Re: [SuSE Linux] security breaches... Help!
Wes Morriston wrote:
On a several occasions, somebody has managed to break into my networked SuSE Linux box and do some damage. On two occasions, the damage has made it impossible for me to log in to my own site.
Can anyone advise me about the best method of preventing this sort of thing?
I can't say what they tried to do; BUT I've been reading that most hacks into Linux are done by creating a "buffer overflow" in a program to get root access. On www.freshmeat.com they have posted a patch for Linux kernels to protect against this. I haven't tried it; all I know is that it is there. The filename is: secure-linux-06.tar.gz. It was on freshmeat during the last week, check all days.
- To get out of this list, please send email to majordomo@suse.com with this text in its body: unsubscribe suse-linux-e
secure-linux-06.tar.gz
It was on freshmeat during the last week, check all days.
This is not a 100% solution and it may cause problems with very badly written software. No problems yet that I have seen. Other features include restricted access to /proc and linking in /tmp. http://www.theverge.com
charles verge wrote:
secure-linux-06.tar.gz
It was on freshmeat during the last week, check all days.
This is not a 100% solution and it may cause problems with very badly written software. No problems yet that I have seen. Other features include restricted access to /proc and linking in /tmp.
http://www.theverge.com
I also have found some software called Sentry, which watches all unused TCP/IP ports, and immediately drops anyone hacking them into /etc/hosts.deny. It's at http://www.psionic.com/abacus/abacus_sentry.html and it works. It's nice because all the offenders are neatly listed in hosts.deny. :-) I would also suggest looking out for the "floppy boot" attack. It's real easy to get into a machine if the console and floppy are available. Many people refuse to believe that anyone would be sneaky enough to try it. But there might be some info they are after. Get a camera on your machine if you suspect this.
Just watch the configuration of Sentry, at the higher settings it tends to get mad at every connect (such as the lousy common win95 clients) and add YOU (as in your lan) to the hosts.deny as well. :/ It's also not "bulletproof" either, you have to tell Sentry which ports to monitor. But it beats nothing at all...
I also have found some software called Sentry, which watches all unused TCP/IP ports, and immediately drops anyone hacking them into /etc/hosts.deny. It's at
http://www.psionic.com/abacus/abacus_sentry.html
and it works. It's nice because all the offenders are neatly listed in hosts.deny. :-)
I would also suggest looking out for the "floppy boot" attack. It's real easy to get into a machine if the console and floppy are available. Many people refuse to believe that anyone would be sneaky enough to try it. But there might be some info they are after.
Or use TCFS, an encrypted file system. If the system is encrypted (the HD data, that is) a floppy boot is a bit of a waste of time as they can't mount a readable partition... This is available from: http://www.bozcom.com/tcfs/
Get a camera on your machine if you suspect this
Heard of a webcam that caught a pic and sent it to the webpage of a burglar who stole the owner's computer. The police got him quickly, but the computer was long gone...
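The Sentry discussion above describes a simple idea: log connection attempts to ports nothing listens on, and write the offending source addresses into /etc/hosts.deny, with the caveat that an over-eager configuration also bans your own LAN clients. The following script is an added example, not Sentry's code and not from anyone in this thread: it reduces a constructed watcher log to TCP-wrappers deny entries, skips addresses inside a (hypothetical) site-LAN allowlist, ignores NetBIOS noise ports, and only denies a source after a configurable number of attempts. The log format, the `portwatch` tag and the network ranges are all assumptions made up for the example.

```python
"""Added example (not from the thread): reduce a port-watcher log to
/etc/hosts.deny entries, with a local-LAN allowlist so the box does not
lock out its own clients.  Log format, tag and ranges are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines: a hypothetical watcher logging attempts
# to ports it guards.  Addresses are documentation/private ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 host portwatch: attempt from 203.0.113.45 to port 31337/tcp
Jan 12 03:14:09 host portwatch: attempt from 203.0.113.45 to port 12345/tcp
Jan 12 03:15:02 host portwatch: attempt from 192.168.1.22 to port 137/tcp
Jan 12 03:16:11 host portwatch: attempt from 198.51.100.7 to port 1524/tcp
Jan 12 03:16:12 host portwatch: attempt from 198.51.100.7 to port 2222/tcp
Jan 12 03:16:13 host portwatch: attempt from 198.51.100.7 to port 54320/tcp
Jan 12 03:20:00 host portwatch: attempt from 10.0.0.5 to port 21/tcp
"""

LINE_RE = re.compile(
    r"attempt from (?P<src>[\d.]+) to port (?P<port>\d+)/(?P<proto>tcp|udp)"
)

# Networks that must never be written to hosts.deny (hypothetical site LAN).
LOCAL_ALLOW = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Ports that Windows clients probe on their own (NetBIOS); treat as noise.
IGNORE_PORTS = {137, 138, 139}


def parse_attempts(log_text):
    """Return a list of (source_ip, port) tuples from watcher log lines."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m.group("src"), int(m.group("port"))))
    return attempts


def is_local(ip_str):
    """True if the address falls inside the site-LAN allowlist."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LOCAL_ALLOW)


def offenders(attempts, threshold=1):
    """Sources to deny: remote, non-noise, and seen at least `threshold` times."""
    counts = Counter()
    for src, port in attempts:
        if is_local(src) or port in IGNORE_PORTS:
            continue
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


def hosts_deny_lines(offender_ips):
    """Render TCP-wrappers entries; 'ALL:' denies every wrapped service."""
    return [f"ALL: {ip}" for ip in offender_ips]


def build_deny(log_text, threshold=1):
    """Full pipeline: log text -> list of hosts.deny lines."""
    return hosts_deny_lines(offenders(parse_attempts(log_text), threshold))


if __name__ == "__main__":
    for entry in build_deny(SAMPLE_LOG, threshold=2):
        print(entry)
```

Raising `threshold` is the knob that answers the "it bans everything that connects" complaint: a single stray SYN from a misconfigured client never earns a deny entry, while a source walking several closed ports does. The allowlist check runs before counting, so LAN hosts are never written to hosts.deny no matter how noisy they are.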
participants (3)
- charlesiii@theverge.com
- wizard01@impop.bellatlantic.net
- zentara@mindspring.com