[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: crack traces in /var ?

Andy Firman wrote:
Oh well. Second time this year.
Maybe we can learn from your mistakes.  I would appreciate the information.

(If you want it short, this may not be for you - here goes:)

Andy, thanks for your interest. I consider myself still a newbie, this is my third Debian year, Corel Linux got me started after an unconvincing try at RedHat5 years earlier. I have no prefessional IT background but like 'puters and am reading a lot around in the newsgroups, Howtos etc.

Policy: I have no services open to the outside, exceptions are mentioned below. There are only trusted users inside the network. Besides iptables I have set nosuid,nodev,noexec flags for my home dir and other storage partitions. I run tiger and chkrootkit occasionally, i.e. once or twice a week, sometimes not. The firewall box is a small hardened Woody with security updates, the desktop a current SID installation.

As I haven't set up my mail dir to work with Mozilla and haven't bothered to find out how to make the black background of mutt lighter I am not reading the reports frequently - reports from programs I am slowly getting familiar with like snort, tiger.

Before the first crack I had ssh (and nothing else) open to the outside. In addition, maintenance of some proprietary custom tailored database program that I had acquired for another location made it necessary to open one of the higher ports for a few hours. Fiddeling with firestarter/iptables until port forwarding worked was when I shut off the firewall for minutes and once unfortunately a lot longer: I forgot to start iptables via firestarter again a few weeks ago over a period of a few hours after said situation - maybe this sealed my fate this time. I am paying dearly as even the laptop that for file synchronization I hook up to the switch now and then currently sports some unknown numeric group permissions for the home dir as reported by tiger later today.

I detected the first crack when chkrootkit reported a deletion in wted. For this crack (only after which I built the separate firewall box) I have the following explanation although I may have been to sloppy as well with restarting the firewall immediately after stopping it for whatever reason I had back then: I saw in the log that the time of the wted deletion was almost to the minute the time when I installed a freshly compiled kernel. The machine had locked up then and during installing I had thought that this was due to some module problem (running SID, as I said), and the second try worked so that I did not bother any more. But in retrospect it may have been the crack(er) who caused the crash.

What I wonder is whether it is potentially dangerous for me to have iptables starting quite slowly on my 133MHz firewall machine, it takes maybe 10 seconds to get all the modules loaded while ntp already picks up the time and a net connection has seemingly already been established. I power down my system almost daily to reduce risks and keep my power bill lower, so there is a certain window almost daily at startup. My IP address is a de facto fixed one from the cable provider.

And I now wonder whether a powerful thing like iptables is manageable by an amateur with some half knowledge when even professionals have their troubles. Or perhaps I am now in the process of learning the hard way that the good enough firewall has to be on at *all* times, no matter what.

I also wonder whether a stock Windows98 box is less of a hassle because a friend who is not so security conscious is customer of the same cable provider. Despite frequent hits on my firewall from the provider's subnet to which he must more or less be subjected too he has never reported anything problematic. Do Linux boxen attract the more skilled attackers? But perhaps his occasional reinstalls are not so much due to fat havoc after dozens of lockups per month but signs of unrecognized security compromises... don't get me wrong, I see no alternative for me in this other OS, and I wonder what he'll be reporting after his current XP honeymoon.

So I guess it's all my fault, understimating what trouble already a few or no firewall hits per hour when traffic is low can mean without the firewall.


PS will ook at Shrewall too

Reply to: