
RE: [cobalt-security] URGENT Hacking



If you are willing to run SSH and safeTP and shut off standard telnet and
ftp, you block the overwhelming majority of brute force attacks.  Most brute
force attacks look for standard telnet and FTP ports.  If these don't
respond the hacker usually moves on.

http://www.cs.berkeley.edu/~smcpeak/SafeTP

By using encrypted FTP and SSH, no passwords will ever pass in the clear,
making your machine much much safer.  I have never had a successful brute
force break-in on machines where standard FTP and standard Telnet are
replaced with their encrypted equivalents.

Another good choice is to run SSL mail.  Outlook 2000 and Outlook Express
support this very well.  Netscape does not, nor does Eudora, so you might
have to get user buy-in before implementing this.

Once your standard services are encrypted, it becomes very hard for the
typical mindless hacker to break in.  I say "mindless" because most hackers
simply download tool kits and bots and use them without understanding how
they work.

Also, never give a shell account to anyone who doesn't need one.

For Windows, there is a safeTP client and you can use the SSH form of Tera
Term pro.  There are also command line versions of SSH that run in DOS
shells.  In Linux, SSH and SSL mail are trivial to set up for any
sophisticated user.  The worst thing the user will have to do is download
and install an RPM.

If you provide your clients easy ways of using encrypted tools, you can
prevent most security problems.

If your environment allows you to restrict access to known hosts, you can
use TCP wrappers to block most probes on your machine (hosts.allow,
hosts.deny, inetd.conf).  Even if you can't, many hackers have cable modems
and DSL lines with visible IP addresses.  You can add these to your
hosts.deny file simply to block specific idiots who won't leave you alone.

Brute force assumes repeated attempts can be made on specific ports, etc.
If you block the ports and encrypt the access, most attacks are blocked
before they can start.  A simple trick that stops many attacks is to
redirect services to non-standard ports such as using port 999 for telnet.
However, any hacker with a port scan program will figure this out pretty
quickly.

Finally, if you can get the IP address and/or host names of hackers breaking
into your systems - REPORT THEM!!!!  If everyone prosecuted illegal accesses
on their machines, it might actually stop the annoying hacking of
adolescents and college students who have too much time on their hands!!  I
have had people kicked off their services such as @Home for hacking
activities that I could trace.  If the word gets out that hacking will be
pursued, then petty attempts will fall off.  Right now there are essentially
no consequences for casual hackers going after small sites.

Chris Weiss
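To make the hosts.allow/hosts.deny lookup order concrete, here is an added example (not from the list post and not Cobalt's code) that evaluates the standard tcp_wrappers decision rule against two constructed sample files. The daemon names and addresses are assumptions; only the common subset of the access-control syntax is handled.

```python
"""Mini evaluator for tcp_wrappers hosts.allow / hosts.deny semantics.

Lookup order as documented for tcp_wrappers: a matching entry in
hosts.allow grants access; otherwise a matching entry in hosts.deny
refuses it; otherwise access is granted.  Handles daemon lists, the ALL
wildcard, exact addresses, trailing-dot prefixes (192.168.10.) and
network/mask or CIDR forms.  EXCEPT clauses and hostnames are not handled.
"""
import ipaddress

# Constructed sample files: SSH only from the office LAN, default deny for
# everything else (so telnet/FTP probes from the Internet get no answer).
HOSTS_ALLOW = """
sshd: 192.168.10.          # trailing dot = network prefix
"""
HOSTS_DENY = """
ALL: ALL
"""

def _parse(text):
    """Return a list of (daemon_list, client_list) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")          # optional third field (shell command) ignored
        rules.append(([d.strip() for d in parts[0].split(",")],
                      [c.strip() for c in parts[1].split(",")]))
    return rules

def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:                   # 10.1.0.0/255.255.0.0 or 10.1.0.0/16
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):            # 192.168.10. matches 192.168.10.*
        return client_ip.startswith(pattern)
    return client_ip == pattern

def _matches(rules, daemon, client_ip):
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and \
                any(_client_matches(c, client_ip) for c in clients):
            return True
    return False

def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the allow-then-deny-then-default-allow rule of tcp_wrappers."""
    if _matches(_parse(allow_text), daemon, client_ip):
        return True
    if _matches(_parse(deny_text), daemon, client_ip):
        return False
    return True                          # no rule matched: tcp_wrappers allows
```

The last branch is the caveat worth remembering: with an empty hosts.deny, an unmatched client is allowed, which is why the sample deny file carries the catch-all line.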



-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Hugh Taylor
Sent: Friday, September 08, 2000 10:52 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] URGENT Hacking


I know I'm coming in late to this thread, but please bear with me. I would
suggest, as has been previously suggested, that you go to www.sans.org and
look there for the next level one classes they are offering. I took the whole
track in July in DC and found it very interesting and informative. One thing
you will learn from the courses, is that brute force password cracking WILL
ALWAYS WORK, it is just a matter of time. The only way to prevent this type of
attack is to make sure you have strong passwords and change them regularly.
How often depends on how strong the passwords are, how fast the current PCs
are, and how important it is to protect the data (there are some other
variables also).

The other thing you'll learn is NEVER run a password cracking program
without prior written permission from your management, preferably at least
two levels above you. I would suggest that if you are using a hosting
service, getting written permission from them also. Without written, signed
permission you may find yourself looking for another job and/or being
criminally prosecuted.


Mark Baker - Cobalt Lists wrote:

> Hi All,
>
> We've just had an account hacked on our RaQ3, the person who did this
> claims he got it from the log files just above the user name e.g.
> domain.com/~user
> Apparently he got the FTP password from there, and used it to change the
> site e.t.c
> He claims he used brute force, this is all I know so please help anyone
> out there!!
>
> Is this a known fault and when do cobalt expect to fix it?
>
> Regards,
>
> Mark Baker
> Dark Marketing Ltd
> http://www.yoursitehere.co.uk
> ------------------------------------------------------------------
> Low cost Internet Solutions including Hosting,
> Domain Registration and Design.
> http://www.yoursitehere.co.uk | info@xxxxxxxxxxxxxxxxxx
> ------------------------------------------------------------------
> FREE .co.uk with Unix hosting package 2 to 7 at
> http://www.yoursitehere.co.uk !!
> ------------------------------------------------------------------
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

--
Hugh Taylor
Supervisor, IS
The Johns Hopkins University
Chemical Propulsion Information Agency
10630 Little Patuxent Parkway, Suite 202
Columbia, MD 21044-3204


