Slashdot Mirror


How To Secure A Cracked Box

Noel sent us a collection of stories from rootprompt on how to secure your box. The articles include Denial and truth, Watching and Waiting, Hunting the hunter, The Sniffer, and Rebuilding the system to recover from the crack. It's an interesting discussion on what it's like (and enough to churn the stomachs of anyone who's ever been there).

9 of 210 comments

  1. Re:Dot Matrix Printers and security? by vyesue · · Score: 5

    uhhh...

    auth.* /dev/lp0

    ...might be a way to do this without tail -f sucking half your processor 24/7.

    man syslog.conf, dude.

  2. How to secure a cracked box by Hard_Code · · Score: 5

    Items you will need for this procedure:

    1. Superglue
    2. Strip of cloth or large bandage
    3. Tape, twist tie, or rubber band

    First, apply superglue to both sides of crack, and press pieces together. If superglue comes into contact with hands, follow instructions on back of package to remove. Do not attempt to lick off superglue.

    Wait. Until you're tired of waiting.

    Take strip of cloth or bandage and tie it around box, perpendicular to the axis of the crack. Secure cloth tightly by either tying it in a knot, or by using tape, a twist tie, or a rubber band.

    Refrain from dropping or throwing your box out a window to avoid the risk of future cracks.

    (sorry, something makes me do this)

    --

    It's 10 PM. Do you know if you're un-American?

  3. Re:a good reason not to use *nix by stab · · Score: 5

    Well, to be honest, it's your fault for using BIND!

    BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.

    Also, investigate alternative, and far superior servers for services you want to run.

    Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.

    Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.

    Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.

  4. Dot Matrix Printers and security? by billh · · Score: 5

    I like the idea of certain log files that cannot be erased, so...

    Upon installation of SDSL, I will be moving my webhosting services to my home. I have been playing with the idea of hooking up an old dot-matrix printer to print out certain log files, or lines from log files with keywords in them.

    Am I hopelessly out of date with this idea? I have seen some mention of systems like this, and I think it will be a good complement to other security. The idea is that if I get a penetration, I will at least have an idea about *when* the initial intrusion was, and be able to work with that.

    Anyone else with a similar system care to comment?

    1. Re:Dot Matrix Printers and security? by synaptic-impulse · · Score: 5

      Here is the way I do it:

      We have many systems in house and colocated that get scanned and attacked regularly. We use syslog to pipe ALL logs back to a central server. This server then runs LOGCHECK against the logs, and emails and prints all signatures found.

      Logs are reviewed as they come in via email - and daily the printed logs are reviewed by several ppl to ensure that "many eyes" look for anomalies.
      This way - we never miss anything that looks strange.

      We ran this system with no filters for about a month and a half to determine what items would be ok to ignore (standard system events, cipe key syncs etc)

      In addition we run port sentry, and lids. Port sentry will permanently block any IP that scans us (we get scanned at least 3 times a week) and lids is set up to make all log files (and others) APPEND ONLY - even by root.

      Unless our systems get compromised AND the hacker can unlock lids - he really doesn't even have root access.

      Last - any scan that comes in gets investigated.
      1. permanently block that IP
      2. trace the IP (ping,nslookup,whois etc)
      3. contact that site/isp/etc. via email with the log excerpts that show the attack.
      4. archive for eventual turn in to FBI

      Here is something that you will really find interesting: this is the response from one scan that came through:

      We sincerely regret any inconvenience/consternation the probing from 216.181.81.11 may have caused you and/or your organization. The machines that have had the name excaliber.barnhard.net have been the subject of a number of attacks which have been investigated by the FBI and in some case may still be under investigation. Based on the prior investigations we agreed to make a reasonable effort to collect data concerning any subsequent attacks, and in particular any attacks which may have some relationship to prior events. Whereas it is possible that three different random hackers have figured out independently that the machines bearing that name are used for testing/training on our network and have used an exploit suitable for whatever variant of Linux happened to be installed at the time. I think as the number of times it gets hit increases it is increasingly unlikely. Regardless, the boys/girls responsible for this are likely unaware that once an attack is confirmed we activate an upstream monitoring process that records all of the incoming packets, which we will forward to the FBI. Our poor abused testing machine then gets backed up to tape, wiped, and then reincarnated when needed again. It is interesting, but it is also getting old fast. As such, we have made the decision that our future test machines will be locked down boxes like our production equipment. If anyone is interested in the construction of suitable blackhole boxes that could assist the FBI in tracing these folks, instead of having to leave hacked machines live I think it would be a good thing. I am sure they would be interested. If we could lay a cracker trap that would only cost a modest amount of bandwidth and CPU cycles that could gather the necessary evidence on the cracker without enabling them to carry out real attacks, I know I would be interested.

      Once again, thanks for letting us know you were scanned. We're sorry to have darkened your doorstep in these regards. The machine has been taken down and subsequently replaced.

      If you have any questions related to this matter I can be contacted at the address/email/phone shown below. Our contact with the FBI is Special Agent Kevin M. Walsh who can be reached at kwalsh@leo.gov.
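An added example, not code from this thread or from the logcheck project: a small logcheck-style filter in Python over constructed syslog lines, following the workflow described above (known attack signatures always surface, a baseline of routine events learned during an unfiltered observation period is subtracted, and anything unfamiliar is still flagged for human review). The sample lines, patterns and hostnames are assumptions.

```python
"""Logcheck-style filter for lines collected on a central syslog host."""
import re

# Constructed sample of lines as a central syslog server might receive them.
SAMPLE_LOGS = """\
Jun  3 02:14:07 web1 sshd[812]: Failed password for root from 203.0.113.7 port 4411 ssh2
Jun  3 02:14:09 web1 sshd[812]: Failed password for root from 203.0.113.7 port 4413 ssh2
Jun  3 02:15:00 web1 cipe[99]: key sync with peer 192.0.2.9 ok
Jun  3 02:15:30 ns1 portsentry[140]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 111
Jun  3 02:16:00 web1 CRON[1021]: (root) CMD (run-parts /etc/cron.hourly)
Jun  3 02:16:12 ns1 named[77]: denied update from [198.51.100.4].2053 for "example.org"
Jun  3 02:17:02 web1 kernel: eth0: link down
"""

# Attack signatures: lines that are always emailed and printed.
ATTACK_PATTERNS = [r"attackalert", r"Failed password", r"denied update"]

# Baseline gathered while running with no filters: routine events judged safe to drop.
IGNORE_PATTERNS = [
    r"cipe\[\d+\]: key sync .* ok$",
    r"CRON\[\d+\]: \(root\) CMD \(run-parts",
]

# Source address in an attack line (sshd, portsentry and named formats above).
SRC_RE = re.compile(r"from (?:host: )?\[?(\d+\.\d+\.\d+\.\d+)")


def classify(line):
    """Return 'attack', 'ignore' or 'unusual'; unknown events are never silently dropped."""
    if any(re.search(p, line) for p in ATTACK_PATTERNS):
        return "attack"
    if any(re.search(p, line) for p in IGNORE_PATTERNS):
        return "ignore"
    return "unusual"


def report(text):
    """Group everything not on the ignore baseline so reviewers see attacks first."""
    out = {"attack": [], "unusual": []}
    for line in text.splitlines():
        kind = classify(line)
        if kind != "ignore":
            out[kind].append(line)
    return out


def attacking_hosts(text):
    """Source addresses seen in attack lines, feeding the per-scan investigation step."""
    hosts = {m.group(1) for line in report(text)["attack"] for m in [SRC_RE.search(line)] if m}
    return sorted(hosts)
```

Running `report(SAMPLE_LOGS)` surfaces the four signature hits plus the unexplained link-down line, while the cipe key sync and cron entries from the baseline are dropped.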

  5. Why can't we all just get along by Shoeboy · · Score: 5

    A modest proposal for making life easier for DDoS crackers

    I have an idea. I think it's brilliant. When you want to DDoS a big site into the stone age, most of your time is spent infecting hosts to use in the attack. This is annoying and it causes us to behave in antisocial ways. If I want to bring down Yahoo, I want to do it NOW!!, not after I finish setting up a subseven network. All the work I have to do makes me pissy. When I get pissy I wipe your hard drive to cover my tracks. Now you're pissy too. Misery loves company.

    What I have in mind is a massive voluntary distributed computing effort along the lines of Seti @ Home. I call it kiddie @ home. Basically, those of you with cpu and bandwidth to spare should sign up. When you aren't using your computer, I'll use it to launch SYN attacks and settle grudges. Now I don't have to crack anything, and you don't have to bother reading cert advisories. We're both happy.

    What do you guys think? Can I sign you up?

    --Shoeboy
    (former microserf)

  6. A gram of prevention is worth a Kg of cure.... by fluffhead · · Score: 5

    Try securing your systems BEFORE they get cracked. A good few places to start:

    Insecure.org, especially this top 50 security tools page.
    SecurityFocus the disseminators of the BUGTRAQ list among others.
    Attrition.org, especially their security page.
    And of course 2600, the l0pht, and Phrack for the latest tasty street info....

    --

    #include "disclaim.h"
    "All the best people in life seem to like LINUX." - Steve Wozniak

  7. how to secure a cracked box: by vyesue · · Score: 5

    reinstall.

    seriously, if your machine has been compromised by anyone other than a completely retarded skriptkiddie, chances are there's going to be lots of "new functionality" in some of the bins on your machine. reinstall from read-only media.

  8. Re:Interesting... is there such a thing for Win NT by stokessd · · Score: 5

    Anyone know of a place for Windows NT Security?

    Betty Ford Clinic.

    Sheldon