[Techtalk] Server was broken into ... what good tools are there to probe vulnerabilities?

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Nov 21 17:20:36 EST 2001


Heya --

Quoth jennyw (Wed, Nov 21, 2001 at 12:27:20PM -0800):
> When you say privileges, do you mean file system privileges? Or just that it
> gives access to a lot of running processes?

	Filesystem and processes -- anything owned by nobody can be
affected by the user nobody.  Many people give the "nobody" account
great privileges (access to many files and directories, and many daemons
run as 'nobody') because they do so many things with their web server.
Or they'll install their FTP daemon under the nobody account too.  Or
they'll go through all the trouble of chrooting bind, and then run it as
the nobody user.  Aaaaaah!  [grin]  As was already mentioned, having
each service run under its own user is generally a good idea.  It's
damage control in case that user account gets hacked.  

> I'm not happy about this last, but sendmail is what they use for an mta, and
> I believe it needs to run as root. I guess I should read a security book and
> see how to set stuff to run as other users. So complicated ... all I want to
> do is setup Web sites! And DNS. And IMAP. Okay, maybe I need to read up on
> security a bit ...
 
	Security is tough to get good at since it requires a thorough
understanding of all the services you're running on the box, as well as
a decent understanding of your OS.  On the plus side, it's really
educational.  [grin]  Usually in the humbling sort of way.

	I, too, think you would be happier running your own box.  I
doubt you'll get your ISP to change their MTA because you don't like it.
[grin]  Sendmail and Bind are notorious for being hard to maintain
securely.

> Yeah, I'd love to dump them, but there is this little issue of money ...
> I can't find anything close to as expensive that doesn't have a huge setup
> fee. Ugh.

	Speakeasy, as has already been mentioned.  They do have a huge
setup fee, but IIRC they're currently running some special where you get
it all back in a few months.  DirectTV DSL is very affordable and may or
may not let you host your own server off their line, (depends on which
salesperson you talk to, I think) but they're not going to give you
proper reverse DNS.  Also, it's RADSL, so your upstream is slower than
your downstream -- not ideal for a server, which gets small requests and
replies with big files. 

	Other than those two, I think you have to look at business class
DSL if you want to host servers.  (Others may know different providers
that are affordable.)

> The main reason I don't run the server at home is because of
> bandwidth, and because I'd rather have hackers breaking into systems
> *outside* of my home network. Of course, with only 300 MB transferred
> per month, a 384 connection might not be too bad. 
 
	I hate to say it, but you can virtually guarantee that the
hackers are already looking at your home network.  Bigger bandwidth
connections are more juicy targets, but when my home network was hosted
off a 56k dialup line, we got random attempts at our firewall several
times a day, and full-on portscans about once a week.  And we're small
potatoes.

	Much of the time, hackers will just scan a range of IP addresses
for systems vulnerable to whatever exploit they're thinking of doing.
They don't care what the ones that come up vulnerable are -- they'll
just try to get all the systems they can.  So whether you're off dialup
or an OC-12, they'll still come after you.

	Granted, the IP ranges assigned to broadband providers do get
scanned more often.  But being a home network doesn't make you safe.
You should have seen how much of @Home's bandwidth was eaten by the
recent Nimda worm.  (Systems infected with Nimda preferentially scanned
their network's IP block looking for new hosts to infect.  So many home
networks off @Home were infected that the scanning traffic slowed many
of their users to a crawl.  They had to take drastic measures to restore
normal bandwidth.)

	Sorry to be the bearer of a wet blanket.  But it just isn't a
friendly Internet anymore.  If you host your server at home, set it up
in a DMZ if you can, and limit the trust between the machines on your
home network and your server.  There should be a firewall between them,
at the least.

Cheers,
Raven

"I'm eating stealth cheese that may or may not be immortal?"
  -- Danielle, on pizza and perpetuity
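Raven's point about the overloaded "nobody" account, as an added example that is not part of the original thread: a small POSIX shell audit that groups running daemons by account and flags any non-root account shared by more than one distinct daemon, which is exactly the case where compromising one service hands over the others. The `ps -eo user,comm` column layout and the sample process list below are assumptions (constructed, not from any real host).

```shell
#!/bin/sh
# Constructed sample in the shape of `ps -eo user,comm` output (procps
# syntax; on BSD-style ps use -axo user,comm). Not from a real host.
SAMPLE='USER COMMAND
root init
nobody httpd
nobody httpd
nobody proftpd
nobody named
root sendmail
daemon atd'

# List the distinct daemons running as one account, space-separated and
# sorted, e.g. `daemons_as nobody "$SAMPLE"` -> "httpd named proftpd".
daemons_as() {
    printf '%s\n' "$2" \
        | awk -v u="$1" 'NR > 1 && $1 == u { print $2 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print "user N: daemon ..." for every non-root account that runs more
# than one distinct daemon. root is skipped: it owns everything anyway,
# so "shared" says nothing there (whether a daemon needs root at all is
# a separate question). Output is sorted so it is stable across runs.
shared_accounts() {
    printf '%s\n' "$1" \
        | awk 'NR > 1 && $1 != "root" { print $1, $2 }' \
        | sort -u \
        | awk '{ n[$1]++; d[$1] = d[$1] " " $2 }
               END { for (u in n) if (n[u] > 1) print u, n[u] ":" d[u] }' \
        | sort
}

# Run against the constructed sample; on a real box pass "$(ps -eo user,comm)".
shared_accounts "$SAMPLE"
```

Each line of the report names an account where a single bug in one daemon reaches every other daemon on that line; the fix Raven describes is one dedicated account per service.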
