[ale] Linux Firewall

Russell Enderby Russell.Enderby at arris-i.com
Thu Apr 8 15:00:01 EDT 1999


Mark,

I recommend that you first go to RedHat and go through the errata and make
sure your 5.0 is up to date on all of the patches.  There are many holes in
all the stock installs and you will need to patch them all if you have not
done so already.

Now if a hacker got in with one of those remote access entries it is assumed
they got a ton of your accounts.  Assuming this, backdoors may be in place,
and security holes that can be run via shell are now also issues (if you are
running telnet, rlogin, rsh, or ssh).

You should get a copy of linuxrootkit IV and print out what files it messes
with, as I have had trouble with this in the past.  It automatically modifies
/bin/login, finger, who, ps, and all the other critical files to allow
them to be invisible on the system without you even knowing.  Grab this from
my personal stash at: http://www.gdn.net/~rte/security/ (this is far from up to
date on exploits since they come out daily, but it happens to have the one prog
you may be interested in checking and learning about).  If anyone else has
some good stuff to add to it, send it to rte at gdn.net and I'll slap it on the
stash list if it is good.

I would recommend, to catch your perps, that you put up a sniffer (linsniff works
well).  You might have to hack it to throw in the time and date on entries,
as I have done, but it will at least tell you anyone coming in via any port
as long as it is NOT ssh (shut down ssh during this time so you can log this
info).

Shut down stuff in your inetd.conf (imap, and other services known to have holes
in them that you're not using; if it's your firewall you probably should have almost
all of them shut down, depending on the services you're running).

Next make sure all of your suid files are shut down; do a scan with "find /
-perm +a+s -print > suids" and it will print all the suid files on your
system.  This is the first thing you should do when you set up a fresh
install.

Finally, if you still have issues, go to rootshell.com or similar exploit sites
and see what is new that they may be nailing you with.

Hope this helps,
Russell Enderby
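The suid scan above is most useful when it is saved as a baseline from a clean install and re-run later, since a rootkit that swaps /bin/login or ps leaves a changed hash behind even when the file list looks the same. The script below is an added example, not part of the original post; it assumes GNU find, stat and sha256sum, and the paths in its usage lines are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Snapshot every setuid/setgid
# file with its mode and SHA-256, store that as a baseline after a clean
# install, and diff later runs against it. Run the tools from trusted media:
# a rootkit that replaces ps/login can just as easily replace find/sha256sum.

# List every setuid or setgid regular file under $1 (one filesystem only).
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort
}

# One tab-separated line per privileged file: octal mode, sha256, path.
snapshot_suid() {
    list_suid "$1" | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(stat -c %a "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

# Compare a fresh snapshot of $1 with the baseline file $2. Prints NEW,
# CHANGED or GONE followed by the path; exits 0 only if nothing differs.
compare_suid() {
    snapshot_suid "$1" | awk -F'\t' -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, a, "\t"); old[a[3]] = a[1] "\t" a[2]
            }
        }
        {
            seen[$3] = 1
            if (!($3 in old))               { print "NEW " $3;     bad = 1 }
            else if (old[$3] != $1 "\t" $2) { print "CHANGED " $3; bad = 1 }
        }
        END {
            for (p in old) if (!(p in seen)) { print "GONE " p; bad = 1 }
            exit bad
        }'
}

# Usage (placeholder paths):
#   snapshot_suid / > /mnt/readonly/suid.baseline   # once, on a clean box
#   compare_suid / /mnt/readonly/suid.baseline      # later, to check
```

Keep the baseline off the box (or on read-only media), since an intruder with root can rewrite a baseline stored locally just as easily as the binaries it describes.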

Mark Bedish wrote:

> Hi,
>
> First off let me just say that I've learned quite a bit just being on
> the list and appreciate the frank discussion. I'm no expert at anything,
> just like to dally in different things, but I have a question that I
> hope someone out there can give me guidance on.
>
> The company I work for uses a linux box running RedHat 5.0 as our
> firewall, gateway to the Internet and to forward email to our internal
> mail server. Recently we were hacked by someone using an "eggdrop", or
> something of the sort, that set up users with root privilege. We were
> alerted to the fact that this had happened when our mail service failed:
> the intruder changed the IP address in resolv.conf and changed our.
> Because of this break in, we went through and removed all the services
> that seemed excessive to our base needs and patched ftpd, because we
> believed at the time that is how they got in; /var/log/messages showed
> that the process running anonymous ftp overflowed a stack buffer, and
> after that moment the intrusion began.
>
> Well it appears that we have been hacked again, with someone setting up
> users with root privilege. No damage has been done, thankfully, but it is
> a little disconcerting. This time there is no clear indication of how
> they got in. Should I disable anonymous ftp? Has anyone else experienced
> anything like this or have any suggestions? We are planning an upgrade
> to 5.2 soon.
>
> Thanks,
> Mark Bedish
> GWiz Systems, Inc.