-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On May 2, 2001 11:30 am, elicker@email.com wrote:
> I never bothered to look at the /var/log/messages file until now.
> Just out of curiosity I was browsing the file and I saw the excerpt that follows.
> It seems that someone at 200.204.201.138 was trying to break into my computer.
> My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No special security measures were taken.
> As I know nothing about security I am looking for some advice.
> Did this guy at 200.204.201.138 succeed? Was I hacked?
> What is "popper"? AFAIK there is nothing in my box with this name.
popper is for pop3 connections. It is called from inetd.

Here is how I handle security. I feel relatively safe with this setup.

- All mail to root is forwarded to me (very important and useful). Simply place a file called '.forward' in '/root' containing the email address you want messages forwarded to.
- The SuSE security scripts are installed and run every night. They are extremely thorough and will probably catch about 90%+ of all the skript-kiddiez out there some way or another as long as you read and understand the reports. They all assume that Linux == RedHat, hehheh.
- Scanlogd is installed and running. I grep messages for scanlogd every once in a while.
- SuSEFirewall is running. I only let in ports that are absolutely necessary. Even though I have a mail server, the pop and IMAP ports are firewalled. I have Kmail set up to tunnel mail over SSH (I can explain that in more detail if anyone wishes). Open ports: http, domain (udp), smtp. I set up "trusted hosts" to the time server I use and allow time connections from it (required for ntp to work properly).
- I am subscribed to the suse-security mailing list and I check every advisory.
- I run the YaST Online Updater at least every week (7.1 only, unfortunately).
- I have disabled anything I don't use in /etc/inetd.conf.
- Remember that 'passwords' are inappropriately named. You should never use a word for one. Mix letters and numbers and make them such that they cannot be easily guessed by software with a dictionary.
- Only install trusted RPM files and avoid installing programs from tarballs. If your trusted source (SuSE) does not have that package in RPM, create one. This gives you the ability to 'verify' that programs have not been messed with.

If you suspect that someone has messed with you, you can check a number of things. Here's what I would do, in order:

- Type 'rpm -V psutils' and pray that it outputs nothing. If it spits filenames at you, the box probably has a rootkit installed and you should immediately back up your data and reinstall.
- Verify some other packages the same way as above: bash and nkitb, especially.
- Type 'ps aux | less' and check that every process should be there, and verify the package the program is contained in. For example, if you see 'httpd' you can 'rpm -V `which httpd`' or the full path as seen in the ps output.
- If you're really paranoid, verify every single package on your system. I have done this a couple of times and it is a security procedure I recommended where I work when we suspect that something is awry. The scary part is, I'm not the most paranoid one here...
- Look around my filesystem with 'mc.' Some rootkits modify 'ls' to hide themselves and mc is just faster. Look for any directories that begin with '.'. The SuSE security scripts do a good job of reporting strange behaviour but nothing replaces looking around yourself if the scripts turn up something strange.

Sounds like a mess of work, doesn't it? Note that if you protect yourself in the beginning you can save yourself from a ton of work in the end. I rarely have to go through the second list these days but I verify psutils from time to time.

-- 
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE68FeL+FOexA3koIgRAkeaAJ0RLWYz6CCjgLEsdF8KZoiU9MDvPgCdHHFP
DFEybS8G0aqqJKu9GYyYMM8=
=dLRy
-----END PGP SIGNATURE-----
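The 'rpm -V' step above is the part of the reply most worth automating: once you verify more than a package or two, the raw output (a column of flag letters, an optional file-type marker, and a path) needs reading carefully, because a changed mtime on a README means something very different from a changed md5 on /bin/ps. The script below is an added example, not code from the original post or from SuSE; it parses 'rpm -V' lines fed on stdin and sorts them into findings you would reinstall over, config edits you probably made yourself, and noise. The sample output it runs on is constructed for the example and is not from a real system. It accepts both the 8-column flag string (SM5DLUGT) that rpm 3.x printed in 2001 and the 9-column form (with a trailing P for capabilities) later rpm 4.x versions print. Two caveats a practitioner should keep in mind: 'rpm -V' compares against the local rpm database, which an intruder with root can edit just as easily as the binaries, so a clean run is evidence, not proof; and to verify the package owning a binary you found in 'ps', the flag is 'rpm -Vf /path/to/binary' (verify by file), since 'rpm -V' on its own expects a package name.

```shell
#!/bin/sh
# Added example (not from the original post): triage the output of 'rpm -V'.
# rpm -V prints one line per file that differs from what the rpm database recorded:
#   <flags> [c] <path>    e.g.  S.5....T   /bin/ps    or   .......T c /etc/inetd.conf
#   missing    <path>
# Flag columns: S size, M mode, 5 md5, D device, L link, U user, G group, T mtime;
# rpm 4.x adds a 9th column, P (capabilities). A '.' means that attribute matched.

# Sample 'rpm -V' output, constructed for this example; not from a real machine.
SAMPLE='S.5....T   /bin/ps
.......T c /etc/inetd.conf
missing    /usr/bin/top
.M......   /usr/sbin/sshd
S.5....T.  c /etc/hosts.allow
.......T   /usr/share/doc/packages/bash/README'

# Turn a flag string such as "S.5....T" into the list of attributes that changed.
explain_flags() {
    out=""
    case $1 in *S*) out="$out size";; esac
    case $1 in *M*) out="$out mode";; esac
    case $1 in *5*) out="$out md5";; esac
    case $1 in *D*) out="$out device";; esac
    case $1 in *L*) out="$out link";; esac
    case $1 in *U*) out="$out user";; esac
    case $1 in *G*) out="$out group";; esac
    case $1 in *T*) out="$out mtime";; esac
    case $1 in *P*) out="$out caps";; esac
    printf '%s\n' "${out# }"
}

# Read rpm -V lines on stdin and print one line per entry:
#   HIGH <path> <reasons>  content, mode or ownership changed on a non-config file,
#                          or the file is missing: the "back up and reinstall" case
#   CONF <path> <reasons>  a file rpm marks as config ('c'); edits are usually yours,
#                          but /etc/inetd.conf or hosts.allow still deserve a look
#   LOW  <path> <reasons>  only the mtime changed (touch, backup restore, no new content)
triage() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        if [ "$flags" = missing ]; then
            printf 'HIGH %s missing\n' "$rest"
            continue
        fi
        # Optional one-letter file type (c config, d doc, g ghost, l license, r readme).
        ftype=""
        case $rest in
            [cdglr]' '*) ftype=${rest%% *}; rest=${rest#* };;
        esac
        while [ "${rest# }" != "$rest" ]; do rest=${rest# }; done   # strip leading blanks
        reasons=$(explain_flags "$flags")
        if [ "$ftype" = c ]; then
            sev=CONF
        elif [ "$reasons" = mtime ] || [ -z "$reasons" ]; then
            sev=LOW
        else
            sev=HIGH
        fi
        printf '%s %s %s\n' "$sev" "$rest" "$reasons"
    done
}

# Number of HIGH findings in the sample: the count a nightly cron job would alert on.
count_high() {
    printf '%s\n' "$SAMPLE" | triage | grep -c '^HIGH'
}

# Stand-alone usage: on a real box replace the sample with 'rpm -Va 2>/dev/null | triage'.
printf '%s\n' "$SAMPLE" | triage
```

On a live system the pipeline is 'rpm -Va 2>/dev/null | triage' (or 'rpm -V bash nkitb' for the packages the reply singles out); anything in the HIGH bucket on a binary under /bin, /sbin or /usr is the signal the post tells you to act on, while CONF lines are the inetd.conf and firewall edits you expect to have made yourself.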