LinuxQuestions.org
Old 07-02-2011, 01:58 PM   #1
jnolan19
LQ Newbie
 
Registered: Jun 2011
Posts: 2

Rep: Reputation: Disabled
Security question from a CCDC captain.


Hey everybody, this is my first post so I hope I'm doing this right. CCDC stands for Collegiate Cyber Defense Competition. Last year we took second in state from Indiana behind Indiana Tech. This year I am one of the captains. What I believe really took us down was that our CentOS box had been compromised prior to competition and a backdoor was put into the FTP service. I hope someone can inform me on how to check for something like this and, if possible, to correct. Thank you in advance for anyone's help.
 
Old 07-02-2011, 03:32 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
Don't run FTP; unmodified, it transmits passwords as clear text, making you an easy target. Use sftp via the sshd server instead, which is encrypted.
 
Old 07-02-2011, 03:42 PM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
A couple of things to try:

- A file integrity checking system like AIDE, Samhain, Osiris or Tripwire should be installed and configured before the system is connected to the network. Running those scans could tell you if files have been tampered with. Just be sure that the "good" database is protected so it can't be altered if the machine is compromised.

- Check out the verify option for rpm (rpm -V) as that can tell you if something has happened to any official rpm package.
 
Old 07-02-2011, 03:57 PM   #4
jnolan19
LQ Newbie
 
Registered: Jun 2011
Posts: 2

Original Poster
Rep: Reputation: Disabled
I know running FTP is not the smart thing to do, but in this kind of competition this service is a must and has a scoring engine attached to it. If the service is down for more than 10-15 mins, points start getting taken from our team. A quick background of what our team comes into is that the entire IT staff has been fired, but before leaving they have compromised machines. There is no reference machine or "good" database. I was curious if an FTP server with TLS would help with security, but I haven't tried it yet.
 
Old 07-02-2011, 04:01 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
If you're starting with a compromised machine, rpm -Vv should still give you some useful information, unless the RPM database has been compromised as well.
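The rpm -V check suggested in posts #3 and #5 prints one terse attribute string per file, which is easy to misread under time pressure. As an added example (my own script, not anything posted in the thread), here is a small triage that sorts that output into categories; the rpm lines it feeds in are a constructed sample standing in for real output.

```shell
#!/bin/sh
# Added example (not from the thread): triage "rpm -V" / "rpm -Va" output so a
# replaced binary stands out from harmless timestamp or config edits.
# rpm -V prints one line per file that no longer matches the package database:
#   SM5DLUGTP [c|d|g|l|r] /path   ('.' = attribute still matches, '?' = untestable)
#   missing   [c|d|g|l|r] /path   (the packaged file is gone)
# Attribute columns: S size, M mode, 5 digest, D device, L symlink target,
# U user, G group, T mtime, P capabilities; 'c' marks a config file, 'd' a doc.

triage_rpm_verify() {
    awk '
    $1 == "missing" { print "MISSING " $NF; next }
    # Ignore anything that is not a 9-column attribute string (dependency notices etc.)
    length($1) != 9 || $1 !~ /^[SM5DLUGTP.?]+$/ { next }
    {
        path = $NF
        type = (NF == 3 && $2 ~ /^[cdglr]$/) ? $2 : ""
        changed = ($1 ~ /[SM5DLUGP]/)     # any change beyond the mtime column
        if (changed && type == "c")      print "CONFIG-CHANGED " path
        else if (changed && type == "d") print "DOC-CHANGED " path
        else if (changed)                print "TAMPERED " path
        else if ($1 ~ /T/)               print "MTIME-ONLY " path
        else                             print "UNVERIFIED " path
    }'
}

# Only the findings worth looking at first: changed non-config files and deletions.
suspicious_only() {
    triage_rpm_verify | grep -E '^(TAMPERED|MISSING) '
}

# Constructed sample of what "rpm -V vsftpd" might print on a box whose FTP
# daemon binary was swapped out; these lines are made up for this example.
SAMPLE='S.5....T.  /usr/sbin/vsftpd
.......T.  /usr/share/doc/vsftpd/README
S.5....T. c /etc/vsftpd/vsftpd.conf
missing     /etc/vsftpd/ftpusers
??????..?  /usr/share/empty'

# On a real host replace the sample with:  rpm -Va 2>/dev/null | suspicious_only
printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

Hangdog42's caveat still applies: if the RPM database itself was altered, a clean verify proves nothing, so compare against checksums from a trusted copy of the package where you can.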
 
Old 07-02-2011, 04:03 PM   #6
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344
It would help, but you might want to run it in a minimal virtual machine as well. That way, compromising the ftp server doesn't impact the host. With a snapshot or copy of the virtual machine image, in the event it's taken down you can get it back in service in pristine condition in seconds.
 
Old 07-02-2011, 07:05 PM   #7
sunnydrake
Member
 
Registered: Jul 2009
Location: Kiev,Ukraine
Distribution: Ubuntu,Slax,RedHat
Posts: 289
Blog Entries: 1

Rep: Reputation: 61
Back up ALL DATA as soon as an intrusion is detected! Really, the whole hard drive image.
Then run a copy of the disk image in a read-only virtual machine and trace back all the steps that were taken to compromise the system.
Why is a full analysis needed? Because really good attacks include many layers of exploits, so there is no guarantee that the attack compromised only one system and did not leave hidden backdoors in other software.
How to check what was modified? The generic method is to compare files with the default package files and configs. Quick & dirty is to check access logs/file modification times/configs.

There is no way to maintain security on a generic work system. To run a secure box you must use a 5-10 year tested OS core (Linux kernel) and the minimum required amount of services (hand tuned for security), and no bleeding edge or new versions. Government and commercial protected systems have no connection to external networks at all. Another interesting technology is the honeypot.

Last edited by sunnydrake; 07-02-2011 at 07:09 PM.
 
Old 07-03-2011, 10:55 AM   #8
bogie5464
LQ Newbie
 
Registered: May 2011
Posts: 4

Rep: Reputation: 0
You guys are from Indiana? I'm from Indiana and am very interested now. Do you guys have a webpage of some sort?
 
Old 07-03-2011, 12:44 PM   #9
scottrkahler@yahoo.com
LQ Newbie
 
Registered: Jul 2011
Posts: 2

Rep: Reputation: Disabled
one time passwords

Linux does support one time passwords. It may be a good time waster for someone sniffing the packets. It would protect from key-loggers.

http://socsinfo.cs.mcgill.ca/wiki/FTP

http://www.linux.com/learn/tutorials...linux-security
 
Old 07-03-2011, 03:31 PM   #10
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,937

Rep: Reputation: 3619
Disable ftp.

The problem is there is tons of junk on a distro that all has holes in it. NetBSD is claimed to be almost unhackable, but when you start to put apps on it the thing is open to attack.
 
Old 07-05-2011, 07:50 AM   #11
orgcandman
Member
 
Registered: May 2002
Location: new hampshire
Distribution: Fedora, RHEL
Posts: 600

Rep: Reputation: 110
Quote:
Originally Posted by jnolan19
Hey everybody, this is my first post so I hope I'm doing this right. CCDC stands for Collegiate Cyber Defense Competition. Last year we took second in state from Indiana behind Indiana Tech. This year I am one of the captains. What I believe really took us down was that our CentOS box had been compromised prior to competition and a backdoor was put into the FTP service. I hope someone can inform me on how to check for something like this and, if possible, to correct. Thank you in advance for anyone's help.
If this is for a RT/BT or CTF challenge, double check the rules first. Oftentimes, you have restrictions on which services you can or cannot turn off. If this IS for a challenge, you may be starting with a bugged ftp/ssh/whatever application, and it's your job to lock it down and prevent the bug from being exploited.
 