LinuxQuestions.org
Old 07-19-2007, 02:00 AM   #1
takkhar
LQ Newbie
 
Registered: Jul 2007
Posts: 2

Rep: Reputation: 0
Linux Beginner


I have a small computer installed with Linux in our IT room. Functionally, it works as a firewall.

Now let me come to the point. We had an IT administrator working with us who left a few months ago, leaving us in a situation with no passwords, no user details, not even a single piece of paper related to Linux.

Everything was going well for a few weeks, until we realized that someone connects to our email server and makes changes without our knowledge. And that was happening through the Linux firewall computer, as this guy left a few ports open to connect remotely.

I am standing in that situation where I am just zero in Linux, and especially without any access to Linux because I am standing without any password. In the current situation I am not even able to replace this computer with some ready-made firewall, like Cisco etc., because all the settings are hidden from me.

I would appreciate it if anyone could help me get some information, like how to remove/modify current users with their passwords, and if you could send me some basic commands of Linux to make changes in the configuration of the firewall. Is there any utility available to access it like we do in MS Windows NT, XP, 2000 series?

How to control users downloading from the internet?
How to block online messengers' ports, ports for music, etc.?

Looking forward to your favorable reply.
Takkhar
 
Old 07-19-2007, 05:51 AM   #2
ShellyCat
Member
 
Registered: Jul 2007
Distribution: Slackware 13
Posts: 178

Rep: Reputation: 28
I have a couple questions first:

  1. Do you have a bootable Linux CD (a "live" CD)?
  2. Do you have an account on this machine and the ability to burn a DVD or CD?
  3. Do you have an account on a Windows machine and the ability to burn a DVD or CD there?
If you have or can burn a "live" CD, you can change the system installed on the computer while logged into the "live" system. I recommend this free and cross-platform program to burn CDs and DVDs:

http://www.rocketdivision.com/download_grabandburn.html

Grab & Burn can burn ISOs, and there is no limit on filesize (a lot of "free" programs are just trials where you can't burn anything big enough to be useful without upgrading to the paid version).

Once you get a CD or DVD burned, we can give you instructions to get in there and change the root user's password, so old what's-his-face can't get in there anymore, and you can. (Caveat: disconnect the Linux machine from the Internet while rebooting and changing the password so that jerk isn't in there doing something at the same time you are.)

Then you can hire a good security specialist to find out what he's been doing in there. Then hire a good lawyer to charge him with breaking and entering and sue his pants off.
 
Old 07-19-2007, 09:16 AM   #3
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 469
I have moved your thread to Linux-General. The LUG forum is purely for Linux User Groups (and the discussion of).

Welcome to LQ
 
Old 07-19-2007, 09:28 AM   #4
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
Quote:
Everything was going well for a few weeks, until we realized that someone connects to our email server and makes changes without our knowledge. And that was happening through the Linux firewall computer, as this guy left a few ports open to connect remotely.
If this was true, disconnect the machine from the network now, and effectively cut off all other machines on that network as well.

Quote:
I am standing in that situation where I am just zero in Linux, and especially without any access to Linux because I am standing without any password. In the current situation I am not even able to replace this computer with some ready-made firewall, like Cisco etc., because all the settings are hidden from me.
Sure you can, http://www.smoothwall.org/
Very easy to use and configure, especially for those new to administration.

Quote:
I would appreciate it if anyone could help me get some information, like how to remove/modify current users with their passwords, and if you could send me some basic commands of Linux to make changes in the configuration of the firewall. Is there any utility available to access it like we do in MS Windows NT, XP, 2000 series?
If changes were being made, the former administrator left on bad terms, etc., and you are not able to do good forensics for lack of experience, I would count the former machine as non-existent and start from scratch.

Good luck.
 
Old 07-19-2007, 09:47 AM   #5
monsm
Member
 
Registered: Feb 2005
Location: London, UK
Distribution: Gentoo
Posts: 568

Rep: Reputation: 37
I'd hurry following ShellyCat's advice.

Here's a link on how to change the root password: http://www.linuxquestions.org/questi...d.php?t=569232

Once that's done, you might be able to just close off any outside access in through the firewall.

Which distro is that machine running?
 
Old 07-19-2007, 10:11 AM   #6
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
If unauthorized access has already taken place, I would hardly trust only changing root's password. But I am paranoid and don't like my machines becoming spam bots; maybe others enjoy it.

Last edited by lord-fu; 07-19-2007 at 10:13 AM.
 
Old 07-19-2007, 10:54 AM   #7
ethics
Senior Member
 
Registered: Apr 2005
Location: London
Distribution: Arch - Latest
Posts: 1,522

Rep: Reputation: 45
Quote:
Originally Posted by takkhar
I have a small computer installed with Linux in our IT room. Functionally, it works as a firewall.

Now let me come to the point. We had an IT administrator working with us who left a few months ago, leaving us in a situation with no passwords, no user details, not even a single piece of paper related to Linux.

Everything was going well for a few weeks, until we realized that someone connects to our email server and makes changes without our knowledge. And that was happening through the Linux firewall computer, as this guy left a few ports open to connect remotely.

Looking forward to your favorable reply.
Takkhar
So this guy leaves and now someone is accessing the machine on the ports HE left open, and quite possibly with HIS passwords? Sounds fishy. I'd go take the machine offline immediately, no ifs or buts, just shut it down.

Did he not document ANYTHING on the system? what a crap administrator, good riddance.

As has been indicated by others, your lack of Linux knowledge (this is in no way a derogatory comment), coupled with the fact you have no access to the machine, and have not had since its installation, leaves you with absolutely no idea of the current state of play. I would suggest you (or someone you hire) rebuild the system from the ground up.

A few things to consider (and do some extensive research on if you are to take over the responsibility of this machine):

* iptables (THE Linux firewall, everything else is just an interface)
* Shorewall (Solid system for configuring iptables - heard good things but never used myself)
* The protocols & services the machine needs to allow/block
* snort
* tripwire
* nmap (you can use this from another machine to test which ports the 'possibly compromised' machine has open)

This is a brief list of what I would do; you should also check the security section of these forums for hardening guides and security tips.

This is going to be a massive undertaking if you are to assume control of an important machine on an OS alien to you, it might be best to seek 3rd party help for configuration if machine downtime is not an option.

As for your questions on closing ports, this can be done with iptables, but I implore you NOT to just gain root access and modify the firewall rules; you still have no idea of what is lurking on the system.

Best of luck

Last edited by ethics; 07-19-2007 at 10:55 AM.
 
Old 07-19-2007, 12:07 PM   #8
monsm
Member
 
Registered: Feb 2005
Location: London, UK
Distribution: Gentoo
Posts: 568

Rep: Reputation: 37
It depends on how vital it is to have internet connection for the people there.

If it is not that vital, shut it down and rebuild.

If it is vital, I would quickly prevent this guy logging back in from outside. Then maybe get someone else in to set up a new machine to replace this one, or go through the existing one in detail to check that the machine hasn't been compromised somehow.

If internet connection is vital, you probably haven't got time to learn all this yourself, so getting a reliable consultant in is probably the only option.
 
Old 07-19-2007, 09:40 PM   #9
ShellyCat
Member
 
Registered: Jul 2007
Distribution: Slackware 13
Posts: 178

Rep: Reputation: 28
Disconnect, and keep a copy of the compromised system.

Quote:
Originally Posted by monsm
It depends on how vital it is to have internet connection for the people there.

If it is not that vital, shut it down and rebuild.

If it is vital, I would quickly prevent this guy logging back in from outside. Then maybe get someone else in to set up a new machine to replace this one, or go through the existing one in detail to check that the machine hasn't been compromised somehow.

If internet connection is vital, you probably haven't got time to learn all this yourself, so getting a reliable consultant in is probably the only option.
Absolutely do not stay connected to the Internet through this machine for long. You cannot really tell for sure what this guy has done, or even whether business information has been tampered with.

However, you need to keep the compromised system... either imaged/backed up before you wipe it out, or just keep it as is and rebuild your system on a new machine.

You may be investigating this machine for a long time, not only for legal ammunition but to figure out what kind of sensitive information he may have accessed since leaving the business...depending what kind of business you're in, it may be important that you know. There's even the possibility he's in cahoots with a competitor.

You definitely need to hire professionals to do both the computer forensics and the rebuild for you. This will cost you money, at least for the rebuilding, even if you don't think you want to prosecute the guy. If you have enough proof, you should ask a lawyer how to go about getting restitution. It's possible that future damage to the business itself could cost money, too, and you don't want to trash your options. Keep a copy of that system as is, and don't do anything that will cause more changes to be written to the system! (Yet another reason to immediately disconnect it from the Internet.) Keep it locked up, too.

A Linux expert will know how to go about investigating without making changes to the system. (Seems the most obvious method is also the most simple...booting a "live" CD and poking around the system, reading logs, doing "diffs" to compare the business documents to backups dated before he left, etc).

Make sure you do a background check AND get references on anyone you consider hiring.

Last edited by ShellyCat; 07-19-2007 at 09:42 PM. Reason: spelling
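The "diffs against a backup dated before he left" that ShellyCat describes, as an added example that is not part of the thread: a hash manifest of the suspect tree (read from a read-only mount, so nothing is written to the evidence) compared against the manifest of a trusted backup. It assumes GNU `sha256sum` and `awk`; the backup and suspect trees in `demo` are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a SHA-256 manifest of a file tree
# and compares it with the manifest of a trusted backup, so that changed, added
# and removed files stand out. Point it at a read-only mount of the suspect disk
# from a live CD: it only reads the directories it is given, never writes to them.
# Limitation: file names containing whitespace are not handled (awk splits on it).

# make_manifest DIR: one "hash  ./relative/path" line per regular file, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# compare_manifests BASELINE CURRENT: print ADDED/REMOVED/CHANGED lines, sorted.
compare_manifests() {
    awk 'NR == FNR { base[$2] = $1; next }   # first file: trusted baseline
         { cur[$2] = $1 }                     # second file: suspect tree
         END {
             for (f in cur)  if (!(f in base))                      print "ADDED   " f
             for (f in base) if (!(f in cur))                       print "REMOVED " f
             for (f in base) if ((f in cur) && base[f] != cur[f])   print "CHANGED " f
         }' "$1" "$2" | sort
}

# demo: constructed sample trees standing in for "backup" and "suspect disk".
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/backup/docs" "$t/suspect/docs"
    printf 'quarterly figures\n' > "$t/backup/docs/report.txt"
    printf 'quarterly figures\n' > "$t/suspect/docs/report.txt"    # unchanged
    printf 'original contract\n' > "$t/backup/docs/contract.txt"
    printf 'altered contract\n'  > "$t/suspect/docs/contract.txt"  # modified
    printf 'old memo\n'          > "$t/backup/docs/memo.txt"       # deleted
    printf 'unknown script\n'    > "$t/suspect/docs/dropped.sh"    # new file
    make_manifest "$t/backup"  > "$t/baseline.sha256"
    make_manifest "$t/suspect" > "$t/current.sha256"
    compare_manifests "$t/baseline.sha256" "$t/current.sha256"
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Running `sh manifest.sh demo` reports the altered contract, the deleted memo and the unknown script while staying silent about the unchanged report; in practice the baseline manifest is taken from the backup and kept with the evidence copy.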
 
Old 07-20-2007, 02:05 AM   #10
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
there is a grub cheatcode that can let you log in to the computer as root, I forget what it is though
 
Old 07-21-2007, 04:26 AM   #11
takkhar
LQ Newbie
 
Registered: Jul 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by XavierP
I have moved your thread to Linux-General. The LUG forum is purely for Linux User Groups (and the discussion of).

Welcome to LQ
Thanks for posting the thread to Linux-General. Can you help me get some small book or notes on basic commands of Linux? My email is takkhar@gmail.com; it would be great if you have something in your hand to forward to me.

Many thanks for support.
 
Old 07-21-2007, 01:51 PM   #12
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
If you go to tldp.org they have lots of information on linux
 
Old 07-26-2007, 03:38 AM   #13
ShellyCat
Member
 
Registered: Jul 2007
Distribution: Slackware 13
Posts: 178

Rep: Reputation: 28

Quote:
Originally Posted by takkhar
Can you help me get some small book or notes on basic commands of Linux? My email is takkhar@gmail.com; it would be great if you have something in your hand to forward to me.

Many thanks for support.
Takkhar, I have some small, "pocket reference" books but I don't think they are too good (except the "Knoppix" book, but that's a task how-to, not a command reference). Individually, they will have inaccuracies, be out-of-date, or be incomplete. Combined, they can help you get through, with some online help.

I have some thicker books I haven't read yet. (Yes, I buy books right now that I won't be able to read for 2 years.) The bigger books look very good from flipping through. They should help you understand how to get things done and how your system is set up, and you really need something like them in a corporate environment.

I would suggest searching on Amazon.com. If you have an account, you can add books to a "Wish List", which is great because then it tailors suggestions for you based on your Wish List and past purchases. This feature works very well.

Here are some quick references:
  • Essential System Administration Pocket Reference [isbn 0-596-00449-4]
  • Linux System Commands [isbn 0-7645-4669-4] (the arrangement of the commands is very odd; some common commands are not there, while it has many helpful commands to actually make your work easier)
  • "Sam's Teach Yourself Linux in 10 Minutes" was recommended to me, but I could only find Sam's Teach Yourself UNIX in 10 Minutes [isbn 0-672-31523-8] (a decent intro book; more command-line focused, which is good...some "beginner" books start with the KDE desktop, which is useless if you can't get X configured first)
  • Knoppix Hacks [isbn 0-596-00787-6] (a how-to; look up a task that you need to do; comes with a "live CD" of Knoppix which is great to run and get used to Linux without installing, plus the book author adds some extra tools to his version of the CD)

Here are some thick-book suggestions:
  • Linux Network Administrator's Guide [isbn 0-596-00548-2]
  • Network Security Assessment [isbn 0-596-0011-X]
  • Building Secure Servers with Linux [isbn 0-596-00217-3]
  • Linux Security Cookbook [isbn 0-596-00391-9]

I hope this helps. If you decide to get these books, though, don't get the ISBN I gave you; look for newer versions.

Most important, see if the Linux distribution you are using on that computer has an online manual. Sometimes they make them in a couple of downloadable formats. Save to your Windows machine, save to your Linux machine, save to a CD for access from any machine.

Maybe someone else will have some better suggestions on some quick-command-reference type of books.
 
  


All times are GMT -5. The time now is 05:42 PM.
