LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-17-2004, 11:53 PM   #31
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69

Quote:
Originally posted by neo77777
wouldn't swear by Cisco Pix - it has its own flaws - implement a stateful firewall solution on your border, Astaro's asl, Smoothwall (linux flavours), you might want to research it farther and get a commercial solution I wouldn't go far to recommend CheckPoint because its best is not for SOHO environment - overkill. Good luck.
What the heck are you talking about? PIX is a stateful firewall. Why would you go from a $15,000 valued (at least, depending on the license and possible hardware cards) commercial product and downgrade to Astaro or Smoothwall? That just doesn't make sense.
 
Old 02-18-2004, 07:42 AM   #32
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Original Poster
Rep: Reputation: 30
It's a PIX 501 with 3DES VPN and a 50 user license. Still overkill, but very effective. Not quite $15,000, but a few thousand if I remember correctly. We used it at work for 2 years without a single problem. We would still be using it at work, but when SBC restored our DSL connection, their installer insisted on installing their Cayman. I was like "whatever" and took the 501 home to "test". I'm still "testing". Maybe I'll buy it if the price it right.

I used to use a Smoothwall Express gateway, but the Pix is small, dead quiet and emits no heat! The Smoothwall was the exact opposite, large and very loud, heating up the closet in about 10 minutes.
 
Old 02-18-2004, 10:33 AM   #33
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Wow, I knew SBC is dumb but that takes the cake... "no, you can't use a proven security device, here use our no-name one instead". WTF kind of service is that?

On the bright side, at least you get to "test" a PIX at home. Most people don't have that luxury
 
Old 02-18-2004, 10:46 AM   #34
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Original Poster
Rep: Reputation: 30
How dumb can SBC be? I guess you didn't read my other post about them accidentally cutting off our DSL service for 10 days! Then instead of using a change order which would send someone out and reroute our line in our wiring closet to turn our old service back on, they put in a new order. Thus the 10 day delay! Then they sent out some rookie installer that had no idea what our situation was and wouldn't work on a PIX. He could only install the Cayman. I even had to put in the port forwarding data because he wasn't allowed to! That is how dumb they can be.
 
Old 02-18-2004, 06:28 PM   #35
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 56
Quote:
Originally posted by chort
What the heck are you talking about? PIX is a stateful firewall. Why would you go from a $15,000 valued (at least, depending on the license and possible hardware cards) commercial product and downgrade to Astaro or Smoothwall? That just doesn't make sense.
I guess I misunderstood your position/company size, your admin activities/powers, etc - of course if you (company you work for) can afford 15 grand for a firewall solution Astaro and Smoothwall fall off the hook. I got an impression your situation reflected SOHO environment, and a PIX was "given" away to you - my point was that if you don't possess a license for the Cisco device all you would have is a firewall w/o future upgrades, etc, and at some point you would be urged to upgrade it.
 
Old 02-19-2004, 12:27 AM   #36
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
BTW CheckPoint has plenty of problems, too. Lately I've been seeing very good things about Netscreen, but now we're waaaaay off topic.
 
Old 10-13-2004, 11:19 AM   #37
varkeys
LQ Newbie
 
Registered: Oct 2004
Location: India
Posts: 3

Rep: Reputation: 0
Hi,

What is the conclusion of this incident? Is it Slammer virus or an attack / Hacker event

Regards,

Sunil
 
Old 10-13-2004, 11:31 AM   #38
varkeys
LQ Newbie
 
Registered: Oct 2004
Location: India
Posts: 3

Rep: Reputation: 0
Hi,

What is the conclusion? Is it a Slammer Virus attack or is it a Hacker?

Appreciate your detail comment on this

Regards,

Sunil
 
Old 10-13-2004, 11:36 AM   #39
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Original Poster
Rep: Reputation: 30
No conclusion. I also have yet to see a similar post on this or any other forum I frequent. It was a silly XP box so I just reloaded the OS and hardened my network. I didn't pursue it any further.

The PIX still works great by the way.
 
Old 10-13-2004, 11:43 AM   #40
varkeys
LQ Newbie
 
Registered: Oct 2004
Location: India
Posts: 3

Rep: Reputation: 0
Hi,

I am a bit curious, a few queries:

In the Snort log it indicates a password change? Was any password changed?

Was there any entry about this event in the security log of the system?

Checked the property of Slammer but couldn't find anywhere mentioned about multiple exploit methods in a short time? So can it be a virus issue?

Sorry for bothering but would appreciate your understanding on this issue

Thanks & Regards,

Sunil
 
Old 10-13-2004, 12:52 PM   #41
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Original Poster
Rep: Reputation: 30
This was a strange event that was only caught because I was in the process of switching from dial-up service to DSL. The log file I posted was actually the Smoothwall Snort log I had set up to use as my router and firewall when my DSL service was turned on, not from my XP machine. Smoothwall was not firewalling the dialup connection but the "as yet to be turned on" DSL service.

Being that my DSL service was not yet active I was still using a dial-up connection from my XP machine to download updates. The person that "got in" got into the XP machine through the dialup then used the XP machine to try to hack in to the Smoothwall router. The log file I posted was after the XP machine had already been compromised. XP, to my knowledge, does not have verbose logging like linux so the info that you are requesting was never logged for review. I don't even have an originating IP address. Like I said previously, I have yet to see a similar "signature" anywhere so I can assume it was a cracker and not a virus, but that is only a guess.
 
Old 10-14-2004, 12:32 AM   #42
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
XP does have an Event Log IIRC; it's just turned off by default. Control Panel -> Administrative Tools should have an option to turn on the Event Log.
 
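Two questions in this thread, whether a password change would show up in the Windows security log and how to get the Event Log turned on, come together in the example below. It is an added example, not something posted in the thread, and it assumes a modern Windows host (Vista or later, where auditpol and Get-WinEvent exist; on XP the equivalent events were IDs 627/628 and auditing was set in Local Security Policy).

```powershell
# Added example (not from the thread): check whether account-management auditing is on,
# then list password-change/reset events from the Security log.
# Assumes Windows Vista or later with PowerShell 3+; XP logged these as events 627/628
# and had no auditpol, so this script is for the modern equivalent of chort's advice.

# 1. Is "User Account Management" auditing enabled? (shows "No Auditing" if not;
#    without it the Security log simply never records password changes)
auditpol /get /subcategory:"User Account Management"

# 2. Pull password change/reset events from the last 7 days.
#    4723 = attempt to change an account's password (user knows the old one)
#    4724 = attempt to reset an account's password (admin-style reset)
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No password change/reset events since $since (or auditing is off)."
} else {
    $events | ForEach-Object {
        # Each event's EventData holds Name/#text pairs; flatten them into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $ok = $_.KeywordsDisplayNames -contains 'Audit Success'
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Id            = $_.Id
            TargetAccount = $d['TargetUserName']   # account whose password was touched
            ChangedBy     = $d['SubjectUserName']  # account that performed the change
            Outcome       = $(if ($ok) { 'Success' } else { 'Failure' })
        }
    } | Sort-Object Time | Format-Table -AutoSize
}
```

A password reset (4724) performed by an account you do not recognise, or at a time nobody was at the keyboard, is exactly the kind of entry this thread was missing because logging was off on the XP box.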
Old 10-14-2004, 01:27 AM   #43
carrie
Member
 
Registered: Sep 2004
Location: liliput - Guinea
Distribution: RH-3
Posts: 68

Rep: Reputation: 15
i just guess why you just don't download the drivers for your modem and forget to use xp for ANY web connection? or a new modem just 10dlls?
 
Old 10-14-2004, 07:47 AM   #44
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by chort
XP does have an Event Log IIRC; it's just turned off by default. Control Panel -> Administrative Tools should have an option to turn on the Event Log.
Chort, thanks for the reply. My comment about verbose logging was regarding the actual content of the log, the "verbosity". In my experience, the logs just weren't that useful, however, I just checked the event logs for my XP machine here at work and it appears that the content of the logs has greatly improved since I last bothered to look at one. I'm running Service Pack 2. Was that changed in the last SP or have I just not been paying close enough attention?

 
Old 10-15-2004, 12:48 AM   #45
m_shroom
Member
 
Registered: Oct 2004
Location: Queen Charlotte B. C. Canada
Distribution: openSUSE 11.1
Posts: 42

Rep: Reputation: 15
Re: **HACKED** Snort log posted

Quote:
Originally posted by ghight
<snip> Proof that Windows should never directly touch the Internet. <snip>
In case you all missed these important words from his first post, the man has it right.
As most of the world still uses windows people that develop web pages need them to check their work and to see how it looks for most users. I have 2 safely hidden behind a Suse firewall.
 
All times are GMT -5. The time now is 06:53 PM.