some attack to fedora machine .

[max]

Da Rock wrote:
> On Sat, 2008-04-12 at 16:46 +0300, Antti J. Huhtala wrote:
>> la, 2008-04-12 kello 08:16 +1000, Da Rock kirjoitti:
>>> On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
>>>> Your tip about not allowing username/password combinations is a good
>>>> one. Any examples of an implementation of eg. key pairs?
>>> Yes, that would be good to see. 
>> Mikkel already answered this one in another post.
> 
> Yeah I noticed that- I'll get back to that shortly.
> 
>>> May I also ask if any of you guys having
>>> these attacks are behind a firewall and/or NAT? 
>> At present, no separate router or other firewall, just the one Fedora 8
>> provides. I've only briefly tried NAT in my LAN but not long enough to
>> observe whether invasion attempts were extended to the LAN.
>>> I use ssh but so far I
>>> don't believe I've had any trouble- I'd like to be a little better
>>> informed on this though: ie symptoms etc.
>>>
>> The problem with describing the various symptoms an intrusion may cause
>> is that it is difficult to avoid getting a little paranoid watching eg.
>> unexpected and rather frequent hard disk activity. That's why I had to
>> remove beagled from my F7 installation. The hard disk light was on all
>> the time - or so it seemed.
>> There are plenty of knowledgeable people on this list who could tell you
>> much more than I can. Anyway, I monitor my system for intrusion attacks
>> by having the Network Monitor (or whatever the English term is) icon
>> permanently on my lower panel. Another icon I have there is the System
>> Status (or whatever..). If either of these shows high activity that I
>> have not caused myself, I look at top in terminal window to see what's
>> going on. Usually it is yum-updatesd or makewhatis - sort of household
>> chores.
>> It may be worthwhile to occasionally click on Network Monitor icon to
>> see how many packages have gone in and out the Internet interface. If I
>> haven't updated or downloaded anything, the input/output ratio is
>> usually well over 100:1. Most of this traffic is ARP broadcast packets -
>> but of course the 10-minute-interval e-mail traffic is there also. Some
>> of it is rejections from my box to whoever is trying to connect, ie,
>> rejections of potential intruders.
>> As I said before, an almost sure sign of a compromised box is that
>> logwatch messages suddenly stop coming. Then it is time to run Wireshark
>> for some length of time to see what is going *out* of your box. 'Whois'
>> is another friend you probably need then.
> 
> Sounds like its not so much an attack on the machine as much as using it
> as a platform to initiate other attacks- would this be correct?
> 
> IF this is the case, then a NAT would be a major hindrance to this. If
> an attacker can't gain direct access to the machine, then ssh would
> probably not possible- at worst would be a very good deterent as the
> attacker would look for an easier target because he's not interested in
> the machine itself.
> 
> Please, correct me if I'm wrong here. I'd love to see some log entries
> for this attack too. In some ways I'm a bit green on security, but I
> have been making some major progress in my education on how the attacks
> work. But then, with security everybody has something to learn, don't
> they?
> 
I doubt any one person knows it all. One of the  facts is that most of 
the interesting information isn't owned by root at all but by the users. 
Its very true as most informed people don't run as root, however you 
gotta be root to delete,modify, or even look at the logs. Someone who 
wants to make sure you don't catch on will try to modify the log files, 
after all the longer they can keep you from noticing the longer they 
will have the run of the machine. You can send your logs to a remote 
machine. Now they have two machines to compromise, assuming of course 
your actually checking the logs regularly. As I have pointed out you 
have to be root to look at the logs. So protect root at all costs 
because yes the user information might be interesting but if they own 
root your gonna have to go to extremes to feel secure again. Keep the 
list of installed programs to a minimum. If you don't use it on a semi 
regular basis uninstall it. If your not programming then why do you need 
a compiler? If you use samba once a month then you may want to leave it 
installed but you might as well close the ports on the firewall and open 
them manually when you need them. Same thing for the services. In the 
end it all depends on how paranoid you want to get. How important is the 
information your protecting? Most of the things I have said are easy to 
do if your root and the local user but if your System Admin for even a 
medium sized network it can get to be a pain to go around making sure 
these things are done and of course even if your users only use Samba 
once or twice a month you probably aren't going to turn it off till they 
ask or whine about why it doesn't work in the first place. Now your 
talking something like directory services and a root user that 
potentially can access everyone's files in the directory and modify 
their settings as well. Now root is more important than the user again. 
The more I learn about security the greener I feel. Often I have noticed 
that it really depends on your perspective, user vs. sys admin. A sys 
admin will have to make trade offs to ensure people can get their work 
done but a saavy user can often get around things because its a trade 
off, instead of outright denial. The sys admin is also often at the 
mercy of a computer illiterate boss who only cares that he can get 
things done when he feels like it and doesn't realize the potential 
dangers of what he's asking for and even after its explained to him, he 
still doesn't care and forces the sys admin into a bad spot because he's 
signing the paycheck. Ultimately the user has to be responsible for 
his/her own security. The sys admin has bigger fish to fry than any one 
user's concerns. Of course this is only a tiny portion of a much bigger 
picture. Someday system security will get solved but until then....let's 
hope as the studies suggest that you or one of your coworkers won't sell 
their password for a frozen Snickers bar. Frozen Snickers 
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmaggggggggggghhhhhhhhhh. Whoa easy 
Homer!! New Castle.......you guessed it , I just gave up my password.

Max