
BLU Discuss list archive



My firewall was cracked!



Sorry if I am repeating anything which has already been said...

At least with RH 7.0, I have found that setting up pretty strict
ipchains DENY rules works great, but with RH 7, Redhat made a smart move to
xinetd, and now it's much easier to set up service-based filtering, so, on
the public sites I run, if I need to allow FTP, I drop into the wu-ftpd
xinetd script and manually add an ALLOW FROM string, but deny everything
else. This way, not only do I have IPCHAINS blocking anything from *.aol.com
etc., I have the services themselves only allowing from specific IP ranges.


Just my .0002 cents.


-Jesse

<Note: I do not run firewalls out of general principle; I do all logging and
lockdown on the service machine itself>

-----Original Message-----
From: Debra Douglass [mailto:ddoug at catrio.org]
Sent: Wednesday, February 21, 2001 12:38 PM
To: Christoph Doerbeck A242369
Cc: discuss at Blu.Org
Subject: Re: My firewall was cracked! 


On 2/21/2001, on discuss at blu.org, Christoph Doerbeck A242369 wrote: 
 >>
 >>Well, it wasn't mine, but a friend's firewall box (i486 running Slackware)
 >>was recently cracked (notice that I used the proper term).
 >>
 >>Anyway, his system was supposedly tied down pretty good.  All exterior
 >>facing services were additionally shunted by ipchains rules,
 >>yet someone still managed to get on and start unpacking a rootkit
 >>of some kind.
 >>
 >>Fortunately the kit was tailored for RedHat, and that's how he detected
 >>that he had been violated.  A lot of system binaries (ls, df, login) were
 >>replaced and because they were RedHat built they didn't work on his
 >>Slackware system.  I'm not sure of the exact details but...
 >>
 >>Assuming he had a good firewall configuration, does anyone have hints on
 >>what exploits the cracker may have used to get access?

My system (RH6.2) was broken into similarly three months ago and the
entry point was a root shell access bug in wu-ftpd. I've since changed
to proftpd and tightened up my rules. Two things made it very easy to
identify and recover from this break-in. I was running tripwire, which
let me know exactly which files were added or changed, and I was
running logwatch, which let me know who did what and when.

I'm not running a Linksys firewall but I am running a simple
ipchains-based firewall script. Any ports that are open in a firewall
are suspect and that is the best argument I've seen for logging both
denied AND accepted packets.

-Debra
-- 
.------------------------------------------------------------------.
|Debra Douglass          ddoug at catrio.org     http://www.catrio.org|   
`------------------------------------------------------------------'
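The file-integrity check Debra credits for spotting the replaced binaries can be illustrated with a small tripwire-style script. This is an added example, not code from the thread or from Tripwire itself: it hashes a directory tree into a baseline, then diffs a later scan against it; the sample "bin" directory and the simulated replacement of ls are constructed here.

```python
# Added example (not from the BLU thread): a minimal tripwire-style
# integrity check. Build a baseline of file hashes, then compare a later
# scan against it to report added, changed and removed files.
import hashlib
import os
import tempfile


def hash_file(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its hash.
    Symlinks are skipped so a link swap shows up as a removed file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return (added, changed, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return added, changed, removed


def demo():
    """Constructed scenario: a fake bin/ with ls, df and login; afterwards
    ls is overwritten, login disappears and an unexpected file appears."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "df", "login"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = build_baseline(root)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"replaced ls")            # binary swapped out
        with open(os.path.join(bindir, "extra"), "wb") as f:
            f.write(b"unexpected new file")    # file dropped in
        os.remove(os.path.join(bindir, "login"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only proves anything if it was taken before the compromise and stored somewhere the host cannot rewrite, which is why Tripwire keeps a signed database.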


-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org