LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue15/security.html

158 lines
6.9 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<title>Learning about Security Issue 15</title>
</HEAD>
<BODY >
<H4>
&quot;Linux Gazette...<I>making Linux just a little more fun!</I>&quot;
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H2>Learning about Security </H2>
<H4>By Jay Sprenkle,
<a href="mailto:jay@shadow.ashpool.com">jay@shadow.ashpool.com</a></H4>
</center>
<P> <HR> <P>
It all started when the system rebooted...
<P>
I had been having reliability problems with my system for over a
month. It would run fine for up to a week or so then it would crash
with wierd symptoms. I know it's unusual to trust in your software
these days, but I had faith that Linux was not the culprit. Only
operating systems produced by large companies have to be rebooted
every day.
<P>
I took the motherboard out of the system and drove down to the
supplier. The guy behind the counter had the standard "electronic
supplier salesperson disease". He thought I was A. an idiot, B. trying
to rip him off or C. trying to ruin his day/profit margin. I explained
the problem, told him how it gave different symptoms each time it
died, and how I had swapped out parts. After about 20 minutes he had
no more arguments and he gave me a new motherboard.
<P>
I took it home and put it back into the case. I was back up in a few
minutes and I put the system back into service. After almost three
weeks of blissfull operation it rebooted itself and started back up
without a problem. I didn't even know about it until I saw the system
log file a day later. ARGGG! The **** thing is broken again...
<P>
I studied the logs and found that odd things had happened. The web
server process log was filled with total nonsense. The system log had
stopped working shortly after the reboot. I felt that a power failure
had caused the odd log messages and possibly damaged the system
logging program.
<P>
As I began looking at the other logs I found that someone had
transferred copies of some of my files to a system I had never heard
of before. This was serious! I had been violated! I didn't have
hardware problems, some sleazoid-weasel had broken into my system! I
had previously been over the system carefully trying to eliminate all
the security holes. I hadn't been careful enough!
<P>
I copied off every log file I could find and immediately changed all
the passwords on the system. If they had gotten in and copied the
password file they could eventually crack the encoding on their own
system and they would have all the passwords.
<P>
I sent off a message to the system administrator of the system that
the files had been sent to. With a little time at a search engine site
I found that this system was located in Chicago. I later found out
from the site's system administrator that this guy had somehow broken
through the security in one of their systems routers. Once into the
router he installed a packet sniffer. This program reads the data
packets that go across the net and records anything that looks like a
password.
<P>
I had been connecting to my system remotely to get mail from it. I
have since found out that the POP3 protocol used to get mail sends
your account password in clear text (unencrypted) when getting your
mail. This sleazy booger's packet sniffer probably captured my
password when I was getting my mail. The rlogin, rsh, rexec, rlp,
telnet, adn FTP protocols also send passwords in clear text by the
way!
<P>
I went through the '/etc/services' file one more time and found that I
had not disabled the 'rlogin' service as I had first thought. This
service runs on port 513 but is not called 'rlogin'. I went through
and disabled every service that starts with an 'r'. These are the
remote services programs that a cracker can use to get into your
system. I disabled all file sharing and all protocols except tcp/ip. I
disabled the telnet service altogether since there is a better
replacement. I also made sure that NFS and RPC were disabled since
there was supposed to be a security hole in these too.
<P>
Well, not a lot had been done to my system, other than the reboot
after the break-in. One nagging thing was that the system logging no
longer worked. After goofing around with it for a day or so I finally
noticed what should have been obvious. The 'syslogd' program had been
replaced with another program with the same name.
<P>
I haven't verified it but I believe this program is another copy of
the packet sniffer the cracker used in the router. When you do a 'ps'
to see what's running you wouldn't think anything about it since this
program should be running all the time. I replaced the 'syslogd'
program with the correct one and it worked like a champ again.
<P>
While poking around in my /tmp directory I found a copy of the 'bash'
shell with the SUID bit set. WHOA! What's this? With this little baby
you can become root by simply running it. When I happened to mention
this to a fine gentleman [Jim Dennis, The Answer Guy --Editor]
who was helping me try to get it working he
immediately remembered the security hole associated with this. There's
a bug with the 'sendmail' program that allows you to make an SUID copy
of your shell in the /tmp directory. If you don't have version 8.8.3
or later of the sendmail program you're vulnerable too! (go to
http://www.sendmail.org for the latest stuff).
<P>
So, what have I learned from all this?
<ol>
<li>Security is more important than I thought.
<li>Security is no fun to implement...
<li>Cracker's read the CERT releases so they can keep up on
the latest, coolest, ways to break into your system. They
think it's a fun challenge to 'beat you'
<li>Security is no fun to implement...
<li>Don't use FTP, telnet, rlogin, rsh, or POP3 remotely. If
you need to do this get the newer versions that encrypt
the session BEFORE they log in.
<li>Security is no fun to implement...
<li>If you have an older version of sendmail than 8.8.3 replace it. 8.
<li>Don't give access to programmers tools. It just makes
the cracker's job easier.
<li>Security is no fun to implement...
<li>Turn off all remote services on your system
<li>Security is no fun to implement...
<li>Read the CERT bulletins to see if you have any obvious holes
in your system. If you do, fix them
</ol>
and lastly... <BR>
Security is no fun to implement!
<P>
best of luck to you!
<P>
Jay
<!--===================================================================-->
<P> <hr> <P>
<center><H5>Copyright &copy; 1997, Jay Sprenkle<BR>
Published in Issue 15 of the Linux Gazette, March 1997</H5></center>
<!--===================================================================-->
<P> <hr> <P>
<A HREF="./index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif"
ALT="[ TABLE OF CONTENTS ]"></A>
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
ALT="[ FRONT PAGE ]"></A>
<A HREF="./gm.html"><IMG SRC="../gx/back2.gif"
ALT=" Back "></A>
<A HREF="./midi.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
<P> <hr> <P>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink