Attack Detection tools, was: RE: [TriLUG] attack

Brian Henning lugmail at cheetah.dynip.com
Tue Feb 22 22:47:43 EST 2005


This makes me stop and think...

Although I've noticed absolutely no strange behavior from my server, heaven
knows it's probably a wonderful candidate for being rooted..  It's running a
pretty old version of Linux, and I know that the ipchains are at least
partially broken (hopefully broken-safe rather than broken-wide-open, but
exactly---"hopefully"), and hasn't been updated in ages..  And it's directly
connected to the Internet (it IS the firewall).

So with that in mind, what are people's favorite tools to use to detect
intrusion?  I've heard of "rootkit detection tools" but know shamefully
little about them, so I'm very interested in folks' suggestions.

As I already mentioned, I've no particular reason to believe I HAVE been
hacked..  but no particular reason to feel secure that I HAVEN'T, either...

Cheers,
~Brian


-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On
Behalf Of Joseph Tate
Sent: Tuesday, February 22, 2005 10:12 PM
To: Triangle Linux Users Group discussion list
Subject: Re: [TriLUG] attack


When you're hacked, the best thing to do is wipe the disks and restore
from backups.

Now, if you have a system that's not patched, that system can be
hacked in moments.  When bringing a server up for the first time, or
after an extended disconnection, it's best to update all the packages
before connecting to the wild.  The other best thing to do is shutdown
all but the necessary services.  Make sure that all passwords are
"good", and that all default passwords have been changed.  Use
Iptables/Ipchains religiously for both incoming and outgoing
connections.

A server that hasn't been connected in a year most likely has a
distribution on it that is no longer being updated.  If you're going
to be using a system infrequently, or over a long period of time, pick
a distribution that is likely to stick around for a while, like
Debian, or CentOS, or one of the commercial distros, like RHEL or
SuSE.  They have slower release cycles and longer maintenance windows
than other popular distributions.


On Tue, 22 Feb 2005 21:43:20 EST, cate serino
<cms2945 at garnet.acns.fsu.edu> wrote:
> Hi,
>
> After only having my server up for a few hours and to a state that I
> thought was fairly secure, I got hacked with what I think is a man in the
> middle attack.  Other than turning off ports (telnet, etc.), changing
> root passwords, and editing the hosts.allow and hosts.deny files, what
> can I do to secure my server.  I noticed that he/she was able to run
> ipchains and filter through his/her ip.  In addition, he/she was able
> to mount a filesystem on my machine. I have flushed the ipchains and
> unmounted the filesystem.  Am I missing anything?  I have not had my
> server up for a year.  Has the Internet become that bad in one year?
>
> Many thanks,
>
> Cate Serino
>
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>


--
Joseph Tate
Personal e-mail: jtate AT dragonstrider DOT com
Web: http://www.dragonstrider.com
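Joseph's advice above (default-deny filtering for both incoming and outgoing connections, with only the necessary services left reachable) as an added example that is not code from this thread: a POSIX shell script that emits an iptables ruleset for review before it is applied, plus a small check of listening ports against the same allowlist. The port lists are constructed assumptions for the example; adjust them to the services the host actually needs.

```shell
#!/bin/sh
# Added example (not from the TriLUG thread): emit a default-deny iptables
# ruleset for INPUT and OUTPUT, allowing only the listed services.
# Review the output first, then apply it as root:   sh firewall.sh | sh
# The allowlists below are constructed assumptions for this example.

# Inbound TCP ports this host is meant to serve (assumed: ssh only).
INBOUND_TCP="22"
# Outbound TCP/UDP ports the host itself needs (assumed: DNS, HTTP/HTTPS for updates).
OUTBOUND_TCP="53 80 443"
OUTBOUND_UDP="53"

firewall_rules() {
    echo "iptables -F"
    echo "iptables -X"
    # Default policy: drop everything in both directions, then open holes.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Loopback traffic is always allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Stateful matching: replies to connections we already allowed pass.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $INBOUND_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUTBOUND_TCP; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUTBOUND_UDP; do
        echo "iptables -A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # Log what is dropped: an unexpected outbound attempt then shows up in
    # syslog, which is one of the cheapest intrusion indicators available.
    echo "iptables -A INPUT -j LOG --log-prefix 'FW-IN-DROP: '"
    echo "iptables -A OUTPUT -j LOG --log-prefix 'FW-OUT-DROP: '"
}

# Sanity check before applying: how many NEW inbound TCP ports does the
# generated ruleset open? Should equal the size of INBOUND_TCP.
count_open_inbound() {
    firewall_rules | grep -c -- '-A INPUT -p tcp --dport .* --state NEW -j ACCEPT'
}

# Does the emitted policy really default-deny both directions?
is_default_deny() {
    rules=$(firewall_rules)
    echo "$rules" | grep -q '^iptables -P INPUT DROP$' &&
        echo "$rules" | grep -q '^iptables -P OUTPUT DROP$'
}

# Compare listening TCP ports (one per line on stdin, e.g. the port column
# extracted from `netstat -ltn` or `ss -ltn`) against INBOUND_TCP and print
# any port that is listening but not on the allowlist.
unexpected_listeners() {
    while read -r port; do
        if [ -z "$port" ]; then continue; fi
        found=0
        for allowed in $INBOUND_TCP; do
            if [ "$port" = "$allowed" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$port"; fi
    done
}
```

Feeding the real listener list into `unexpected_listeners` (for example `netstat -ltn | awk 'NR>2 {sub(/.*:/, "", $4); print $4}' | sh -c '. ./firewall.sh; unexpected_listeners'`) turns "shut down all but the necessary services" into a repeatable check rather than a one-time cleanup.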