Re: linux newbie: how to stop port scan abuse?

From: Kevin Christopher (notGiven@nowhere.com)
Date: 11/10/02


From: Kevin Christopher <notGiven@nowhere.com>
Date: Sun, 10 Nov 2002 00:54:04 -0800

Having gone through EXACTLY the same process about a month ago... (yes,
a usually-windows person installing a redhat 7.3 webserver, which
subsequently got hacked and earned me an e-mail about port-scanning...
sent from Slovenia!)

First: I would bet that what actually happened is someone got a worm
onto your system, then used that to portscan. The reason I suggest this
is it happened to me (Slapper/.cinik worm - comes through
OpenSSL-apache, and RH7.3's version of OpenSSL is vulnerable).
Portscanning technically isn't illegal (I say this at risk of starting a
flame war...), but is definitely not good etiquette. Do make sure that
once you figure out what's going on, you reply to the e-mails
apologizing and informing them what the problem was, and how you fixed it.

So, the first thing I would do is head over to
http://www.chkrootkit.org/ and download the latest version of chkrootkit
(0.37). Run that on your server - it'll tell you what has
"mysteriously" shown up on your machine - and it includes some of the
latest worms. The problem, though, is if it finds any, you're likely to
have to do a complete re-install to clean everything out of your system.
If it's just a worm and not a root compromise, you might be OK, but
unless you know what the difference is, assume the worst. Think of it
as a lesson in securing your installation - you probably won't forget
again if you ever have to reinstall! chkrootkit is a fairly thorough
tool - not perfect, but complete enough to be a major help to someone
who's not quite sure what to do.

For your own knowledge, I'd also suggest searching on the internet for
information about any worms/viruses/rootkits/etc. you do find on your
system - that way, you'll learn about a hole and how to fix it. Knowing
exploitable holes is the first step in closing them.

(Someone else posting suggested that someone else might be port-scanning
and spoofing your IP, but I don't think this is likely - as you are a
new linux user, I think a worm is more probable - and would produce
exactly what you've described).

OK, once you have a clean system, you need to secure it (and quickly!).
This is a very brief overview, don't consider it complete - read this
newsgroup and look elsewhere on the web, but this should give you some
basic ideas. These are in (very) rough order of importance - and before
someone argues, I think that this is the right order _for a newbie_.

1) Disable non-essential services.
   Do you really know what's running on your machine? The 7.3 default
install has ~20 ports open, and you almost certainly don't need them.
My machine right now has ~10 ports: HTTP, HTTPS, SSH, and ~6 for my
university's authentication / filesharing system. Figure out what ports
are open and what services are running on the ports, and stop anything
you aren't sure you need (if this is a web server and you aren't
remotely connecting, you probably only need HTTP). Useful commands:
"netstat" can tell you what ports are open on your machine. "chkconfig"
is a tool that changes the startup scripts (run on boot-up) so that you
can stop some things from loading - but be careful here, some of the
things loaded at startup are actually important. "service" will help
you start, stop, or restart a currently-running server/daemon (think W2K
Services). To figure out how any of these commands work, either use
Google or run "man (command)" - though the man information is a bit
technical. Be careful, because the commands are more powerful than
typical Windows commands.

The base Linux installs are pretty secure, but the services that run by
default, and that a newbie doesn't know enough to secure, are the most
dangerous. I wish Linux didn't enable any of them by default, but I
don't run the companies.

One note: if possible, figure out this step OFFLINE! Because while your
system is online, it can get broken into. Did I mention it took less
than 24 hours for my box to be cracked? I woke up and found that the
intruder had been working for two hours... Everything I've described in
1) can be done w/o an internet connection on the Linux machine. Man
pages (the help files on Linux) are stored locally, and you can search
the internet from another, more secure computer (until you know what you
are doing, Windows).

2) Update your system
   Many will probably tell you this is the #1 priority - and it is, when
you know what your system is running. Even "secure" programs like
apache have holes every now and then - keeping them up-to-date is very
important. Example: the Slapper worm that infected me came from a bug
that was published in mid-July. The worm first appeared in mid-August;
my system was infected at the end of August. The RH7.3 install only
came out in May or June. This is a very fast turnaround... you really
ought to try to update your system for security patches at least once a
week. A useful tool (for RedHat): "up2date". With current patches, a
default-install system is pretty secure - good enough for a newbie, or
anyone who doesn't need to learn to administer their own system.

   One thing I think Windows users don't quite get about Linux is
restarting. On Windows, you seem to have to restart on every patch or
install - and this can't hurt on Linux, so I'd suggest restarting anyway
(as root, issue "reboot" at the prompt). But you probably don't have to
do a full restart. Just realize that anything you patch must be
restarted. For example, if you patch the web server, run "/sbin/service
httpd restart" to make apache restart for the changes to take effect.
(This bit me - even though I patched the night before I was hacked, I
didn't know enough to restart - which would have saved me the trouble,
but lost me a learning experience.)

3) Firewall
   A firewall probably isn't essential for a complete newbie - but
beyond the two steps above, it's the next step for securing your system.
Iptables is the Linux firewall - read up on it on the internet, and
I'm sure a lot of the people responding to your post will tell you
where. I won't get into it because it is very technical - but it's a
great way to both secure your system and monitor attacks against it.
After 1) and 2) above, you'll probably spend more time with a firewall
than with any other security measure. And a good firewall is really the
only proactive security measure available to someone who isn't really,
really good with their system.

I've written quite a bit here, so take some time to digest it. Having
your machine cracked is a bad thing, but I'd wager that it's either
happened at some time to most of the people in this newsgroup, or
they've at least seen it up close and personal. Treat this as a
learning experience - and do what you can to prevent it from happening
again. I've actually found that the more I learn about securing a Linux
system, the better I understand the strengths and weaknesses of Windows
- security is a good thing to know.

-Kevin
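The following is an added example, not part of Kevin's post, that puts steps 1) and 3) of his list into one small POSIX shell script: it parses the classic `netstat -tlnp` listing to show which programs are listening on which ports, flags anything not on an allow-list (here SSH, HTTP and HTTPS, matching the web-server case in the post), and prints a minimal default-deny iptables rule set for those same ports. The netstat sample embedded in the script is constructed (the PIDs, the `mystery` program on port 4444 and the other entries are made up for illustration); the `ALLOWED_PORTS` list and the function names are the example's own assumptions. The iptables commands are printed rather than executed so they can be reviewed on a safer machine, as the post recommends, before being run as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening TCP ports
# against an allow-list and emit a matching iptables rule set.
# Input format assumed: the "netstat -tlnp" layout of RH 7.3-era net-tools.

# Constructed sample of "netstat -tlnp" output; PIDs and program names are
# invented for illustration (port 4444 / "mystery" stands in for a listener
# the admin cannot account for).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      455/portmap
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      701/lpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      770/sendmail
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1337/mystery'

# Ports this box is meant to serve (assumption: SSH + web server, as in the post).
ALLOWED_PORTS="22 80 443"

# listening_ports: read "netstat -tlnp" output on stdin and print one line
# per listener as "port program bind-address".
listening_ports() {
  awk '$1 == "tcp" && $6 == "LISTEN" {
    n = split($4, a, ":"); port = a[n];
    addr = substr($4, 1, length($4) - length(port) - 1);
    split($7, p, "/"); prog = (p[2] == "" ? "unknown" : p[2]);
    print port, prog, addr
  }'
}

# unexpected_listeners: print only the listeners whose port is not in
# ALLOWED_PORTS. Each one is a candidate for "service X stop" and
# "chkconfig X off" from step 1 of the post.
unexpected_listeners() {
  listening_ports | while read -r port prog addr; do
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;                      # allowed, say nothing
      *) echo "$port $prog $addr" ;;       # not on the list: investigate
    esac
  done
}

# iptables_rules: print a minimal default-deny INPUT chain for the allowed
# ports. Printed, not executed, so it can be reviewed first; run the output
# as root with:  sh audit.sh --rules | sh
iptables_rules() {
  echo "iptables -F INPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for port in $ALLOWED_PORTS; do
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
  done
  # Log what gets dropped (rate-limited) so the firewall doubles as a monitor.
  echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
  # Policy is set last so an existing SSH session survives while rules load.
  echo "iptables -P INPUT DROP"
}

# Usage: no argument audits the constructed sample; "--live" audits the real
# box (needs root for program names); "--rules" prints the firewall commands.
case "${1:-}" in
  --live)  netstat -tlnp 2>/dev/null | unexpected_listeners ;;
  --rules) iptables_rules ;;
  *)       printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners ;;
esac
```

On the sample the audit reports portmap, lpd, the loopback-only sendmail and the unexplained `mystery` listener; on a real machine, each reported line is something to identify (`man` page, package it belongs to) and then stop with `service` and disable with `chkconfig` before the box goes back online. The rule set only covers TCP on the allowed ports; anything else the host legitimately needs (UDP for DNS replies is covered by the ESTABLISHED,RELATED rule, but not, for example, an NFS or authentication service) has to be added deliberately.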
