[Techtalk] Re: Server was hacked into; looking for tips on how to secure it

jennyw jennyw at dangerousideas.com
Wed Mar 5 13:53:45 EST 2003


On Wed, Mar 05, 2003 at 01:25:24PM -0500, Raven Alder wrote:
> 	A thousand messages a day?  I thought I was bad -- I get maybe
> 200 on an average day.  Lots more when Something Bad happens to the
> Internet.

Yes -- I read a lot of mailing lists.  After getting my immediate tasks 
done (work, taxes, figuring out what happened to my server), I plan to 
hack phpBB so that my mailing lists will each appear as a separate 
forum.  I think I'll be the first person to use phpBB as an MUA. ;-)

> 	My Debian boxes run unstable for this very reason -- there are
> times when the version of a package available in the stable tree is one
> that I know doesn't have the new feature that I desperately need, or has
> a security hole that I know has been patched in a newer version of the
> same package.  I'm not sure exactly how the Debian maintainers determine
> what goes in what branch where, but I find that unstable suits what I
> want to do better.  (And I haven't had any horrible system stability
> problems yet... and now that I've said that I have probably cursed
> myself to incredible bouncing daemons and such...)

I was under the impression that stable was the most secure?  Others I've
talked to said they run stable for servers (for security) and testing
and unstable on workstations.  I thought that even if they don't put a
later version of the software that includes a security fix, they'll at
least apply a security patch to the older version of the software.  Of
course, I'm guessing you see tons more attacks than I do and if you're
running unstable without issues, then I guess that's a pretty good
argument to go with unstable.

Another reason I don't use unstable generally is because there are often 
some pretty severe problems. For example, before Woody became stable, 
I remember that IMP wasn't working for me because of a problem with the 
PHP4 that came with Sid (hmm, now that I think of it, it might have been 
Woody that had the problems, not Sid -- and it was in testing!). Also, 
some packages are missing some features in stable. For example, you 
can't install mutt-ssl from the testing distribution.  You can get 
around this by pinning -- my workstation uses testing, with mutt pinned 
to stable.

I've never run unstable only because testing has given me enough 
headaches, and I figured unstable would be even wackier.  I can just 
imagine apt-get dist-upgrade changing 100 MB of packages every week. Of 
course, I've never tried it; that's just what I assume is happening!

> > By the way, even if I chroot the server, if it was compromised, could
> > it still send spam through 127.0.0.1?  Is there a way to control this
> > through a firewall or postfix?
> 
> 	The server would likely still accept mail on the loopback
> interface -- local agents send mail that way and all.  Controlling where
> it sends mail is probably more complex, though.  If it can send mail to
> people you want to mail, it can mail people you don't want to mail also.
> I'm sure there is some way to control who and what it mails, though.
> Perhaps people who are more mail-server-guru than me have ideas for
> appropriate filtering mechanisms?

I'd love to be able to control processes individually. It would be great
to be able to block processes from accessing particular ports, for
example.  I did think about setting up a Web server inside User-Mode
Linux, without a mail server available to it.  I've even thought about
running the mail server and DNS server in other UML sandboxes ... that
might give the benefits of having a separate firewall computer and three
dedicated servers using the same hardware. Of course, I know next to
nothing about UML (I hate that they picked an acronym that was already in
use for Unified Modeling Language).

On my list to learn more about when I put up the new server:

* UML
* Snort and IDSes
* Ethereal and other network analyzers
* IPtables/Netfilter (I'm using netfilter now, with shorewall as
  the front-end to make things easier; I'd like to learn more of 
  what's going on underneath, though. I'd also like to learn about 
  content filtering on the firewall.)
* Integrit/Tripwire and similar tools
* Various forms of e-mail authentication
* TCT and other post-mortem tools

Unfortunately, I suspect that Integrit/Tripwire might not be as helpful
as I thought since it's possible to run processes to get a shell and
send mail without modifying files that would normally be monitored. 
Worse, I doubt that a firewall or Snort would help much for an exploit
that allowed a remote shell because of a bug in a Web server, for
example.  Having Ethereal or tcpdump logs may have captured the 
information needed. Storage of that information may be an issue, though. 
;-) And, aside from doing content filtering, no firewall is going to 
help protect a publicly-accessible Web server from being exploited, 
and content-filtering may end up being very difficult to keep up.  UML 
sounds very promising, but that could all be because I don't know much 
about it.

Jen
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk
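The loopback question above ("could it still send spam through 127.0.0.1?") and the wish to "block processes from accessing particular ports" both map onto one netfilter feature that the thread does not spell out: the `owner` match, which lets an OUTPUT rule decide by the uid that opened the socket. The script below is an added example written for this archive page; it is not code from either poster. It assumes the MTA runs as the `postfix` user and the web server as `www-data` (both hypothetical, override with `MAIL_UID`/`WEB_UID`), and it only prints the iptables commands unless run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not from the original thread: restrict which local users
# may open outbound SMTP connections with the netfilter "owner" match.
# Assumed (hypothetical) account names: MTA = postfix, web server = www-data.
# Dry run by default; APPLY=1 (as root) installs the rules for real.

MAIL_UID="${MAIL_UID:-postfix}"
WEB_UID="${WEB_UID:-www-data}"

# run_ipt: execute iptables when APPLY=1, otherwise echo the command line
run_ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# smtp_egress_rules: build a dedicated chain and hook it into OUTPUT so that
# only the MTA uid may talk to remote port 25/587, and the web-server uid
# cannot even reach the MTA on 127.0.0.1:25.
smtp_egress_rules() {
    # 1. Separate chain: easy to list (iptables -L SMTP_EGRESS) and to flush.
    run_ipt -N SMTP_EGRESS

    # 2. The MTA itself is allowed to deliver anywhere.
    run_ipt -A SMTP_EGRESS -m owner --uid-owner "$MAIL_UID" -j ACCEPT

    # 3. Loopback: the web-server uid connecting to 127.0.0.1:25 is logged and
    #    reset; other local users (cron, root) may still submit via loopback.
    run_ipt -A SMTP_EGRESS -o lo -m owner --uid-owner "$WEB_UID" \
        -j LOG --log-prefix "smtp-egress-web-lo: "
    run_ipt -A SMTP_EGRESS -o lo -p tcp -m owner --uid-owner "$WEB_UID" \
        -j REJECT --reject-with tcp-reset
    run_ipt -A SMTP_EGRESS -o lo -j ACCEPT

    # 4. Anyone else trying to reach an SMTP port on a non-loopback interface
    #    is logged (rate limited so a spam run cannot flood syslog) and reset.
    run_ipt -A SMTP_EGRESS -m limit --limit 5/min \
        -j LOG --log-prefix "smtp-egress-blocked: "
    run_ipt -A SMTP_EGRESS -p tcp -j REJECT --reject-with tcp-reset

    # 5. Send TCP traffic to ports 25 and 587 through the chain.
    run_ipt -A OUTPUT -p tcp -m multiport --dports 25,587 -j SMTP_EGRESS
}

smtp_egress_rules
```

Two caveats a practitioner would add. First, `owner` matching only sees sockets a process opens itself: a compromised web application that pipes a message into `/usr/sbin/sendmail` hands it to the MTA's queue directory without any TCP connection, so the firewall never sees it; the `LOG` lines in step 3 are therefore a detection aid, not a complete block, and MTA-side restrictions on who may submit locally are still needed. Second, the order matters: the `www-data` reject in step 3 must come before the general `-o lo ACCEPT`, which is why the chain is built in that sequence rather than appended to piecemeal.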



More information about the Techtalk mailing list