Slashdot Mirror
Honeynet Project: Blackhat Attack Stats
edsonw writes "The Honeynet Project published an interesting paper about their work. They say: "We are psyched to announce our newest paper
, Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...)
We demonstrate just how aggressive the blackhat community is.""
Ok, that's good. Using the scientific method.
A default Windows98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.
BULLSHIT. The Redhat server gets tested default install, out of the box. For the Win98 PC, they perform a default install and then, "oh, let's turn on file sharing, because that's what every newbie user does when they set up Win98". NOT. File sharing is NOT enabled out of the box on Win98. You might as well say "Well, let's take this FreeBSD default install, and we'll set the root password to 'password', and then we'll change the prompt info for all the daemons to say enter 'root' for username and 'password' for password you l33t h4XX0r!! yes, let's do that and see how long the box survives."
This is what we call a double standard. However, they can't say that the NT box was 0wn3d, and they didn't even try Win2k's grip (it's a bad mother fucker).
I was under the impression that you distinguished between Blackhats and Script-kiddies, but the white paper seem to assume that all attacks are from blackhats. The attack without OS-ID seems kiddish to me, as does scanning for specific vulnerabilities.
Enlighten me, s'il-vous-plait...
Uh, I think we all added /etc/hosts long ago.
127.0.0.1 goatse.cx
to our
Thanks for inquiring about open source. Keep it up!
So, basically what you're saying is that you don't want to put in the effort to learn enough to put your boxes on the Internet and not be compromised.
I look forward to receiving sunrpc scans from your machines.
The fastest time ever for a system to be compromised was 15 minutes.
/. stories are compromised within 21 seconds of being posted.
So what? Nearly all
Result: 0 breakins for a huge number of attempts. NetBIOS, rpc, dns, and a LOT of ftp attempts.
Not surprisingly I'm AC'ing this post to preserve a) bandwidth b) sanity and c) track record.
I'm VERY grateful to Theo DeRaadt and his crew and the contributors for doing such an amazingly good job. More power to them.
Naw, they just painted them red!
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
When I was a kid, we had to bite on aluminum foil to generate electricity to power the motherboard. The motherboard was tied to my chest with my chest hair because we couldn't afford anything else. We couldn't afford network cable so I would lick my fingers and use my arms as thicknet cables. When my brother was born they put a vampire tap on my left arm to extend the network.
-Paul Komarek
All of our apache servers were hit about 29-35 times with the recent IIS bug (the .ida one). Several times from the same client.
Our NT IIS servers where hit 0-2 times.
Duh!
The only difference for most of us is that the giver is first, and it loads much faster.
I think if I were paranoid about being hacked before being able to download the updates, I'd think seriously about booting the machine in single-user mode and then doing my downloads. Much less risk that way. But unfortunately, this method isn't of much use to those who aren't very familiar with Unix administration.
--
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
My FreeSCO system is an old Packard Bell 486DX2/66 with 20MB of RAM just sitting on a cardboard shelf I made inside a bookcase I use as my system rack. This system has only one ISA slot that holds my NIC and COM1 has an external US Robotics 56K baud modem. No monitor, mouse, or keyboard required. I just turn it on first and turn it off last. It work great!
zenray
I get scanned a few times every time I'm logged into my dialup service. Of course this has increased a lot since my local isp was sucked into Earthlink. :-(
For RH 6.2, before you even connect it to a network, I reccomend you have a copy of Bastille Linux (Which is actually a script, not a distrobution) on hand. This is great for newbies.
/etc/inetd.conf file (which only appears in a server install).
/. post, but the above is a good start for Red Hat 6.2.
As a general rule:
run the "ntsysv" tool, and disable portmap, httpd, bind... hell disable EVERYTHING, and begin turning on things as you need them. (If you don't know what it does, turn it off, if something stops working, you know what that was and can turn it back on.)
Comment out everything in the
Have nmap on hand, and scan 127.0.0.1 (yourself) with it, to make certain your ports are closed. Nmap should only find port 113 (and 22 if you install SSH). Sure, you can have more open ports after that - but that is providing you know what they do.
There is no way I can give you enough advice on how to secure a machine on a simple
Try to hack my 31337 firewall!
Wow. If that's true, this is just crazy.
It is true. I witnessed the very same happen to a Red Hat 6.2 machine in 10 min. The next fastest I saw was 4 hours. I have 20 Rh machines now, and when I first started with them I did not know how to secure them properly.
I found out just how fast someone could "own" them.
I agree, the services should be OFF by default, just like Open BSD. Maybe the powers that be will listen one day.
For now, I install on a non-networked machine, install the patches off CD, and secure the machine before attaching a network cable.
Try to hack my 31337 firewall!
The SDMI consortium? No, wait, that was something else...
Remember: it's a "Microsoft virus", not an "email virus",
Your right to not believe: Americans United for Separation of Church and
Not an "emacsitor". Not a "viitor". Those aren't even words!
Remember: it's a "Microsoft virus", not an "email virus",
Your right to not believe: Americans United for Separation of Church and
Some ideas:
The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d. Maybe start off with a more up-to-date distro so as to decrease the risk of attack during the install process? Or, you could download all the security updates onto an existing machine, then take down your external connection, install from the RH 6.2 CD, copy over and apply security updates, and only then bring up the link to the outside world.
Remember: it's a "Microsoft virus", not an "email virus",
Your right to not believe: Americans United for Separation of Church and
A simple analysis I would like to see would be to correlate the probes and attacks over the time of the week when they occurred, with granularity measured to the hour, possibly with a 3-hour moving averages. This is likely to provide significant results.
I once analysed the spam I received over the course of a month, and even this very limited data set revealed clearly that more spam is sent on weekends, with Sunday recording twice as much spam as Thursday. Probes and attacks are likely to follow a similar statistical pattern, in part because spammers and blackhats are an overlapping community.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
You're missing 4 things ;)
.|` Clouds cross the black moonlight,
a) stay uptodate - apply patches like there's no yesterday
b) use an IDS like snort
c) run logchecker and AIDE
d) use libsafe around net-listening daemons.
Then you'll be in the right league; whenever you get emails off these you're expected to *read* them, too.
Me, I'm getting portmapper, FTP and DNS in approximately that order; I've also had quite a few telnet scans following the recent vulnerability in telnetd as well.
~Tim
--
~Tim
--
Rushing on down to the circle of the turn
So here's a hint, learn how to use your OS before you put it on the Internet. If you're a linux fan, figure out IPTables and implement it. If you're into BSD or Solaris, use IPF and really learn it. Download the security updates for your system and apply them before you put it on the Internet. Air gap security is the best time. When you're done with your box, you should only be running a late version of (Open)SSH and whatever services you explicitly want people to connect to. Inetd should be turned off, for the most part. Unfortunately, system security is not easy. This is why it pays to be a script kiddie. They don't have to know how something works, they just need to use a script against as many boxes as possible until they find a weak one.
Yes, I bought a bumper sticker at Defcon that reads "My other computer is your linux box."
What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then its a perfect location to work from while they scan and exploit other systems.
While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.
The attacker may never do anything "malicious" to a system that he comprimises, but I can tell you for sure, no part of his activities can be attributed to "good will".
-Restil
Play with my webcams and lights here
I don't think a firewall is good enough a reason not to care about the security of the backend network.
0x or or snor perron?!
please, someone encourage me to hack the RSA challenge! I need the money.
mefus
In Open Society, GPL Software frees YOU!
Are there any distros with security tools installed by default?
Mandrake now ships with Bastille.
Bastille is a way to beef up your system security. I believe it was actually developed for Red Hat, but RH doesn't include it. It is a script, and I think it probably has a GUI front end by now.
If you put up a machine to get hacked (a honeypot), aren't you partially responsible for any attacks to other machines that blackhats launch from that machine?
This is explained in the main paper:
http://project.honeynet.org/papers/honeynet/
To sum it up: they don't let spoofed packets out of their network, and limit a machine to 5 outbound connections (over some time period, I suppose, although it doesn't really say), after which the system is marked as compromised and can then be reloaded, or whatever...
--- Where's my X.400 protocol decoder?
My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.
Mandrake 8.0 ships like that. It even warns you before installing about what services are running.
And, I've found the firewall to be tighter than gnat-booty.
HI Mom!
Linux - Because Mommy taught me to Share.
Let me get this straight. They put a box on the Net and it gets cracked. They don't expect that when they re-install and bring it back up that the SAME person wasn't going to hack it again? Or tell his friends about it?
They say they don't try to determine unique attackers but that is just because they can't, not because they shouldn't.
John
I love this kind of response.
Look, the statistics are for a default install of Red Hat 6.2, which is about 1.5 years old now, but is still pretty secure if you perform the "desktop" install and then apply all of the updates.
If you install 7.1, and then all of the (many fewer than 6.2) updates, it's even more secure owing to: 1) Red Hat 7.1 ships with an ipchains configuration 2) xinetd allows finer grain control over many of the less secure services, should you wish to turn them on.
Red Hat is not the world's most secure OS, but let's be fair and admit that they do an excellent job of staying on top of what's out there, and providing updates to their customers. It's relatively easy to be an OpenBSD and say "our OS is secure as long as you don't install a web server", but companies like Red Hat are actually trying to solve the hard problem of general-purpose, secure operating systems and server software. If, after over a year of everyone beating on it, exploits are found in the default, unpatched version of their OS, I can live with that, as long as they have addressed the problems.
--
Aaron Sherman (ajs@ajs.com)
And hey, if you ever have to move, you won't need to pack that machine up at least. Just write, "Fragile: Computer" on the outside.
----
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
Use OpenBSD.
OK - I admit I only scanned this article - but in their explanation of the honeypot, they seem to indicate that there was no form of a firewall set up in front of the machines in the honeypot.
I currently run FreeSco on my homebrew firewall, which is a simple NAT affair. It seems to run well, but sometimes I tend to wonder if it (and associated connected systems) might get rooted.
I check the logs on occasion - but I am not a grand admin - so while I can tell from the logs when a portscan for 138/139 is occurring (SMB) - other possible probes would elude me.
Or am I reading this wrong - was the honeypot protected with a cheapo (read "consumer") firewall product (like a DLink or Linksys router/firewall)?
If not, what would the statistics have looked like if it was?
Worldcom - Generation Duh!
Reason is the Path to God - Anon
The article most likely could have been summed up as:
"If you run a system without a firewall and it is hooked up to the internet, be prepared to be cracked at some point, sooner rather than later."
All I have to say about this is "Duh!".
Actually, learning the techniques and tools used could be helpful - I will give it that much.
Worldcom - Generation Duh!
Reason is the Path to God - Anon
Are there any distros with security tools installed by default?
:)
Actually, RedHat 7.1 has some pretty good firewall options available at install time. Even when installing a server, its a good idea to set the firewall security to 'high' to buy some time while customizing it and downloading updates. Then to erase the install-time IPChains rules when you feel safe, enter
ipchains -F
service ipchains save
One thing I *love* about the RH7.1 workstation install is that sendmail is installed, BUT the sendmail.cf is actually missing a line to bind the sendmail listener to the public interface. It only includes a line to bind a listener to the loopback interface. Perfect for pointing Netscape Communicator, pine, or mutt to localhost, and even to support fetchmail without hanging sendmail out on a public interface.
It made me a little nervous when I had to research and explain the situation to my RHCE instructor when none of us in class could route mail to each other.
Finally, I swear by PMFirewall at www.pointman.org. Even for single interface hosts. That's been my firewall-building script for a couple of years. It configures masquerading as needed, and even knows about NTP's needs. Awesome script.
--
Steve Jackson
Intelligent Life on Earth
o There doesn't really exist a distro in the Linux realm that has a high focus on security. There are things like Bastille Linux which is a good overall Q&A tool that will really help you, but I eventually ended up learning ipchains from the command line.
o Snort appears to be the defacto Intrusion Detector right now. There are a couple of different snort rulesets that you can use out there. You won't have much luck interpreting them unless you find a TCP/IP book to read them.
o No. I don't know of an easy way. I think it's pretty hard.
o What's the point?
The point was that the HoneyNet leaves holes in their firewalls and their boxes. They turn on sharing in the Win98 box so they can monitor and detect the traffic and the new techniques. A default RedHat 6.2 box not firewalled is pointless. A RedHat 6.2 box with the latest security updates and with a firewall or with some nifty IPchains rules is still pretty good.
The point is that if you use 6.2, you need to lock it down before you go letting it serve your email, or your webpage, or your dns domain. Heck, and it's not just 6.2. Both 7.0 and 7.1 do have security flaws in them.
a statistician(is that a word?) waded through a pool of water that was on average 10 inch deep. He drowned.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
hallo 192.168.1.1, how 'bout a nice juicy apple?
--
I have no fin
no wing no stinger
no claw no camouflage
I have no more to say...
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
Gives pizza-box a whole new meaning...
I just got around to "installing" MonMotha's iptables firewall. I'm really quite pleased with it considering I had it configured and running within 5 minutes. It's really just a configurable script to apply iptables rules, and I hardly had to make any changes. For example, I need NFS and FTP within my LAN, but I don't want the outside world to be able to see it. Easily done with this script. Plus it has other features, like protection from ping flooding. It's not the last word in security, but for someone on a little dialup system with a few computers connected, it's a hell of a lot better than nothing at all.
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
Even though they made "no attempt to publicize" it, they also made no attempt to hide it.
