Greetings:
Last night my oldest (2.2.13) SuSE Linux box was attacked. Ironically, I was shelled in from another machine working on setting up a firewall script on this machine when the attack occurred. I noticed an unusual amount of network traffic and looked over the log files to discover that scanlogd was reporting repeated port scans from 10-15 foreign IPs. I have seen this sort of thing before and was not terribly concerned until text was printed to my terminal console. I then noticed that /etc/motd had been modified and became very concerned. Although a firewall was not running when the attack occurred, most services (except ssh, http, pop3, smtp and ftp) were disabled, tcp wrappers were configured, hosts.deny and hosts.allow were configured, etc. I have been pretty good about updating packages as security announcements were made.
I looked at all recently modified files and ran tripwire but could find very few changes. I believe that a directory was created ("/usr/lol" I think) and /etc/motd was changed. Also, ports were open that I don't recall being open before: 6711 and 31965. I don't know what services use these ports.
I am a Linux security novice and would appreciate feedback regarding 1) how this attack may have been accomplished and 2) what I should do to secure this box. I am working on configuring a firewall script but am afraid I might miss some security flaws created by the attackers.
Any advice would be appreciated.
Thanks.
Chris Quinn
I am a Linux security novice and would appreciate feedback regarding 1) how this attack may have been accomplished and 2) what I should do to secure this box. I am working on configuring a firewall script but am afraid I might miss some security flaws created by the attackers.
Any advice would be appreciated.
What kinds of network services did you run when the machine was attacked/ rooted?
Thanks.
Chris Quinn
Thanks,
Roman.
--
Roman Drahtmüller
Hi people!
Maybe this is off-topic, but it's also very much security related, so I ask this anyway... Does anybody of you have any experience with the Ethernet Gateway 3C510 from 3Com? It has 4 RJ45 ports, a printer server (Windows) and so on... They say it has a firewall built in, and it is easy to configure. Would this be the solution to my problem of wanting to connect 3 PCs (actually 2 desktops and 1 laptop) to a cable modem? An important point is that the modem remembers the MAC address of the network device it is connected to, so if I want to change PC, I have to reset the modem :(
Any help would be greatly appreciated
kind regards
Markus
__________________________________________________________________________
The dark ages were caused by the Y1K problem.
On Thu, 7 Jun 2001, Markus Kohli wrote:
Hi people!
Maybe this is off-topic, but it's also very much security related, so I ask this anyway... Does anybody of you have any experience with the Ethernet Gateway 3C510 from 3Com? It has 4 RJ45 ports, a printer server (Windows) and so on... They say it has a firewall built in, and it is easy to configure. Would this be the solution to my problem of wanting to connect 3 PCs (actually 2 desktops and 1 laptop) to a cable modem? An important point is that the modem remembers the MAC address of the network device it is connected to, so if I want to change PC, I have to reset the modem :(
Any help would be greatly appreciated
kind regards
Markus
I'm not familiar with the 3Com product you mention, but I have successfully used the Linksys "Etherfast Instant Broadband" router/hub on two different cable systems. It supports DHCP or PPPoE on the WAN side, NAT, a DHCP server on the LAN side, and some minimal port forwarding capabilities. (No print server that I'm aware of...) Of the three installations I am aware of, it has been rock-solid reliable. I've used the 4-port model, but I understand it's also available in one-port, eight-port, and 802.11b versions.
I've also accomplished the same functionality (and more!) using a surplus 486-66, 16MB of RAM, two NICs, a single floppy drive, and a copy of freesco (www.freesco.org). For my own use, where surplus hardware is available and appearance isn't important, freesco was my choice. For a client who's paying for my time as well as the hardware, the Linksys at $129 was hard to beat.
--
Rick Green
"I have the heart of a little child, and the brain of a genius. ... and I keep them in a jar under my bed"
On Friday 08 June 2001 4:45 am, Rick Green wrote:
On Thu, 7 Jun 2001, Markus Kohli wrote:
Does anybody of you have any experience with the Ethernet Gateway 3C510 from 3Com? It has 4 RJ45 ports, a printer server (Windows) and so on... They say it has a firewall built in, and it is easy to configure. Would this be the solution to my problem of wanting to connect 3 PCs (actually 2 desktops and 1 laptop) to a cable modem? An important point is that the modem remembers the MAC address of the network device it is connected to, so if I want to change PC, I have to reset the modem :(
For my own use, where surplus hardware is available and appearance isn't important, freesco was my choice. For a client who's paying for my time as well as the hardware, the Linksys at $129 was hard to beat.
Personally I would prefer to directly connect the cable modem, using a crossover UTP cable, and have a gateway with 2 NICs, plus a simple non-managed hub or switch that you know and understand, which can give no nasty surprises. Then your internal net can be firewalled at the gateway, via SuSE, OpenBSD or a dedicated product like www.smoothwall.org (2.2 based) or Freesco (2.0) (another that might be interesting and has a free download is 'astaro', which boasts 2.4 with iptables, and support for chroot-ed server daemons).
The dedicated distributions tend to offer simple web-based configuration and a small footprint. They are intended for use by the less technically interested. It is debatable that you would really increase overall security by adding another distro/OS that you know and understand less well. It is hard work keeping on top of updates and following security lists, so the less homogeneous your network, the greater the chance of misconfiguration, or of failing to patch known holes. A firewall does not allow you to become complacent and lazy about internal network security.
A general distribution will be more flexible, but that means more configuration understanding is needed, though your machines could benefit from DHCP, web proxy and DNS, and a basic firewall (more correctly, packet filtering) configuration is very simple and easy in SuSE. As they are larger, there tend to be more security-related updates, though the default configuration is far more secure now than was customary even one year ago (try netstat -l).
It is important to record the MAC addresses of both the cable modem and the NIC it expects to connect to, so that you can set the address of your NIC should you need to use a different card one day, or remind the cable company of what _should_ be in their records. ;)
These 'intelligent' devices are fine if they work, but 'printer-server (windows)' would worry me; it must be aimed at the Win market. You could find they support only some Windows-based GUI configuration program, or worse, have to download a boot image (unlikely).
Good luck
Rob
I'm actually very well aware of the fact that I could put up a Linux box as firewall/gateway/whatever. But I have neither the place for another machine nor the money (I know, I don't need a P4 for a firewall, but anyway). So the thing with the "gateway device" looks good to me. Lots of people are happy with that thing, and that printserver thing doesn't bother me too much, because this is not the reason for me to buy that thing.
Which brings me to my main question: does anybody know, by any chance, where to get such a device at a low price? The price in the US is $149, as I already mentioned. But I don't know if I want to order overseas, and I didn't see any trace of that thing in Europe yet...
tia
markus
-----Original Message-----
From: Markus Kohli [mailto:kohli@dplanet.ch]
Sent: 7 June 2001, 22:35
To: suse-security@suse.com
Subject: [suse-security] Ethernet Gateway from 3Com
Hi people!
Maybe this is off-topic, but it's also very much security related, so I ask this anyway... Does anybody of you have any experience with the Ethernet Gateway 3C510 from 3Com? It has 4 RJ45 ports, a printer server (Windows) and so on... They say it has a firewall built in, and it is easy to configure. Would this be the solution to my problem of wanting to connect 3 PCs (actually 2 desktops and 1 laptop) to a cable modem? An important point is that the modem remembers the MAC address of the network device it is connected to, so if I want to change PC, I have to reset the modem :(
Any help would be greatly appreciated
_______________________________________
Hello Markus,
Yes, this kind of product is very simple to manage and, what's most important, they are very quiet! Of course a Linux or FreeBSD box gives some extra features (DNS cache and others...), but...
As for the MAC address, I think that some boxes (e.g., the SMC Barricade) have a feature to copy the MAC address of your current network device to the WAN port. So, I think you do not need to reset the modem ;-)
Audrius Verseckas
Try http://www.susesecurity.com/faq/#incident_reporting
with thanks to Boris Lorenz
Greetings:
Last night my oldest (2.2.13) SuSE Linux box was attacked. Ironically, I was shelled in from another machine working on setting up a firewall script on this machine when the attack occurred. I noticed an unusual amount of network traffic and looked over the log files to discover that scanlogd was reporting repeated port scans from 10-15 foreign IPs. I have seen this sort of thing before and was not terribly concerned until text was printed to my terminal console. I then noticed that /etc/motd had been modified and became very concerned. Although a firewall was not running when the attack occurred, most services (except ssh, http, pop3, smtp and ftp) were disabled, tcp wrappers were configured, hosts.deny and hosts.allow were configured, etc. I have been pretty good about updating packages as security announcements were made.
I looked at all recently modified files and ran tripwire but could find very few changes. I believe that a directory was created ("/usr/lol" I think) and /etc/motd was changed. Also, ports were open that I don't recall being open before: 6711 and 31965. I don't know what services use these ports.
I am a Linux security novice and would appreciate feedback regarding 1) how this attack may have been accomplished and 2) what I should do to secure this box. I am working on configuring a firewall script but am afraid I might miss some security flaws created by the attackers.
Any advice would be appreciated.
Thanks.
Chris Quinn
Have fun
Nix - nix@susesecurity.com http://www.susesecurity.com
I looked at all recently modified files and ran tripwire but could find very few changes. I believe that a directory was created ("/usr/lol" I think) and /etc/motd was changed. Also, ports were open that I don't recall being open before: 6711 and 31965. I don't know what services use these ports.
It's very common for a box that's been broken into to run some service on a non-standard port, to allow login to the intruder, preferably without showing up in the records used by w(1) and last(1), or logging via syslog. The other obvious reason for ports being open is if connections have been made to other machines. A client of a service will connect to the well-known port, e.g. ftp, ftp-data, ssh, smtp etc., but the source port is chosen by the client OS. They are also likely to use your machine as a login redirector, to attack somewhere else and have it look like it is coming from your network. Another fun one is to set up a DoS attack against some other site, where your machine is used with an army of others to swamp the machines and internet connections of the victim.
I am a Linux security novice and would appreciate feedback regarding 1) how this attack may have been accomplished and
This depends on what packages and what versions you run on your machine. There have been a number of security patches to the linux-kernel, 2.2.16 and 2.2.19 fixed issues for example.
2) what I should do to secure this box. I am working on configuring a firewall script but am afraid I might miss some security flaws created by the attackers.
You need to take it offline, preferably do a clean-room OS install; you could verify RPMs against the original installation from CD-ROM, and packages from download, and search for setuid scripts etc. You'll probably find programs like /bin/login have been tampered with. However, now your network has been penetrated, I'm afraid you cannot make the assumption that only this machine has been 'rooted'. You really need to make an emergency damage assessment and recovery plan, involving disconnection from the net, and installing a clean version of the OS with all security patches (use SuSE 7.1 or 7.2 if you can get your hands on it).
Good luck
Rob
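Two of the checks Rob describes can be scripted: separating sockets that are actually listening from ephemeral client-side source ports, then comparing the listeners against the services Chris says he left enabled, and sifting `rpm -Va` output for packaged files whose contents (not just timestamps) changed. The following Python is an added example written for this archive page, not code from the thread or from SuSE. The sample text it runs over is constructed in the shape of `netstat -anp` and `rpm -Va` output: the PIDs, program names and the missing documentation path are made up, while ports 6711 and 31965 and /bin/login are the ones the thread mentions. The function names `unexpected_listeners` and `tampered_files` are mine.

```python
"""Triage helpers for a suspected compromise (added example, not from the thread).

unexpected_listeners(): flag LISTEN sockets (and bound UDP sockets) whose port
is outside an expected baseline, ignoring client connections whose local port
is just an ephemeral source port chosen by the OS.
tampered_files(): flag packaged files whose size or MD5 digest differs from
the RPM database, skipping config files and mtime-only changes.
"""
import re

# Services the poster says were deliberately left enabled (TCP ports).
EXPECTED_LISTENERS = {22: "ssh", 80: "http", 110: "pop3", 25: "smtp", 21: "ftp"}

# Constructed sample in the shape of `netstat -anp` output. PIDs and program
# names are made up; 6711 and 31965 are the ports reported in the thread.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      312/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      301/sendmail
tcp        0      0 0.0.0.0:6711            0.0.0.0:*               LISTEN      4411/-
tcp        0      0 0.0.0.0:31965           0.0.0.0:*               LISTEN      4412/-
tcp        0      0 192.168.1.10:1034       10.1.2.3:21             ESTABLISHED 4500/ftp
tcp        0      0 192.168.1.10:22         10.4.5.6:2201           ESTABLISHED 4390/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           210/syslogd
"""

# Constructed sample in the shape of `rpm -Va` output (rpm 3.x flag columns:
# S size, M mode, 5 MD5, D device, L symlink, U user, G group, T mtime;
# a trailing 'c' marks a config file). Paths other than /bin/login are made up.
RPM_VA_SAMPLE = """\
S.5....T   /bin/login
.......T   /usr/bin/passwd
S.5....T c /etc/motd
missing    /usr/doc/packages/example/README
..5....T   /bin/ps
"""

_NETSTAT_LINE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+\s+"
    r"(?:([A-Z_]+)\s+)?(\S+)\s*$"   # State column is absent for UDP
)


def parse_netstat(text):
    """Yield (proto, local_port, state, program) for each socket line.

    Header and unparseable lines are skipped; a '*' port yields None.
    """
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, _addr, port, state, prog = m.groups()
        yield proto, (int(port) if port != "*" else None), state or "", prog


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Return sorted (proto, port, program) for listening sockets not in the baseline.

    Only LISTEN-state TCP sockets and bound UDP sockets count as listeners;
    ESTABLISHED lines are outbound or inbound connections whose local port
    tells you nothing about what the box is serving. Anything not in the
    baseline is reported, so an incomplete baseline (here: syslog's UDP 514)
    shows up too and must be reviewed rather than silently accepted.
    """
    found = []
    for proto, port, state, prog in parse_netstat(text):
        listening = state == "LISTEN" or (proto == "udp" and port is not None)
        if listening and port not in expected:
            found.append((proto, port, prog))
    return sorted(found)


def tampered_files(text):
    """Return (tampered, missing) path lists from `rpm -Va` style output.

    A file is reported as tampered when its size ('S') or MD5 ('5') differs,
    unless it is a config file ('c'), which legitimately changes. An mtime-only
    difference ('T') is not treated as evidence of modification.
    """
    tampered, missing = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "missing":
            missing.append(parts[-1])
            continue
        flags, path = parts[0], parts[-1]
        is_config = len(parts) == 3 and parts[1] == "c"
        if not is_config and ("S" in flags or "5" in flags):
            tampered.append(path)
    return tampered, missing


if __name__ == "__main__":
    for proto, port, prog in unexpected_listeners(NETSTAT_SAMPLE):
        print(f"unexpected listener: {proto}/{port} ({prog})")
    changed, gone = tampered_files(RPM_VA_SAMPLE)
    print("content changed:", ", ".join(changed))
    print("missing:", ", ".join(gone))
```

Because the thread expects /bin/login and similar programs to have been replaced, the netstat and rpm output fed to these helpers should be produced by binaries run from trusted media (a boot CD or the original installation), not by the suspect system's own copies; a rooted box can lie about both its sockets and its package database.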
participants (7)
- AV
- Chris Quinn
- Markus Kohli
- Peter Nixon
- Rick Green
- Robert Davies
- Roman Drahtmueller