Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Re: Hacker at High School in Saginaw

  • From: Matthew McMahon
  • Date: Tue Mar 09 17:34:35 1999

> Lastly, watch your logs.  Both for traffic coming to the servers and
> for traffic leaving the servers.

A lot of activity does not get logged.  You may want to implement some
kind of tcp/udp/icmp logging.  These utilities will log syslogd entries
like these:

tcplog[100]: port 12345 connection attempt from dialup-...
last message repeated 2 times
tcplog[100]: port 12345 connection attempt from 198.112...
last message repeated 3 times

The above is an attempt to open a NetBus (Win95 backdoor) connection to
my home Linux box.

or, even more interesting:

tcplog[100]: www connection attempt from ieee-store...
tcplog[100]: telnet connection attempt from ieee-store...
tcplog[100]: imap2 connection attempt from ieee-store...
tcplog[100]: sunrpc connection attempt from ieee-store...
tcplog[100]: pop3 connection attempt from ieee-store...
tcplog[100]: port 6000 connection attempt from ieee-store...
tcplog[100]: finger connection attempt from ieee-store...
tcplog[100]: domain connection attempt from ieee-store...
tcplog[100]: netbios-ssn connection attempt from ieee-store...
tcplog[100]: port 1114 connection attempt from ieee-store...
tcplog[100]: tcpmux connection attempt from ieee-store...
tcplog[100]: ssh connection attempt from ieee-store...
tcplog[100]: port 31337 connection attempt from ieee-store...
tcplog[100]: port 2766 connection attempt from ieee-store...
tcplog[100]: smtp connection attempt from ieee-store...

That is a port scan of vulnerable services.  What's really interesting
is that my machine is hanging off a cable modem and nobody really
knows it's there, which means that these are *random* "attacks".  When I
see these, I add them to my hosts.deny to keep them from my inetd
services.

I'd concur that paying close attention to your inetd.conf file and your
startup files - generally /etc/rc.d/rc.* - is the best first step.  Know
what you're running (ps -ax).  Next is to run nmap on yourself in as many
different ways as you have patience for.  Another important thing is to
get rid of ALL unnecessary cgis in your cgi-bin directory.  Of course,
if you aren't running httpd then this isn't an issue.

You can pick up either of these two packages from most linux/unix ftp
sites. Or, get the rpm version from one of the RPM repositories out
there or from RedHat.  Or, grab them from my machine at
ftp://hobie.edzone.net/pub/linux/net

snplog-0_1_tar.gz
iplog-current.tar.gz

Both of these contain the tcp, udp, and icmp logging utilities.  You
will probably not want to run anything except the tcplog utility.  And
even then, be careful which machine you put it on.  If you put it on a
busy server, you'll get a huge log file.  You may want to put it on an
out-of-the-way machine to catch who's scanning your IP range.

Another thing (whew!) is to get rid of the machine/OS/version "banner"
you see when you telnet to your machine.  Many unices place this info
there by default, making it very easy for people to telnet to your
machine, see what you're running and then leave - these are called
"banner grabs".  I get a lot of these, but all they get is "hobie
login:"  It's still easy to figure out what OS you have, but why
advertise it?

- Matt McMahon
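The post above shows tcplog lines and describes reading them by eye and adding scanning hosts to hosts.deny. The following is an added example, not code from the post or from the snplog/iplog packages: it parses syslog lines of that tcplog shape, folds in syslogd's "last message repeated N times" lines, flags sources that swept many ports (a scan) and sources that probed known Windows backdoor ports (12345 is NetBus, 31337 is Back Orifice), and emits tcp_wrappers hosts.deny entries. The log lines, the "hobie" hostname, the source names and the threshold of five distinct ports are constructed assumptions for the demonstration.

```python
"""Scan detection over tcplog-style syslog lines.

Added example; not part of the original post or of snplog/iplog.
The sample log, hostnames and thresholds below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample input in the format tcplog writes via syslogd,
# including syslogd's own duplicate-suppression lines.
SAMPLE_LOG = """\
Mar  9 17:01:02 hobie tcplog[100]: port 12345 connection attempt from dialup-12.example.net
Mar  9 17:01:03 hobie last message repeated 2 times
Mar  9 17:02:10 hobie tcplog[100]: www connection attempt from ieee-store.example.org
Mar  9 17:02:10 hobie tcplog[100]: telnet connection attempt from ieee-store.example.org
Mar  9 17:02:10 hobie tcplog[100]: imap2 connection attempt from ieee-store.example.org
Mar  9 17:02:11 hobie tcplog[100]: sunrpc connection attempt from ieee-store.example.org
Mar  9 17:02:11 hobie tcplog[100]: pop3 connection attempt from ieee-store.example.org
Mar  9 17:02:11 hobie tcplog[100]: port 6000 connection attempt from ieee-store.example.org
Mar  9 17:02:12 hobie tcplog[100]: port 31337 connection attempt from ieee-store.example.org
Mar  9 17:05:00 hobie tcplog[100]: ssh connection attempt from 198.112.0.5
"""

# One regex for both line shapes: a tcplog attempt (service name from
# /etc/services, or "port N" when there is no name) or a syslogd repeat.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:tcplog\[\d+\]: (?:port (?P<portnum>\d+)|(?P<service>[\w-]+)) "
    r"connection attempt from (?P<src>\S+)"
    r"|last message repeated (?P<rep>\d+) times)$"
)

# Well-known backdoor listener ports (assumed mapping for the example).
BACKDOOR_PORTS = {"port 12345": "NetBus", "port 31337": "Back Orifice"}


def parse_tcplog(text):
    """Return [source, target, count] entries from syslog text.

    A 'last message repeated N times' line adds N to the preceding
    tcplog entry; repeats of unrelated syslog lines are ignored.
    """
    events = []
    prev_was_tcplog = False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            prev_was_tcplog = False  # some other daemon's line
            continue
        if m.group("rep"):
            if prev_was_tcplog and events:
                events[-1][2] += int(m.group("rep"))
            continue
        target = m.group("service") or "port " + m.group("portnum")
        events.append([m.group("src"), target, 1])
        prev_was_tcplog = True
    return events


def detect_scans(events, min_targets=5):
    """Sources that touched at least min_targets distinct ports/services.

    Returns {source: sorted list of targets}. A single host hitting many
    unrelated services in one sweep is the pattern quoted in the post.
    """
    targets = defaultdict(set)
    for src, target, _ in events:
        targets[src].add(target)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def backdoor_probes(events):
    """Count attempts per (source, backdoor name), repeats included."""
    hits = defaultdict(int)
    for src, target, count in events:
        if target in BACKDOOR_PORTS:
            hits[(src, BACKDOOR_PORTS[target])] += count
    return dict(hits)


def hosts_deny_lines(scanners):
    """tcp_wrappers /etc/hosts.deny entries refusing every wrapped service
    to each scanning host. Note this only protects services started
    through tcpd/inetd, not daemons that listen on their own."""
    return ["ALL: " + src for src in sorted(scanners)]


if __name__ == "__main__":
    evs = parse_tcplog(SAMPLE_LOG)
    for (src, name), n in sorted(backdoor_probes(evs).items()):
        print(f"{src}: {n} {name} probe(s)")
    scans = detect_scans(evs)
    for src, ports in scans.items():
        print(f"{src}: scanned {len(ports)} targets: {', '.join(ports)}")
    print("\n".join(hosts_deny_lines(scans)))
```

Run it against a real syslog file by reading it into `parse_tcplog` instead of `SAMPLE_LOG`; on a busy server the port threshold will need raising, which matches the post's warning about where to place the logger. Entries written to hosts.deny take effect only for services wrapped by tcpd, so a standalone httpd or sshd not started from inetd is unaffected by them.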