But that was the point of their experiment. I'll be you dollars to dimes that the number of computer users who throw out-of-the-box machines up on a network far outnumber the users who secure their boxes before putting them in public reach.
It's true that having all these machines on the same network can cause inflation of their numbers. If I were a script kiddie and discovered a variety of machines with a default installation on a network, you can bet I'd have a post-it note on my computer with that network's address. The Honeynet Project looks far from being truly scientific, but it provides a view of the worst-case scenario.
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
You've obviously not tried RedHat 7.1 then (I forget if it was in 7.0 or not). Very slick installer, and on the way it asks you what kind of firewall you want "secure, medium, none", and has an option for specifying rules by hand if you know what you're doing. Exactly what you want. :)
Of course, that's not the only thing that needs doing, and RedHat has come under fire in the past about services running by default etc. IME they take this very seriously and continue to improve all the time. Part of the problem is newbies who get RedHat, cos that's what they've heard of, do a full install (which yes, does install everything - including all those daemons), don't bother keeping up to date with patches (which is now very easy to do with RedHat's up2date agent), and then get rooted. Hopefully with the way things are going this won't be so much of a problem.
Is the cat dead or alive?
________________________
I don't want free as in beer. I just want free beer.
If the most common way to patch a Red Hat system is by downloading patches through the Internet, how can someone get a RH system up and running without it being compromised in the process?
The shareholder is always right.
You have to remember, these people knew WHERE to look to attack this thing. Comparing the attack to your fire dept or something similar isn't fair, just because they don't know where exactly the emergency is going to break out. I guess in the same vein, they are pretty sure they are not going to get called for a fire on the opposite coast or something.
Food for thought.
- Sometimes you're the pidgeon, sometimes you're the statue.
"My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service."
Trustix does this. Or at least with very few (and securely configured) services by default.
An easy to install IDS?
o rt-users). Also Dragos Ruiu has written a FAQ located at: http://www.snort.org/FAQ.html
I would suggest using Snort (http://www.snort.org). It is not very hard to setup and the footprint on the box is pretty light weight. Also the user community around Snort is very responsive, there is a mailing list that is heavy traffic but good answers to questions can be found there (http://lists.sourceforge.net/mailman/listinfo/sn
As for a distro that has security built in? There is always OpenBSD (http://www.openbsd.com). Also Linux-Mandrake contains Bastille (http://www.bastille-linux.org/) which is a Linux hardening script.
A better project would be one that had a lot of machines from various volunteers all over the internet set up and collecting statistics. That way, no one could tell just by looking at the IP address whether a machine was part of the project or not. A more random sampling like that would give a much more accurate picture of how often the average machine-on-net can expect to be attacked.
Free Hans!
Bastille is a set of Perl scripts that walk you through the process of securing/'hardening' your system. Very much like a wizard, it asks you if you want to do 'A' with an quick explanation of why you should an when you shouldn't do so.
http://www.bastille-linux.org/
Mandrake 8.0 does include a GUI front end for it, however it does have a text mode 'menu-ish' system if you don't want the Graphics.
But Slashdot is mainstream media ... oh, sorry ... you must have meant MSNBC.
Or if you are really concerned about security install OpenBSD.
It seems though Black Hats are described as "aggressive", they aren't particularly damaging; if you are a nobody, then you will be attacked and exploited quickly. However, lots of nobodies live without noticing this (?). Certainly it's unsettling, but something wierd is going on if all these "malicious" people have lots of power and don't use it. Makes me more friendly towards protocols that depend on goodwill for success. There's lots of stuff that is easier to do insecurely than securely, and sometimes this straddles feasible and infeasible.
To summarize: Yes, but you can't launch outgoing attacks from any of the honeynet machines (they're careful that way).
-Renard
I think Linux is already bankrupt. I'm not sure why it hasn't filed yet... :-)
Someone set us up the bomb, so shine we are!
Aw heck. Why not just go run OpenBSD which is secure by default? There are still root comprimises for local attackers but a few patches later that's taken care of. All in all... it's easy when you use a superior tool
You're right. Since RedHat 6.2 you can choose between server and workstation setups. Perhaps they should make more categories (I mean, if RH is to turn finger ON, which use are they aiming at?). Reading the article, I really don't get the feeling that connecting is very safe. I even read stories on dial-up-dynamic-ip-adress attacks, I mean, it -is- the wild west out there.
--
Bizar technology?
answer this:
why is it that the program/application cannot open the port when it is ran and then close the port when i kill the program???
TIME is the Aether...
Small improvement: Install, disconnect net, disable services, set up Ipchains (or iptables) to allow only connection to your vendors update site, connect, download upgrades, open your iptables where public access is really needed. Such Iptables scripts should be part of every distribution!
In Murphy We Turst
Are services up during an install ? Maybe one should ALWAYS have a firewall for the initial install and patch period.
This is not a signature.
Set the machine up behind NAT. Or, install it and turn off all of the services (use lsof -i to check) and then download the patches.
Vintage computer games and RPG books available. Email me if you're interested.
You're a damn fool if you install an OS on a box live on the network. Install the OS off the network, secure it, then put it on the network.
You're also a damn fool if you run public services that aren't nice and cozy between two firewalls in a DMZ. You can't stop all attacks, but you don't have to spread your legs and beg for one either.
Derek
I can pack down a RedHat box as tight as any other distro. If you expect ANY OS to be default secure and don't make an effort to lock it down, you deserve to be cracked.
Derek
The problem with secure Linuces is they are pretty boring for most people. With Red Hat, you get so many bells and whistles with the basic install. In case you haven't noticed, features sell software, not security.
In fact, the best, most secure OS's have hardly any features at all other than basic command line programs.
While you are no doubt correct about 'the most secure OS's', the point is, why does RedHat insist on running services that no one even uses anymore (finger, the r-services), unless they're on a closed unconnected network??
There's a middle ground between fort knox and the most insecure default installation around. Sorry, I've been around these computer things for a long long time, and I'd have to say that most Linux distros start off by being the most insecure OS's on the market. Yes, a default RedHat Linux installation is less secure than Windoze.
Granted, the power and flexibility is there to change that quickly (which Windoze often lacks), but the default should be a compromise between not boring and completely open to attack.
-- If at first you do succeed, try to hide your astonishment. -- Harry F. Banks
...representing an increase of over 890%. This increase may be affected by modifications to the Snort IDS configuration file...
;)
I have a little trouble believing the statistical analysis made by someone who would even print such a statement without recognizing how it weakens the credibility of the entire article.
That being said, there are a couple people involved with the project that have put out good information in the past, and maybe I just had to 'bitch slap' someone for such a ridiculous comment
-- If at first you do succeed, try to hide your astonishment. -- Harry F. Banks
Anyone have suggestions for references an easy-to-install intrusion detection system? Maybe with a GUI?
Shameless plug: Check out my Firestarter GNOME firewall/monitoring software. The first step in breaking in is always surveying the ports of the machine, Firestarter lights up like a christmas tree when someone sweeps over your ports. Integration with the GNOME panel makes the program as easy to ignore as an ICQ client in normal operation, but still allows the program to alert you when necessary. Sort of like ZoneAlarm or BlackIce for That Other OS.
It works on both Linux 2.4 and 2.2 systems. I would say that the scripts the wizard generates for 2.4 are better than the 2.2 ones.
The Honeynet project was set up to demonstrate the threat of hacker attacks. I noticed throughout the report a certain amount of rile-'em-up sensationalism. In other words, although the data collected and their analyses are certainly important and extremely valuable, they should be taken with a grain of salt.
:)
Although I'm probably going to clean my unprotected RedHat 6.2 box before I connect it to the 'net again.
I would like to see a corelation study of this information against postings to BugTraq. Information can be a two edge sword.
Of course a resonable admin can turn of those unnecesary services himself/herself. A newbie OTOH is not likely to install OpenBSD.
Monkey sense
In fact, the best, most secure OS's have hardly any features at all other than basic command line programs. To create a secure system, you should start with a stripped down OS and only turn on the services and run programs that you need. That way, you know your system and everything that is running on it.
Start out with the basic Debian system(~15MB), and add the software you want. You'll have to understand any services you run(HTTP, FTP, SSH, etc) and you'll have to install and enable those services yourself.
Even better, go with OpenBSD. There hasn't been an OpenBSD box(default install anyway) that has been rooted in the last 4 years. With this report that shows how boxes are routinely scanned in the first 72 hours they are on the net, the OpenBSD statistic looks very impressive.
As long as bells and whistles sell software, we will always have security problems. I don't see the emphasis on features going away anytime soon either. Thus, security professionals will always be in demand and stories about crackers and virus authors will continue to be commonplace.
No, Thursday's out. How about never - is never good for you?
OK, it's not that difficult. Yes, the information here is very interesting, but not that surprising to anyone who looks through their firewall logs every so often. I see several attempted netbios attacks every single day, not to mention attempts at named, mail servers, IIS, etc etc etc. Similarly, my server is only used for personal use and to post the odd photo for friends/family...ie it's not advertised at all. Don't plug in the network cable until you have ipchains (or iptables now) running with the default policy on the input and forward chains set to deny. Or am I missing something here?
