Re: Help - have I been hacked

I've had my box hacked two times and ever since I've been a security freak. I'm not going to tell you how many sites I encounter which are vulnerable. I'd scare you :{

Almost all hacking attempts are done by script kiddies, ppl without any knowledge who've just downloaded something from the Net and hey lookee here, it works on this box. If you follow the guidelines below you won't have to worry about those people. They're too dumb to invent something themselves, they just download something and try it. Sadly I must admit both times I was nailed by those script kiddies.
The real "professionals" are a much bigger threat but their numbers are relatively small and most sites just aren't interesting enough for them. Most boxes are safe enough for those people just because they're too anonymous.


Those scripts are running everywhere and always. I have total logging on my firewall and you wouldn't believe the amount of (port)scans my servers get each day. There are a few guidelines which keep a system (at least I'm hackfree for over 3 years now) pretty safe:


- DON'T think you're safe because you're anonymous. Most scripts attack a whole range of IP addresses. Chances are very high you will get an attack (or already had unsuccessful ones).


- KNOW your system. Observe how it behaves and watch irregularities. If you see them, make sure you can explain them or at least rule out hacking. The sudden appearance of a process unknown to you is very suspicious. Also sudden "open" ports are highly suspicious. (netstat -tuan to check)

- Stay up2date. Both hacks on my system were done by exploiting a vulnerability on which a patch was already available. RedHat (and pretty much all other OS vendors/distributors) more often than not plug leaks faster than hackers can write/use exploits on your box.

- Get or build a good, strict firewall. No comment on that needed. Block all protocols and TCP/UDP ports except those you REALLY need. If possible, block traceroute and ping requests.

- Get rid of messages stating the version of the software you are using. If they know the version of some package it's easier for them to find an exploit for it. Edit /etc/issue and /etc/issue.net (and /etc/rc.d/rc.local), they tell the hacker which kernel and computer you have. Get rid of the wu-ftp greeting stating the version. Get rid of the version in the sendmail greetings. Apache too.

- Disable all services you don't need. A good example is the portmapper and all portmapper-related services. They are by design very vulnerable and I can still see no valid reason for running portmapper services on a bastion (firewall, first line of defense) machine. If you see a service running you don't know, chances are you don't need it ;-) Remove all packages you don't need. Don't run SAMBA or NFS on your firewall machine.
Other candidates to get rid of: date, echo, chargen (all services with port numbers lower than 20), telnet (use ssh instead), anonymous ftp, POP.


- Monitor often and thoroughly. Especially the log files. Sudden disappearance of those is a sure sign of a successful compromise (or a typo in a rm command). In case your system is compromised you may catch them in the act and have at least the IP addresses they're working from. Download or purchase a virus scanner. Put it on write-protected media and scan often. Yes, there ARE virus scanners for Linux available. McAfee has one.

- Make backups. When compromised you might still have a backup of a good system. Saves a lot of pain. Also very handy if you have a HD crash ;-)

- Don't keep important data on your firewall machine. If possible, make a backup of a freshly installed working firewall system on CD or tape. That will make sure you'll be up and running soon again after a compromise. (of course try to figure out the leak and plug it)

- If once compromised, format and reinstall from scratch. The only way to be sure no backdoors are left open. Don't keep a single file. Don't restore backups of which you're not 100% sure they're made from an uncompromised system.

- Browsing around on hacker sites (use a http proxy ;) ) might give you an idea about what's hot in the hacker world.

- If you didn't understand any of the stuff I mention in this e-mail, make sure to learn and understand it :)

If you need to protect a bigger (i.e. corporate) network, work with multiple defenses. Make it hard for them. Then we're getting into the realm of DMZs and other stuff which is too costly (and a bit overdone) for a home LAN. If you are a corporate network administrator, knowing all about hacking, whacking and protection is a must. Also, in corporate environments, the threat more often comes from within than from the outside.

Following these guidelines (I'm sure others can add some more good ones to this list) will not keep you 100% safe, but at least make it so hard that they'd rather target the neighbor :) 100% safety is never ever guaranteed, but try to get as close as possible.

OK, it's a bit more than you asked for, but I hope others will read this too and by this contribution I hope to lessen the "help, I've been hacked" messages :)

Eric.

Richard wrote:

I wonder looking at that thread if anyone actually saw or did a serious
survey on cracked linux boxes.. etc..
Have there been any serious studies conducted by RH as to the whole
security of their distros, recorded events of boxes that were cracked ?


In fact is there anyone on the list who ever had his box cracked ? Ric

Like usual, thinking is getting me in trouble.. :(
