Old 04-25-2001, 05:22 PM   #1
nabil
Member
 
Registered: Feb 2001
Location: MI, USA
Distribution: Debian Linux 100% GNU
Posts: 210

Rep: Reputation: 31
Damn Redhat 7.0. I can't believe it. I got hacked again. What a joke Redhat is putting on. Their OS is as secure as a doornail. I had SUSE 7.0 running for more than a year before and I didn't have any signs of intruders. I wonder and question the security integrity of Redhat 7.0. Does anyone know of any serious exploits or anything? It does not look like he damaged anything, but the funny thing is that both my telnet daemon and my lpd daemon were down, and that's when I decided to check for unusual stuff. I turned off telnet and ftp, and also made sure that ssh is turned off. What other ports do I need to turn off? I must keep HTTP, SMTP and POP3 open.

 
Old 04-26-2001, 08:31 AM   #2
Helixx
LQ Newbie
 
Registered: Apr 2001
Posts: 6

Rep: Reputation: 0
Sounds like the same thing that happened to me. I get hacked by the same guy(s) twice a day.
 
Old 04-27-2001, 04:14 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
I have to disagree. I've used just about every OS there is, "even the AS400 nightmare", and I've found RH to be the best all-round secure system.
I've also found that lots of the large financial companies use RH systems to secure and monitor front-line NT boxes.
It's how you manage the system that makes it secure.

Anyway....
The easy way to stop them is to make it so they only have a few options to get in.

1. Put up a firewall that only allows access to your website & POP & SMTP from destination ports above 1023, then deny all other access.
Switch off other things like ping etc.

Now the only way in is through these services.
Now patch these services.
Now build an IDS system that will notice this and reject them forever the next time they try anything.

/Raz
 
Old 04-28-2001, 07:19 PM   #4
nabil
Member
 
Registered: Feb 2001
Location: MI, USA
Distribution: Debian Linux 100% GNU
Posts: 210

Original Poster
Rep: Reputation: 31
Well, firewalls are nothing but another machine to hack into.
You hack into one, then you do the next one behind it.
So what is the difference? You lock up everything you've got with a useless firewall, then you end up getting hacked anyway. I personally think that there is something wrong with Redhat really. It seems an easy target for hackers... I am not a hacker so I could not tell you how easy it is, but I have been a victim of 2 hacks already in less than 3 months. Luckily I had a good backup system implemented and I was able to restore everything like it used to be, including user accounts and passwords, email and the whole works from 1 day before. But the question is still there. How much really can we trust the OS our server is running? Redhat can tell you theirs is so secure and impossible to break into, and the next day some kid gets in with no problem. I have to have telnet and ftp open. I can't just close these ports and live with it.
I dunno, I give up... Do you have any good suggestion for another useless, easy-to-set-up firewall?
 
Old 04-29-2001, 06:51 AM   #5
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Is your RH 7.0 up to date? There were a few rather major exploits found in the Red Hat distributions recently. Check with http://www.redhat.com to see if there are any security upgrades.

The idea of a firewall is to separate the outside from the inside and to make it as invisible as possible. This way you can minimize open ports to the internet and still have full functionality inside. You can also do IP translation so that your internal network isn't revealed.
 
Old 05-14-2001, 02:53 AM   #6
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Rep: Reputation: 15
<offtopic>
A distro is as secure as you make it...
</offtopic>
 
Old 05-14-2001, 01:14 PM   #7
Dallam
Member
 
Registered: Apr 2001
Location: England
Distribution: SuSE 7.1
Posts: 63

Rep: Reputation: 15
Hi,
Personally, if I were you, first I would make sure I had all the current security patches for my distro installed. Then I would install a good firewall, and also probably nmap. Using nmap I would scan and find what ports I had open and what was using them, and close as many as possible. If I knew for sure that I was "hacked" I would run chkrootkit to check for the presence of a rootkit. True words: your system is only as secure as you make it. In a perfect world we wouldn't have lame script kiddies, but in fact we do. If you go online without good security you are only inviting trouble.
When selecting a firewall, I would suggest something a bit better than some of the "advanced" packet sniffers out there.

Dallam
 
Old 05-15-2001, 07:14 AM   #8
bako
Member
 
Registered: Sep 2000
Location: Haarlem, The Netherlands
Distribution: Freesco, RedHat, Debian
Posts: 41

Rep: Reputation: 15
I agree... any machine (it doesn't really matter which OS) is as secure as you make it... but for instance to secure an NT server correctly you need to disconnect virtually everything (modems, keyboard, the works) and as for Linux it is much easier...

I use Freesco (http://www.freesco.org/) on a separate machine to secure my cable connection, which is on 24 hours a day, but basically it's nothing more than just having one machine with no services running on the internet side... so those lame script kiddies can try, but there's nothing there.

 
Old 05-16-2001, 02:28 AM   #9
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Rep: Reputation: 15
Unless of course you forward incoming connections or a malicious user opens an ssh tunnel to the outside.

Quote:
Dallam wrote:
When selecting a firewall, I would suggest something a bit better than some of the "advanced" packet sniffers out there.
On a gateway, when you use <insert your packet filter here>, possibly in combination with <insert your application firewall here>, and of course a good set of firewall rules (it's all about the rules...), your firewall should be safe from _most_ threats from the [in|out]side.

If on the other hand you leave your firewall wide open and never install the patches, why even bother to install one....

Dallam, what would you advise then?

[Edited by r3b00t on 05-16-2001 at 03:31 AM]
 
Old 05-16-2001, 02:49 AM   #10
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Rep: Reputation: 15
Nabil, to get back to your question: start all services and do a netstat -an|grep LISTEN to see which ports to leave open.
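A check of the kind r3b00t describes, written up here as an added example that is not part of the original thread: it reads the output of netstat -an (a constructed sample is embedded below, not taken from nabil's machine) and flags every listening socket that is not on the short list of services the server is meant to offer. The allowlist "80 25 110" and the sample lines are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: compare what a box actually listens on against the
# services it is supposed to expose. Constructed sample of
# `netstat -an | grep LISTEN` in Linux format (not real output).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN'

# listening_ports: read netstat output on stdin and print "proto port" for
# every LISTEN socket bound to a non-loopback address (IPv4 assumed), one
# per line, sorted and unique. Field 4 is the local address, last field
# the state; the port is whatever follows the final colon.
listening_ports() {
    awk '$NF == "LISTEN" && $4 !~ /^127\./ {
            n = split($4, a, ":"); print $1, a[n]
         }' | sort -u
}

# unexpected_ports: print the listening sockets whose port is not in the
# allowlist given as "$1" (a space-separated list of port numbers).
# Everything printed here is something to close or to explain.
unexpected_ports() {
    allow=" $1 "
    listening_ports | while read -r proto port; do
        case "$allow" in
            *" $port "*) ;;                 # wanted service, stay quiet
            *) echo "$proto $port" ;;       # not on the list: investigate
        esac
    done
}

# Usage on the constructed sample: the server is meant to offer only
# HTTP, SMTP and POP3, so ftp (21), telnet (23) and lpd (515) get reported.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "80 25 110"
```

On a live box replace the sample with `netstat -an | unexpected_ports "80 25 110"`; anything it prints is a daemon that either should be stopped or needs a reason to exist.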
 
Old 05-16-2001, 03:34 AM   #11
Dallam
Member
 
Registered: Apr 2001
Location: England
Distribution: SuSE 7.1
Posts: 63

Rep: Reputation: 15
Hi all,
Well, first off I am real touchy about my computers. The thought of being hacked doesn't scare me...it pi**es me off.
First off, do some reading. Start with these:

http://www.suse.de/~marc/

http://www.oreillynet.com/pub/a/linu..._firewall.html

Rather than tell you all I have done to make my systems secure, I think if you read these and follow some links you will be better off.
One other thing: I learned not to use programs like ICQ clones and mail managers... they leave ports open. Also, I don't use software that is known to be vulnerable to exploits, or new software that has earlier versions that were vulnerable. If a software manufacturer has a history of buggy software, I don't want it.

Anyway, enjoy the reading and let me know what you decide to do. There are lots of credible resources out there on good security.
Dallam
 
Old 05-16-2001, 04:25 AM   #12
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Rep: Reputation: 15
About those ICQ-like apps, shouldn't the following netfilter (2.4.x) rules enable them:

-------
# inbound packets from the service's port, only for connections already tracked
iptables -A INPUT -p tcp --sport <destination port> -d <your ext ip> -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --sport <destination port> -d <your ext ip> -m state --state ESTABLISHED,RELATED -j ACCEPT
# outbound connections to the service's port, tcp and udp, new or tracked
for port in <destination ports>; do
iptables -A OUTPUT -p tcp --dport $port -s <your ext ip> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport $port -s <your ext ip> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# anything not matched above is dropped
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

<note>
this is an example, do not use unless modified and tested
</note>
-------

Of course, you'll need to look up the correct protocols and ports.

A good book about firewalls is O'Reilly's "Building Internet Firewalls" (this is like the bible to me).

Kiddies p#$%#% me off too, but with the proper security measures, auditing and user training, there's (well almost) nothing to worry about...

Dallam, why not use software which previously was vulnerable? I mean, the Linux kernel did have some vulnerabilities in the past, do you use it now?

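A complete stateful rule set for the server case discussed in this thread (only HTTP, SMTP and POP3 reachable from outside, replies to tracked connections allowed, everything else dropped), as an added example that is not r3b00t's rules or anyone else's from the thread. The external address 192.0.2.10, the service list and the DRY_RUN switch are assumptions of this example; every rule carries an explicit `-j` target, since a rule without one matches packets but changes nothing.

```shell
#!/bin/sh
# Added example: generate (or apply) a netfilter/iptables rule set for a
# host that should expose nothing but HTTP, SMTP and POP3. With DRY_RUN=1
# (the default here) the commands are printed instead of executed, so the
# rule set can be reviewed before it touches a live box.
DRY_RUN="${DRY_RUN:-1}"
EXT_IP="${EXT_IP:-192.0.2.10}"      # placeholder address, assumption of this example
SERVICES="${SERVICES:-80 25 110}"   # tcp ports that may receive NEW connections

# ipt: print the command in dry-run mode, otherwise run iptables for real.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    ipt -F
    # Loopback traffic never leaves the machine.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections the state table already knows about.
    ipt -A INPUT -d "$EXT_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -s "$EXT_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound connections only to the listed services, and only from
    # unprivileged client source ports (the "above 1023" idea from raz).
    for port in $SERVICES; do
        ipt -A INPUT -p tcp --sport 1024:65535 --dport "$port" -d "$EXT_IP" \
            -m state --state NEW -j ACCEPT
    done
    # Outbound connections the mail server itself needs: SMTP delivery and DNS.
    ipt -A OUTPUT -p tcp --dport 25 -s "$EXT_IP" -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -s "$EXT_IP" -m state --state NEW -j ACCEPT
    # Rate-limited log line for whatever falls through, then the policy drops it.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    # Default policies go last so an admin on the console is never locked
    # out between setting DROP and adding the ACCEPT rules.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

# accept_rule_count: how many ACCEPT rules the set contains (dry-run only).
accept_rule_count() { firewall_rules | grep -c -- '-j ACCEPT'; }

firewall_rules
```

Run it as `DRY_RUN=1 sh firewall.sh` first and read every line; with `DRY_RUN=0` it applies the rules. Telnet and ftp are deliberately absent: nothing in this set lets a new inbound connection reach them, which is the point of closing the ports nabil asked about.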
 
Old 05-16-2001, 04:47 AM   #13
Dallam
Member
 
Registered: Apr 2001
Location: England
Distribution: SuSE 7.1
Posts: 63

Rep: Reputation: 15
r3b00t,
My decision about not using certain software is a personal choice made after years of seeing certain software manufacturers release the same buggy stuff in a new, brighter package every 6 months to a year. Granted, this was under windoze. Of course I now use Linux. However, the difference as I see it in regards to your question is that through forums such as this, LUGs and BBSs, bugs in most releases are fixed almost as soon as they are found. This doesn't give much time for someone to discover a vulnerability and wreak havoc with it. As you are aware, under other OSs the bug fix is not so quick, making a normal user vulnerable for an extended period of time. (To wit: yet another massive hack of Microsoft's servers over the past week or so.)
Also, you will note that one of the URLs in my last post refers to oreillynet.com, which I consider to be an excellent source of information on firewalls for anyone. There are many ways of setting up secure systems; it mostly depends on what you want to use your system for. Whatever works for you works...
Bye,
Dallam

 
Old 05-18-2001, 05:30 PM   #14
mikez
Member
 
Registered: May 2001
Location: New York
Distribution: Debian, Ubuntu
Posts: 83

Rep: Reputation: 15
All distributions have problems...

Every distribution of Linux is going to have its exploits and problems one way or the other. My friend who runs an RH 6.2 box has never got hacked because he keeps good tabs on his system, uses all recent patches, knows what he is doing, and uses a hardware firewall. It also depends on what ports you have open, like http, ssh, pop3... also close all unused open ports.
 
Old 05-18-2001, 06:43 PM   #15
nabil
Member
 
Registered: Feb 2001
Location: MI, USA
Distribution: Debian Linux 100% GNU
Posts: 210

Original Poster
Rep: Reputation: 31
I had http, smtp, pop3, ftp and telnet open. Everything else was closed. I went ahead and closed telnet and left the others open. I also upgraded to Redhat Linux 7.1 using the 2.4.4 kernel. At one point I had an ipchains firewall set up between the server and the internet, but it crashed and I never replaced it. Anyway it was useless because it was just one extra step for them to get through. Also I had problems with sendmail. Mail servers such as Yahoo and Hotmail thought my sendmail was a spammer because the connection was forwarded from a local IP on the server to the internet IP on the firewall.
Let's assume that I close all ports except 80 and 25. Would that make my server secure, or is there still a chance that someone can easily hack these ports too if no firewall is running?
 