[ale] compromised?

Dow Hurst dhurst at kennesaw.edu
Mon Dec 17 11:39:19 EST 2001


John,
If you didn't have any services advertised on the outside interface then
it isn't very likely you have any problems.  The checksum idea is a good
one since it compares from the original CD to what is currently on the
disk.  If you nmap your machine, what services does it show?  SSH and
ICMP?  Or did you have telnet available?  This info helps a lot since
telnetd has issues while your version of SSH might not.  If you only had
iptables evaluating packets, SSH v2, and ICMP as contactable ports
running services then I wouldn't worry too much, but would still do the
check.  If you have other services such as FTP or TELNET then I would
possibly just reload the box from scratch following this philosophy:

Only allow an SSHD daemon to run as your LAN/Internet access into the
box, limit ICMP to what is necessary, and pass to the inner network only
what is absolutely necessary.  In other words, deny all by default, allow
only what's required.

I suggest this only since reloading is sometimes easier the second time
around since you know exactly what you want at this point.  I usually
pick the minimum install selections during a SuSE install, and then add
a couple of security rpms that weren't in that selection.  After I get
the install done, I will configure all network services except sshd to
off.  Load your iptables rules from a floppy where you saved them out
before you blew away the first go around.  Get them installed and
running.  Reboot the box to force the reconfig to show you everything
you could have forgotten to turn off.  Nmap the box to see exactly what
a cracker would see.  Now, update the box from SuSE, Redhat, Debian, or
wherever using the normal methods.  You'll probably already have gotten
ftp client rules in your iptables at this point so your update should
work.  If not, you'll need to allow an outgoing ftp connection to your
preferred server.  You can be specific on the IP of the server in your
rules.

(Comment: How much would it cost the ALE group to sponsor a SSH based
rpm repository?  I've never had to donate money to ALE but that would be
a neat project.  What if twoguys.org was reinstated as the first SSH
based rpm repository.  ALE could look at modifying the rpm source to use
scp instead of ftp for retrievals.)

Review the install log for changes.  Reboot again and re-nmap.  If you
only see exactly what you planned then hook it up to the DSL modem,
connect to your ISP, and get an ALE'R to check it again for you with
nmap.  After all of this, I would think you are done.  Any comments?
Dow


John Wells wrote:
> 
> I've been cutting my teeth on iptables rules on a
> linux router I'm creating for my DSL connection.  I'm
> finally to the point where I feel at least a bit
> confident that the script is sorta good, but in the
> meantime I've been running iptables wide open with
> just masquerading enabled.
> 
> My question is, now that I'm at the point where I'm
> going to lock the box down fairly well, is there a
> need to wipe it clean and reinstall linux?  I remember
> hearing in Bob Toxen's ale presentation that a default
> box can be compromised within minutes after being
> brought up live on the net.
> 
> What's the probability that my router's been hit, and
> with Masquerading wide open, what's the possibility
> that someone could have left something behind that
> won't play nice in the future?  Will locking down the
> box be enough?
> 
> Thanks for your input.
> 
> John
> 

-- 
__________________________________________________________
Dow Hurst                   Office: 770-499-3428
Systems Support Specialist  Fax:    770-423-6744
1000 Chastain Rd.
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************
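The deny-by-default router policy Dow lays out (sshd as the only service on the box, ICMP trimmed to what is needed, masquerading for the inner network, outgoing FTP only to one named update mirror) written out as an iptables script. This is an added example and not code from either post; the interface names, the LAN subnet and the mirror address are assumptions you would replace with your own. The script prints the ruleset by default so it can be reviewed and saved to a floppy before it is applied; `apply` runs it as root.

```shell
#!/bin/sh
# Added example: deny-by-default iptables ruleset for a Linux DSL router.
# Not from the original post.  Everything below marked "assumed" is a
# placeholder for this illustration; adjust to the real box.
WAN=${WAN:-ppp0}                  # assumed: interface facing the DSL modem / ISP
LAN=${LAN:-eth0}                  # assumed: interface facing the inner network
LAN_NET=${LAN_NET:-192.168.1.0/24} # assumed: inner network
MIRROR=${MIRROR:-203.0.113.10}    # assumed: the one FTP mirror updates come from

# Emit the rules rather than executing them, so they can be read, diffed and
# saved (e.g. to a floppy) before being loaded on the rebuilt box.
build_ruleset() {
    cat <<EOF
modprobe ip_conntrack_ftp
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback, plus replies to connections the box or the LAN already opened
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# sshd is the only service reachable on the router itself
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# ICMP limited to what pinging and path MTU discovery need
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# updates: outgoing FTP to the named mirror only; the data channel comes back
# as RELATED via ip_conntrack_ftp.  DNS is needed to resolve the mirror.
iptables -A OUTPUT -p tcp -d $MIRROR --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# inner network: forward only what it originates, masquerade it on the way out
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Load the ruleset for real; refuses to run unless we are root.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must be run as root" >&2
        return 1
    fi
    build_ruleset | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

After applying, do the check Dow describes from another host on the outside: `nmap -sS -p 1-65535 <router WAN address>` should report 22/tcp as the only open port, and a `ping` should still get answers while everything else is dropped. Re-run the same scan after every reboot and after the vendor update so that nothing the update re-enabled slips back into view.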

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list