How To Secure A Cracked Box
Noel sent us a collection of stories from rootprompt on how to secure your box. The articles include
Denial and truth,
Watching and Waiting,
Hunting the hunter,
The Sniffer, and
Rebuilding the system to recover from the crack. It's an interesting discussion on what it's like (and enough to churn the stomachs of anyone who's ever been there).
Even though Clifford Stoll used that method in the infamous Cuckoo's Egg, operating systems seemed to have progressed well beyond that type of jerry-rigging. With the potential for autoarchiving log files, automating their conversion into different formats, and not to mention the cheap availability of older PCs that can serve as independent and secure log servers, a dot matrix seems to be a resolution only for the most paranoid sysadmin. (Of course, dot matrix printouts do still retain their age old hacker appeal.)
uhhh...
auth.*	/dev/lp0
...might be a way to do this without tail -f sucking half your processor 24/7.
man syslog.conf, dude.
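An added illustration of the syslog.conf rule the two posts above are talking about (not code from the thread): a small parser for the classic syslogd rule format, and a check reporting which rules send a facility to a target that root on the cracked box cannot rewrite afterwards, i.e. a line printer or a remote loghost. The config text is constructed; the loghost name is a placeholder.

```python
"""Parse classic syslog.conf rules and list the tamper-resistant targets
for a facility. Syntax: one rule per line, "selector<TAB>action";
selector = facility.priority, several joined by ';', facilities may be
comma-separated; action = file or device, '@host' (remote loghost),
'|fifo', a user list, or '*'. Added example, not from the thread."""
from typing import List, Tuple

# Constructed sample: the auth.* -> /dev/lp0 idea from the thread plus a
# remote loghost (hostname is a placeholder, not a real machine).
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
auth,authpriv.*                   /dev/lp0
*.*                               @loghost.internal.example
"""

Rule = Tuple[List[Tuple[str, str]], str]

def parse_rules(text: str) -> List[Rule]:
    """Return [(selectors, action)] with selectors as (facility, priority)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:          # blank, comment, or incomplete rule
            continue
        sel_text, action = parts
        sels = []
        for part in sel_text.split(";"):
            facs, _, pri = part.partition(".")
            sels.extend((f, pri) for f in facs.split(","))
        rules.append((sels, action))
    return rules

def rule_covers(sels: List[Tuple[str, str]], facility: str) -> bool:
    """Later selectors override earlier ones, so '*.info;auth.none' excludes auth."""
    covered = False
    for fac, pri in sels:
        if fac in (facility, "*"):
            covered = pri != "none"
    return covered

def offbox_targets(text: str, facility: str) -> List[str]:
    """Actions for `facility` that survive a root compromise of this host:
    a remote loghost ('@host') or a line printer device (/dev/lp*)."""
    return [action for sels, action in parse_rules(text)
            if (action.startswith("@") or action.startswith("/dev/lp"))
            and rule_covers(sels, facility)]
```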
It seems that I can't say it enough. Install and use Kerberos. NOW!
SSH is great for connecting to a shell account, but you may still leak passwords once you've established a secure connection to your "trusted" network. Kerberos, properly installed, ensures that your passwords *NEVER* appear *ANYWHERE* in plaintext, and rarely appear in ciphertext. After all, you never know when someone has compromised one of your local tools, e.g., psql.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
You say this jokingly, I presume, but what if such a beast did exist? I would run a client of such a system *if* it contained a Slashdot-like moderation system that allowed people to propose code (e.g. post code they wanted to run to a public forum). When a piece of code gets enough votes, it "goes live" and people start executing it. Would this result in problems? Sure. Do I care? No.
Seems odd, no? Well, I say the Internet was put in place by people who had bigger dreams than a really fat pipe for advertising. I think the Internet is actually a cool thing, and should be used to its fullest. This would give it that chance, but would also come with risk. Ok, I can do risk....
Anyone up for writing it?
Indeed. I've spent many hours thinking about this...
Suppose you lock down your system really tight. You use Linux capabilities or BSD securelevel to set your binaries and config files (and directories! don't forget the directories and their parents or "mv" followed by "cp" is all it takes to trojan your stuff) read-only and your log files append-only in such a way that not even root can mess with them.
Being a security-conscious person you insist upon changing your passwords regularly. This requires /etc/passwd to be writable by root.
Your login shell is specified in /etc/passwd.
Some intruder gains root, discovers he can't trojan the system binaries or wipe his footprints from the logfiles because of all the lock-down you've done. No problem! He changes your login shell in /etc/passwd to point to a little program that chroots you into a special jail directory hierarchy where all of your usual tools and logfiles can be found, in trojan form. Since the intruder hasn't altered the protected stuff in /bin, /var/log, etc. he hasn't done anything your capabilities system can prevent.
Bingo, you are now the clueless luser in the honeypot.
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
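A defender's check for the login-shell swap in the post above, added here as an example (not code from the thread): it audits the seventh field of /etc/passwd against /etc/shells and against the read-only tree. It assumes /etc/shells is the allow list and uses a hypothetical PROTECTED tuple for the locked-down directories; the passwd and shells text is constructed sample data.

```python
"""Flag /etc/passwd login shells that are not in /etc/shells or that
live outside the read-only tree, which is where a chroot-jail wrapper
would have to be planted when /bin itself is locked down.
Added example, not from the thread."""
from typing import List, Set, Tuple

# Constructed sample data: three normal accounts and one whose shell now
# points at a wrapper outside the protected tree.
SAMPLE_SHELLS = "# /etc/shells (constructed)\n/bin/sh\n/bin/bash\n"
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/home/.x/jailsh
daemon:x:2:2::/sbin:/sbin/nologin
"""
PROTECTED = ("/bin/", "/sbin/", "/usr/bin/")   # hypothetical lock-down set
LOCKED = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

Finding = Tuple[str, str, str]   # (user, shell, reason)

def allowed_shells(shells_text: str) -> Set[str]:
    """Parse /etc/shells: one path per line, '#' lines are comments."""
    return {l.strip() for l in shells_text.splitlines()
            if l.strip() and not l.startswith("#")}

def suspicious_shells(passwd_text: str, shells_text: str,
                      protected=PROTECTED) -> List[Finding]:
    """Report shells missing from /etc/shells or outside the read-only
    tree; locked accounts (nologin/false) are skipped."""
    ok = allowed_shells(shells_text)
    findings: List[Finding] = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], line, "malformed passwd entry"))
            continue
        user, shell = fields[0], fields[6]
        if shell in LOCKED:
            continue
        if shell not in ok:
            findings.append((user, shell, "not listed in /etc/shells"))
        elif not shell.startswith(protected):
            findings.append((user, shell, "outside the read-only tree"))
    return findings
```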
Items you will need for this procedure:
1. Superglue
2. Strip of cloth or large bandage
3. Tape, twist tie, or rubber band
First, apply superglue to both sides of crack, and press pieces together. If superglue comes into contact with hands, follow instructions on back of package to remove. Do not attempt to lick off superglue.
Wait. Until you're tired of waiting.
Take strip of cloth or bandage and tie it around box, perpendicular to the axis of the crack. Secure cloth tightly by either tying it in a knot, or by using tape, a twist tie, or a rubber band.
Refrain from dropping or throwing your box out a window to avoid the risk of future cracks.
(sorry, something makes me do this)
It's 10 PM. Do you know if you're un-American?
Well, to be honest, its your fault for using BIND!
BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.
Also, investigate alternative, and far superior servers for services you want to run.
Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.
Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.
Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.
If the box was being used for the same purpose that a windows box can serve, why run bind anyway? The problem is not the OS, you'll be hard pressed to argue that comparing linux running no services and a windows box running no services, that linux is less secure. Or any un*x for that matter. The key is to know the purpose of your box from the start. Are you building this box just as a gateway? Then you shouldn't need any services running. If you are going to use a linux box as a router, then think of it as a router. If you are going to use it as a firewall, then think of it as a firewall. How many firewalls have you seen, PIX and what not, that have DNS or mail servers running on them? None. The problem is not the OS, the problem is education.
If you want an all-in-wonder box that will do your masq'ing and firewalling and mail hosting and web hosting and DNS and wash the dog, then you need to at least research the services you are going to use and be prepared for the attacks. BTW, a do-all box is just a bad idea IMHO. What's the point of having a secure firewall and then running non-secure public services on it? A little forethought would have saved you a lot of time.
... and the geek shall inherit the earth...
www.linux-skunkworks.com
I like the idea of certain log files that cannot be erased, so...
Upon installation of SDSL, I will be moving my webhosting services to my home. I have been playing with the idea of hooking up an old dot-matrix printer to print out certain log files, or lines from log files with keywords in them.
Am I hopelessly out of date with this idea? I have seen some mention of systems like this, and I think it will be a good complement to other security. The idea is that if I get a penetration, I will at least have an idea about *when* the initial intrusion was, and be able to work with that.
Anyone else with a similar system care to comment?
A modest proposal for making life easier for DDoS crackers
I have an idea. I think it's brilliant. When you want to DDoS a big site into the stone age, most of your time is spent infecting hosts to use in the attack. This is annoying and it causes us to behave in antisocial ways. If I want to bring down Yahoo, I want to do it NOW!!, not after I finish setting up a subseven network. All the work I have to do makes me pissy. When I get pissy I wipe your hard drive to cover my tracks. Now you're pissy too. Misery loves company.
What I have in mind is a massive voluntary distributed computing effort along the lines of Seti @ Home. I call it kiddie @ home. Basically, those of you with cpu and bandwidth to spare should sign up. When you aren't using your computer, I'll use it to launch SYN attacks and settle grudges. Now I don't have to crack anything, and you don't have to bother reading cert advisories. We're both happy.
What do you guys think? Can I sign you up?
--Shoeboy
(former microserf)
Try securing your systems BEFORE they get cracked. A good few places to start:
Insecure.org, especially this top 50 security tools page.
SecurityFocus the disseminators of the BUGTRAQ list among others.
Attrition.org, especially their security page.
And of course 2600, the l0pht, and Phrack for the latest tasty street info....
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
No NT Admin should ever be without NT Bugtraq.
Subscribe to the mailing list and sit back and watch your inbox. Dig through the archives if you're a new user. You'll be amazed at the sheer volume of security issues that floats through on a daily basis.
As others have said, you should always reinstall after noticing your boxes have been cracked (you'll also want to check on things to see if you can determine the point of entry and person(s) responsible).
The better solution is to just not be cracked in the first place. The way to do this is to be known-secure. How do you do that? Audited code, such as OpenBSD provides peace of mind. Secure logging (i.e.: logging to another internal machine whose job it is to accept log reports) -- this gives you a nice write-only log target, making it easier to trace initial probes and attacks.
Next, you'll want to check existing services, and review any services you want to add. I discussed this in Securing the Border, parts 1, 2, 3, and 4.
You might also want to read "Auditing Kuro5hin" where I found a root compromise on Kuro5hin.org when reviewing the system with Rusty, the site owner and creator. It has tips on how to recover cleanly.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
titled: "How I dealt with over 48,762 simultaneous http connections referred from /."
Part 1. The onslaught
Part 2. I've never seen a disk so busy
Part 3. Out of swap space
Part 4. Internal Server Error
Part 5. The crowd finally goes away
try { do() || do_not(); } catch (JediException err) { yoda(err); }
If you've been hacked, reload.. It's that simple. If you designed your system 'right' from the beginning, this isn't a big deal. Here are some basic steps I've used that anyone can use.
1) Get your *nix (or any OS) set up the way you want, with patches, drivers, etc. Don't load application software yet. Create an image of that machine (Ghost, Drive Image, etc.).
2) Load your applications.
3) Set your syslog to mirror your logs on another server.
4) If possible, try to move your 'data' directories (from your applications) to another directory for just 'data'. (You'll have to create symbolic links from their original locations.)
5) Backup your DATA directory/drive ONLY!
Too many times do I see people backup their entire system whether it be Winblows or *nix. If you get a virus, or compromised binary, that file/binary will be backed up! If you don't catch the attack, all of your backups could be infected.
A good rule of thumb is to only back up your DATA, not your binaries. After all, you own the software, right ? *grin*
Then, the obvious solution after a hack is to:
1) Reapply your OS image (ghost, drive image, etc)
2) Apply new patches/fixes/close security holes.
3) Reload your Applications
4) Reload your data
5) Point the applications to your data on the other drive.
Yes, it can be a long, drawn out affair initially, but whether it be a hacker or just plain system crash, the restoration process goes rather smoothly.
-Iota
God is Real Unless Declared Integer
reinstall.
seriously, if your machine has been compromised by anyone other than a completely retarded skriptkiddie, chances are there's going to be lots of "new functionality" in some of the bins on your machine. reinstall from read-only media.
the next time was bind again, but the guy rebooted the box for some reason and then i found him on irc (was using the same nick as the account that he added, and IPs matched), and i asked him how he did it and he said bind.
i don't run bind anymore ...
i reinstalled after the first time, but not the second.
That kind of thing can't really happen with windows, yeah you can get Back Orifice but Norton AntiVirus takes care of that. For someone moving from windows to linux (say like my dad) if he hears that he has to check some web page and subscribe to mailing lists to keep on top of latest exploits that will root his box, it's a good reason to stay with windows.
C'mon guys... I know you love your uptime. But if you download the Redhat (or Debian, or whatever) updates once a week, install them and reboot, you'll save yourself a world of trouble. Depending on the updates, you don't even need to reboot -- but it's usually the easiest way to make sure all the daemons have been restarted. Plus it cleans up your memory pool.
I have seen many boxes compromised. But there are two configurations I've never seen hacked:
- Redhat w/ latest updates.
- OpenBSD.
Note that closed source OS's seriously suffer in this area. Running Solaris (second only to Linux in the number of exploits), your best bet is to replace--
-- Slashdot sucks.
Only rebuild. The only possible ways of fully recovering a cracked system are:
1. reload the entire system from a known-good backup
2. reinstall the entire system
However, #1 isn't always possible. First of all, if you don't keep backups of your system, you are SOL. Even if you do, if you don't keep backups around for long periods of time, it is possible you don't have a backup from before the initial intrusion.
If anything, you CANNOT trust ANY data/programs/etc from the cracked system. ANYTHING and EVERYTHING could have been modified by the cracker. Trying to plug the hole after it's already been used is pointless, as you have no way of knowing what they've changed. If you just update whatever program was the problem and move along your merry way, you're just asking for a repeat of the initial breakin.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Anyone know of a place for Windows NT Security?
Betty Ford Clinic.
Sheldon