topic Re: Password sniffed; hacked in Operating System - Linux

Password sniffed; hacked

Vernon Brown_4 — Tue, 27 Jan 2004 15:00:32 GMT

Saturday I noticed numerous failed ftp attempts to login to my RedHat 7.1 Apache server. I only noticed one duplicated IP address; all other attempts were from different IP addresses.

Sunday morning, some critical files in /etc were missing; any attempt to do anything produced only error messages on the console.

I reformatted the drives, reinstalled Redhat 7.1 and recovered the server from backups.

Now I'm looking for a way to block ftp and telnet from eth0 (the gateway) while allowing them from eth1 (my lan). I'm using IPchains. Can anyone construct and IP chains entry that would do that ??

Thanks for any help !!

Re: Password sniffed; hacked

Steven E. Protter — Tue, 27 Jan 2004 15:21:48 GMT

Your best bet is to use the firewall iptables for the job.

in /etc/sysconfig/iptables

-A input -i eth0 -p tcp -m tcp --dport 21 -j DROP

This prevents ftp access

You can block services from certain ip addresses or network segments as well

-A INPUT -i eth0 -p ALL -s 192.168.0.15 -j DROP

ipchains:

in the /etc/sysconfig/ipchains file

-A input -s 0/0 23 -d 0/0-p tcp -y -j DROP
-A input -s 0/0 23 -d 0/0-p tcp -y -j DROP

That will do it.

The reason you probably got hacked was password policy.

One guessable password makes your system vulnerable. If that user has a suid capable shell or something out there then your system is someone elses slave. A word starting with a b comes to mind. Bad SEP.

I encountered a number of these attacks on my HP-9000 server. I used /var/adm/inetd.sec to stop all outside ftp and telnet access

This attack was crude, simply trying to guess the password for root. There were hundreds of attempts.

I reported the information to the relavent authorities and they promised to investigate.

SEP

Re: Password sniffed; hacked

Vernon Brown_4 — Tue, 27 Jan 2004 17:10:30 GMT

Thanks !!

I don't know if IPTables is on that server; guess I could put it on there. I'll try the Ipchains method first. It gets installed with RedHat 7.1.

-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT

That is the ipchains entry for telnet and ftp that gets installed with RH 7.1. If I just change the ACCEPT to DROP, how do I get connected from my LAN ?

Re: Password sniffed; hacked

ger donohue_1 — Tue, 27 Jan 2004 21:14:51 GMT

Configure this in the inet deamon as this is what is controling these services.

for xinetd only bind these services to the lan interface.

for inetd only allow the services to be available in /etc/hosts.allow to your local LAN This assumes that "ALL: ALL@ALL" is in /etc/hosts.deny to deny everything that falls through /etc/hosts.allow

The above will work as an extra for xinetd if you compiled xinetd from source with tcpwrappers support enabled.

I have an compiled RPM for a recent version xinetd with tcpwrappers built but was built on a 6.2 system.

Regards Ger

Re: Password sniffed; hacked

Stuart Browne — Tue, 27 Jan 2004 21:32:39 GMT

RH7.1 onwards comes with both IPChains and IPTables.

Prior to RH8 however, IPChains is the default.

You can easy swap these by issuing the following commands:

chkconfig --level 0123456 ipchains off
service ipchains stop
chkconfig iptables on
service iptables start

You will have to translate your firewall rules however.

I'd suggest moving to IPTables as it is by far the better option to use, in both management, and forward-planning.

Re: Password sniffed; hacked

Vernon Brown_4 — Tue, 27 Jan 2004 23:33:09 GMT

Great example Stuart; thanks !!

You've convinced me; I'll switch over to IPTables.

Re: Password sniffed; hacked

Basil_4 — Wed, 28 Jan 2004 06:27:03 GMT

I've found that setting up a firewall can be pretty confusing and labourious.

However, I happened across a firewall tool that I found so useful it's the only one I use: shorewall.

It's got very clear documentation on setting up a firewall and comes with loads of examples (including what you're after)...

http://www.shorewall.net/

On top of that, there is webmin (a web based admin interface) and it supports shorewall...

http://www.webmin.com/

(Sorry for going a little off topic).

Bottom line is, I knew little about firewalls, but now happily have my linux router up and running using shorewall and suffering almost no external attacks...

HTH.

Re: Password sniffed; hacked

Bill Thorsteinson — Wed, 28 Jan 2004 10:58:44 GMT

I second the recommendation for shorewall.

Also look at protecting ftp with tcpwrappers, and replacing telnet with ssh.