
Re: hacked my Linux Box



On Tue, May 02, 2000 at 03:42:51PM +1000, Matthew Dalton wrote:
> 
> "Dzuy M. Nguyen" wrote:
> > 
> > Yeah, I checked the /var/log and they did delete the log files.

Could syslog be set up to forward the logs to a backup machine? Or you
could set up logcheck to ignore nothing and have it email to an account
on a different machine. (logcheck is useful anyway)

> Make sure you are running the absolute minimum of services that you
> require. If a service is not active, security problems with that service
> should not affect you.
> 
> Use secure alternatives to services, for example: install and use ssh
> instead of telnet (disable telnet).

If at all possible, uninstall the insecure service daemons to make it
that much more difficult for someone to mess with them. Especially
telnet. If possible, on a dedicated webserver or similar machine I'd
also remove gcc and all -dev packages, and anything else unnecessary for
the serving of webpages (or whatever service).

portsentry could also be useful for some amount of advance warning if
someone comes around looking for holes.

> Set up your tcpwrappers conf files (hosts.allow and hosts.deny) to
> restrict the use of active services. Use ipchains / ipfwadm / linux-2.4
> equiv (ipnatctl?) to further restrict access.

iptables?

Remember that in hosts.allow/hosts.deny, if you use name-based
restrictions (instead of ip number based) you'll be trusting the DNS
server to give accurate information.

> Make sure you know exactly what services you have installed

lsof -i can help you make sure of what's open. As can a good portscan of
your own machine.

> and follow the security alerts. Linux Weekly News (http://lwn.net/)
> security section once a week is a good place to start. It also has
> links to other security related sites. Debian announces security
> alerts and fixes for Debian GNU/Linux on its web page
> (http://www.debian.org).

You might also want to subscribe to bugtraq. Email "SUBSCRIBE BUGTRAQ
lastname, firstname" to listserv@securityfocus.com.


-- 
  finger for GPG public key.
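The point above about name-based hosts.allow/hosts.deny rules trusting DNS can be audited automatically. This is an added example, not part of the original thread: it writes two constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny, then flags every rule whose client list contains a hostname or domain suffix rather than an IP address or a tcpwrappers keyword.

```shell
#!/bin/sh
# Constructed sample files stand in for /etc/hosts.allow and /etc/hosts.deny.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/hosts.allow" <<'EOF'
# constructed sample: mix of IP-based and name-based client lists
sshd : 192.168.1.0/255.255.255.0
sshd : .trusted.example.com
in.ftpd : LOCAL, 10.0.0.5
ALL : admin-box.example.com : allow
EOF
cat > "$WORKDIR/hosts.deny" <<'EOF'
ALL : ALL
EOF

# Print every rule in FILE whose client list (second colon field) contains
# a name-based pattern. tcpwrappers keywords (ALL, LOCAL, KNOWN, UNKNOWN,
# PARANOID, EXCEPT) and purely numeric addresses or address/netmask pairs
# are treated as not depending on DNS; anything else is treated as a
# hostname or leading-dot domain suffix, which tcpwrappers resolves via DNS.
name_based_rules() {
    sed -e 's/#.*//' "$1" | awk -F':' '
        NF >= 2 {
            n = split($2, clients, "[ \t,]+")
            for (i = 1; i <= n; i++) {
                c = clients[i]
                if (c == "") continue
                if (c ~ /^(ALL|LOCAL|KNOWN|UNKNOWN|PARANOID|EXCEPT)$/) continue
                if (c ~ /^[0-9./]+$/) continue
                print $0
                break
            }
        }'
}

# Number of flagged rules in FILE, for use in scripts or cron checks.
count_name_based_rules() {
    name_based_rules "$1" | wc -l | tr -d ' '
}

echo "Name-based rules in hosts.allow:"
name_based_rules "$WORKDIR/hosts.allow"
echo "Name-based rules in hosts.deny:"
name_based_rules "$WORKDIR/hosts.deny"
```

Run against the real files by passing /etc/hosts.allow and /etc/hosts.deny to name_based_rules; each flagged line is a rule whose effect depends on the answer your DNS server gives.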
