
It seems like he afterwards sought "revenge" for losing one of his entry points and managed to take down their new setup. However I think that this is a very unusual behaviour and most crackers would simply try finding a new easier exploitable victim. Hopefully they or the FBI could identify him at the end.
Another clever exploit is to store a piece of the attack bot bootstrap sequence on the network card itself. Most modern network cards have 64 bytes (or more) of EEPROM that are used to store the 6 byte hardware MAC address, leaving the majority of the space unused. More sophisticated server network cards even have more space for downloadable firmware. The mostly unused network card EEPROM is typically loaded by OS drivers in its entirety - usually to a fixed address static buffer.
A small segment of code could be programmed into the card and executed from this buffer by an exploit. The advantages to storing a portion of the attack code in the NIC is that it makes tracing the activity of the exploit difficult for someone trying to reverse engineer the code, and more importantly, a short program installed here will survive a disk formatting and OS re-install. This kind of exploit will lead to a lot of head scratching and questions about "How the hell do they keep getting back in after a disk wipe?" at the target.
He's referring to Sealand, a "sovereign nation" off the coast of the UK. Go to Havenco to learn more.
It's ignorance itself to think you know all the answers. -Miles Comer
If you run debian, you can just run apt-get upgrade and get the newest packages whenever you'd like. If one was so inclined a cron job could run it every night, or once a week, and as long as debian keeps up with the newest vuln. you'll be ok.
Perhaps if qmail's author would allow reasonable packaging, it would already be there. Have you tried to build RPMs for qmail? It's not pretty. You have to install the qmail userids prior to doing the build. The build! For the life of me, I really don't know why.
Dog is my co-pilot.
Additionally, I think there is something else at work. Or actually a combination of three things. One is the concept of the "application" as a semi-monolithic structure (even under the "unix ideology"). The second is the total lack of distinction between user activities. rm -rf *, ls -l, and /bin/newfs /dev/sd1a are equal in the eyes of the operating system, requiring no higher level of authentication or extra levels of protection for actions that are clearly of more import and heavier consequences. The third is the lack of a clear understanding for what has ultimate control over "the system". You almost always see a competition between software and operating systems as to which one is the master. A comfortable level of security will not be reached until an OS design finally lays down the law for the programs and the users and brings some intelligent design to system security.
I agree that this type of thing happens with every OS, and the more services a machine runs the more vulnerable it is.
I guess my real beef is that all that trash that most people won't need comes enabled by default.
IFF your tripwire is statically linked AND launched from a read-only medium (CD, locked floppy...): you might have more of a chance.
Anyone have further illumination to offer? tripwire still needs to call system functions (e.g., to open files), even if it's statically linked. So, a call to open the changed/hacked files might result in forged data being sent.
But this would be a much messier hack...if, for example, the legit sysadmin makes a change to / (the directory), the hacked kernel would need to know to send the current info back via tripwire, instead of the info from when the kernel was hacked. It seems to me like hacking around tripwire would be its own project! (Anyone done it yet? Anyone?)
Old Slashdot article
The benefit of keeping logs in electronic form is you can search through them a heckofa lot quicker... ever try to find an event in a 2000-page stack of printouts?
"Freedom means freedom for everybody" -- Dick Cheney
If you read the series, you will find that the system in question is not his fulltime job. In fact, it's volunteer work that he has tried to assist on. The systems, like so many other non-profits, were smacked together enough just to make them work. I rather applaud the author for having the huevos to post the articles and detail his steps. On one hand, someone that is paid to keep a network secure shouldn't have any excuse, but this was volunteer work man. Read the series.
... and the geek shall inherit the earth...
www.linux-skunkworks.com
Ummmm.... Part five was just posted today. I've been following the others, and I figured that /. wouldn't want to post it five times, so they waited for the final installment... makes sense.
;-)
I think we should have moderation for the stories, but it should be limited to the lowest X number of userids... where X is > my_userid
I've still never seen the image or text here that says 'Today's News for Nerds. New Stuff that Matters.'
"It's tough to be bilingual when you get hit in the head."
It's true, if your box can't stay up or do what you need it to do, then I guess it's secure right?
I would never use backorifice: norton does have a clue about it. How about vnc? Or PC Anywhere? heh Norton's PC Anywhere, that's the ticket.
Are you suggesting not to run DNS services?
I have been running one version of bind or another on *nix for 5 years, never been rooted yet.
Maybe you're right, windows is the answer. I always said the most secure box is the one turned off and unplugged from the net.
"think of it as evolution in action"
Many notable *nix sysadmins don't do a reinstall or are not able (read: Company President says no) because it's not practical. You should always be aware of the ways into the machine and be able to delve into the C if necessary. It's true that a simple dist won't do it but the whole OS doesn't get screwed up when you are cracked. Just get a logging daemon that dual logs to a strange place with weird log filenames and start tracking the cracker at the point of entry.
If he logged in, he started at the passwd, then....
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
Try securing your systems BEFORE they get cracked. A good few places to start:
Insecure.org, especially this top 50 security tools page.
SecurityFocus the disseminators of the BUGTRAQ list among others.
Attrition.org, especially their security page.
And of course 2600, the l0pht, and Phrack for the latest tasty street info....
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
I'm still nervous and want to do a reinstall, but I don't know why he rebooted both Linux machines.
Looking for a computer support specialist for your small business? Check out
20 minutes after the post and already the server is slashdotted =)
when the rain comes, they run and hide their heads. they might as well be dead.
So what we need is a way to easily configure a machine as secured workstation with practically all services off... don't the Linux distro's have something like this already? Al.
Well the obvious thing is that the potential attacker could stop the CD burning process, by killing it.
The way that I understand the logging to the printer option it uses a kernel module to log, so it cannot be disabled by the user without a reboot (Assuming the rmmod is unimplemented).
Steve
---
It is back up now. :)
Wanna bet?
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
The thing I love are all these spiffy articles how cool ways that people break into systems. I am constantly SHOCKED by just how poor security is on most UNIX systems. UNIX has the ability to be so completely and blatantly secure that not even a micron could get through. The problem is most sysadmins don't implement security very well. First off, if you're not behind a firewall you just made it 10,000 times easier to get into the system. If you have more than 10 computers, I think a firewall is almost a necessity. Second, my point really, is that you can NEVER, read N-E-V-E-R, use telnet or ftp. Anyone with an account on your system (or connected to your network or other ways if they're clever) can sniff any plain-text username and password in under 10 minutes. Use ssh, scp, whatever; just make sure any text transmitted over a network is encrypted. This is the #1 security hole I see most places making. Just my $2.00 worth. DranoK
That is not dead which can eternal lie, and with strange eons even death may die.
Shh! Nobody knows I'm gay!
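What the post above means by "sniff any plain-text username and password" can be shown in a few dozen lines. The following is an added example, not code from anyone in this thread: it takes the client half of a handful of TCP flows (constructed here as a list of packets; all addresses and credentials are made up) and pulls the credentials out of telnet, FTP, POP3 and HTTP Basic auth. The telnet handling is a simplification (only the 2- and 3-byte IAC commands are stripped, no subnegotiation), and the "first two typed lines are login and password" rule is a heuristic.

```python
import base64
from collections import defaultdict

# Added example, not from the thread. Reassembles the client side of constructed
# TCP flows and extracts credentials sent in the clear; this is what any host on
# the same hub/segment sees when telnet, ftp, pop3 or HTTP Basic auth are used.


def _strip_telnet_iac(data):
    """Drop telnet option negotiation so only typed bytes remain.
    Simplified: IAC WILL/WONT/DO/DONT are 3 bytes, other commands 2 bytes;
    subnegotiation (IAC SB ... IAC SE) is not handled."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            i += 3 if data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE) else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def reassemble(packets):
    """Concatenate client->server payloads per flow (src, dst, dport), in arrival order.
    A real sniffer would also order by TCP sequence number."""
    flows = defaultdict(bytes)
    for src, dst, dport, payload in packets:
        flows[(src, dst, dport)] += payload
    return flows


def extract_credentials(packets):
    """Return a list of {proto, src, dst, user, password} for each cleartext login seen."""
    found = []
    for (src, dst, dport), data in reassemble(packets).items():
        text = data.replace(b"\r\x00", b"\r\n").decode("latin-1")
        if dport in (21, 110):  # FTP / POP3: "USER x" then "PASS y", one command per line
            user = password = None
            for line in text.split("\r\n"):
                if line.upper().startswith("USER "):
                    user = line[5:]
                elif line.upper().startswith("PASS "):
                    password = line[5:]
            if user and password:
                found.append({"proto": "ftp" if dport == 21 else "pop3", "src": src,
                              "dst": dst, "user": user, "password": password})
        elif dport == 23:  # telnet: keystrokes arrive one per packet; login then password
            lines = _strip_telnet_iac(data).replace(b"\r\x00", b"\r\n").decode("latin-1").split("\r\n")
            if len(lines) >= 2 and lines[0] and lines[1]:
                found.append({"proto": "telnet", "src": src, "dst": dst,
                              "user": lines[0], "password": lines[1]})
        elif dport == 80:  # HTTP Basic: base64 is an encoding, not encryption
            for line in text.split("\r\n"):
                if line.lower().startswith("authorization: basic "):
                    user, _, password = base64.b64decode(line.split()[2]).decode().partition(":")
                    found.append({"proto": "http-basic", "src": src, "dst": dst,
                                  "user": user, "password": password})
    return found


def sample_packets():
    """Constructed capture: (src, dst, dport, payload) tuples, client->server only."""
    c, s = "10.0.0.5", "192.0.2.10"
    pkts = [(c, s, 21, b"USER alice\r\n"), (c, s, 21, b"PASS s3cret\r\n"), (c, s, 21, b"SYST\r\n")]
    pkts.append((c, s, 23, b"\xff\xfd\x01"))          # IAC DO ECHO from the telnet client
    for ch in b"bob\r\nhunter2\r\n":                   # one keystroke per packet
        pkts.append((c, s, 23, bytes([ch])))
    token = base64.b64encode(b"carol:letmein").decode()
    pkts.append((c, s, 80, ("GET /admin HTTP/1.0\r\nAuthorization: Basic %s\r\n\r\n" % token).encode()))
    pkts.append((c, s, 110, b"USER dave\r\nPASS qwerty\r\n"))
    return pkts


if __name__ == "__main__":
    for cred in extract_credentials(sample_packets()):
        print("%(proto)s %(src)s -> %(dst)s  %(user)s / %(password)s" % cred)
```

The same capture run against ssh or scp yields nothing usable, which is the whole argument for them: the sniffer's position on the wire does not change, only what it can read.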
www.coyotelinux.com
Good stuff; the pay version is actually almost worth it, for the nice graphical disk creation utility. Basically, the entire IPMasq/firewall setup runs off a floppy. No hard drive needed. What makes this UBER-sweet is that if your firewall gets cracked, you simply figure out the hole, and rebuild the floppy to fix the hole. No permanent data = no permanent compromise. Beautiful.
Tell a man that there are 400 Billion stars and he'll believe you
CompUSA had a simple Linux package for this: A simple GUI installer for a standalone Linux firewall. Install and go, then forget about it. I forget who makes it though.
Eep! I forgot to mention that in Havenco's agreement that you cant launch attacks on other computers from their computers. (Blast, foiled again)
"-600 Disgusting"
---
Last time I checked you can't stream to a CDR. :-)
it's called burn.
and has to be done all at one time... (I guess if your syslogs fill up at a 1x burn rate you could, but then you either have a huge problem, or will get very tired swapping cd's every 80 minutes.)
granted you can stream to a file and that burns once a month, but then you have 1 month for a cracker to modify that file.
Do not look at laser with remaining good eye.
Try www.linuxrouter.org and download the idiot image for a floppy. It has real easy text setup, runs from a floppy and saves config changes. Once it's running the way you want, save config, write-protect the floppy and let it filter and pass packets. I built a dedicated firewall box from a $30 minitower case, $15 floppy, used AOpen mobo ~$25, used P-166 (can even work on 486) and two used 10Mbps NICs $6 ea. Easy as cake.
--Somewhere there is a village missing an idiot.
Apt-get will install an updated package, but (unless you --force it) won't reinstall a currently installed version. This means cracked applications stay cracked.
(And don't make me laugh by suggesting that a cron job running apt-get install --force ... will be enough to stop a knowledgeable intruder who already has root access on your system.)
Running apt-get religiously is a good start, but you also need a well-configured tripwire, log host, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
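The tripwire discussion earlier in the thread and the apt-get point just above come down to the same check: a package manager compares version strings, an integrity checker compares what is actually on disk against a baseline taken when the box was known good. The following is an added example, not code posted by anyone in this thread and not tripwire itself. It runs against three fake "binaries" in a temp directory (constructed here) and records digest, mode and size, then shows a same-size, same-mode replacement of ps being caught and a deleted netstat reported. The caveat from the tripwire post stands and is repeated in the comments: everything this checker reads still comes through the running kernel.

```python
import hashlib
import os
import tempfile

# Added example, not from the thread: a minimal tripwire-style integrity check.
# Keep the baseline and a statically linked copy of the checker on read-only
# media (CD, write-protected floppy). Everything the checker reads still comes
# through the running kernel, so a kernel that lies in open()/read()/lstat()
# defeats it; that is the limit the tripwire post in this thread points out.

CHUNK = 64 * 1024


def digest(path):
    """SHA-256 of a file's contents, read in chunks so big binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, mode and size per path. Mode matters on its own: a new
    setuid bit on an otherwise untouched binary is a finding."""
    baseline = {}
    for p in paths:
        st = os.lstat(p)
        baseline[p] = {"sha256": digest(p), "mode": st.st_mode, "size": st.st_size}
    return baseline


def verify(baseline):
    """Compare the live filesystem against the baseline; returns ok/changed/missing lists."""
    report = {"ok": [], "changed": [], "missing": []}
    for p, want in baseline.items():
        if not os.path.lexists(p):
            report["missing"].append(p)
            continue
        st = os.lstat(p)
        same = (st.st_mode == want["mode"] and st.st_size == want["size"]
                and digest(p) == want["sha256"])
        report["ok" if same else "changed"].append(p)
    return report


def demo():
    """Constructed scenario in a temp dir: baseline three fake binaries, then
    replace 'ps' with a same-length, same-mode backdoor (a version-only check
    would never notice) and delete 'netstat'. Returns the report keyed by basename."""
    d = tempfile.mkdtemp()
    paths = {name: os.path.join(d, name) for name in ("ls", "ps", "netstat")}
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.chmod(p, 0o755)
    base = build_baseline(list(paths.values()))
    with open(paths["ps"], "wb") as f:
        f.write(b"#!/bin/sh\necho backdoor\n")  # same length as the original
    os.remove(paths["netstat"])
    rep = verify(base)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in rep.items()}


if __name__ == "__main__":
    print(demo())
```

For a real box the path list would be the binaries and config files a rootkit usually replaces (ps, ls, netstat, login, sshd, the inetd configuration) and the baseline would be written once, from a clean install, before the machine ever sees the network.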
That kind of thing can't really happen with windows, yeah you can get back orifice but norton antivirus takes care of that.
If you believe that one antivirus utility will solve all your security problems, go right ahead and keep running that windows box. Any system connected to a public network is vulnerable if not properly tweaked and monitored. Just because it has a simplified GUI doesn't mean there aren't any exploits out there. You need to surf some hacking sites, you'll be surprised what's available to crack your windows machine.
if he hears that he has to check some web page and subscribe to mailing lists to keep on top of latest exploits that will root his box, it's a good reason to stay with windows.
That's about as good system administration as sticking your head in the ground and hoping nothing happens. If you're not willing to put forth some effort in preventive maintenance, you're going to end up with a lot of work in the future, whether you run NT or Linux/Unix.
-------
Hecubas
There's just too many of us!! ;)
-- @rjamestaylor on Ello
Now don't get me wrong, I think that article moderation should be debated from time to time, but this case is not a good example of it. This article is dated today on rootprompt itself and is posted at the top of kuro5hin today as well. It seems unlikely that all three sources would be mistaken.
Noel
RootPrompt.org -- Nothing but Unix
kayaking
"How to Recover from a Dose of the Slashdot Effect & Prepare for the Next One"
For the humor impaired, the above is a joke.
Quidquid latine dictum sit, altum viditur.
I only post comments when someone on the internet is wrong.
You gave the answer to your own question. Read the story.
You did not need to read very far to know his reasons. He said their network setup was very complicated. It was also very clear that the cracker had multiple ways into the system. Reinstalling the whole lot did not seem to be an option they could do. They did not even reinstall the one box they took down as they did not have the resources. Anything short of a complete reinstall and not all of the backdoors put in by the cracker may have been plugged. The sysadmin was very worried that the cracker would trash the system to remove his tracks if he was discovered.
So he set about finding out as much as he could. That is why, whether they were right or not is for you to decide.
Sorry, I was meaning the series. That's what I get for being vague. Next thing you know I'll be working for the patent office and approving that "method of inputting a desired action via twice clicking on a pointing device known as a "mouse" in a computing environment" patent to Amazon.com
There are a lot of interesting things being done with Trusted OS today. A number of people are working on commercial TOS for people. Argus Systems Group is doing commercial versions, and Robert Watson is heading up the TrustedBSD port (www.trustedbsd.com)
Trusted OS does not remove security flaws and holes, but it can cause them to give the attacker no real access to the system. Check out the paper I wrote, as it should illustrate this quite nicely.
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
http://www.argusrevolution.com/
ftp://ftp.debian.org should give you all the security you need. :)
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
- any hacking sites archive (I recommend attrition.org. Go to the defaced archive, and it'll tell you what operating system the hacked b0x was running. The vast majority of the hacking sites are running NT. Windows NT has security holes -- they're just not as well documented. Security through obscurity. [If your friendly neighborhood hackers installed their software as an NT service, you might not have noticed.] Contrary to what the Wall St Hype Machine would have you (general public) believe, Unix is not for Joe Public. Distros are generally assembled for people that have a clue. I don't blame the users not having a clue, though. After having had their hands held by Microsoft for the last 10 years, it's no wonder that they expect the same when moving to the Unix world.
-- You see, there would be these conclusions that you could jump to
Pretty good stuff. I got to read the first part before their server got slashdotted...
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, noeld@pair.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
couldn't spawn child process:
/usr/www/cgi-bin/php-cgiwrap
"The further I get from the things that I care about, the less I care about how much further away I get." -Robert Smith
The easiest way to fix a cracked machine is first throw away its pipe. Next, hide its money. Then, make sure it can never get to its dealer by any means necessary. Finally, send it to detox.
Just say no to computers on crack....
-----
"The only difference between me and a madman is that I'm not mad." - Salvador Dali (1904-1989)
I was looking around my brother's computer and noticed someone had gotten him to install a couple of trojans on it (actually, more like 3 or 4... "don't download stuff from people!" doesn't seem to get through to some people...). Anyhow, one day a chat window pops up over the screen and the guy starts talking to me... for no reason at all, he says "Oh well, time to reboot..." and down Windows starts to go... of course, being Windows and all, I killed Explorer and the shutdown canceled... *grin* The point is, they'll do it just to piss you off... if you're working on any files and don't have them saved, rebooting will kill them and upset a few people... sometimes crackers install services that don't actually get run until you reboot... maybe they patched the kernel... who knows. I'd do a complete re-install to be safe.
Let me guess, you reinstalled from the same media as you used the first time, thereby reinstalling the same security holes and sure enough you got r00ted again.
If you were running a windows machine in the masqing role using winroute or the like and someone got you by installing backorifice on your unprotected C drive share would you say thats a reason not to use windows?
Getting r00ted is not about a good/bad OS! It's possible on any architecture, any OS. It's all about YOU taking responsibility to secure YOUR system. If some script kiddie out there cracks my box it's my fault for not keeping updated on my patches and properly securing a networked machine. Of course all bets are off if it's a zero-day exploit (which are rarely in the hands of the casual script-kiddie) or a real expert trying to take my system down. In the latter case I may as well kiss my ass goodbye because I know my own limitations but those guys need a reason to put in the effort to crack even a lightly-armoured box. Script kiddies don't need any other reason than having a new place to brag about running an eggdrop from but keeping them out is a bit easier.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
No NT Admin should ever be without NT Bugtraq.
Subscribe to the mailing list and sit back and watch your inbox. Dig through the archives if you're a new user. You'll be amazed at the sheer volume of security issues that floats through on a daily basis.
Not true - you can do packet writing to CD-R's. not sure under linux (never tried), but windows works.
Over the last few months I have taken to running tcpdump on my connection just to see how many folks try and get in. Understand I am in a cable modem/DSL deprived area, so I dial up with my mighty 56k modem. My ISP uses two C class blocks for the dynamic IP dialup sessions. So I guess crackers are just making attempts at any/all of these class C networks.
I'd say I get about 4-6 attempts per day to do something on my box. Mostly it is folks looking for something good on Windows SMB ports. I'm sure there are millions of 2 PC households that share their C drive wide open so they can copy to and fro. I've gone through the logs keeping a list, and banning the entire class C network of offending IPs. You can see some of that on my site under Security.
All those attempts got me to thinking. I should set up a much simpler firewall/masquerade box that doesn't run too much. Holes could be poked in the wall for necessary services (web, mail, etc) and forwarded to an internal machine. Perhaps something like the Linux Router Project would work. But what I'm looking into is one with good crack monitors: syslogging things to another box, checking for portscans, running snort or tcpdump. Are there any? If not I may have to start one.
Even if someone finds a hole in the mail server (or whatever), it is on a second machine behind the wall and they cannot (easily) get to it to run that suid shell they just created. If the system is kept down to a floppy or small bit of a CDROM, you can easily mount the entire ramdisk readonly, or just reboot and have the original setup restored. Just having a full Linux desktop setup directly on the 'net worries me when/if I move to a DSL area.
This also is used by the script kiddies to make it difficult for the owners of the cracked box to remove the kiddies' tools. Took me a couple hours to figure out what was happening the first time it happened to me.
My biggest concern is that the system still has to keep flowing. Time must be a huge weighting to insure that the latest news is always on top. The problem is, the newest stuff hasn't been properly moderated yet which means I can have my news fast xor good. Perhaps if the stories were segregated by day it would alleviate that somewhat.
Still, it is more complicated and more critical than comment moderation so I can see why the staff hasn't implemented it yet (never mind the fact that it would make /. almost run itself).
Even better - use an old Amiga or Atari. Just as capable of performing such a task but less likely (even than the original, almost untouchable machine) to be cracked due to their rarity. Plus, you can pick up some of them - say, an A600 - for almost nothing, it's very small and you can run it through a TV for even lower cost and footprint.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
The only way the first point could be true is if no Redhat box had ever been cracked.
Solaris appears to have more exploits than any other proprietary OS primarily because Sun has traditionally been more open than other vendors about its security problems, and because of Sun's long dominance of the US education market.
It appears that openssh comes with suse6.4, tho I don't know if it's installed by default.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
CD-Rs? You can do it for CD-RWs, but I haven't seen that for CD-Rs...
I tried this for a while, but my printer was a little weird dealing with log files, so I eventually got rid of it. When I did tho, I deleted /dev/lp1 and then remade it with the device numbers for tty9, and left the syslog configuration files alone. Some time later, someone did try to get in, but they saw a bunch of stuff logging to "/dev/lp1" and left. So even if you don't have a printer, if you can make it look like you do, you'll scare off a few that way.
If they "got in" enough to see logging to /dev/lp1 then they GOT IN. That's the point, they already were in too far and your machine was compromised. Bad, bad sysadmin!!! No scooby-snack for you :-(
port sentry will permanently block any IP that scans us
From all the research I did on the topic, plus a good discussion on firewall-wizards, this isn't generally considered to be a good idea.
What if someone forges the scan packets to be coming from your machine's gateway? They can hose your server relatively easily.
Granted Mr. Rowland (portsentry author) says in practice this doesn't happen (no one has reported people DOS'ng them when using portsentry in this manner), but I think the best policy is to respond to scanning by blocking only on less secure test boxen and workstations.
For live production servers(especially a large portal website) responding to scans/attacks like that it is a DOS risk, albeit slight, and also could prevent some of your potential clients from accessing the site(attack through AOL proxy?). I just block everything except the minimal services my servers provide (e.g. ssh and apache) and concentrate on securing those apps. Then I can pretty much ignore portscans.
--
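Two posts above fit together: the dial-up user counting probes in his packet logs and banning whole class Cs, and the portsentry thread warning that auto-blocking on a forged source address lets an attacker cut the box off from its own gateway or nameserver. Here is an added example, not code from either poster, that does the counting and then applies the check the portsentry post asks for. The log lines are constructed in the style of the Linux 2.2 ipchains "Packet log" syslog message (documentation-range addresses); the gateway and nameserver addresses in NEVER_BLOCK are assumed values, and the attempt threshold is arbitrary.

```python
import ipaddress
import re
from collections import Counter

# Added example, not posted by anyone in this thread. Parses constructed
# ipchains-style "Packet log" lines, counts denied attempts per source and per
# /24 (the poster bans whole class Cs), and builds a block list that refuses to
# touch addresses the box depends on: a scan whose source address is forged to
# be the gateway would otherwise turn the blocker into a self-inflicted DoS.

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>DENY|REJECT|ACCEPT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Assumed values: default gateway and the ISP nameserver. Never auto-block these.
NEVER_BLOCK = ["192.0.2.1/32", "192.0.2.53/32"]


def parse_line(line):
    """Return a dict for a packet-log line, or None for other syslog traffic."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def summarize(lines):
    """Count denied/rejected packets per source IP, per source /24 and per destination port."""
    per_source, per_net, per_port = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] not in ("DENY", "REJECT"):
            continue
        per_source[rec["src"]] += 1
        per_net[str(ipaddress.ip_network(rec["src"] + "/24", strict=False))] += 1
        per_port[rec["dport"]] += 1
    return per_source, per_net, per_port


def block_candidates(per_source, threshold, never_block=NEVER_BLOCK):
    """Sources at or over the threshold, split into (blocked, skipped). Anything
    inside never_block is skipped because a scanner can forge its source address."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    blocked, skipped = [], []
    for src, count in per_source.items():
        if count < threshold:
            continue
        if any(ipaddress.ip_address(src) in net for net in protected):
            skipped.append(src)
        else:
            blocked.append(src)
    return sorted(blocked), sorted(skipped)


def _pkt(src, sport, dport, proto=6, verdict="DENY"):
    """Build one constructed ipchains-style log line."""
    return ("Jun 12 03:14:07 gw kernel: Packet log: input %s ppp0 PROTO=%d "
            "%s:%d 192.0.2.10:%d L=48 S=0x00 I=9021 F=0x4000 T=113 SYN (#3)"
            % (verdict, proto, src, sport, dport))


# Constructed sample: one host probing SMB and FTP, two one-off probes, unrelated
# syslog noise, an accepted ssh login, and a scan forged to come from our gateway.
SAMPLE_LOG = [
    _pkt("203.0.113.45", 3212, 139),
    _pkt("203.0.113.45", 3213, 137, proto=17),
    _pkt("203.0.113.45", 3214, 21),
    _pkt("203.0.113.77", 1045, 139),
    _pkt("198.51.100.9", 2000, 111),
    "Jun 12 03:15:22 gw sshd[412]: Accepted publickey for noel from 10.0.0.5",
    _pkt("10.0.0.5", 40000, 22, verdict="ACCEPT"),
] + [_pkt("192.0.2.1", 1024 + i, 22) for i in range(5)]


if __name__ == "__main__":
    per_source, per_net, per_port = summarize(SAMPLE_LOG)
    print("per /24:", per_net.most_common())
    print("per port:", per_port.most_common())
    print("block / skip:", block_candidates(per_source, threshold=3))
```

Run on the sample, 203.0.113.45 is the only address over the threshold that gets blocked; the five probes "from" 192.0.2.1 are reported but skipped, which is the difference between a log summary and a foot-gun. The same never-block list belongs in front of any automated reaction, whether it feeds ipchains rules or a portsentry-style responder.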
As others have said, you should always reinstall after noticing your boxes have been cracked (you'll also want to check on things to see if you can determine the point of entry and person(s) responsible).
The better solution is to just not be cracked in the first place. The way to do this is to be known-secure. How do you do that? Audited code, such as OpenBSD provides peace of mind. Secure logging (i.e.: logging to another internal machine whose job it is to accept log reports) -- this gives you a nice write-only log target, making it easier to trace initial probes and attacks.
Next, you'll want to check existing services, and review any services you want to add. I discussed this in Securing the Border, parts 1, 2, 3, and 4.
You might also want to read "Auditing Kuro5hin" where I found a root compromise on Kuro5hin.org when reviewing the system with Rusty, the site owner and creator. It has tips on how to recover cleanly.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
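The log-host idea in the post above, and the syslog.conf hint near the top of the thread, come down to a forwarding rule on each monitored machine. Added example, not from any poster: it assumes the BSD-style syslog.conf syntax of sysklogd on Linux of the period, a log host named loghost, and the file paths shown.

```conf
# /etc/syslog.conf on each monitored machine (added example; "loghost" and the
# file paths are assumed). Separate selector and action with tabs.
#
# Local copy of the interesting stuff, for convenience.
auth,authpriv.*		/var/log/auth.log
#
# Every message also goes to the log host. An intruder with root here can edit
# the local file but not the copy on a box he has not broken into.
*.*			@loghost
#
# Optional paper trail, as discussed earlier in the thread.
auth.*			/dev/lp0
```

On the log host, sysklogd only accepts network messages when started as syslogd -r, and it should run nothing else. Syslog over UDP port 514 is neither authenticated nor encrypted, so filter 514/udp to the known senders and treat the remote copy as evidence that the local one has been tampered with, not as proof of what happened. "Write-only" is a property of the log host having no trust relationship back to the machines that feed it.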
I have seen many boxes compromised. But there are two configurations I've never seen hacked:
1.Redhat w/ latest updates.
2.OpenBSD.
I can believe #2 but #1 is a stretch, RedHat isn't exactly the cream of Linux distros.
There's _always_ another hole someplace that didn't get noticed yet.
Take a look at the errata page for RH_4.2_,
there's been 4 updates so far this year and this release has been around about 4 years!
That kind of thing can't really happen with windows, yeah you can get back orifice but norton antivirus takes care of that. For someone moving from windows to linux (say like my dad) if he hears that he has to check some web page and subscribe to mailing lists to keep on top of latest exploits that will root his box, it's a good reason to stay with windows.
What you are really giving are reasons not to run BIND when you have no use for it. I had some friends get cracked due to an old version of imap they had running (and they were not even running a mail server).
Linux distributors tend to like all services running by default, boosting ease of setup at the expense of security (even slack is this way). When you initially set up a network server, turn off all services that you aren't sure that you need.
For desktop *nix boxes, one should even be more restrictive. do you need ftp running? Is anyone going to telnet into your box? Is there any reason for X to host apps over IP? I would suggest turning nearly everything off, so that crackers are faced with something as simplistic as a win98 box. Lets face it, win98 is nearly uncrackable because from a network perspective, it does not do anything (except run malicious vbs). Run your *nix desktop box the same way.
Furthermore, for every service you have running, make sure you have the newest version. This applies for every operating system. The best road to security has more to do with reading bugtraq than choosing an OS.
No, it seems as if I am mistaken. My apologies.
looks like rootPrompt has succumbed to the infamous ./ DDOS attack!
-Jon
this is my sig.
titled: "How I dealt with over 48,762 simultaneous http connections referred from /."
Part 1. The onslaught
Part 2. I've never seen a disk so busy
Part 3. Out of swap space
Part 4. Internal Server Error
Part 5. The crowd finally goes away
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Root
Prompt
Slash
Dotted
Where are the mirrors?
Know what I like about atheists? I've yet to meet one that believes God is on their side.
:)
-- Give him Head? Be a Beacon?
(If you can't figure out how to E-Mail me, Don't.
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, noeld@pair.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
couldn't spawn child process:
/usr/www/cgi-bin/php-cgiwrap
Noel, please fix! I was about to read the last installment! The suspense is unbearable.
Ceterum censeo Microsoftam esse delendam.
Set a cron job to run every 24 hours:
ntpdate -s time.apple.com
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Great, this will really help the first-time users of Linux.
Nothing helps a newbie secure a box quite like someone telling him he should already know how.
I didn't even know what bind was at the time, and I still don't fully understand all the trash I see running when you do ps aux; after all that I just disabled everything that I didn't know exactly what it was.
You shouldn't be running stuff that you don't fully understand. You should have a full understanding of the Unix environment before running something as powerful as BIND. You don't have to learn everything yesterday. Experience and knowledge comes with time.
Nah, they probably patched your kernel and had just reinstalled lilo.
If you've been hacked, reload.. It's that simple. If you designed your system 'right' from the beginning, this isn't a big deal. Here are some basic steps I've used that anyone can use.
1) Get your *nix (or any os) setup the way you want, with patches, drivers, etc..Don't load application software yet. Create an Image of that machine.(ghost, drive image, etc..)
2.Load your applications.
3.Set your syslog to mirror your logs on another server.
4. If possible, try to move your 'data' directories (from your applications) to another directory for just 'data'. (You'll have to create symbolic links from their original locations.)
5. Backup your DATA Directory/Drive ONLY!
Too many times do I see people backup their entire system whether it be Winblows or *nix. If you get a virus, or compromised binary, that file/binary will be backed up! If you don't catch the attack, all of your backups could be infected.
A good rule of thumb is to only back up your DATA, not your binaries. After all, you own the software, right ? *grin*
Then, the obvious solution after a hack is to:
1) Reapply your OS image (ghost, drive image, etc)
2) Apply new patches/fixes/close security holes.
3) Reload your Applications
4) Reload your data
5) Point the applications to your data on the other drive.
Yes, it can be a long, drawn out affair initially, but whether it be a hacker or just plain system crash, the restoration process goes rather smoothly.
-Iota
God is Real Unless Declared Integer
"credibility system"
Umm how about
"A system that uses capability's"
This has come up in discussion before, and I'm still curious as hell to see it in action.
/. moderation would be an improvement.
As we currently get moderator privilege every once in a while, we should also get story moderation abilities. 5 points (personally I think there should be point fractions, more moderators and higher thresholds, in both post and story moderation but that's just me) to apply to the stories in the currently pending submission queue - those stories with the highest rating float to the top, and these are decided upon by the 'staff' - since some filtration MUST be done to avoid slander, blatant fraud and anything else that might pass by moderators (though with enough moderators, I doubt this would be an issue).
This would reduce the number of stories that the staffers have to wade through, and would more directly tailor the content of the site to what the 'public' wants to see. There is, of course, the risk of content degradation into only those subjects which people feel strongly about - rather than items of intellectual value or those neat little buried jewels that show up now and again - but the solution to this is developing a conservative method of granting story moderation points.
Similar rules could be applied as in posting moderation and in the selection of Interview questions - you MUST post a reason for or against a story you vote for or against, to give the staffers justification. You should also specify if a submission is worthy of a story, or should it be Quickie-fodder. Kuro5hin works this way - it seems a bit messy, since EVERYONE (logged in) gets to vote, so maybe only giving it to a few people at a time, like
Maybe story-moderation should only be available to posters who qualify for the +2 default score, or maybe only those with a Karma past some threshold. I know, there's a lot of pro and con Karma arguments already, but high Karma is a result of taking an active, positive part in the slashdot community, and who else better to help thresh the submission queue than the people who care about the content of the site?
Yeah, there's the whole Karma-whore issue, but I doubt it would result in abusive story moderation, since Karma whores value their Karma, and a Karmic penalty could be imposed against those who vote FOR stories that are decisively voted against by others (a bunch of Karma whores colluding together into a story brothel is unlikely) - besides, it would cost a point (or two) to get a story posted, so...
I propose Dogma points! Modelled after Karma, Dogma points are awarded when someone votes FOR a story you submit. They are revoked when your submission is moderated down or out of the queue. When your stories rating hits a certain level, the staff gives it the nod and the story gets posted.
Queued stories have a finite life-span. If they are not moderated up enough, or down enough, they fall into the bit-bucket - a story limbo where they can be viewed (à la archive) but not posted to.
As you accumulate Dogma points, you get to moderate stories with increased frequency - or maybe with more points. And perhaps, with enough points, you could even resurrect stories from Limbo - at a significant cost in Dogma points. If your points drop below a certain floor (0 is a good floor) then you can no longer vote for stories.
Perhaps a conversion of Karma to Dogma and vice versa should be explored? A 10 to 1 ratio seems fair.
Anyway - just a few thoughts.
-- What you do today will cost you a day of your life.
umm... I don't know about you but I actually do a significant amount of "work" on my machine. This amounts to several years worth of code that I occasionally even use. I am not going to throw all that away, even if last week's backup of my work may have included some clever trojan.
Of course, I probably shouldn't worry, since nobody cares enough to bother. These days, they just set up their root kit, trin00 or what have you, and don't bother with anything else. If they were more polite I might let them use my machine anyway.
reinstall.
seriously, if your machine has been compromised by anyone other than a completely retarded skriptkiddie, chances are there's going to be lots of "new functionality" in some of the bins on your machine. reinstall from read-only media.
I'd probably just copy anything that couldn't be infected by viruses/trojans/etc off to another system, then wipe the machine and start over, perhaps paying more attention to security next time. There are probably a lot of people for whom that wouldn't suffice.
-- $SIGNATURE
Sounds like you need a UPS...
Even with just minor power fluctuations (dimming lights from vacuum/fridge/AC starting up), it's a pretty good investment...especially if you are seeing reboots. My UPS actually made my NT box more stable (the linux box has far more power supply than it needs, the NT box is a little spindle heavy, so it tends to be a little more sensitive about those sorts of things)...
Of course, maybe your VCR was cracked... they've got those power-line networks now... soon your toaster and microwave will be cracked, too - you'll be standing there, cold bread all over your face while the rest of your body gets heated into oblivion (muhahahaha)...
or not...
"It's tough to be bilingual when you get hit in the head."
The next time was bind again, but the guy rebooted the box for some reason and then I found him on IRC (he was using the same nick as the account that he added, and the IPs matched), and I asked him how he did it and he said bind.
I don't run bind anymore ...
I reinstalled after the first time, but not the second.
That kind of thing can't really happen with Windows; yeah, you can get Back Orifice, but Norton AntiVirus takes care of that. For someone moving from Windows to Linux (say, like my dad), if he hears that he has to check some web page and subscribe to mailing lists to keep on top of the latest exploits that will root his box, it's a good reason to stay with Windows.
As I'm sure someone else is going to point out, this has been on www.kuro5hin.org for weeks and weeks now. What I'm wondering is, since /. has grown so fast and now has so many articles submitted that the staff is having a hard time keeping up, is there some way we can have a system implemented where, instead of relying on a few full time or part time staffers, community people can accept and post the articles? Similar to the moderation system, but for the actual articles posted. Then /. can go back to getting news in a prompt manner and not be as overloaded as they are now. This is a great series BTW, well worth the reading.
...and the geek shall inherit the earth...
www.linux-skunkworks.com
Don't portray your ignorance as a reason not to use UNIX. Your inability to keep up-to-date with patches was the problem. You can't put a box in the public domain and not expect people to try to jerk with it. You'd probably give a baby a knife to teethe on. Fool you once, shame on me. Fool you twice, shame on you.
Internal Server Error
/usr/www/cgi-bin/php-cgiwrap
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, noeld@pair.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
couldn't spawn child process:
Even on their main page. Damn. Just as I was getting to part 5.
This begs for a follow-up series on rootprompt.org: How To Secure A Slashdotted Box
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Yup. Same place they get military intelligence.
Weapons of Mass Analysis
While I've been going through altavista and various security sites, do any VERY BASIC packages exist for people who would like to turn a P100 into a Linux firewall that also does masquerading or whatever it is that MS Windows Proxy 2.0 does so poorly?
Something suitably on the level of "Firewalls For Dummies Who Were Also Unfortunately Struck In The Head With An Anvil," with cutesy lists like, "You want IRC? Open up port 113 for identd and ports 6665-7000 for ircservers."
Maybe where the rules can be edited in a text file, something comprehensible by people who don't regularly hack the kernel?
Thanks to anyone who has any good suggestions.
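The post above asks for firewall rules that live in a plain text file a non-kernel-hacker can read. The following is an added example, not code from the thread or from any package it mentions: it parses a small allow-list format I made up for illustration (one service per line, protocol, a port or port range) and emits the `iptables` commands for a default-deny INPUT chain. The rules text, the interface name `eth0` and the file format are all constructed assumptions; the script only generates the commands and does not run them.

```python
"""Turn a plain-text allow list into default-deny iptables commands.

Added example. The rules file format below is my own choice for
illustration, not a real package's format. Everything not listed in
the file stays closed, which is the safe default for a home firewall.
"""
import re

# Constructed rules file, in the spirit of the IRC example in the post:
# "open 113 for identd and 6665-7000 for IRC servers".
RULES_TEXT = """\
# service  proto  port(s)      comment
ssh        tcp    22           # remote admin
identd     tcp    113          # IRC servers query this
irc        tcp    6665-7000    # IRC server range
dns        udp    53
"""

# name, proto, low port, optional "-high" port
LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(\d+)(?:-(\d+))?$")


def parse_rules(text):
    """Parse the text format into dicts; reject malformed lines and bad ports."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        name, proto, low, high = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        high = int(high) if high is not None else low
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"line {lineno}: bad port range {low}-{high}")
        rules.append({"name": name, "proto": proto, "low": low, "high": high})
    return rules


def generate_iptables(rules, iface="eth0"):
    """Emit shell commands: flush, default DROP, allow loopback and
    established traffic, then one ACCEPT per rule. Assumed interface: eth0."""
    cmds = [
        "iptables -F INPUT",
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        ports = str(r["low"]) if r["low"] == r["high"] else f"{r['low']}:{r['high']}"
        cmds.append(
            f"iptables -A INPUT -i {iface} -p {r['proto']} --dport {ports} -j ACCEPT"
            f"  # {r['name']}"
        )
    return cmds


if __name__ == "__main__":
    for cmd in generate_iptables(parse_rules(RULES_TEXT)):
        print(cmd)
```

Running the script prints the commands so they can be reviewed before being pasted into a boot script; the `-P INPUT DROP` policy is what makes an unlisted service unreachable even if someone later starts a daemon on the box.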
As stated, why not go with OpenBSD, which is a "FREE" system since they're a non-profit organization? That should not be an excuse, since even non-profits have some sort of funding, and I'm sure it'd be a write-off.
I've found tons of tools all free and better than commercially available ones so I don't understand your point.
Thanks for the memories
Well, rootprompt got
OK, some kiddie has cracked your box, played around with files, executables, logs, etc. So you start from scratch: boot off a CD, fdisk the partitions to hell, reinstall. Great. Everything's clean.
Now: what if you have flash BIOS?
At the very least he could zero out your BIOS and make your machine unbootable. If your version of Un*x uses the BIOS for anything but booting, it might be possible to leave a back door, too.
Thoughts?
------
You are in a twisty little maze of open source licenses, all different.
How about using OpenBSD? You won't have to check bugtraq every few hours. Two years without a root exploit is a pretty good track record.
Only the State obtains its revenue by coercion. - Murray Rothbard
C'mon guys... I know you love your uptime. But if you download the Redhat (or Debian, or whatever) updates once a week, install them and reboot, you'll save yourself a world of trouble. Depending on the updates, you don't even need to reboot -- but it's usually the easiest way to make sure all the daemons have been restarted. Plus it cleans up your memory pool.
I have seen many boxes compromised. But there are two configurations I've never seen hacked:
- Redhat w/ latest updates.
- OpenBSD.
Note that closed source OS's seriously suffer in this area. Running Solaris (second only to Linux in the number of exploits), your best bet is to replace--
-- Slashdot sucks.
First off this has nothing to do with Linux and if it did then why would someone be moronic enough to think they know enough about Linux to throw a commercial or even non-profit site running something out of their comprehension?
If you took time to notice my post you would see the reference to OpenBSD which is secure as hell on a clean install.
So again I post: If someone took a quick second to "Get A Clue" we wouldn't have this issue here would we?
Join our clueless clan
Thanks for the memories
Physical security is of the utmost importance. After all, it's only cardboard and wax paper.
Ooooh...I thought you said "How to secure a cracker box"...
--
Compaq dropping MAILWorks?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Only rebuild. The only possible ways of fully recovering a cracked system are:
1. reload the entire system from a known-good backup
2. reinstall the entire system
However, #1 isn't always possible. First of all, if you don't keep backups of your system, you are SOL. Even if you do, if you don't keep backups around for long periods of time, it is possible you don't have a backup from before the initial intrusion.
If anything, you CANNOT trust ANY data/programs/etc from the cracked system. ANYTHING and EVERYTHING could have been modified by the cracker. Trying to plug the hole after its already been used is pointless, as you have no way of knowing what they've changed. If you just update whatever program was the problem and move along your merry way, you're just asking for a repeat of the initial breakin.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
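The post above makes the point that nothing on a cracked box can be trusted, so the only recovery is a rebuild from a known-good backup or a fresh install. The practical corollary is that you need a trusted baseline taken *before* the intrusion. The following is an added example, not code from the thread or from rootprompt: it hashes every file under a tree into a manifest, then classifies a later snapshot as modified, added or missing. The fake `bin/` directory and the simulated tampering are constructed for the demo.

```python
"""Baseline-and-compare check for a filesystem tree.

Added example. The manifest built here is only useful if it was made
before the intrusion, kept off the box, and compared from trusted media
(e.g. booted from CD), since a rootkit on the live system can hide files
from any program that runs on it.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are not hashed here
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def compare_manifests(trusted, current):
    """Classify differences between a trusted baseline and a later snapshot."""
    trusted_paths = set(trusted)
    current_paths = set(current)
    return {
        "modified": sorted(p for p in trusted_paths & current_paths
                           if trusted[p] != current[p]),
        "added": sorted(current_paths - trusted_paths),
        "missing": sorted(trusted_paths - current_paths),
    }


def demo():
    """Constructed scenario: baseline a fake bin/, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("ls", b"ls v1"), ("ps", b"ps v1"), ("login", b"login v1")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(body)
        baseline = build_manifest(root)  # this is what must be stored off the box

        # Simulated tampering: ps replaced, a hidden file dropped, login deleted.
        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"ps v1 with processes hidden")
        with open(os.path.join(bindir, ".rk"), "wb") as fh:
            fh.write(b"extra")
        os.remove(os.path.join(bindir, "login"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The report answers the question the post says you cannot otherwise answer ("what did they change?"), but only for files that existed in the baseline; it says nothing about the BIOS or about data written after the baseline, which is why the post's advice to rebuild rather than patch still stands.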
Anyone know of a place for Windows NT Security?
Betty Ford Clinic.
Sheldon
Yes, I know there is OpenBSD and other more-or-less secure OSes. But it is still very easy to create security holes, and it is a lot of work to keep a system secure. The millions of ordinary users soon to come on cable modem and ADSL won't appreciate doing this sort of work.
So what is really the problem?
Although no dates are given, the way the article reads I suspect the attack took place several years ago. In 1995 there were remotely exploitable root cracks in OpenBSD. (Which, if I remember right, was just coming into being and still was mostly NetBSD+ and not really worthy of its own name yet - maybe it didn't even exist at that time.)
Work with the best tools available. But sometimes the best tools are not very good.
PS, I could be wrong on the date, but this is my impression. It seems the author has learned a lot since then.
It's called Prime Minister's Question Time, and it's once a week (used to be 15 mins. twice a week, but Tony Blair changed it to 30 mins. once a week - I think).
Windows 2000 isn't a multi-user environment (in normal cases) this is why it is harder to crack. If you have a single user linux/unix it would be just as hard if not harder than Windows to break into.
If administrators kept on point checking out advisories as well as following forums such as securityfocus, etc. This wouldn't be a problem.
When someone has to go as far as detailing a document on recovering a cracked box you have to stop and wonder about the level of security this person knows about since their machine was "rooted" in the first place.
Sure you could moan and bitch about script kiddiots/crackers/e-vandals but a secure box isn't as far fetched as a clean install of OpenBSD or even running Titan on your clean install of Solaris.
Sorry to say but slackness is to blame when dealing with situations like this. Never... Wait no... NEVER have I had to worry about recovering a "cracked" box since it'd been secure from the get.
Someone root me so I can have fun creating my own docs...
sil@deficiency.org www.deficiency.org
sil@antioffline.com www.antioffline.com
Thanks for the memories