[olug] remote root heads up on Redhat
Phil Brutsche
phil at fury.brutsche.org
Wed Sep 27 05:22:09 UTC 2000
A long time ago, in a galaxy far, far away, someone said...
> Sounds good when you refer to an anonymous, experienced admin. I'm
> sure they'll all be rolling here in a second.
:)
> We've been digging today both here and at work because we've had some
> weirdness going on.
>
> I had syslog running at home accepting remote messages and I failed to
> protect it with a ipchains ruleset. I set it up for an experiment a
> while ago and neglected to put it back to local messages only. I had a
> couple of crashes here but I am thinking they're some sort of DoS that
> 2.2.14 was subject to
2.2.14 was subject to a DoS? The only thing I know of was a security bug
regarding a program running as root properly dropping privileges.
> - I moved to 2.2.17 and it seems to be gone.
2.2.17 seems to have other problems, though :(
> As a matter of policy I run nothing but ssh and occasionally turn on
> inetd for tftp or ftp when I am installing a router image or doing a
> network OS install.
You need to invest a little time in a VPN between home and work/wherever
you are at the time.
I have a set of shell/perl scripts I threw together for Jimmy if you want
them - they set up a VPN with pppd and ssh.
> I strongly suspect that it was a DoS because I've been bitch slapping
> skr1pt k1dd13s on IRC lately and one of 'em really took a disliking to
> the procedure ;-)
I bet - I heard about the *really* pissed off guy on #efnet...
> Work was a little more troublesome. My personal box is connected
> public, has syslog properly configured with an ipchains rule set as
> well as tacacs. I had two inexplicable crashes at the same time the
> stuff was happening at home. I managed to utterly hose the system
> myself on an unrelated task Monday and I gave up trying to fix it
> manually and just reinstalled 6.2. I wasn't sure what was going on so
> I put it back on a NAT'd segment - so much for any chance of forensics
> there.
>
> As I write this I've been wondering about UDP services like syslog and
> ipchains protection. You can easily spoof source IP on UDP, assuming
> your ISP allows source routed packets out which is pretty rare any
> more so the traffic would have to come from some disorganized, ghetto
> ISP. Even if you had an attacker that had that source spoof capability
> the ruleset is going to drop any packet ... unless the kiddie knows
> enough to spoof an address that your system is likely to accept.
>
> ie if my internal network is 198.88.20.0/24 and my host is 198.88.20.7
> someone would have to spoof 198.88.20.x before my ruleset would allow
> it to pass.
You should be telling the router to drop packets coming from your
ISP to your internal 'net that have the IPs of your internal net.
> There is a lot more to this but it's late and I am tired ... I think
> it's Mr Garrity's turn to pick this up and run with it since he has
> actually been trying to get the exploits to work.
Tell Mr Garrity to look for some rootkits - the rpc.statd exploit he
mentioned is being actively exploited - enough for CERT to send out an
advisory several times.
--
----------------------------------------------------------------------
Phil Brutsche pbrutsch at creighton.edu
"There are two things that are infinite; Human stupidity and the universe.
And I'm not sure about the universe." - Albert Einstein
---------------------------------------------------------------------
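Added example (not from the original message or the OLUG list): a small simulation of the two filtering rules discussed above, using the thread's 198.88.20.0/24 network and host 198.88.20.7. Interface names eth0 (ISP side) and eth1 (LAN side) and the sample packets are constructed assumptions; it shows why a source-address-only ruleset lets a spoofed 198.88.20.x packet through to syslog, and how binding the rule to the ingress interface, as the reply recommends, closes that gap.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed values matching the thread; interface names are assumed.
INTERNAL_NET = IPv4Network("198.88.20.0/24")
EXTERNAL_IF = "eth0"   # assumed: interface facing the ISP/router
INTERNAL_IF = "eth1"   # assumed: interface facing the LAN
SYSLOG_PORT = 514      # remote syslog listens on UDP/514


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "udp" or "tcp"
    src: IPv4Address
    dst: IPv4Address
    dport: int


def verdict(pkt: Packet) -> str:
    """Return the filter decision with its reason, mirroring the thread's rules."""
    # Rule 1, the border anti-spoofing check the reply recommends: nothing
    # arriving from the ISP side may carry an internal source address.
    # (ipchains equivalent: ipchains -A input -i eth0 -s 198.88.20.0/24 -j DENY)
    if pkt.iface == EXTERNAL_IF and pkt.src in INTERNAL_NET:
        return "DROP spoofed-internal-source"
    # Rule 2: remote syslog is accepted only from the LAN on the LAN interface,
    # so the daemon never takes messages from the Internet.
    if pkt.proto == "udp" and pkt.dport == SYSLOG_PORT:
        if pkt.iface == INTERNAL_IF and pkt.src in INTERNAL_NET:
            return "ACCEPT syslog-from-lan"
        return "DROP syslog-from-outside"
    return "ACCEPT default"


# Constructed traffic: the third packet is a spoofed internal source arriving
# from the ISP side, which a source-only ruleset would have accepted.
SAMPLE = [
    Packet("eth1", "udp", IPv4Address("198.88.20.12"), IPv4Address("198.88.20.7"), 514),
    Packet("eth0", "udp", IPv4Address("203.0.113.5"), IPv4Address("198.88.20.7"), 514),
    Packet("eth0", "udp", IPv4Address("198.88.20.99"), IPv4Address("198.88.20.7"), 514),
    Packet("eth0", "tcp", IPv4Address("203.0.113.5"), IPv4Address("198.88.20.7"), 22),
]


def filter_all(packets=SAMPLE):
    """Apply verdict() to each packet and return the list of decisions."""
    return [verdict(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, filter_all()):
        print(f"{p.iface} {p.proto} {p.src}->{p.dst}:{p.dport}  {v}")
```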