Seriousy though the predicatbility of attack given certain scanning pattersn should be usable... (except i suppose the buggers would change their patterns, maybe weekly updates would be in order)
'There is a Light that never goes out.'
It's too bad we can't get people that dedicated to their work on customer support staffs
you can, just look at any GNU software based company.
Wow, so a Unix-like operating system without any services running is free of security holes?? Amazing.
I heard the other day that no powered-down Windows NT system has ever been remotely compromised. That's almost as impressive.
Conformity is the jailer of freedom and enemy of growth. -JFK
Of course, it is not Linux, but there is always OpenBSD. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.
That said, I tend to advocate being exposed to as many distros and variants as possible. Load em up on a spare box, blow them up, etc.
Educational, if nothing else.
"It is a greater offense to steal men's labor, than their clothes"
Unless things've radically changed since when I installed RH 6.1, the answer is no. You're running off a barebones system that has the software required to do the install and very little else.
If you're paranoid (with that 15 minute figure implies that you should be), you can force the first boot session of the new Redhat system to be at a runlevel that doesn't start up networking. Then you can leisurely edit config files so that no services get started. Kick the machine into a regular runlevel, download the patches, apply them, and then carefully reenable services that you really, really need.
I will admit that it's not the easiest solution, but it should work (barring a remotely exploitable networking bug in the kernel or client software), and it doesn't require a firewall.
If it's anything like what happens where I work (we're a manufacturing company in a non-tech related company), even the machines without DNS entries get scanned regularly. Most of the time, it looks like they're just scanning a single port on a range IP addresses in order (our firewall has a pair of sequential addresses assigned to it, so both attempts show up right next to each other in the log file). My guess is that they aren't even bothering with DNS -- they're just scanning anything and everything that might have a security hole in it.
All their studies are done on default installations! /tmp, a non_exec stack, suid bits removed on all but the essential binaries, and a semi-decent firewall (4 EASY fixes that people are too lazy to do) and see how long that lasts.
Of course these things are going to get cracked within days!
I'd like to see them put up a honeypot with a secured
It seems like 99% of all exploits nowadays are buffer overflows or symlink, and its really not that hard to stop a large majority of those (it'll stop the script kiddies dead in their tracks at least)
These tests against "default" installations don't really show the state of security of the net so much as they show the immediate blackhat/scriptkiddie response to the laziness and ignorance of the admins of a majority of the machines out there based on the security-lax nature of default installations (with exception to systems like BSD, where such a thing is actually considered).
Magius_AR
Some of the talks at this year's Defcon 9 were worthwhile, including Thomas Munn's talk on AIR IDS, his method of designing an intrusion detection system. Use a bit of creativity and cover all your bases, and you should have a great IDS that will really work.
If you just want easy to use, then get something like LIDS (Linux IDS), and Tripwire. The free version of tripwire still helps a little, but the best way is to make your own IDS. I'd advise contacting Thomas Munn to see if he has a product that's available to the public.
Best of luck to you :)
Justin Cheung
Linux Summer, by Justin Cheung
I'll post some more info about Linux security over at http://www.ocamd.com/articles
NAT has _never_ been a security measure : you need either _no_ connection or a real firewall.
And btw, netstat -anp is something usefull also...
I'm currently beeing massively port-scanned by some imbecile that probably believes that nmap is an intrusion system...
[Pruneau
From a professional experience, I tend to agree with the conclusions of the article.
Even if their main point is more:
"how to use statistics methods to predict intrusion attempt"
than
let's demonstrate the aggressivity of our beloved blasthat community.
But to get back to my experience, we sat up a firewall between our intranet and some inter-universities research network. The outcome was pretty scary.
The box was first connected to the external research net (and internet through it). We did not set up the DNS configuration before three week
It took about only two days to reach "cruising scan speed". In fact, having a dns existence did not change the things very much. Right now, our probe rate is about 5000/7000 DENY packets per week. And yes, our box is responding to icmp echo, but not forward...
My 3.14 cents.
[Pruneau
RedHat 7.1 ships with very few services on with the "workstation" install. Xinetd is not even part of the install AFAIK.
-
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Well I meant to get a proper case, but when I got to Auntie Wainwright's, the cardboard box was all I could afford...
STOP . AMERICA . NOW
I'm a fairly proficient Unix/Linux admin, and I was fighting script kiddies left and right on my home machine for several years (I got rooted twice over three years). I was running my main Linux box with masquerading and filtering for a couple of other PCs and my laptop, at first on ISDN and then on cable. The only reason I didn't install a dedicated firewall at home all that time was because it felt cumbersome, like it would take up extra space and electricity and just be overkill for the small "home" network sitting behind it.
