How To Secure A Cracked Box
Noel sent us a collection of stories from rootprompt on how to secure your box. The articles include Denial and truth, Watching and Waiting, Hunting the hunter, The Sniffer, and Rebuilding the system to recover from the crack. It's an interesting discussion on what it's like (and enough to churn the stomachs of anyone who's ever been there).
Even though Clifford Stoll used that method in the infamous Cuckoo's Egg, operating systems seemed to have progressed well beyond that type of jerry-rigging. With the potential for autoarchiving log files, automating their conversion into different formats, and not to mention the cheap availability of older PCs that can serve as independent and secure log servers, a dot matrix seems to be a resolution only for the most paranoid sysadmin. (Of course, dot matrix printouts do still retain their age old hacker appeal.)
uhhh...
auth.*	/dev/lp0
...might be a way to do this without tail -f sucking half your processor 24/7.
man syslog.conf, dude.
If you have a hub between the ADSL modem and the firewall box, instead of cutting wires in a perfectly good network cable, just attach a cheap old pentium machine to the hub. Set its NIC to promiscuous mode and sniff everything that goes by, but set up its own packet filtering to drop EVERYTHING.
Then it's like that box just doesn't exist to the rest of the network, but it sees everything, and can log it any way you want... It's like a shadow of the firewall - it can run any kind of security software, to set off alarms or whatever.
Disclaimer: I am not a security expert. If there are problems with my idea I would like to know about it (because I am using this idea on my own firewall setup).
Another idea I had but have not implemented is to modify the login software on my machines: If anyone logs in, they would have to run a specific "secret" program in 15 seconds or less. If not, a timer expires and shuts off the UPS powering the box.
Heh heh heh. Not suitable for systems that need to keep running, but nice for home machines that you want to keep secure.
A less extreme approach would just use ifconfig to turn off the network card, instead of having the UPS kill the power.
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
You know, I agree with that. You really don't need to be running things as powerful as Bind.
Unfortunately, the default installations of many Linux distros seem to be getting more and more top-heavy. Even things like Bind and Sendmail are getting installed by default; I'm not sure if this is a good thing.
One thing I like about OpenBSD is the very sparse, almost Bauhaus-style install. You have to go through manually and set things up if you want to use them.
It seems like a lot of work, and it perhaps is very cumbersome if you've never done it before, but I just feel much more comfortable running an OS that doesn't have a whole bunch of crufty packages installed that I may or may not ever want or need.
The security audit for OpenBSD helps, too, though. ;-)
Free music from Jack Merlot.
The FreeBSD ports tree is one of the best package systems I've ever seen ... it has ports for every server under the sun, including qmail and postfix, as well as a lot of DJB's other tools like dnscache and so on. And if you're so inclined, exim/postfix as well :)
:( The number of times I've run into stupid cross-dependencies, and corrupt RPM dbs goes on and on ...
The OpenBSD dudes made a wise choice and picked the FreeBSD system as their base, and they have a rapidly growing collection as well. Although I'm not familiar with it, NetBSD seems to have something similar as well.
If only we could see this under Linux now, without all the RPM crap
It seems that I can't say it enough. Install and use Kerberos. NOW!
SSH is great for connecting to a shell account, but you may still leak passwords once you've established a secure connection to your "trusted" network. Kerberos, properly installed, ensures that your passwords *NEVER* appear *ANYWHERE* in plaintext, and rarely appear in ciphertext. After all, you never know when someone has compromised one of your local tools, e.g., psql.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
You say this jokingly, I presume, but what if such a beast did exist? I would run a client of such a system *if* it contained a Slashdot-like moderation system that allowed people to propose code (e.g. post code they wanted to run to a public forum). When a piece of code gets enough votes, it "goes live" and people start executing it. Would this result in problems? Sure. Do I care? No.
Seems odd, no? Well, I say the Internet was put in place by people who had bigger dreams than a really fat pipe for advertising. I think the Internet is actually a cool thing, and should be used to its fullest. This would give it that chance, but would also come with risk. Ok, I can do risk....
Anyone up for writing it?
Indeed. I've spent many hours thinking about this...
Suppose you lock down your system really tight. You use Linux capabilities or BSD securelevel to set your binaries and config files (and directories! don't forget the directories and their parents or "mv" followed by "cp" is all it takes to trojan your stuff) read-only and your log files append-only in such a way that not even root can mess with them.
Being a security-conscious person you insist upon changing your passwords regularly. This requires /etc/passwd to be writable by root.
Your login shell is specified in /etc/passwd.
Some intruder gains root, discovers he can't trojan the system binaries or wipe his footprints from the logfiles because of all the lock-down you've done. No problem! He changes your login shell in /etc/passwd to point to a little program that chroots you into a special jail directory hierarchy where all of your usual tools and logfiles can be found, in trojan form. Since the intruder hasn't altered the protected stuff in /bin, /var/log, etc. he hasn't done anything your capabilities system can prevent.
Bingo, you are now the clueless luser in the honeypot.
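A defender's check for the trick described in the post above, added here as an example and not code from the thread: even with /bin and /var/log locked down, a writable /etc/passwd lets an intruder point a login shell at a program outside the protected tree, so the shell field is worth auditing against /etc/shells and against the directories the lock-down actually covers. The passwd text, the allowed-shell list and the protected directories are constructed for the example.

```python
"""Review /etc/passwd login shells against an allowlist and against the
directories a capabilities/securelevel lock-down protects.  Added example;
all inputs below are constructed, not taken from a real system."""
import os

# Constructed /etc/passwd contents for the example.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/var/tmp/.x/sh
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
dave:x:1003:1003:Dave:/home/dave:/usr/bin/fish
"""

# Assumed for the example: the shells an admin listed in /etc/shells, and the
# directories the read-only lock-down covers.
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/sbin/nologin", "/bin/false"}
PROTECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def parse_passwd(text):
    """Yield (user, shell) for each well-formed passwd line.
    An empty shell field means /bin/sh, as login(1) treats it."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        yield fields[0], (fields[6] or "/bin/sh")

def suspicious_shells(text, allowed=ALLOWED_SHELLS, protected=PROTECTED_DIRS):
    """Return {user: reason} for accounts whose login shell lives outside the
    protected directories or is not on the allowlist.  A shell outside the
    protected tree is exactly what the chroot-jail trick relies on."""
    findings = {}
    for user, shell in parse_passwd(text):
        shell = os.path.normpath(shell)
        if not shell.startswith(protected):
            findings[user] = f"shell {shell} outside protected directories"
        elif shell not in allowed:
            findings[user] = f"shell {shell} not in allowed list"
    return findings

if __name__ == "__main__":
    for user, reason in suspicious_shells(PASSWD_TEXT).items():
        print(f"{user}: {reason}")
```

The check only reports; what to do about a hit (and whether the shell allowlist itself is stored on read-only media, so the intruder cannot edit it along with /etc/passwd) is up to the admin.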
They have a great NT Security book online as well as a bunch of great articles, tools and links.
LiNT
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
Items you will need for this procedure:
1. Superglue
2. Strip of cloth or large bandage
3. Tape, twist tie, or rubber band
First, apply superglue to both sides of crack, and press pieces together. If superglue comes into contact with hands, follow instructions on back of package to remove. Do not attempt to lick off superglue.
Wait. Until you're tired of waiting.
Take strip of cloth or bandage and tie it around box, perpendicular to the axis of the crack. Secure cloth tightly by either tying it in a knot, or by using tape, a twist tie, or a rubber band.
Refrain from dropping or throwing your box out a window to avoid the risk of future cracks.
(sorry, something makes me do this)
It's 10 PM. Do you know if you're un-American?
Well, to be honest, it's your fault for using BIND!
BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.
Also, investigate alternative, and far superior servers for services you want to run.
Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.
Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.
Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.
people who are new to *nix need time to learn the ropes, and if they lose all their data and have to reinstall it can be a major turn off
If the box was being used for the same purpose that a windows box can serve, why run bind anyway? The problem is not the OS, you'll be hard pressed to argue that comparing linux running no services and a windows box running no services, that linux is less secure. Or any un*x for that matter. The key is to know the purpose of your box from the start. Are you building this box just as a gateway? Then you shouldn't need any services running. If you are going to use a linux box as a router, then think of it as a router. If you are going to use it as a firewall, then think of it as a firewall. How many firewalls have you seen, PIX and what not, that have DNS or mail servers running on them? None. The problem is not the OS, the problem is education.
If you want an all-in-wonder box that will do your masq'ing and firewalling and mail hosting and web hosting and DNS and wash the dog, then you need to at least research the services you are going to use and be prepared for the attacks. BTW, a do-all box is just a bad idea IMHO. What's the point of having a secure firewall and then running non-secure public services on it? A little forethought would have saved you a lot of time.
... and the geek shall inherit the earth...
www.linux-skunkworks.com
That in fact seems to be one of the two morals of this bunch of articles (yes, the series isn't over yet): If you're cracked, start from scratch; If you're not, make sure your network is planned from the beginning. It's far too easy to patch it together and have it work "well enough" and discover some bitrot (or worse, someone crawling in your walls like they did).
Of course, the fact that they had it done by volunteer sysadmins didn't help -- they didn't have the time to watch things as well as paid ones might.
Truth decays into beauty, while beauty soon becomes merely charm. Charm ends up as strangeness, and even that doesn't last, but up and down are forever. Quarks, right?
on a machine:
*.*	@loghost.my.net
on loghost:
auth.*	/dev/lp0
make sure you give loghost's syslogd a -u on the command line.
Can syslogd be forced to send messages to a serial port? Connect a non-networked machine of some sort to the networked machine(s) and have it listen on the serial port for data.
Either way, you save reams of paper.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
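How the syslog.conf selectors in the two posts above ("*.*" to the loghost, "auth.*" to the printer) actually decide where a message goes, as an added example that is not code from the thread. It decodes the <PRI> header of classic RFC 3164 messages into facility and severity and evaluates selectors the way sysklogd does (a named severity means that level and anything more severe). The rules and the three messages are constructed for the example, not real logs.

```python
"""Decode syslog <PRI> headers and apply syslog.conf-style selectors.
Added example with constructed rules and messages."""
import re

# Standard RFC 3164 facility and severity numbering.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(message):
    """Split the leading <PRI> into (facility_name, severity_name, rest).
    PRI = facility * 8 + severity, so divmod recovers both."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity], m.group(2)

def selector_matches(selector, facility, severity):
    """Evaluate one selector such as 'auth.*', '*.crit' or 'mail.none'."""
    fac_part, _, sev_part = selector.partition(".")
    facilities = fac_part.split(",")
    if "*" not in facilities and facility not in facilities:
        return False
    if sev_part == "*":
        return True
    if sev_part == "none":
        return False
    # Lower index = more severe; 'crit' matches crit, alert and emerg.
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)

def route(rules, message):
    """Return the targets a message is written to under `rules`, a list of
    (selector, target) pairs as they would appear in syslog.conf."""
    facility, severity, _ = decode_pri(message)
    return [target for selector, target in rules
            if selector_matches(selector, facility, severity)]

# Constructed rules mirroring the thread: everything to the loghost, auth
# messages additionally to the line printer, critical messages to the console.
RULES = [("*.*", "@loghost.my.net"), ("auth.*", "/dev/lp0"), ("*.crit", "/dev/console")]

# Constructed messages: PRI 38 = auth.info, 22 = mail.info, 2 = kern.crit.
SAMPLES = [
    "<38>Jan  1 12:00:00 gw login[512]: ROOT LOGIN on tty1",
    "<22>Jan  1 12:00:01 gw sendmail[600]: message accepted",
    "<2>Jan  1 12:00:02 gw kernel: Oops: 0000",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(decode_pri(msg)[:2], "->", route(RULES, msg))
```

Running it shows why the printer only ever sees the login messages while the loghost gets everything: the printer rule is a facility filter, not a severity one.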
I like the idea of certain log files that cannot be erased, so...
Upon installation of SDSL, I will be moving my webhosting services to my home. I have been playing with the idea of hooking up an old dot-matrix printer to print out certain log files, or lines from log files with keywords in them.
Am I hopelessly out of date with this idea? I have seen some mention of systems like this, and I think it will be a good complement to other security. The idea is that if I get a penetration, I will at least have an idea about *when* the initial intrusion was, and be able to work with that.
Anyone else with a similar system care to comment?
A modest proposal for making life easier for DDoS crackers
I have an idea. I think it's brilliant. When you want to DDoS a big site into the stone age, most of your time is spent infecting hosts to use in the attack. This is annoying and it causes us to behave in antisocial ways. If I want to bring down Yahoo, I want to do it NOW!!, not after I finish setting up a subseven network. All the work I have to do makes me pissy. When I get pissy I wipe your hard drive to cover my tracks. Now you're pissy too. Misery loves company.
What I have in mind is a massive voluntary distributed computing effort along the lines of Seti @ Home. I call it kiddie @ home. Basically, those of you with cpu and bandwidth to spare should sign up. When you aren't using your computer, I'll use it to launch SYN attacks and settle grudges. Now I don't have to crack anything, and you don't have to bother reading cert advisories. We're both happy.
What do you guys think? Can I sign you up?
--Shoeboy
(former microserf)
It's better for a non-server machine to be running as few services as possible - at most, only ssh should be necessary. Get your Dad to pick a Linux distro that doesn't install lots of cruft by default. (I've heard that Red Hat is bad at this but I wouldn't know).
BTW is it possible to run BIND ok in a BSD jail? (jail is chroot's big brother)
perl -e 'fork||print for split//,"hahahaha"'
You know what's really funny? We've run links to, I think, all of the installments of the Cracked! series individually, and every time another one comes out, somebody bitches about how "if we wanted to read this, we'd be reading rootprompt already". Just goes to show, you can't please everyone. :-)
--
There is no K5 cabal.
I am not the real rusty.
IFF your tripwire is statically linked AND launched from a read-only medium (CD, locked floppy...): you might have more of a chance.
Anyone have further illumination to offer? tripwire still needs to call system functions (e.g., to open files), even if it's statically linked. So, a call to open the changed/hacked files might result in forged data being sent.
But this would be a much messier hack...if, for example, the legit sysadmin makes a change to / (the directory), the hacked kernel would need to know to send the current info back via tripwire, instead of the info from when the kernel was hacked. It seems to me like hacking around tripwire would be its own project! (Anyone done it yet? Anyone?)
The benefit of keeping logs in electronic form is you can search through them a heckofa lot quicker... ever try to find an event in a 2000-page stack of printouts?
"Freedom means freedom for everybody" -- Dick Cheney
Try securing your systems BEFORE they get cracked. A good few places to start:
Insecure.org, especially this top 50 security tools page.
SecurityFocus the disseminators of the BUGTRAQ list among others.
Attrition.org, especially their security page.
And of course 2600, the l0pht, and Phrack for the latest tasty street info....
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
It is back up now. :)
Wanna bet?
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
Apt-get will install an updated package, but (unless you --force it) won't reinstall a currently installed version. This means cracked applications stay cracked.
(And don't make me laugh by suggesting that a cron job running apt-get install --force will be enough to stop a knowledgeable intruder who already has root access on your system.)
Running apt-get religiously is a good start, but you also need a well-configured tripwire, log host, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
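The "well-configured tripwire" this post and the earlier tripwire post both lean on, reduced to its core as an added example (not code from the thread or from the Tripwire project): a baseline of SHA-256 digests, sizes and modes taken from a known-good tree, stored as JSON, and later compared against the live tree. A package manager that skips already-installed versions never does this comparison, which is the point of the post. The tree below is constructed in a temporary directory; the same caveat the tripwire post raises applies, in that the checker trusts the kernel and libc it runs on, so the baseline and the checker itself belong on read-only media.

```python
"""Minimal file-integrity baseline and comparison (tripwire-style).
Added example; the files it checks are constructed in a temp directory."""
import hashlib
import json
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Record digest, size and permission bits for every regular file under
    root, keyed by path relative to root so the baseline is portable."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": file_digest(full),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline

def compare(baseline, current):
    """Sorted lists of modified, added and removed paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Build a constructed tree, baseline it, tamper with it, and report.
    The trojaned file keeps its size so that a size-only check would miss it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"original ps binary")
        # In practice the saved baseline goes to read-only media, not the host.
        saved = json.dumps(take_baseline(root), sort_keys=True)

        # Simulated tampering: same-size replacement, a hidden extra, a deletion.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"trojaned ps binary")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"extra")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare(json.loads(saved), take_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Symlinks are skipped deliberately: a baseline that followed them would let an attacker redirect the check to a clean copy, which is a close relative of the chroot-jail trick discussed earlier in the thread.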
There's just too many of us!! ;)
-- @rjamestaylor on Ello
Noel
RootPrompt.org -- Nothing but Unix
No NT Admin should ever be without NT Bugtraq.
Subscribe to the mailing list and sit back and watch your inbox. Dig through the archives if you're a new user. You'll be amazed at the sheer volume of security issues that floats through on a daily basis.
Over the last few months I have taken to running tcpdump on my connection just to see how many folks try and get in. Understand I am in a cable modem/DSL deprived area, so I dial up with my mighty 56k modem. My ISP uses two C class blocks for the dynamic IP dialup sessions. So I guess crackers are just making attempts at any/all of these class C networks.
I'd say I get about 4-6 attempts per day to do something on my box. Mostly it is folks looking for something good on Windows SMB ports. I'm sure there are millions of 2 PC households that share their C drive wide open so they can copy to and fro. I've gone through the logs keeping a list, and banning the entire class C network of offending IPs. You can see some of that on my site under Security.
All those attempts got me to thinking. I should set up a much simpler firewall/masquerade box that doesn't run too much. Holes could be poked in the wall for necessary services (web, mail, etc) and forwarded to an internal machine. Perhaps something like the Linux Router Project would work. But what I'm looking into is that, with good crack monitors, syslogging things to another box, checking for portscans, running snort or tcpdump. Are there any? If not I may have to start one.
Even if someone finds a hole in the mail server (or whatever), it is on a second machine behind the wall and they cannot (easily) get to it to run that suid shell they just created. If the system is kept down to a floppy or small bit of a CDROM, you can easily mount the entire ramdisk readonly, or just reboot and have the original setup restored. Just having a full Linux desktop setup directly on the 'net worries me when/if I move to a DSL area.
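The triage the post above describes doing by hand (going through the firewall logs, keeping a list, and grouping offending sources by their class C network) as an added example in code, not from the poster's site. It parses a few constructed packet-filter log lines in a made-up iptables-like format, drops unparseable entries, counts attempts per /24 with the ipaddress module, and reports what share of the attempts hit the Windows file-sharing ports the poster mentions.

```python
"""Aggregate blocked-connection log lines by source /24 and by port class.
Added example; the log lines and their format are constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real captures); the last one is deliberately malformed.
LOG_LINES = """\
Mar  3 01:12:07 gw kernel: IN=ppp0 SRC=203.0.113.17 DST=198.51.100.8 PROTO=TCP DPT=139
Mar  3 01:12:09 gw kernel: IN=ppp0 SRC=203.0.113.17 DST=198.51.100.8 PROTO=TCP DPT=445
Mar  3 02:40:31 gw kernel: IN=ppp0 SRC=203.0.113.200 DST=198.51.100.8 PROTO=TCP DPT=139
Mar  3 04:05:12 gw kernel: IN=ppp0 SRC=192.0.2.44 DST=198.51.100.8 PROTO=TCP DPT=53
Mar  3 04:05:13 gw kernel: IN=ppp0 SRC=192.0.2.44 DST=198.51.100.8 PROTO=UDP DPT=53
Mar  3 05:00:00 gw kernel: IN=ppp0 SRC=garbage DST=198.51.100.8 PROTO=TCP DPT=23
""".splitlines()

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)")

# The Windows SMB/NetBIOS ports the poster sees probed most.
SMB_PORTS = {137, 138, 139, 445}

def parse_line(line):
    """Return (src_ip, proto, dport), or None when the line does not match or
    the source is not a valid IPv4 address."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.IPv4Address(m.group("src"))
    except ipaddress.AddressValueError:
        return None
    return src, m.group("proto"), int(m.group("dport"))

def attempts_by_net(lines, prefix=24):
    """Count attempts per source network (a /24 by default, the 'class C' of
    the post) and remember which hosts in each network were seen.
    Networks are returned as strings such as '203.0.113.0/24'."""
    counts = Counter()
    hosts = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, _ = parsed
        net = str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
        counts[net] += 1
        hosts[net].add(str(src))
    return counts, hosts

def smb_probe_share(lines):
    """Fraction of parseable attempts aimed at SMB/NetBIOS ports."""
    parsed = [p for p in map(parse_line, lines) if p]
    if not parsed:
        return 0.0
    return sum(1 for _, _, dport in parsed if dport in SMB_PORTS) / len(parsed)

if __name__ == "__main__":
    counts, hosts = attempts_by_net(LOG_LINES)
    for net, n in counts.most_common():
        print(f"{net}: {n} attempts from {len(hosts[net])} host(s)")
    print(f"SMB share of attempts: {smb_probe_share(LOG_LINES):.0%}")
```

Keeping the per-network host set alongside the count matters before deciding on a /24-wide block: a whole network behind one noisy host is a different situation from many hosts in it probing, and on a dial-up pool the offender's address will have moved on anyway.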
As others have said, you should always reinstall after noticing your boxes have been cracked (you'll also want to check on things to see if you can determine the point of entry and person(s) responsible).
The better solution is to just not be cracked in the first place. The way to do this is to be known-secure. How do you do that? Audited code, such as OpenBSD, provides peace of mind. Secure logging (i.e.: logging to another internal machine whose job it is to accept log reports) -- this gives you a nice write-only log target, making it easier to trace initial probes and attacks.
Next, you'll want to check existing services, and review any services you want to add. I discussed this in Securing the Border, parts 1, 2, 3, and 4.
You might also want to read "Auditing Kuro5hin" where I found a root compromise on Kuro5hin.org when reviewing the system with Rusty, the site owner and creator. It has tips on how to recover cleanly.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
looks like rootPrompt has succumbed to the infamous ./ DDOS attack!
-Jon
this is my sig.
titled: "How I dealt with over 48,762 simultaneous http connections referred from /."
Part 1. The onslaught
Part 2. I've never seen a disk so busy
Part 3. Out of swap space
Part 4. Internal Server Error
Part 5. The crowd finally goes away
try { do() || do_not(); } catch (JediException err) { yoda(err); }
:)
-- Give him Head? Be a Beacon?
(If you can't figure out how to E-Mail me, Don't.)
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, noeld@pair.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
couldn't spawn child process:
/usr/www/cgi-bin/php-cgiwrap
Noel, please fix! I was about to read the last installment! The suspense is unbearable.
Ceterum censeo Microsoftam esse delendam.
Great, this will really help the first-time users of Linux.
Nothing helps a newbie secure a box quite like someone telling him he should already know how.
Who was it that said that the most secure computer is one that is not connected in any way to anything (including power), that has no peripherals, and that is buried 8 feet down - and even this level is arguably insufficient....
I once had a technologically-unaware boss (owner of an ISP [sigh]) who suddenly freaked out and decided that I was hacking every system he owned.
At one point he was telling people that I had edited his autoexec.bat file on a machine in his home that wasn't turned on and had no modem.
I was also supposedly running DNS servers that circumvented Internic, Quake servers for all my friends, and also stomped.com on office machines, all on a 33.6 modem.
Ah, paranoia and ignorance, what a blend of ambrosia you meld.
If you've been hacked, reload.. It's that simple. If you designed your system 'right' from the beginning, this isn't a big deal. Here are some basic steps I've used that anyone can use.
1) Get your *nix (or any OS) set up the way you want, with patches, drivers, etc. Don't load application software yet. Create an image of that machine (Ghost, Drive Image, etc.).
2) Load your applications.
3) Set your syslog to mirror your logs on another server.
4) If possible, try to move your 'data' directories (from your applications) to another directory for just 'data'. (You'll have to create symbolic links from their original locations.)
5) Back up your DATA directory/drive ONLY!
Too many times do I see people back up their entire system whether it be Winblows or *nix. If you get a virus, or compromised binary, that file/binary will be backed up! If you don't catch the attack, all of your backups could be infected.
A good rule of thumb is to only back up your DATA, not your binaries. After all, you own the software, right ? *grin*
Then, the obvious solution after a hack is to:
1) Reapply your OS image (ghost, drive image, etc)
2) Apply new patches/fixes/close security holes.
3) Reload your Applications
4) Reload your data
5) Point the applications to your data on the other drive.
Yes, it can be a long, drawn out affair initially, but whether it be a hacker or just plain system crash, the restoration process goes rather smoothly.
-Iota
God is Real Unless Declared Integer
reinstall.
seriously, if your machine has been compromised by anyone other than a completely retarded skriptkiddie, chances are there's going to be lots of "new functionality" in some of the bins on your machine. reinstall from read-only media.
I'd probably just copy anything that couldn't be infected by viruses/trojans/etc off to another system, then wipe the machine and start over, perhaps paying more attention to security next time. There are probably a lot of people for whom that wouldn't suffice.
-- $SIGNATURE
the next time was bind again, but the guy rebooted the box for some reason and then i found him on irc (was using the same nick as the account that he added, and IPs matched), and i asked him how he did it and he said bind.
i dont run bind anymore ...
i reinstalled after the first time, but not the second.
That kind of thing can't really happen with windows, yeah you can get back orifice but norton antivirus takes care of that. For someone moving from windows to linux (say like my dad) if he hears that he has to check some web page and subscribe to mailing lists to keep on top of latest exploits that will root his box, it's a good reason to stay with windows.
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, noeld@pair.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
couldn't spawn child process:
/usr/www/cgi-bin/php-cgiwrap
Even on their main page. Damn. Just as I was getting to part 5.
This begs for a follow-up series on rootprompt.org: How To Secure A Slashdotted Box
Well, rootprompt got
OK, some kiddie has cracked your box, played around with files, executables, logs, etc. So you start from scratch: boot off a CD, fdisk the partitions to hell, reinstall. Great. Everything's clean.
Now: what if you have flash BIOS?
At the very least he could zero out your BIOS and make your machine unbootable. If your version of Un*x uses the BIOS for anything but booting, it might be possible to leave a back door, too.
Thoughts?
------
You are in a twisty little maze of open source licenses, all different.
How about using OpenBSD? You won't have to check bugtraq every few hours. Two years without a root exploit is a pretty good track record.
Only the State obtains its revenue by coercion. - Murray Rothbard
C'mon guys... I know you love your uptime. But if you download the Redhat (or Debian, or whatever) updates once a week, install them and reboot, you'll save yourself a world of trouble. Depending on the updates, you don't even need to reboot -- but it's usually the easiest way to make sure all the daemons have been restarted. Plus it cleans up your memory pool.
I have seen many boxes compromised. But there are two configurations I've never seen hacked:
- Redhat w/ latest updates.
- OpenBSD.
Note that closed source OS's seriously suffer in this area. Running Solaris (second only to Linux in the number of exploits), your best bet is to replace--
-- Slashdot sucks.
Only rebuild. The only possible ways of fully recovering a cracked system are:
1. reload the entire system from a known-good backup
2. reinstall the entire system
However, #1 isn't always possible. First of all, if you don't keep backups of your system, you are SOL. Even if you do, if you don't keep backups around for long periods of time, it is possible you don't have a backup from before the initial intrusion.
If anything, you CANNOT trust ANY data/programs/etc from the cracked system. ANYTHING and EVERYTHING could have been modified by the cracker. Trying to plug the hole after it's already been used is pointless, as you have no way of knowing what they've changed. If you just update whatever program was the problem and move along your merry way, you're just asking for a repeat of the initial breakin.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Anyone know of a place for Windows NT Security?
Betty Ford Clinic.
Sheldon
Yes, I know there is OpenBSD and other more-or-less secure OSes. But it is still very easy to create security holes, and it is a lot of work to keep a system secure. The millions of ordinary users soon to come on cable modem and ADSL won't appreciate doing this sort of work.
So what is really the problem?
Although no dates are given, the way the article reads I suspect the attack took place several years ago. In 1995 there were remotely exploitable root cracks in openBSD. (Which if I remember right was just coming into being and still was mostly netBSD+ and not really worthy of its own name yet - maybe it didn't even exist at that time)
Work with the best tools available. But sometimes the best tools are not very good.
PS, I could be wrong on the date, but this is my impression. It seems the author has learned a lot since then.
If administrators kept on point checking out advisories as well as following forums such as securityfocus, etc. This wouldn't be a problem.
When someone has to go as far as detailing a document on recovering a cracked box you have to stop and wonder about the level of security this person knows about since their machine was "rooted" in the first place.
Sure you could moan and bitch about script kiddiots/crackers/e-vandals but a secure box isn't as far fetched as a clean install of OpenBSD or even running Titan on your clean install of Solaris.
Sorry to say but slackness is to blame when dealing with situations like this. Never... Wait no... NEVER have I had to worry about recovering a "cracked" box since it'd been secure from the get.
Someone root me so I can have fun creating my own docs...
sil@deficiency.org www.deficiency.org
sil@antioffline.com www.antioffline.com
Thanks for the memories