Re: crack traces in /var ?
Andy Firman wrote:
Oh well. Second time this year.
Maybe we can learn from your mistakes. I would appreciate the information.
(If you want it short, this may not be for you - here goes:)
Andy, thanks for your interest. I consider myself still a newbie, this
is my third Debian year, Corel Linux got me started after an
unconvincing try at RedHat5 years earlier. I have no professional IT
background but like 'puters and am reading a lot around in the
newsgroups, Howtos etc.
Policy: I have no services open to the outside, exceptions are mentioned
below. There are only trusted users inside the network. Besides iptables
I have set nosuid,nodev,noexec flags for my home dir and other storage
partitions. I run tiger and chkrootkit occasionally, i.e. once or twice
a week, sometimes not. The firewall box is a small hardened Woody with
security updates, the desktop a current SID installation.
As I haven't set up my mail dir to work with Mozilla and haven't
bothered to find out how to make the black background of mutt lighter I
am not reading the reports frequently - reports from programs I am
slowly getting familiar with like snort, tiger.
Before the first crack I had ssh (and nothing else) open to the outside.
In addition, maintenance of some proprietary custom tailored database
program that I had acquired for another location made it necessary to
open one of the higher ports for a few hours. Fiddling with
firestarter/iptables until port forwarding worked was when I shut off
the firewall for minutes and once unfortunately a lot longer: I forgot
to start iptables via firestarter again a few weeks ago over a period of
a few hours after said situation - maybe this sealed my fate this time.
I am paying dearly as even the laptop that for file synchronization I
hook up to the switch now and then currently sports some unknown numeric
group permissions for the home dir as reported by tiger later today.
I detected the first crack when chkrootkit reported a deletion in wted.
For this crack (only after which I built the separate firewall box) I
have the following explanation although I may have been too sloppy as
well with restarting the firewall immediately after stopping it for
whatever reason I had back then: I saw in the log that the time of the
wted deletion was almost to the minute the time when I installed a
freshly compiled kernel. The machine had locked up then and during
installing I had thought that this was due to some module problem
(running SID, as I said), and the second try worked so that I did not
bother any more. But in retrospect it may have been the crack(er) who
caused the crash.
What I wonder is whether it is potentially dangerous for me to have
iptables starting quite slowly on my 133MHz firewall machine, it takes
maybe 10 seconds to get all the modules loaded while ntp already picks
up the time and a net connection has seemingly already been established.
I power down my system almost daily to reduce risks and keep my power
bill lower, so there is a certain window almost daily at startup. My IP
address is a de facto fixed one from the cable provider.
And I now wonder whether a powerful thing like iptables is manageable by
an amateur with some half knowledge when even professionals have their
troubles. Or perhaps I am now in the process of learning the hard way
that the good enough firewall has to be on at *all* times, no matter what.
I also wonder whether a stock Windows98 box is less of a hassle because
a friend who is not so security conscious is customer of the same cable
provider. Despite frequent hits on my firewall from the provider's
subnet to which he must more or less be subjected to he has never
reported anything problematic. Do Linux boxen attract the more skilled
attackers? But perhaps his occasional reinstalls are not so much due to
fat havoc after dozens of lockups per month but signs of unrecognized
security compromises... don't get me wrong, I see no alternative for me
in this other OS, and I wonder what he'll be reporting after his current
So I guess it's all my fault, underestimating what trouble already a few
or no firewall hits per hour when traffic is low can mean without the
PS: will look at Shorewall too
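The startup window the poster describes (link already up, ntp already talking, while iptables is still loading modules and rules) closes if the DROP policies are the very first thing the firewall script does. The script below is an added example, not the poster's or Firestarter's own setup; the interface names and the LAN range are assumed placeholders.

```sh
#!/bin/sh
# Added example: boot-time firewall script that sets DROP policies before
# anything else, so a slow rule load cannot leave the box open.
# Assumed placeholders, adjust for your own machine:
IPT=${IPT:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}              # cable modem side
LAN_IF=${LAN_IF:-eth1}              # trusted inside network
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print the commands in the order they must run. Policies come first:
# on a 133MHz box module loading and rule appends can take seconds, and
# with DROP already set nothing is accepted while they finish.
emit_rules() {
    printf '%s\n' \
        "$IPT -P INPUT DROP" \
        "$IPT -P FORWARD DROP" \
        "$IPT -P OUTPUT ACCEPT" \
        "$IPT -F" \
        "$IPT -A INPUT -i lo -j ACCEPT" \
        "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT" \
        "$IPT -A INPUT -i $WAN_IF -j LOG --log-prefix 'FW-DROP: '" \
        "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" \
        "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Guard: refuse to run a ruleset whose first command is not the INPUT DROP
# policy, since that is exactly the ordering mistake that opens the window.
first_rule_is_drop_policy() {
    [ "$(emit_rules | head -n 1)" = "$IPT -P INPUT DROP" ]
}

# Apply the commands one by one, stopping at the first failure.
apply_rules() {
    first_rule_is_drop_policy || { echo "refusing: DROP policy is not first" >&2; return 1; }
    emit_rules | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}
```

Run it from the init sequence before the network interfaces are brought up (and before ntp starts), not from a desktop tool that has to be restarted by hand; if the script is ever stopped, the DROP policies should be re-applied before the link is used again.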