Re: crack traces in /var ?

To: debian-user <debian-user@lists.debian.org>
Subject: Re: crack traces in /var ?
From: Andreas von Heydwolff <pirmin2@gmx.net>
Date: Fri, 25 Jul 2003 19:49:13 +0200
Message-id: <[🔎] 3F216D99.4010207@gmx.net>
In-reply-to: <[🔎] 20030725160052.GA30978@steelhead.firman.us>
References: <[🔎] 3F1FEB02.9040407@gmx.net> <[🔎] 20030725040811.GJ5514@ursine.ca> <[🔎] 3F20D41E.6040000@gmx.net> <[🔎] 20030725160052.GA30978@steelhead.firman.us>

Andy Firman wrote:

Oh well. Second time this year.

snip

Maybe we can learn from your mistakes.  I would appreciate the information.


(If you want it short, this may not be for you - here goes:)

Andy, thanks for your interest. I consider myself still a newbie, thisis my third Debian year, Corel Linux got me started after anunconvincing try at RedHat5 years earlier. I have no prefessional ITbackground but like 'puters and am reading a lot around in thenewsgroups, Howtos etc.

Policy: I have no services open to the outside, exceptions are mentionedbelow. There are only trusted users inside the network. Besides iptablesI have set nosuid,nodev,noexec flags for my home dir and other storagepartitions. I run tiger and chkrootkit occasionally, i.e. once or twicea week, sometimes not. The firewall box is a small hardened Woody withsecurity updates, the desktop a current SID installation.

As I haven't set up my mail dir to work with Mozilla and haven'tbothered to find out how to make the black background of mutt lighter Iam not reading the reports frequently - reports from programs I amslowly getting familiar with like snort, tiger.

Before the first crack I had ssh (and nothing else) open to the outside.In addition, maintenance of some proprietary custom tailored databaseprogram that I had acquired for another location made it necessary toopen one of the higher ports for a few hours. Fiddeling withfirestarter/iptables until port forwarding worked was when I shut offthe firewall for minutes and once unfortunately a lot longer: I forgotto start iptables via firestarter again a few weeks ago over a period ofa few hours after said situation - maybe this sealed my fate this time.I am paying dearly as even the laptop that for file synchronization Ihook up to the switch now and then currently sports some unknown numericgroup permissions for the home dir as reported by tiger later today.

I detected the first crack when chkrootkit reported a deletion in wted.For this crack (only after which I built the separate firewall box) Ihave the following explanation although I may have been to sloppy aswell with restarting the firewall immediately after stopping it forwhatever reason I had back then: I saw in the log that the time of thewted deletion was almost to the minute the time when I installed afreshly compiled kernel. The machine had locked up then and duringinstalling I had thought that this was due to some module problem(running SID, as I said), and the second try worked so that I did notbother any more. But in retrospect it may have been the crack(er) whocaused the crash.

What I wonder is whether it is potentially dangerous for me to haveiptables starting quite slowly on my 133MHz firewall machine, it takesmaybe 10 seconds to get all the modules loaded while ntp already picksup the time and a net connection has seemingly already been established.I power down my system almost daily to reduce risks and keep my powerbill lower, so there is a certain window almost daily at startup. My IPaddress is a de facto fixed one from the cable provider.

And I now wonder whether a powerful thing like iptables is manageable byan amateur with some half knowledge when even professionals have theirtroubles. Or perhaps I am now in the process of learning the hard waythat the good enough firewall has to be on at *all* times, no matter what.

I also wonder whether a stock Windows98 box is less of a hassle becausea friend who is not so security conscious is customer of the same cableprovider. Despite frequent hits on my firewall from the provider'ssubnet to which he must more or less be subjected too he has neverreported anything problematic. Do Linux boxen attract the more skilledattackers? But perhaps his occasional reinstalls are not so much due tofat havoc after dozens of lockups per month but signs of unrecognizedsecurity compromises... don't get me wrong, I see no alternative for mein this other OS, and I wonder what he'll be reporting after his currentXP honeymoon.

So I guess it's all my fault, understimating what trouble already a fewor no firewall hits per hour when traffic is low can mean without thefirewall.


Andreas

PS will ook at Shrewall too

Reply to:

Follow-Ups:
- Re: crack traces in /var ?
  - From: "Jamin W. Collins" <jcollins@asgardsrealm.net>
- Re: crack traces in /var ?
  - From: David Fokkema <dfokkema@ileos.nl>
- Re: crack traces in /var ?
  - From: Jesse Meyer <meyer@btinet.net>
- Re: crack traces in /var ?
  - From: Paul Johnson <baloo@ursine.ca>

References:
- crack traces in /var ?
  - From: Andreas von Heydwolff <pirmin2@gmx.net>
- Re: crack traces in /var ?
  - From: Paul Johnson <baloo@ursine.ca>
- Re: crack traces in /var ?
  - From: Andreas von Heydwolff <pirmin2@gmx.net>
- Re: crack traces in /var ?
  - From: Andy Firman <list@firman.us>

Prev by Date: Re: Debian/Linux on PW500a
Next by Date: Re: Empty package to facilitate upgrades, can be safely removed. Really?
Previous by thread: Re: crack traces in /var ?
Next by thread: Re: crack traces in /var ?
Index(es):
- Date
- Thread