TCLUG Archive
Re: [TCLUG:5611] Looks like real attack !???!!??!
Most of the services I'm running I have blocked outside of .carleton.edu.
via /etc/hosts.deny= ALL:ALL and allowed telnet and ftp etc via
hosts.allow. Does this safeguard me from an outside attack on one of my
services or not? I think I'm going to recompile the kernel and use
ipchains to do some heftier blocking. Am I right that I just need to have
Network Firewalls
socket filtering
IP: firewalling
IP: firewall packet netlink device
to use ipchains for this (no masq or routing) and I don't need to do
always defragment IP?
About the Linux Security Admin Guide -- it is great. I was reading it
when the attack occurred and noticed it only because the admin said to run
netstat and look for stuff.
I'll post my ipchains rules once I figure them out.
Thanks for all the help!
Ben
On Wed, 28 Apr 1999, Nathan Ahlstrom wrote:
> Ben Luey <lueyb@carleton.edu> wrote:
> > Sorry, here it is:
>
> No problem. ;-)
>
> Ok that is an awful lot of things listening for connections. Basically the
> cracker is looking for one of these to be insecure. You can see that you
> have a web server running, sendmail, finger, ftp, etc. If any one of these
> has a "hole" the cracker can get in and do some damage. I think that by
> default linux is relatively secure. You should, however, get rid of
> anything that you do not need here. [Someone posted a URL today on the
> tclug list about the lsag -- Linux Security Admin Guide -- or something
> like that, which you should probably read, just to be safe!]
>
> As far as the cracker goes, report him to the domain administrative contact,
> keep an eye on your system email messages (should be sent to root each
> night?), and take a backup of any essential files that you cannot replace
> (i.e. school work, desktop config) without lots of work.
>
> > [lueyb@pclueyb lueyb]$ netstat -a |grep LISTEN
> > tcp 0 0 *:4878 *:* LISTEN
> > tcp 0 0 *:3963 *:* LISTEN
> > tcp 0 0 *:nterm *:* LISTEN
> > tcp 0 0 *:6000 *:* LISTEN
> > tcp 0 0 *:7100 *:* LISTEN
> > tcp 0 0 *:www *:* LISTEN
> > tcp 0 0 *:smtp *:* LISTEN
> > tcp 0 0 *:printer *:* LISTEN
> > tcp 0 0 *:1024 *:* LISTEN
> > tcp 0 0 *:923 *:* LISTEN
> > tcp 0 0 *:22 *:* LISTEN
> > tcp 0 0 pclueyb:domain *:* LISTEN
> > tcp 0 0 localhost:domain *:* LISTEN
> > tcp 0 0 *:auth *:* LISTEN
> > tcp 0 0 *:time *:* LISTEN
> > tcp 0 0 *:finger *:* LISTEN
> > tcp 0 0 *:telnet *:* LISTEN
> > tcp 0 0 *:ftp *:* LISTEN
> > tcp 0 0 *:5680 *:* LISTEN
> > tcp 0 0 *:sunrpc *:* LISTEN
>
> --
> Nathan Ahlstrom FreeBSD: http://www.FreeBSD.org/
> nrahlstr@winternet.com PGP Key ID: 0x67BC9D19
>
Ben Luey
lueyb@carleton.edu
ICQ: 19144397
The great objective of social reform is to prevent a fundamental change in
class relations. -- Eugene Genovese
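The two questions in this thread (which listeners matter, and whether hosts.deny covers them) can be checked mechanically. The script below is an added example, not code from the thread or from either poster. It parses the netstat listing quoted above, separates the listeners that TCP wrappers can gate from those it cannot, and prints ipchains rules of the kind Ben said he would post. The security point it encodes is a fact about TCP wrappers: /etc/hosts.allow and /etc/hosts.deny are consulted only by services started through tcpd from inetd or linked against libwrap, so a standalone daemon (httpd, sendmail, X on 6000, portmap on sunrpc) ignores an ALL:ALL entry and still answers outside hosts. Which services are wrapped on a given box depends on its inetd.conf; the WRAPPED_SERVICES set and the TRUSTED_NET address are constructed assumptions, since the thread names neither.

```python
"""Audit a `netstat -a | grep LISTEN` listing: which listeners can TCP wrappers
(hosts.allow / hosts.deny) actually protect, and which need a packet filter.

Constructed example; it is not code from the original thread.
"""
from typing import List, NamedTuple, Set

# Sample input: the listing quoted in the thread, pasted verbatim.
NETSTAT_LISTEN = """\
tcp 0 0 *:4878 *:* LISTEN
tcp 0 0 *:3963 *:* LISTEN
tcp 0 0 *:nterm *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:7100 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:923 *:* LISTEN
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 pclueyb:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:5680 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
"""

# Assumption (constructed): these services are started by inetd through tcpd,
# so hosts.allow / hosts.deny are consulted before they answer. Standalone
# daemons (httpd, sendmail, X, portmap, sshd unless built with libwrap) never
# read those files, so ALL:ALL in hosts.deny does nothing for them.
WRAPPED_SERVICES: Set[str] = {"telnet", "ftp", "finger", "auth", "time"}

# Placeholder for the network you trust; the thread names no address range.
TRUSTED_NET = "192.0.2.0/24"


class Listener(NamedTuple):
    proto: str
    host: str      # bind address as netstat prints it ("*" = all interfaces)
    service: str   # port number, or its /etc/services name


def parse_netstat(text: str) -> List[Listener]:
    """Parse LISTEN lines; anything that is not a listening socket is skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[-1] != "LISTEN":
            continue
        host, _, service = parts[3].rpartition(":")
        listeners.append(Listener(parts[0], host, service))
    return listeners


def exposed_listeners(listeners, wrapped=WRAPPED_SERVICES):
    """Listeners reachable from other hosts that TCP wrappers cannot gate:
    bound to something other than loopback and not launched via tcpd."""
    return [l for l in listeners
            if l.host != "localhost" and l.service not in wrapped]


def unnamed_ports(listeners):
    """Numeric services netstat could not map through /etc/services. Each
    should be tied to a process (fuser -n tcp PORT) before deciding to keep it."""
    return [l.service for l in listeners if l.service.isdigit()]


def ipchains_rules(listeners, trusted_net=TRUSTED_NET):
    """Emit ipchains commands that accept new TCP connections (-y = SYN only)
    to each exposed port from the trusted network and log-and-deny the rest.
    ipchains matches first rule wins, so the ACCEPT precedes the DENY."""
    rules = []
    for l in exposed_listeners(listeners):
        rules.append(f"ipchains -A input -p tcp -y -s {trusted_net} "
                     f"-d 0.0.0.0/0 {l.service} -j ACCEPT")
        rules.append(f"ipchains -A input -p tcp -y -d 0.0.0.0/0 {l.service} "
                     f"-l -j DENY")
    return rules


if __name__ == "__main__":
    ls = parse_netstat(NETSTAT_LISTEN)
    print(f"{len(ls)} listeners, {len(exposed_listeners(ls))} not covered by hosts.deny")
    print("numeric ports to identify:", ", ".join(unnamed_ports(ls)))
    print("\n".join(ipchains_rules(ls)))
```

Run against the quoted listing, 14 of the 20 listeners fall outside what hosts.deny can reach, and the -l on each DENY rule makes refused connection attempts show up in the kernel log, which is the same kind of signal the netstat check gave here but without having to be watching at the time.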