[Techtalk] Re: Server was hacked into; looking for tips on how to secure it
jennyw
jennyw at dangerousideas.com
Wed Mar 5 13:53:45 EST 2003
On Wed, Mar 05, 2003 at 01:25:24PM -0500, Raven Alder wrote:
> A thousand messages a day? I thought I was bad -- I get maybe
> 200 on an average day. Lots more when Something Bad happens to the
> Internet.
Yes -- I read a lot of mailing lists. After getting my immediate tasks
done (work, taxes, figuring out what happened to my server), I plan to
hack phpBB so that my mailing lists will each appear as a separate
forum. I think I'll be the first person to use phpBB as an MUA. ;-)
> My Debian boxes run unstable for this very reason -- there are
> times when the version of a package available in the stable tree is one
> that I know doesn't have the new feature that I desperately need, or has
> a security hole that I know has been patched in a newer version of the
> same package. I'm not sure exactly how the Debian maintainers determine
> what goes in what branch where, but I find that unstable suits what I
> want to do better. (And I haven't had any horrible system stability
> problems yet... and now that I've said that I have probably cursed
> myself to incredible bouncing daemons and such...)
I was under the impression that stable was the most secure? Others I've
talked to said they run stable for servers (for security) and testing
and unstable on workstations. I thought that even if they don't put a
later version of the software that includes a security fix, they'll at
least apply a security patch to the older version of the software. Of
course, I'm guessing you see tons more attacks than I do and if you're
running unstable without issues, then I guess that's a pretty good
argument to go with unstable.
Another reason I don't use unstable generally is because there are often
some pretty severe problems. For example, before Woody became stable,
I remember that IMP wasn't working for me because of a problem with the
PHP4 that came with Sid (hmm, now that I think of it, it might have been
Woody that had the problems, not Sid -- and it was in testing!). Also,
some packages are missing some features in stable. For example, you
can't install mutt-ssl from the testing distribution. You can get
around this by pinning -- my workstation uses testing, with mutt pinned
to stable.
I've never run unstable only because testing has given me enough
headaches, and I figured unstable would be even wackier. I can just
imagine apt-get dist-upgrade changing 100 MB of packages every week. Of
course, I've never tried it, that's just what I assume is happening!
> > By the way, even if I chroot the server, if it was compromised, could
> > it still send spam through 127.0.0.1? Is there a way to control this
> > through a firewall or postfix?
>
> The server would likely still accept mail on the loopback
> interface -- local agents send mail that way and all. Controlling where
> it sends mail is probably more complex, though. If it can send mail to
> people you want to mail, it can mail people you don't want to mail also.
> I'm sure there is some way to control who and what it mails, though.
> Perhaps people who are more mail-server-guru than me have ideas for
> appropriate filtering mechanisms?
I'd love to be able to control processes individually. It would be great
to be able to block processes from accessing particular ports, for
example. I did think about setting up a Web server inside User-Mode
Linux, without a mail server available to it. I've even thought about
running the mail server and DNS server in other UML sandboxes ... that
might give the benefits of having a separate firewall computer and three
dedicated servers using the same hardware. Of course, I know next to
nothing about UML (I hate that they picked an acronym that was already in
use for Unified Modeling Language).
On my list to learn more about when I put up the new server:
* UML
* Snort and IDSes
* Ethereal and other network analyzers
* IPtables/Netfilter (I'm using netfilter now, with shorewall as
the front-end to make things easier; I'd like to learn more of
what's going on underneath, though. I'd also like to learn about
content filtering on the firewall.)
* Integrit/Tripwire and similar tools
* Various forms of e-mail authentication
* TCT and other post-mortem tools
Unfortunately, I suspect that Integrit/Tripwire might not be as helpful
as I thought since it's possible to run processes to get a shell and
send mail without modifying files that would normally be monitored.
Worse, I doubt that a firewall or Snort would help much for an exploit
that allowed a remote shell because of a bug in a Web server, for
example. Having Ethereal or tcpdump logs may have captured the
information needed. Storage of that information may be an issue, though.
;-) And, aside from doing content filtering, no firewall is going to
help protect a publicly-accessible Web server from being exploited,
and content-filtering may end up being very difficult to keep up. UML
sounds very promising, but that could all be because I don't know much
about it.
Jen
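An added example, not part of the original message or thread, for the two questions raised above: whether a compromised web server can still push spam through 127.0.0.1, and whether individual processes can be kept off particular ports. Netfilter can do both on the OUTPUT chain with the "owner" match, which keys on the uid of the process that created the socket. This is enough to keep an exploited CGI/PHP script from reaching the local MTA or a remote MX, because the web server runs as its own unprivileged user. The user names "www-data" (web server) and "postfix" (MTA) are assumptions; substitute whatever your system uses.

```shell
#!/bin/sh
# Added example (not code from the original thread). Netfilter rules that
# keep a compromised web server from sending mail, using "-m owner" on the
# OUTPUT chain. Assumed user names: WEB_USER=www-data, MTA_USER=postfix.
#
# Usage (as root, needs the owner match module):   sh mailguard.sh apply
# Dry run that only prints the commands:           IPTABLES=echo sh mailguard.sh apply
set -eu

IPTABLES="${IPTABLES:-iptables}"
WEB_USER="${WEB_USER:-www-data}"
MTA_USER="${MTA_USER:-postfix}"

# Every rule goes through $IPTABLES so the whole set can be dry-run or
# inspected without touching the kernel.
mail_guard_rules() {
    # 1. Log, then reject, any SMTP/submission connection opened by the web
    #    server user. No interface restriction: this covers both 127.0.0.1:25
    #    (relaying through the local MTA) and direct delivery to a remote MX.
    "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports 25,465,587 \
        -m owner --uid-owner "$WEB_USER" -j LOG --log-prefix "WEB->SMTP "
    "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports 25,465,587 \
        -m owner --uid-owner "$WEB_USER" -j REJECT --reject-with tcp-reset

    # 2. Off-box port 25 is reserved for the MTA (and root, so cron and
    #    admin tools keep working). Rules are evaluated in order, so the two
    #    ACCEPTs must come before the catch-all REJECT.
    "$IPTABLES" -A OUTPUT ! -o lo -p tcp --dport 25 \
        -m owner --uid-owner "$MTA_USER" -j ACCEPT
    "$IPTABLES" -A OUTPUT ! -o lo -p tcp --dport 25 \
        -m owner --uid-owner root -j ACCEPT
    "$IPTABLES" -A OUTPUT ! -o lo -p tcp --dport 25 \
        -j REJECT --reject-with tcp-reset
}

# Only apply when explicitly asked, so sourcing the file is side-effect free.
case "${1-}" in
    apply) mail_guard_rules ;;
esac
```

Two caveats a practitioner will want. The owner match only sees locally generated packets, so it is meaningful on OUTPUT (and POSTROUTING), not on INPUT or FORWARD; the web server itself is unaffected because its listening socket belongs to it, not to these outbound rules. And it only closes the network paths: a script can still pipe a message into /usr/sbin/sendmail, which never opens a socket. Postfix's authorized_submit_users parameter (available since Postfix 2.2) restricts which local users may use that command, and is the complement to the rules above; smtpd_client_restrictions cannot help here because on the loopback interface every client looks the same to the SMTP daemon.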
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk