
RE: [cobalt-security] URGENT Hacking



On Fri, 8 Sep 2000, Chris Weiss wrote:

> If you are willing to run SSH and safeTP and shut off standard telnet and
> ftp, you block the overwhelming majority of brute force attacks.  Most brute
> force attacks look for standard telnet and FTP ports.  If these don't
> respond the hacker usually moves on.
> 
> http://www.cs.berkeley.edu/~smcpeak/SafeTP

Agreed.  As far as I'm aware, there isn't a brute-force tool for SSH or
SafeTP (of course, this doesn't stop somebody writing one).

> By using encrypted FTP and SSH, no passwords will ever pass in the clear,
> making your machine much much safer.

Well, yes and no.  I broke into a network a few years ago now and
trojanned up SSH on all the boxes, so that it logged users' passwords to a
text file and mailed it to me.  I just sat back for a few months and
watched everybody's passwords roll in.  Most people don't understand that
although SSH password authentication passes through a 'secure channel', the
passwords are still exchanged in plain text (i.e. non-hashed) and so you
have to trust the server.

> I have never had a successful brute
> force break-in on machines where standard FTP and standard Telnet are
> replaced with their encrypted equivalents.

Well, it depends what other stuff you were running.  Don't discount
attacks like generic buffer overflows (rpc.statd, bind attacks
etc).  They make up a sizable amount of Internet attacks.

And it's just as easy for script kids to launch them.

> Another good choice is to run SSL mail.  Outlook 2000 and Outlook Express
> support this very well.  Netscape does not, nor does Eudora, so you might
> have to get user buy in before implementing this.

Another option is to also limit pop connections to localhost (127.0.0.1),
and make users SSH in and use SSH port forwarding to redirect to pop3.  It
does work, and there's plenty of decent SSH clients for Linux, BSD,
Solaris, Windows etc.
 
> Once your standard services are encrypted, it becomes very hard for the
> typical mindless hacker to break in.  I say "mindless" because most hackers
> simply download tool kits and bots and use them without understanding how
> they work.

And 'generic exploits' (not just brute forcing tools).  It's far easier to
sweep across a hosting company's network for hosts running an old version
of, say, qpopper, and using that to break into all the machines, than
cracking users' passwords.

> Also, never give a shell account to anyone who doesn't
> need one.

Agreed.  This is an easy way to get 'owned'.  It's also worth remembering
that even if you trust your users, it's quite easy for their accounts to be
compromised by third parties (eg SubSeven crackers).

<snip>

> If your environment allows you to restrict access to known hosts, you can
> use TCP wrappers to block most probes on your machine (hosts.allow,
> hosts.deny, inetd.conf).

Agreed.  FE, I run qpopper, ssh, telnet and ftp on owned.lab6.com with
hosts.deny set to deny all, and hosts.allow set up to allow certain UK ISP
users to connect.  There's no reason people on the other side of the world
need to be able to access ftpd when they don't have accounts.

> Even if you can't, many hackers have cable modems and DSL lines with
> visible IP addresses.  You can add these to your hosts.deny file
> simply to block specific idiots who won't leave you alone.

It would be nice if Cobalt hadn't removed ipchains from their
distribution, as this would aid greatly in blocking things like this.
 
> Brute force assumes repeated attempts can be made on specific ports, etc.,
> If you block the ports and encrypt the access, most attacks are blocked
> before they can start.  A simple trick that stops many attacks, is to
> redirect services to non-standard ports such as using port 999 for telnet.
> However, any hacker with a port scan program will figure this out pretty
> quickly.

Indeed.  If they are just scanning huge subnets looking for boxes, with,
for example, telnet running they won't spot your box if you've changed the
port.

> Finally, if you can get the IP address and/or host names of hackers breaking
> into your systems - REPORT THEM!!!!  If everyone prosecuted illegal accesses
> on their machines, it might actually stop the annoying hacking of
> adolescents and college students who have too much time on their hands!!  I
> have had people kicked off their services such as @Home for hacking
> activities that I could trace.  If the word gets out that hacking will be
> pursued, then petty attempts will fall off.  Right now there are essentially
> no consequences for casual hackers going after small sites.

You have to remember that a lot of system crackers are using compromised
systems to hack from.  And they are logging into those systems from other
cracked systems.

In reality, security of Linux systems in very basic terms is crap.  If
people got together, they would take GNU'ed programs like ProFTPD and
modify them so if logins are tried successively on an account for >XXX
times, lock the account automatically and mail root.

Gossi.
Who had 8 break-in attempts from 'generic' UK ISP users to his Windows 2000
PC while writing this reply.
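The "hosts.deny set to deny all, hosts.allow set up to allow certain users" setup discussed above depends on the order in which TCP wrappers consults the two files: hosts.allow is read first and the first matching rule grants access, then hosts.deny and the first matching rule denies, and if neither matches the connection is allowed. The following is an added example, not code from this thread, from Cobalt or from tcp_wrappers itself: a small Python evaluator for that lookup order over constructed rule files. It supports only a subset of the pattern language (ALL, a leading-dot hostname suffix, a trailing-dot IP prefix, and net/mask); the daemon names (sshd, in.ftpd, popper), hostnames and addresses are made up for the example.

```python
"""Simplified evaluator for tcp_wrappers-style hosts.allow / hosts.deny rules.

Added example (not tcp_wrappers code). Lookup order as documented for the
library: hosts.allow first (first match grants), then hosts.deny (first match
denies), otherwise allow. Only a subset of the pattern syntax is handled.
"""
import ipaddress

# Constructed rule files: deny everything, then open a few services to a
# specific hostname suffix and network, and POP3 to localhost only.
HOSTS_DENY = """
ALL: ALL
"""

HOSTS_ALLOW = """
# comments are ignored, as in the real files
sshd, in.ftpd : .isp.example, 192.0.2.0/255.255.255.0
popper : 127.0.0.1
"""


def _parse_rules(text):
    """Turn a rule file into (daemon_patterns, client_patterns) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(":")                # a third (shell command) field is ignored
        daemons = [d.strip() for d in parts[0].split(",") if d.strip()]
        clients = [c.strip() for c in parts[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, host, ip):
    """Match one client pattern against the connecting host name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # ".isp.example" matches a hostname suffix
        return host.endswith(pattern)
    if pattern.endswith("."):              # "192.0." matches an address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                     # "net/mask" in dotted notation
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            return ipaddress.ip_address(ip) in network
        except ValueError:
            return False
    return pattern == host or pattern == ip  # plain hostname or address


def _any_rule_matches(rules, daemon, host, ip):
    for daemons, clients in rules:
        daemon_ok = any(p == "ALL" or p == daemon for p in daemons)
        client_ok = any(_client_matches(p, host, ip) for p in clients)
        if daemon_ok and client_ok:
            return True
    return False


def access_allowed(daemon, host, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if the connection would be accepted under the given rule files."""
    if _any_rule_matches(_parse_rules(allow_text), daemon, host, ip):
        return True                        # hosts.allow wins first
    if _any_rule_matches(_parse_rules(deny_text), daemon, host, ip):
        return False                       # then hosts.deny
    return True                            # no rule matched: default is to allow


if __name__ == "__main__":
    for args in [("sshd", "dialup1.isp.example", "198.51.100.7"),
                 ("sshd", "host.far.example", "203.0.113.5"),
                 ("popper", "dialup1.isp.example", "198.51.100.7")]:
        print(args, "->", "allow" if access_allowed(*args) else "deny")
```

The default-allow when neither file matches is the point worth remembering: a hosts.allow entry with no deny-all in hosts.deny restricts nothing, which is why the deny-all line comes first in the setup described in the mail.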
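The closing suggestion, locking an account after more than a set number of successive failed logins and mailing root, can be prototyped outside the daemon by watching its log. The following is an added example, not from this thread or from ProFTPD: it runs that rule over constructed, syslog-like lines (the message format, host name, user names and addresses are made up and do not mirror real ProFTPD output). A successful login resets the counter, so only uninterrupted runs of failures trip the lock, and the function returns what it would lock and the notice it would mail rather than touching the system.

```python
"""Detect accounts with more than N consecutive failed logins from a log.

Added example; the log format below is constructed for the demonstration.
"""
import re
from collections import defaultdict

THRESHOLD = 5   # lock once failures exceed this many in a row

# Constructed sample log: alice fails seven times running; bob fails once,
# succeeds, then fails once more (the success resets his count).
SAMPLE_LOG = """\
Sep  8 23:41:02 www proftpd[2041]: login failed for user alice from 203.0.113.9
Sep  8 23:41:03 www proftpd[2041]: login failed for user alice from 203.0.113.9
Sep  8 23:41:04 www proftpd[2041]: login failed for user alice from 203.0.113.9
Sep  8 23:41:05 www proftpd[2041]: login failed for user alice from 203.0.113.9
Sep  8 23:41:06 www proftpd[2041]: login failed for user alice from 203.0.113.9
Sep  8 23:41:07 www proftpd[2041]: login failed for user alice from 203.0.113.9
Sep  8 23:41:08 www proftpd[2041]: login failed for user alice from 203.0.113.9
Sep  8 23:42:10 www proftpd[2043]: login failed for user bob from 198.51.100.4
Sep  8 23:42:20 www proftpd[2043]: login succeeded for user bob from 198.51.100.4
Sep  8 23:43:00 www proftpd[2045]: login failed for user bob from 198.51.100.4
"""

LINE_RE = re.compile(r"login (failed|succeeded) for user (\S+) from (\S+)")


def lockout_candidates(log_text, threshold=THRESHOLD):
    """Walk the log in order and return (locked, notices).

    locked  : dict of user -> source address of the failure that tripped the lock
    notices : list of mail bodies that would be sent to root
    """
    consecutive = defaultdict(int)
    locked = {}
    notices = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # unrelated log line
        outcome, user, src = m.groups()
        if outcome == "succeeded":
            consecutive[user] = 0         # a good login breaks the run
            continue
        consecutive[user] += 1
        if consecutive[user] > threshold and user not in locked:
            locked[user] = src
            notices.append(
                f"To: root\nSubject: account {user} locked\n\n"
                f"{consecutive[user]} consecutive failed logins, last from {src}"
            )
    return locked, notices


if __name__ == "__main__":
    locked, notices = lockout_candidates(SAMPLE_LOG)
    print("would lock:", locked)
    for n in notices:
        print(n)
```

One caveat a practitioner would add before wiring this to a real lock: anyone who can reach the service can lock any account they can name, so a time-limited lock or per-source throttling is usually preferable to a permanent lock that needs root to clear.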