But finally I just got tired of being scanned all the time and seeing people always trying things, so (not wanting to shell out $$$ for a commercial firewall/router), I got some spare parts: a 486DX4/100 board, 16MB ram, a floppy, and two 3Com 3c509 cards. Basically, spare parts.
I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws). Then, I put Freesco (which is Linux-based) on a floppy disk and put the box between my local network and the outside world.
It's been running for a year now and I haven't even thought about it since. Not a single outsider has even come close to touching my PCs -- the Freesco 486-cardboard-box firewall/router has worked very well and I have yet to have to manually reboot it.
STOP . AMERICA . NOW
Actually, a lot of OEM setups I've seen have file-sharing set up by default.
There are a lot of packages that you can get for Win9x that turn on file sharing, too. IIRC, doing a DUN upgrade often turns it on.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
One of the problems with computer security is that it is a huge job to keep track of potential vulnerabilities on your systems. A vigilant sysadmin will normally manage this. Your average user will not. It would be good if a system could be developed which would automatically check that the versions of the product that you are using is secure (and perhaps send an e-mail to root if they are not). This could easily be done with things like rpm, it almost seems strange that no one has done it yet.
...just how often attempts are made on systems. My webserver runs RedHat 6.2 and ipchains, and so does my home firewall (cable modem). I constantly see NetBIOS attempts, which of course have no effect. My home system has a dynamic IP, but I get about the same number of attempts on both setups (about 30 attempts per day), all unique source IPs, most resolving to DSL and cable providers.
A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...
I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are comprimized each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...
I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...
I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...
I'm not sure what my point is, other than to corroborate with the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box comprimised in less than a week.
- Jman
NGWave - Fast Sound Editor for Windows
I always keep my ADSL modem where I can see the modem LEDs out the corner of my eye. If I see traffic that I can't account for, I start poking around to see where it's coming from. (I use ZoneAlarm, so if it was inbound, I'd probably get a warning.)
Sure it's a low tech and isn't exactly 7/24, but it's hard to beat it!
One line blog. I hear that they're called Twitters now.
--CTH
--Got Lists? | Top 95 Star Wars Line
Trolls throughout history:
Trolls throughout history:
Jonathan Swift
this is why I run my firewall on HP's MPE-XL... script kiddies scratch their heads for hours wondering why 'rm -rf' doesnt work....
"Pussy: You spend 9 months trying to get out of it, and the rest of your life trying to get back in..."
I lost my concept of community when my community lost all concept of me.
Holy Shit! Who painted the big red 'Crack me' sign on those servers?
Red Hat did. Who else?
Really there isn't, I always keep a good old ax right next to the cat5 going to the router, and if theres ever hacking going on, BAM chop dat sucka into peices and the bitch never knows what happened
How to set up your own honeypot
This is another interesting article on building your own honeypot.
Or paste: http://www.rootprompt.org/article.php3?article=21
>>No surprise really - the statistics indicate that they have a high rate of attack on their unsecured systems yet i would be interested
>>how well they hide them - that is is the domain name of the network something which would attract their attention ?
>>Ceratinly the average home user would be very scared reading these statistics which is the point i guess but makes me wonder
>>are we scare mongering here ?
My home machine uses an ADSL connection to a local ISP. I am typically logged onto the net for 10-12 hours a day from that machine. As a firewall, I use ZoneAlarm - which throws up a dialog box when someone hits your machine. During a typical day, I get hit 4-8 times. Mostly due to random port scanners, I suspect. So, to answer your question, I don't believe that we are scare mongering here - I believe that there is a real issue with all of these script kiddies who have automated tools for finding vulnerable servers.
"Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
"You know, the golf course is the only place he isn't handicapped."
I spent a year in Iraq looking for WMD and all I found was this lousy sig.
espo
--
espo
I don't need a Honeynet Project whitepaper to tell me that Statistics is my enemy. I learned that in school years ago!
If all this should have a reason, we would be the last to know.
Holy Shit! Who painted the big red 'Crack me' sign on those servers?
"The results were scary"
LIDS.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
I had no idea the Black Hat, "community," was so damn efficient and quick. Honeynet said that one of their systems was hooked up to the net for 15 minutes and then attacked. That response time is better than the police and fire departments where I live. It's too bad we can't get people that dedicated to their work on customer support staffs.
