LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-19-2001, 12:49 AM   #1
mikesvx1
LQ Newbie
PortSentry


Hi All, I recently read a post in this forum stating to use Snort and not PortSentry. I was wondering why this was recommended. Recently, I was hacked and I am using portsentry, I am curious if there is any correlation. Thanks.
 
Old 12-19-2001, 01:42 AM   #2
unSpawn
Moderator
I'm 99% sure it's not related if you mean you could be hacked by exploiting Portsentry *itself*.

Both Portsentry and Snort *cannot* defend your box from being hacked *by themselves*. Snort needs 3rd party apps to, for instance, add offending IP addresses to ipchains/iptables (some are in the "contrib" dir of the tarball). Portsentry can add the offending IP addy's to ipchains/iptables itself.

The major difference between the two is Portsentry only watches for (only!) incoming connections on a port, where Snort filters the whole in/out traffic to determine if traffic has a known/malicious load based on its ruleset. This would lead to the conclusion that Portsentry can be used to just add IP addresses to the deny table/firewall/else (depending on how you deploy it, ok) by just spoofing the source address, where with Snort you would need to add a payload to packets that's considered bad.
A word of caution, because unlike the heuristics used in virus scanners to detect new/morphed viruses, Snort doesn't have capabilities to warn for new or unknown exploits...
That's why I always try to suggest not only keeping an eye on IDS capabilities like Snort, but also on filesystem integrity with a combination of apps like chkrootkit (scanner), rkscan and Aide (file signature checker), Tripwire or Samhain.
If you want to delve into protection a bit more I could also suggest looking into GRSecurity (patch over kernel-2.4.16) or LIDS. GRS and LIDS are able to lock down a system considerably. (I'm using GRS)

You were most definitely hacked through some running networked daemon. Can you tell us how you noted you got hacked? What version of the daemon? Any traces?

Last edited by unSpawn; 12-19-2001 at 01:47 AM.
 
Old 12-19-2001, 11:03 AM   #3
mikesvx1
LQ Newbie
I originally noticed I was hacked when the last login (hostname/date) was not displayed on my login. I then proceeded to check the logs in /var/log. I unfortunately was not able to catch the perpetrator in action and the log files were already removed. I have not had a chance to check more into this event, however it appears that some type of virus was installed on the machine that deletes files as I attempt to read them. I immediately took the system offline after I realized it had been breached.
I have been running WUFTPD on Slackware 7.1 with all the patches, as well as SSH 1.2.30, and the latest Apache WebServer. I also have been running Portsentry. As I examine the system further I'll try to report more to the message board. Any ideas how to retrieve more information on the perpetrators if the logs have been deleted? Thanks
 
Old 12-19-2001, 05:33 PM   #4
unSpawn
Moderator
About the login, it's usually a tool that deletes (u|w)tmp entries. Unfortunately by checking your system (logging in, using file-utils) you updated the access time etc etc on system files, contaminating your box's data, making it harder to get some info (but ok, you couldn't know that). OTOH I think you did *very well* to immediately pull the box off the 'net.

Looking at the first 2 daemons, Wu has a long line of bugs, glitches and whatnot, and since I don't get the impression it's well audited like for instance Solar Designer did with xinetd, I personally won't touch it. I'm running another ftpd w/o probs for 2 yrs now. Running SSH-1.2.30 is kinda bad since Feb of this yr, I'll only mention weak encryption, failure of logging brute force logins and default allowed rootlogins. It's a shame, because the equivalent version of OpenSSH at the time was declared not vulnerable...

Ok, that said undeletion, depending on how much the system has been used in the intermediate period, could still yield some info (as could mem, but that's another story), because normal deletion (vs. secure wiping, or Van Hauser's srm) only frees the inode, and not the actual data.

If you don't think this will be that interesting you could still use an easy and fast method of screening the system for binaries (strings or checksum) depending on what you got. If your distro offers verifying packages from a read-only source (like install cd) you could verify packages from there. The biggest caveat is of course this won't find you any added stuff.

Then you could try screening the box with chkrootkit, preferably compiled and run from a different trusted clean system or one-floppy-distro, bootable OS cd like trinux or possibly finnix, or install cd with rescue shell, where you would mount the hdd, because libs and file-utils will be compromised as well. You could then load a ramdisk, wget chkrootkit, use chkrootkit from there (script at the bottom), redirect output to the ramdisk, and save the disk (poss. with some finds) to another disk/mail it/netcat it to somewhere else.
If you don't want to take the time compiling etc etc and somehow trust me a bit, you could get the static build chkrootkit-0.34-static from my site.

I could go on and on, but I think you want to invest time in rebuilding your box from scratch, instead of muttering "Vewwy well deduction my deaww Watson" for the next few days running stuff like TCT, Lazarus and other intruder discovery apps...

Code:
#!/bin/sh
# ramdisk script: make, save (image to a file) or remove a 4 MB ext2
# ramdisk mounted on /mnt/ramdisk0

case "$1" in
make)
	dd if=/dev/zero of=/dev/ram0 bs=1k count=4096
	if [ ! -d /mnt/ramdisk0 ]; then
		mkdir /mnt/ramdisk0
	fi
	chmod 0755 /mnt/ramdisk0
	mkfs.ext2 /dev/ram0
	mount -t ext2 /dev/ram0 /mnt/ramdisk0
	rm -rf /mnt/ramdisk0/lost+found
	echo "4Mb ramdisk made & mounted on /mnt/ramdisk0"
	;;
save)
	if [ ! -d /mnt/ramdisk0 ]; then
		echo "Ramdisk not loaded?!"
		exit 1
	else
		echo "Which /path/image.img?"
		read img
		if [ ! -f "$img" ]; then
			# flush pending writes, then image the block device
			# (reading the mount point directory with dd fails)
			sync
			dd if=/dev/ram0 of="$img" bs=1k count=4096
			echo "Done!"
		else
			echo "Image $img already exists"
		fi
	fi
	;;
remove)
	# quoted so an empty result (nothing mounted) doesn't break the test
	if [ "$(mount | grep ramdisk0 | gawk '{print $1}')" = "/dev/ram0" ]; then
		umount /mnt/ramdisk0
		rm -rf /mnt/ramdisk0
	else
		echo "Ramdisk not mounted or failure?!"
		exit 1
	fi
	;;
*)
	echo "ramdisk [make|save|remove]"
	exit 1
	;;
esac

exit 0
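An added example of the checksum screening unSpawn describes in post #4 (example code, not from the thread, chkrootkit or any distro's package tools): run from a trusted system against the mounted suspect disk, it compares each listed binary against a manifest taken from a clean install, and it goes one step further than package verification by also reporting files the manifest does not know about, which is the "added stuff" caveat. It assumes sha256sum is available and that the manifest is in sha256sum output format with paths relative to the mounted root; the tiny clean/suspect trees are constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check binaries on a mounted suspect
# filesystem against a checksum manifest produced on a trusted system.
# Assumes sha256sum is available and manifest lines look like sha256sum
# output: "<sha256>  <path relative to the mounted root>".

# verify_against_manifest MANIFEST ROOT
# Prints one finding per line: MODIFIED, MISSING or UNLISTED, then the path.
verify_against_manifest() {
    manifest="$1"
    root="$2"
    while read -r want rel; do
        [ -n "$rel" ] || continue
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"
            continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$have" = "$want" ] || echo "MODIFIED $rel"
    done < "$manifest"
    # Anything present on disk but absent from the manifest. Verifying
    # packages alone never shows these, which is the "added stuff" caveat.
    find "$root" -type f | while read -r f; do
        rel="${f#"$root"/}"
        awk '{print $2}' "$manifest" | grep -qxF -- "$rel" || echo "UNLISTED $rel"
    done
}

# Constructed demo: a tiny "trusted" tree, its manifest, and a "suspect"
# copy with one file altered, one deleted and one extra file dropped in.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/clean/bin" "$demo_dir/suspect/bin"
printf 'clean ls\n' > "$demo_dir/clean/bin/ls"
printf 'clean ps\n' > "$demo_dir/clean/bin/ps"
printf 'clean netstat\n' > "$demo_dir/clean/bin/netstat"
( cd "$demo_dir/clean" && sha256sum bin/ls bin/ps bin/netstat ) > "$demo_dir/manifest"
cp "$demo_dir/clean/bin/ls" "$demo_dir/suspect/bin/ls"   # untouched
printf 'trojaned ps\n' > "$demo_dir/suspect/bin/ps"       # replaced binary
printf 'extra\n' > "$demo_dir/suspect/bin/.hidden"        # not in the manifest
                                                          # bin/netstat: deleted

# demo_findings: the sorted report for the constructed suspect tree.
demo_findings() {
    verify_against_manifest "$demo_dir/manifest" "$demo_dir/suspect" | LC_ALL=C sort
}

demo_findings
```

Run it from the clean rescue environment with the suspect disk mounted read-only and pass that mount point as ROOT; the manifest must come from the read-only install media or another trusted box, never from the suspect disk itself.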
 
Old 12-19-2001, 10:14 PM   #5
mikesvx1
LQ Newbie
Ok, I do remember reading about the problem with SSH, I guess I misread in believing that was a secure server to run. I would like to run SSH and FTPd on this system again at some point. What would you recommend I download to compile? Thanks again.
 
Old 12-20-2001, 01:52 AM   #6
unSpawn
Moderator
I recommend running the latest OpenSSH.

As for ftpd's there's a lot of those out there that are designed with some level of security in mind, and for instance will not rely on using external commands. Personally I've been using Muddleftpd the past 2 yrs w/o probs of the BO kind, but as for your choice of ftpd I think you should investigate how they handle their security context, if they're actively maintained, and what their history is. If you could mention your final choice (hopefully with some motivation) that would be kewl.
 