Hello everybody,
here is my big problem:
I'm an admin of a box that has a NAT server behind a router (Cisco); I have 2 addresses on the NAT server, a public and a private one.
The problem is that the admin of the router has discovered that someone has logged into his box (Cisco) using the public address of the NAT server. I thought it was someone who has a private one and is being masqueraded, so I checked all of today's connections (I have a script that does the ipchains -L -M work). The problem is there is no connection to the router over port 23, not one at all. This means the attacker wasn't one of my clients (because I'm the admin of the NAT machine), so I thought about being spoofed: someone got the IP of my NAT server and used it to log in to the router. I even thought my box was compromised; I installed chkrootkit, but it didn't detect anything suspicious. I did this:
grep -r xxx.xxx.xxx.xxx /var/log/ (where xxx.. = ROUTER IP), but nothing much; this connection isn't logged. PLEASE can someone help me, because the boss thinks I'm the attacker since it's my machine. This is the worst thing I had today!
Thanks in advance and sorry for the bad English.
In case of doubt, regard the box as compromised, and act on it.
1. Since the Cisco is involved, please tell us:
- how long ago this incident happened,
- what the exact "evidence" was,
- if the admin took precautions and steps towards recovery and what they were,
- if adjacent boxen, subnets are (to be) investigated.
2. How you handle compromise detection and recovery of your NAT box depends on if the box is critical wrt business or not.
In any case you should:
- officially alert upper mgmnt, local IT dept, Security Officer or Incident Response Team (where available) of a suspected incident. If they are available, let them handle the process and do not access the box,
- let upper mgmnt alert customers or upstream ISP's (where applicable),
- ask assistance from experienced admins if available.
3. Your next step is to isolate the box from the network to remove the risk of it being part of the compromise. Before you do so, please tell us in detail about the box, its services, accounts, upgrades, hardening measures etc. Please provide any details, anomalies you found in authentication, login, user, system or daemon config, resource or log files (and if you're responsible for investigating subnets behind the NAT too).
It would also help to know if there were any modifications made to the Cisco router(?)'s routing table, ACLs, etc... anything different can tip you to where the attack came from.
By the way, this shows why it's generally dangerous to allow IP connectivity for administration of network devices. It's much better (if you can afford it) to use a terminal server connected to the other devices with serial cables (then lock down the terminal server like crazy with IDS, security kernel patches, etc).
Well, first of all thanks for the reply! This helped me so much.
After a long time of investigation I found that my box wasn't involved after all; well, let's say it was just used as a gateway to access the router. Somebody on our staff (who has a private IP) was sniffing the router and doing a grep on each packet going to port 23 (telnet); he got the password that way. After that he logged in, but he doesn't have all privileges (I'm not really a Cisco guru, but they said there is another password to get the root's privileges). Since I'm not the router admin, I just gave the admin some advice: TO USE SSH rather than the insecure telnet. Hope they will listen to me. Thanks again for your advice; now I'm doing some research to set up a really secure machine from scratch! (I hope for good luck.)
Over.
Last edited by freelinuxcpp; 12-31-2003 at 04:17 AM.
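The original poster's check was a manual look at the NAT masquerade table for any client reaching the router on port 23, and the follow-up shows why it came up empty: the table only lists connections that are alive at the moment of the snapshot, so a telnet session that ended earlier leaves no trace there. The script below is an added example, not code from the thread, that automates that check over a saved snapshot and counts, per internal client, how many connections of any kind reached the router. The column layout is modelled on `ipchains -M -L` output but is an approximation, the router address is a placeholder from the documentation range, and the table entries are constructed; running it from a periodic cron job and keeping the flagged lines gives the history the one-off check lacked.

```python
"""Flag masquerade-table entries that reach a router's telnet port.

Added example (not from the thread). Assumes the masquerade table has
been saved to text, one entry per line, in a layout modelled on
`ipchains -M -L` output: proto, expiry, source, destination,
"srcport (masqport) -> dstport". The layout is an approximation.
"""
import re
from collections import Counter

ROUTER_IP = "203.0.113.1"   # placeholder router address (RFC 5737 documentation range)
TELNET_PORT = 23

# Constructed sample snapshot: two header lines followed by four entries.
SAMPLE_TABLE = """\
IP masquerading entries
prot expire   source               destination          ports
TCP  14:59.30 192.168.1.10         198.51.100.7         1034 (61000) -> 80
TCP  02:13.05 192.168.1.22         203.0.113.1          1041 (61001) -> 23
UDP  00:59.00 192.168.1.10         198.51.100.53        1052 (61002) -> 53
TCP  14:30.11 192.168.1.22         203.0.113.1          1043 (61003) -> 22
"""

ENTRY_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<expire>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\d+)$"
)


def parse_entries(text):
    """Return one dict per masquerade entry; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        for key in ("sport", "mport", "dport"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def telnet_to_router(entries, router_ip=ROUTER_IP):
    """Entries whose destination is the router and whose destination port is telnet."""
    return [
        e for e in entries
        if e["proto"] == "TCP" and e["dst"] == router_ip and e["dport"] == TELNET_PORT
    ]


def connections_per_source(entries, router_ip=ROUTER_IP):
    """How many live connections each internal client has to the router, any port."""
    return Counter(e["src"] for e in entries if e["dst"] == router_ip)


def describe(entry):
    """One line suitable for appending to a long-lived audit log."""
    return (f"{entry['proto']} {entry['src']}:{entry['sport']} "
            f"(masq {entry['mport']}) -> {entry['dst']}:{entry['dport']}")


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_TABLE)
    hits = telnet_to_router(parsed)
    if hits:
        print("telnet sessions to the router from masqueraded clients:")
        for hit in hits:
            print("  " + describe(hit))
    else:
        print("no live telnet session to the router in this snapshot")
    for src, count in connections_per_source(parsed).items():
        print(f"{src}: {count} connection(s) to the router")
```

The masquerade port (61001 in the constructed hit) is what the router's own log would show as the source port of the session, so pairing the flagged line with the router-side timestamp ties a session seen on the Cisco back to the internal client behind the NAT.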
As far as I know Cisco doesn't support SSH.
You're right. Cisco has two modes, unprivileged and privileged mode.
In unprivileged mode you can run some show commands and get some information, but to do any configuration you will have to enter privileged mode, which should require a password.