"A witty saying proves nothing." - Voltaire
I think what we need for the home user is 'service aware' applications. For instance, when you launch an ftp client it enables the service, then, when you quit the app the service is disabled. This would limit your exposure to only the time necessary to do what you have to do.
Do a google search before posting.
Im wondering how accurate this data really is -- if someone sent these IPs over IRC to script kiddies then their stats are going to be way off charts. Once people know about these honeypot wouldn't they purposely attack them? What actions are they taking against these intruders? Sure the project is informative, but I'm more curious what the average person needs to know and should expect. Just imagine how boring their papers would be if no one hacked into their servers. *big yawn*
A cardbox box? What extravaganza! In my day we were lucky to find a grocery bag to throw the parts in.
A grocery bag? What luxury! When I was a kid, we were lucky if we had a nail to bolt the motherboard to the wall.
Nail and board? When I was a kid, we had to make our own transistors, write an assembler, nick a car battery, and if we were lucky, we'd find a piece of string to hold the bits together.
-- Another senseless waste of fine bytes.
Anthony Staines
-- Anthony Staines
I have been connecting to the net using my DSL on my Windows 98. I was thinking of getting a Linux but I guess the blue screen of death is better than all the crap that could happen if I were to run Linux. I would like to switch to Linux but even though I am in tech industry , I realy dont know OS and networking stuff that well and dont have the time to browse and sift through all those mailing lists and FAQs . If I dont know whats under the hood of my car, why would I care about whats under the application I am running ?
It seems to me that Microsft and AOL get it and Linux folks don't: consumers like me like to treat our computers as a tool not as a quest!
Bell Labs/At&t have been doing this for several years now. The only difference is that they dont publish the data they collect.
"The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet."
Wow. If that's true, this is just crazy.
My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.
I wouldn't even go this far. It's quite likely that the IP addresses for the honey machines just got passed along as good places to hit. The intense growth curve they saw looks to me like their names just getting passed around the community, so that eventually every little script kiddie knew about it. Thus, the '15 minutes until first attack' may be completely false... I'd be intersted to know how their numbers change when they suddenly change all their IP addresses and domain names.
That non preparation and non attention to security leaves you with a vulnerable and insecure network.
No surprise really - the statistics indicate that they have a high rate of attack on their unsecured systems yet i would be interested how well they hide them - that is is the domain name of the network something which would attract their attention ? Ceratinly the average home user would be very scared reading these statistics which is the point i guess but makes me wonder are we scare mongering here ?
If they have gone out and setup a honeypot domain that looks very attractive to the script kiddies then im not surprised that they are attracting attention - having said that my organisation is about the most boring thing on the planet and we have a large amount of intrusion attempts (christ knows if they managed to get in we would get sued for boring hackers to death).
I still cant help but wonder if this stuff is simple setup to attract publicity and attention ?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Now, now, you must remember that Asimov wrote that psychohistory would only be effective at predicting the future of an entire galactic empire. For individuals, it would be much harder.
Don't worry. They probably have Code Red running on their machines, and their staff sending out SirCam's who bear away information on what they *really* use Echelon for (you didn't think it was used to spy on crooks or private citizens, now did you?)
Pardon my ignorance - is Bastille an app a distro?Hopefully a wizard-like thing?
I was thinking of switching to Mandrake anyway, as they seem to offer better support for KDE.
I actually considered using OpenBSD, but I felt more comfortable wrestling with getting two old NIC cards in the box under Linux than BSD - especially as OpenBSD has only vi as a default editor (and by design), and I have anger management problems with vi.
I also like to follow the strategy of learning packet filtering and ipchains by using a GUI and then figuring out what it did, and that seems easier under Linux. OpenBSD is a longer term goal.
Good idea tho. Thanx.
While informative, the paper was a little above the level of reading for those of us who are uhhh "budding" security experts. I've found this problem when trying to install an intrusion detection system on my RH6.2 486 box.
Anyone have suggestions for references an easy-to-install intrusion detection system? Maybe with a GUI?
Are there any distros with security tools installed by default?
Anyone know of an easy way to image a system setup I like, boot it off a CDROM then mount in disks for data?
Besides, if these boxen were compromised in hours, what's the point?
Everybody knows that the majority of people on the internet are not technically inclined (I once spent nearly half and hour explaining FTP to someone.) This is at least partially true for hackers.
Your typical blackhat is just a script-kiddie who enjoys the thrill of the forbidden fruit (anybody ever sneak out of their parent's house late at night?) Breaking and entering into an even marginally secure machine is not worth their time or else is beyond their ability.
The true threats are professional hackers. Competant, motivated, and very careful. Fortunately, they are relatively sparse in the blackhat community.