LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-27-2004, 08:53 AM   #16
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30

I would suggest buying a router, and following its manual to create an effective firewall. I saw a wireless one in PC World being sold for 47, last week.
It is possible to use a Linux box to act as a router, but that is well beyond my skills at the moment.
 
Old 06-27-2004, 09:07 AM   #17
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
What about software firewall?
 
Old 06-27-2004, 09:56 AM   #18
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If your machine has indeed been compromised (esp. multiple times) then re-installing from trusted media is the only way to be sure that a cracker hasn't planted backdoors and rootkits on the system. Using a firewall and/or changing the root password is not enough. In fact by continuing to run a potentially compromised system, you are putting your clients and other systems around you at increased risk as well.

You can backup any human readable files or things you can verify (for example by md5sum), but all other files including binaries and un-verifiable client files should not be retained. Taking the time now to address the compromise properly and to put some forethought into a real security strategy will save you much more time and headaches in the long run. Trying to salvage a cracked box that has clearly shown to be an easy target and may have hidden daemons, sniffers, kernel modules installed on it is really a poor choice.
 
Old 06-27-2004, 11:33 AM   #19
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Fedora 8, Centos 5.1
Posts: 480

Rep: Reputation: 30
After you reinstall, might be a good idea to create a master backup of your /usr / and /etc dirs, and keep it on cd to deal with these unfortunate occurences. Its a lot easier to restore a couple of images from cd than reinstall.
 
Old 06-27-2004, 11:35 AM   #20
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
What if the /usr and /etc foders are "infected"?

Quote:
Originally posted by v00d00101
After you reinstall, might be a good idea to create a master backup of your /usr / and /etc dirs, and keep it on cd to deal with these unfortunate occurences. Its a lot easier to restore a couple of images from cd than reinstall.
 
Old 06-27-2004, 06:54 PM   #21
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,286

Rep: Reputation: 62
For a firewall i would suggest Ipcop or Smoothwall, set them up on a dedicated machine, you can then use the firewall rules and IDS (intrusion detection system) to block unwanted intruders. They are both really easy to configure and usually you'll be up and running within the hour.
 
Old 06-27-2004, 07:26 PM   #22
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
I was recommended APF for firewall.

Anyway I might shell out $90 for this service.
http://www.rfxnetworks.com/linux_appsec_secbundle.php

I have the feeling that this will tighten my security to the MAX.
Do you think I could have done it myself? It looks like a lot of work. Definitely not something for newbie like me.
 
Old 06-27-2004, 11:48 PM   #23
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Rep: Reputation: 30
My recommendation would be to re-install as well. Although you may be able to "reverse" the damage, you would never know if anything else was left behind.

I guess one way you could find what changes were made is to compare the time and date stamps in your log files with the range of files and folders amended within the same timeline. I do understand that you run an ISP service and maybe you could move them (your clients) over to a secondary server while you rebuild your existing server and maybe you ought to seriously consider hardening your server before ever exposing it to the internet. There are plenty of good firewalls. It all depends on what you are willing to spend. A good "free" firewall is fwbuilder you can find at sourceforge.com. However your firewall should be separate from your server e.g. DMZ. I also suggest reading up on UnSpawn's security reference guide

What distribution are you using by the way?
 
Old 06-27-2004, 11:50 PM   #24
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Rep: Reputation: 30
I'm not sure if we are allowed to post services here. if this is not allowed, please remove this post.

cpanelskindepot, if you are in dire need of help I know someone who works at Cisco as a security expert who may be willing to help you at a cost of course. Let me know if you are interested.

Last edited by Obie; 06-27-2004 at 11:52 PM.
 
Old 06-27-2004, 11:53 PM   #25
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Obie, hiring someone who works at Cisco sounds like a lot of money.
I think I will invest $90 in the service I mentioned above.
Anyway if the posting of service related URL is prohibited, moderators please tell me and I will remove it.
I am in no way related to the owner of that website.

Quote:
Originally posted by Obie
I'm not sure if we are allowed to post services here. if this is not allowed, please remove this post.

cpanelskindepot, if you are in dire need of help I know someone who works are Cisco as a security expert who may be willing to help you at a cost of course. Let me know if you are interested.
 
Old 06-28-2004, 04:59 PM   #26
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Rep: Reputation: 30
cpanelskindepot,

I can still ask him. I'll post a reply here if he agrees.

In any case, like the numerous posts here my suggestion is to re-build your server. Hopefully you have a backup of your files prior to being "hacked". Also you may want to consider rebuilding with a hardened "distribution" such as OpenBSD or FreeBSD. If you are using Red Hat (since I'm more exposed to it than other distributions), it's pretty easy and straightforward to harden your server.
 
Old 06-28-2004, 06:25 PM   #27
HadesThunder
Member
 
Registered: Mar 2004
Location: London
Distribution: Mandrake 9.1
Posts: 281

Rep: Reputation: 30
So people can advertise their services on this site?

I know a Linux/Windows/Novell/Unix/Cisco guy who can recover lost data, set up a secure network, repair your Grandmothers Desktop and install what ever you want him to install on your bosses home box. Get your PA to become a CCNA, fly you to the moon for tele sponsorship deal, and Bootleg you a Win98 install for a beer, as I am Gill Gates alta ego Pirate black Beard and all my pirated software is protected by the data protection act.
Terms and conditions apply.
Mods please read this thread before you think about closing it. There is nothing offencive or illegal there. Anyway Mods you Rock
 
Old 06-28-2004, 06:57 PM   #28
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
I think I will go with a rollback. I have a server backup from 14th of this month. And I will isntall tripwire, and harden my kernel (anyone know of any good tutorial for hardening redhat kernel?). Then hopefully it will not get hacked again.
 
Old 06-28-2004, 07:03 PM   #29
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Mods please read this thread before you think about closing it
Thanks, we have been

There is nothing offencive or illegal there
No, but advertising is against the site rules, so please keep the thread on topic. If you wish to discuss/offer comercial services and whatnot, do so off of the forums or see our advertising page. Thank you.
 
Old 06-28-2004, 07:12 PM   #30
cpanelskindepot
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Yeah it gets a little out of control now.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is my server hacked? kazjol Linux - Security 3 10-10-2004 12:09 PM
Server hacked php4u Linux - Security 1 07-05-2004 11:34 AM
server hacked!?!?! vittibaby Linux - Security 1 03-27-2004 12:31 PM
web server hacked. sarin Linux - Security 12 10-05-2002 03:51 PM
pacpac has hacked my server. Help! 360 Linux - Security 10 04-22-2002 03:35 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:58 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration