Sorry if I am repeating anything which has already been said... At least with RH 7.0, I have found that setting up pretty strict ipchains DENY rules works great, but with RH 7, Red Hat made a smart move to xinetd, and now it's much easier to set up service-based filtering. So, on the public sites I run, if I need to allow FTP, I drop into the wu-ftpd xinetd script and manually add an ALLOW FROM string, but deny everything else. This way, not only do I have ipchains blocking anything from *.aol.com, etc., I have the services themselves only allowing from specific IP ranges. Just my .0002 cents.

-Jesse

<Note: I do not run firewalls out of general principle; I do all logging and lockdown on the service machine itself>

-----Original Message-----
From: Debra Douglass [mailto:ddoug at catrio.org]
Sent: Wednesday, February 21, 2001 12:38 PM
To: Christoph Doerbeck A242369
Cc: discuss at Blu.Org
Subject: Re: My firewall was cracked!

On 2/21/2001, on discuss at blu.org, Christoph Doerbeck A242369 wrote:
>>
>> Well, it wasn't mine, but a friend's firewall box (i486 running Slackware)
>> was recently cracked (notice that I used the proper term).
>>
>> Anyway, his system was supposedly tied down pretty good. All exterior
>> facing services were additionally shunted by ipchains rules,
>> yet someone still managed to get on and start unpacking a rootkit
>> of some kind.
>>
>> Fortunately the kit was tailored for RedHat, and that's how he detected
>> that he had been violated. A lot of system binaries (ls, df, login) were
>> replaced and because they were RedHat built they didn't work on his
>> Slackware system. I'm not sure of the exact details but...
>>
>> Assuming he had a good firewall configuration, does anyone have hints on
>> what exploits the cracker may have used to get access?

My system (RH6.2) was broken into similarly three months ago and the entry point was a root shell access bug in wu-ftpd. I've since changed to proftpd and tightened up my rules.

Two things made it very easy to identify and recover from this break-in. I was running tripwire, which let me know exactly which files were added or changed, and I was running logwatch, which let me know who did what and when. I'm not running a Linksys firewall but I am running a simple ipchains-based firewall script. Any ports that are open in a firewall are suspect, and that is the best argument I've seen for logging both denied AND accepted packets.

-Debra
--
.------------------------------------------------------------------.
|Debra Douglass ddoug at catrio.org http://www.catrio.org|
`------------------------------------------------------------------'

- Subscription/unsubscription/info requests: send e-mail with "subscribe", "unsubscribe", or "info" on the first line of the message body to discuss-request at blu.org (Subject line is ignored).
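The per-service filtering Jesse describes is done in xinetd with the `only_from` directive (the deny side is `no_access`); a stanza that sets neither is reachable from any source the packet filter lets through, which is exactly the situation in which a wu-ftpd hole is exposed to the whole Internet. The audit below is an added example, not code from anyone in this thread: it parses xinetd service stanzas and flags enabled services that carry no `only_from` restriction. The two wu-ftpd stanzas are constructed for the example (the hardened one mirrors what Jesse describes), and 192.0.2.0/24 is a documentation prefix, not a real site. One caveat: the check reads a single file, so an `only_from` inherited from the `defaults` block in /etc/xinetd.conf would not be seen.

```python
"""Audit xinetd service stanzas for missing per-service source restrictions.

Added example, not code from the BLU thread.  xinetd's directive for
"allow from" is `only_from`; `no_access` is the deny side.  A service with
neither accepts connections from any address the packet filter admits.
"""
import re
from typing import Dict, List

# Constructed sample: a wu-ftpd stanza with no source restriction, as a
# stock /etc/xinetd.d/wu-ftpd might look ...
WEAK_STANZA = """
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    disable         = no
}
"""

# ... and the same stanza restricted to one range, with one host inside it
# denied.  192.0.2.0/24 is a documentation prefix used here as a placeholder.
HARDENED_STANZA = """
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    disable         = no
    only_from       = 192.0.2.0/24
    no_access       = 192.0.2.5
}
"""

_STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
_ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {service_name: {attribute: [values]}} for every service stanza.

    Handles '=' (assign), '+=' (append) and '-=' (remove) as xinetd does;
    '#' comments are stripped and values are split into whitespace tokens.
    """
    services: Dict[str, Dict[str, List[str]]] = {}
    for name, body in _STANZA_RE.findall(text):
        attrs: Dict[str, List[str]] = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0]
            m = _ATTR_RE.match(line)
            if not m:
                continue
            key, op, value = m.groups()
            tokens = value.split()
            if op == "=":
                attrs[key] = tokens
            elif op == "+=":
                attrs.setdefault(key, []).extend(tokens)
            else:  # "-="
                attrs[key] = [t for t in attrs.get(key, []) if t not in tokens]
        services[name] = attrs
    return services


def audit(text: str) -> List[str]:
    """Return one finding per enabled service that is reachable from anywhere."""
    findings = []
    for name, attrs in parse_xinetd(text).items():
        if attrs.get("disable", ["no"])[0].lower() == "yes":
            continue  # a disabled service is not listening at all
        only_from = attrs.get("only_from", [])
        # No only_from, or one naming the whole Internet (xinetd treats
        # 0.0.0.0 as matching every address), is no restriction; no_access
        # alone still admits every source it does not list.
        if not only_from or "0.0.0.0/0" in only_from or "0.0.0.0" in only_from:
            findings.append(f"{name}: no only_from restriction; "
                            f"relies entirely on the packet filter")
    return findings


if __name__ == "__main__":
    for label, stanza in (("weak", WEAK_STANZA), ("hardened", HARDENED_STANZA)):
        print(f"[{label}]")
        for finding in audit(stanza) or ["no findings"]:
            print("  " + finding)
```

Run against a directory of real stanzas by reading each file under /etc/xinetd.d and passing its text to `audit()`; a clean result means every enabled service names at least one allowed source, which is the second layer Jesse describes sitting behind the ipchains rules.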