LinuxQuestions.org
Old 09-21-2005, 12:44 AM   #1
Ionexchange
LQ Newbie
 
Registered: Apr 2004
Location: Tampa, Fl
Distribution: Fedora Core 2 and 3
Posts: 21

Rep: Reputation: 15
Need help finding if I have been ARP-poisoned


It started when I tried to connect to one of my Linux machines, which I'll call FOO, using ssh from another Linux box I'll call BAR, when I got an error that there was a problem with the key and that there may be an eavesdropper. I'm sorry I don't remember the exact message, but I wasn't allowed to log in. So I tried again, and then I was allowed to log in. That got me wondering whether I had ARP spoofing going on, since I have a wireless network and my Linux box is connected via wireless.

I used echolot on BAR and got a message that FOO had a different MAC address. So I used arp -a on FOO. I get a MAC address for my wireless router that is correct; however, when I type ifconfig, the MAC address of the access point is different. Have I been spoofed, and how do I know?

Any suggestions, thanks.

Milton
 
Old 09-21-2005, 08:45 AM   #2
Slim_Pikins
LQ Newbie
 
Registered: Jul 2004
Location: Manchester UK
Posts: 21

Rep: Reputation: 15
Hi

ArpStar and xarp are countermeasures to ARP poisoning attacks; hope this helps.

Slim Pikins
 
Old 09-21-2005, 09:18 AM   #3
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Rep: Reputation: 30
I would suggest using arpwatch.
The message from ssh doesn't mean that someone is using your real MAC. It appears if you reinstall the OS, if the IP changes, etc.
 
Old 09-21-2005, 08:02 PM   #4
Ionexchange
LQ Newbie
 
Registered: Apr 2004
Location: Tampa, Fl
Distribution: Fedora Core 2 and 3
Posts: 21

Original Poster
Rep: Reputation: 15
Thanks for the info. I thought it may have something to do with a change in the IP address, but when I started finding a different MAC address with echolot and arp, I got concerned.


thanks again,
Milton
 
Old 09-21-2005, 08:03 PM   #5
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
If possible, use static IP addresses so you may use static ARP tables.
Also, block ICMP redirects in all machines so no routing tricks that lead to man-in-the-middle may be done.

Check http://seclists.org/lists/bugtraq/1997/Sep/0057.html
 
Old 09-25-2005, 01:01 PM   #6
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 231
ssh host keys

As far as the ssh complaints are concerned, if you want to be really secure, transfer or verify any new host keys (due to benign changes) by physical or other secure medium.

These host keys are in /etc/ssh/*.pub on the ssh server. You can examine them with:
Code:
# one line per server host key: file name, key type, base64 key blob
awk '{print FILENAME "\t" $1 "\t" $2}' \
     /etc/ssh/*.pub | less -S -#32
The matching files on the client are $HOME/.ssh/known_hosts and /etc/ssh/ssh_known_hosts. You can examine them with:
Code:
# client-side cache: host list (or hashed host), key type, base64 key blob
awk '{printf "%-32s %-8s %s\n",$1,$2,$3}' \
       "$HOME/.ssh/known_hosts" | less -S -#40

awk '{printf "%-32s %-8s %s\n",$1,$2,$3}' \
     /etc/ssh/ssh_known_hosts | less -S -#40
At the moment, I only verify changes; but in theory the following man pages:
  • ssh
  • sshd
  • ssh-keygen
contain enough information to figure out how to extract host keys from an ssh server & transfer them to a client.

Last edited by archtoad6; 09-25-2005 at 01:06 PM.
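As an added example, not code from the thread or from archtoad6: a POSIX shell check that compares the key a server publishes in /etc/ssh/*.pub with the entry a client's known_hosts holds for that host, so a "key changed" warning can be confirmed or cleared against a copy of the server's key obtained out of band. The files and key blobs are constructed samples, not real keys.

```shell
#!/bin/sh
# Constructed sample files; the key blobs are placeholders, not real key material.
SERVER_PUB=$(mktemp)   # stands in for /etc/ssh/ssh_host_rsa_key.pub on FOO
FRESH_KH=$(mktemp)     # known_hosts on BAR that matches FOO's current key
STALE_KH=$(mktemp)     # known_hosts on BAR that still holds an older key for FOO
trap 'rm -f "$SERVER_PUB" "$FRESH_KH" "$STALE_KH"' EXIT
cat >"$SERVER_PUB" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED/CURRENT/FOO/KEY root@foo
EOF
cat >"$FRESH_KH" <<'EOF'
foo,192.168.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED/CURRENT/FOO/KEY
bar ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED/BAR/KEY
EOF
cat >"$STALE_KH" <<'EOF'
foo,192.168.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED/OLD/FOO/KEY
EOF

# check_host_key HOST PUBFILE KNOWN_HOSTS
# Prints MATCH, MISMATCH or UNKNOWN and returns 0, 1 or 2. MISMATCH is the
# condition behind ssh's eavesdropping warning: the key the client cached for
# HOST differs from the one the server presents. Whether that is a reinstall
# or a man-in-the-middle has to be settled with a key copied out of band.
check_host_key() {
    host=$1 pub=$2 kh=$3
    type=$(awk '{print $1; exit}' "$pub")   # e.g. ssh-rsa
    blob=$(awk '{print $2; exit}' "$pub")   # base64 key blob
    # known_hosts fields: 1 = comma-separated host list, 2 = type, 3 = blob.
    # Hashed (|1|...) and @marker lines are skipped; use ssh-keygen -F for those.
    awk -v h="$host" -v t="$type" -v b="$blob" '
        $1 ~ /^[|#@]/ || $2 != t { next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) if (hosts[i] == h) {
                rc = ($3 == b) ? 0 : 1
                if (rc) print "MISMATCH"; else print "MATCH"
                exit
            }
        }
        END { if (rc == "") { print "UNKNOWN"; rc = 2 } exit rc }
    ' "$kh"
}

for kh in "$FRESH_KH" "$STALE_KH"; do
    check_host_key foo "$SERVER_PUB" "$kh" ||
        echo "  -> verify FOO's key out of band before trusting this connection"
done
```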