Mandriva 2007.0 on x86_64.
I recently recovered from a rootkit attack (at least I think that's what it was), and I'm now completely paranoid about securing my computer. Quite frankly, I'm not even sure that I've actually recovered from that. I reinstalled the OS, and reformatted all partitions except the /home partition. I've been trying to determine if I made a mistake by not formatting that as well.

I was looking at the System Services menu in Configure your Computer. I have the services iptables, snortd, and shorewall all checked to start up at boot. Only shorewall is shown to be running in the System Services menu.

However, when I look at running processes (ps aux and System Guard), snort is running, but there is nothing that looks like a shorewall process. I'm very concerned about this. How else can I determine if it is actually running? Is it running?
Thanks.
Ferrel
Quote:
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements.
So it sounds like it would arrange for the setup of the firewall rules (probably at boot time), but there would be no ongoing process for you to observe with ps. The firewall is part of the kernel. You can use iptables to see what firewall rules are in place (and make sure they are there!):
The above commands need to be run as root. Unless you are doing something fancy, the tables for the last two rules will probably be empty; the real filtering work is in the tables the first command looks at. You may need to pipe the output into a pager such as less. I have shown the commands the way I usually use them with verbose (-v) and numerical output (-n), which suppresses reverse DNS lookups.
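The check this reply recommends, written out as an added example (not the poster's own commands): since Shorewall leaves no daemon behind, the only evidence that it did its job is the Netfilter ruleset itself. The script below parses the text that `iptables -L -v -n` prints, summarises each chain's policy and rule count, and reports whether the table looks like an untouched kernel (every built-in chain ACCEPT with no rules) or a loaded ruleset. The parsing runs on saved output without root; only the `--live` mode, which calls iptables on the filter, nat and mangle tables, needs it. The two listings embedded below are constructed samples, not output from the poster's machine.

```shell
#!/bin/sh
# Added example, not the poster's commands: confirm that a Netfilter ruleset
# (such as the one Shorewall builds) is actually loaded by reading what
# `iptables -L -v -n` prints. The parsing works on saved output too, so only
# the --live mode needs root. Assumes the listing format shown in the samples.

# summarize_chains: one line per chain, "CHAIN policy=P rules=N", from an
# `iptables -L -v -n` table listing on stdin.
summarize_chains() {
    awk '
        /^Chain / {
            chain = $2
            policy = ($3 == "(policy") ? $4 : "-"   # user-defined chains carry no policy
            order[++n] = chain; pol[chain] = policy; rules[chain] = 0
            next
        }
        /^ *pkts +bytes/ { next }   # column header under each chain
        /^ *$/           { next }   # blank separator line
        chain != ""      { rules[chain]++ }
        END {
            for (i = 1; i <= n; i++)
                printf "%s policy=%s rules=%d\n", order[i], pol[order[i]], rules[order[i]]
        }'
}

# ruleset_state: "loaded" if the table differs from an untouched kernel
# (built-in chains all ACCEPT with no rules), otherwise "empty".
ruleset_state() {
    summarize_chains | awk '
        {
            split($2, p, "="); split($3, r, "=")
            if (p[2] != "ACCEPT" || r[2] + 0 > 0) loaded = 1
        }
        END { print (loaded ? "loaded" : "empty") }'
}

# Constructed sample: what a Shorewall-built filter table can look like.
SAMPLE_SHOREWALL='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  301 24080 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  290 21900 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  301 24080 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample: a kernel on which no firewall script has run.
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

if [ "$1" = "--live" ]; then
    # Real check; must run as root. The filter table is where Shorewall's
    # policies live; nat and mangle are listed for completeness.
    for t in filter nat mangle; do
        echo "== table $t: $(iptables -t "$t" -L -v -n | ruleset_state)"
        iptables -t "$t" -L -v -n | summarize_chains
    done
else
    echo "Shorewall-style sample: $(printf '%s\n' "$SAMPLE_SHOREWALL" | ruleset_state)"
    printf '%s\n' "$SAMPLE_SHOREWALL" | summarize_chains
    echo "Untouched kernel sample: $(printf '%s\n' "$SAMPLE_EMPTY" | ruleset_state)"
fi
```

Run it as `sh check_fw.sh --live` as root on the box in question; without the flag it only demonstrates itself on the two samples. A DROP policy on INPUT and FORWARD plus Shorewall's net2fw/fw2net style chains is the signature of a loaded Shorewall configuration; three ACCEPT chains with zero rules means nothing is filtering at all, whatever the services menu says.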
on my firewall, then I searched both for "netf" (netfilter) & "ipt" (iptables) -- nada. So I agree, the easiest way to see what Shorewall has done is to list your rules. If you use less, I would recommend adding the "-S" option to unwrap long lines (the hor. arrow keys then scroll also).
Take a look at your /etc/shorewall/ files and see if all is configured correctly.
I would suggest you double-check your system. The only time I had a break-in was through an enduser's account. The outside bad guy tried to install a rootkit under the enduser's credentials, which really hosed up the system. The files I found were mostly located inside the /home/enduser's directory.
Thanks very much! I ran these commands and the firewall is running.

I have snort and clamd running, although the clamd is out of date, apparently. It is when I was trying to interpret snort output that I became worried if shorewall was even running or not.

If I install RKHunter now, will it still detect a root kit if my system is compromised? I'm going to try it now.

I can see that I've not taken security issues seriously enough.
Thanks!
Ferrel
I just installed rkhunter and ran a scan! It was very easy (quite unexpected). There were No Vulnerabilities reported.

There was one interesting log entry:
Code:
[16:24:13] Info: kernel is 2.6
[16:24:13] Info: Found /etc/mandrake-release
[16:24:13] Warning: This operating system is not fully supported!
[16:24:13] All MD5 checks will be skipped!
[16:24:13] Info: Full OS name = Mandriva Linux release 2007.0 (Official) for x86_64

What is the nature of this entry?

Also, in the scan output, I saw mention of the word adore but not an actual entry for adore-ng. Does rkhunter scan for adore-ng?
Quote:
If I install RKHunter now, will it still detect a root kit if my system is compromised?
Disclaimer: I have not run RKHunter either. (I am somewhat familiar with chkrootkit)
One thing you should be aware of when using any tool that checks for rootkits is that you cannot trust the standard commands (ls, ps, netstat, etc.) on a potentially compromised system because the rootkit may have replaced these commands with something that hides the rootkit's presence. This, of course, makes looking for rootkits quite tricky. That doesn't mean running a rootkit checker on a normal running system is totally pointless -- it still may find something. It just means that you can't trust a report of a clean bill of health. If the system is already down, you can use a live CD to use guaranteed good binaries (although you lose the ability to check running processes). I'll leave it to others more knowledgeable to go into details on other ways of handling this. I just wanted to alert you to the problem.
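One concrete cross-check for the problem described above, as an added example that is not part of the reply: a trojaned `ps` binary can hide a process from its own output, but it cannot rewrite what the kernel publishes under /proc, so a PID that exists in /proc yet is missing from `ps` deserves a look. The function below compares the two lists; the `--live` mode takes two snapshots a second apart and reports only PIDs hidden in both, which filters out processes that merely started or exited between the /proc listing and the `ps` run. The caveat matches the reply's point exactly: a kernel-level rootkit (adore-ng, which comes up later in this thread, is one) filters /proc as well, so an empty result rules out only the simplest userland case and is not a clean bill of health. The PID lists embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: compare the PIDs the kernel exposes in
# /proc with the PIDs that ps reports. A userland rootkit that replaced ps can
# hide a process from ps but not from /proc; a kernel rootkit hides it from
# both, so this check has a known blind spot and is one layer, not a verdict.

# hidden_pids PROC_LIST PS_LIST
#   Both arguments are newline-separated PID lists (leading blanks and
#   non-numeric entries such as /proc/cpuinfo are ignored). Prints, in numeric
#   order, the PIDs present in PROC_LIST but absent from PS_LIST.
hidden_pids() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' | grep '^[0-9][0-9]*$' | sort -u > "$tmp"
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep '^[0-9][0-9]*$' | sort -u \
        | comm -23 - "$tmp" | sort -n
    rm -f "$tmp"
}

# live_hidden_pids
#   Two snapshots a second apart; only PIDs hidden in both are reported, so
#   short-lived processes (ls and ps themselves included) do not show up.
live_hidden_pids() {
    first=$(hidden_pids "$(ls /proc)" "$(ps -e -o pid=)")
    sleep 1
    second=$(hidden_pids "$(ls /proc)" "$(ps -e -o pid=)")
    tmp=$(mktemp) || return 1
    printf '%s\n' "$second" | sort > "$tmp"
    printf '%s\n' "$first" | sort | comm -12 - "$tmp" | sort -n
    rm -f "$tmp"
}

# Constructed sample: the kernel exposes PID 4242 but ps does not list it.
SAMPLE_PROC='1
2
517
4242
5011
cpuinfo'
SAMPLE_PS='    1
    2
  517
 5011'

if [ "$1" = "--live" ]; then
    out=$(live_hidden_pids)
    if [ -n "$out" ]; then
        echo "PIDs visible in /proc but not in ps: $out"
    else
        echo "no hidden PIDs found (userland check only; a kernel rootkit would pass this)"
    fi
else
    echo "sample check, hidden PIDs: $(hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS")"
fi
```

Running `sh hidden.sh --live` from a live CD's known-good `ps` removes the doubt about the `ps` binary but, as the reply notes, then shows the live CD's processes rather than the suspect system's; on the running system the value of the check is precisely that it does not depend on `ps` being honest.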
The first command checks that the current version is installed.
The second command checks that six databases are up to date.
The third command scans my system and creates a log file which I check regularly. To see what switches are available use
Code:
rkhunter --help
You report the following error:
Quote:
Warning: This operating system is not fully supported!
It means the os.dat file contains no information for your distribution release. You can update os.dat for your system by running the following command as root:
Quote:
hashupd.sh
rkhunter is only one of several layers in your system's security. I also use tripwire (an intrusion detection software). Mandriva comes with msec (a security configuration utility) which allows you to configure many security settings by choosing a security level and an interactive firewall. Finally, a good backup routine will go a long way to reduce your losses in the event of tragedy. I keep an initial image set here. I create a new image set monthly, and run an automated daily incremental backup to catch changed files between monthly imaging sessions. Your needs may differ from mine, so arrange your backup routine to meet your needs.
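The routine this post describes (version check, database update, scan, then reading the log regularly) as an added example that is not the poster's script: the wrapper below runs the three steps in `--live` mode and then pulls only the `Warning:` entries out of the log, each with the follow-up line rkhunter writes after it, so the regular review is a few lines rather than the whole file. The long option names are the ones documented in current rkhunter(8) and the log path is the usual default; both are assumptions to verify against the installed version. The sample log is constructed; its first five lines are the entry quoted earlier in this thread, and the second warning is invented for illustration, not a real finding.

```shell
#!/bin/sh
# Added example, not the poster's script: run the rkhunter routine described
# above and triage the resulting log down to its Warning entries.
# Assumptions: rkhunter's --versioncheck, --update, --cronjob and
# --report-warnings-only options (current rkhunter(8) names) and the log
# location below. Check both against your installed version.

RKHUNTER_LOG=${RKHUNTER_LOG:-/var/log/rkhunter.log}

# warning_count: number of "Warning:" entries in an rkhunter log on stdin.
# Log lines look like "[HH:MM:SS] Warning: text", so the second field is the tag.
warning_count() {
    awk '$2 == "Warning:" { n++ } END { print n + 0 }'
}

# log_warnings: print each Warning entry together with the line rkhunter
# writes right after it (the explanation), indented; everything else is dropped.
log_warnings() {
    awk '
        $2 == "Warning:" { print; want_next = 1; next }
        want_next        { print "    " $0; want_next = 0 }'
}

# Constructed sample log. The first five lines are the entry quoted in the
# thread; the hidden-directory warning is made up for illustration.
SAMPLE_LOG='[16:24:13] Info: kernel is 2.6
[16:24:13] Info: Found /etc/mandrake-release
[16:24:13] Warning: This operating system is not fully supported!
[16:24:13] All MD5 checks will be skipped!
[16:24:13] Info: Full OS name = Mandriva Linux release 2007.0 (Official) for x86_64
[16:24:20] Info: Checking for hidden files and directories
[16:24:20] Warning: Hidden directory found: /dev/.example
[16:24:20]          (constructed sample line, not a real finding)
[16:24:25] Info: Scan completed'

if [ "$1" = "--live" ]; then
    # Must run as root. --cronjob runs the scan non-interactively; a non-zero
    # exit from --update can simply mean the data files were refreshed.
    rkhunter --versioncheck
    rkhunter --update
    rkhunter --cronjob --report-warnings-only
    echo "Warnings in $RKHUNTER_LOG: $(warning_count < "$RKHUNTER_LOG")"
    log_warnings < "$RKHUNTER_LOG"
else
    echo "sample log: $(printf '%s\n' "$SAMPLE_LOG" | warning_count) warning(s)"
    printf '%s\n' "$SAMPLE_LOG" | log_warnings
fi
```

Because the MD5 file checks are skipped when os.dat lacks the release (the warning quoted earlier), a warning-free log from such a run says nothing about modified binaries; run hashupd.sh as the post describes before trusting the file-property results, and keep the firewall and tripwire layers independent of rkhunter's verdict.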