Importance of securing systems


Post by Belgario » Wed, 14 Apr 1999 04:00:00



Quote:

>What this should say to anyone is that you shouldn't take your system's
>security for granted. Don't believe just because you're anonymous
>that you're safe.

>Here are the attempts extracted from the log file(s). As you can see,
>they come from all over:

    That's all the connections you've had? Damn...

    Paranoia if you ask me. I have a machine on a dynamic 28.8k dialup and
get at least this many connections. If you IRC, you're asking for
connections like this, especially if you hang out in a place with a lot of
unix geeks. Every single time you connect somewhere that IP and hostname are
slathered all over their logs, and a lot of these places also have
portscanners now or other bots that try and verify that you're not spoofing.
For instance, if you join #linux on efnet, you're going to get portscanned,
if not by one of the users, by one of the ops (despite the fact that they
have a rule against it, the ops in there are some of the most hypocritical
*s I've ever seen).

    The things to look for in logs are repeated connections over an extended
period of time, or someone specifically hammering one port over and over
again. (10+ times in a few seconds is a good way to make it into my
hosts.deny file)

    If you were on a school network, you would realize this is even more
common. When I was at Oregon State I got a bazillion exploit attempts,
portscans (most of them by the network administration) and other various odd
connections, just because I was in an easy to predict group of IPs that
were running linux boxen.

    I wouldn't worry about it too much, if someone was going out of their
way to crack your system they would have been trying a hell of a lot harder
than to hit you twice and give up.

    After all, if you really want to lock down your system just comment out
all the lines in /etc/inetd.conf and killall -HUP inetd :)

Erik


Importance of securing systems

Post by Gary Camero » Wed, 14 Apr 1999 04:00:00


    Since you can read the addresses it is coming from, you should send a
*gram to their ISP if you detect frequent breakin attempts from the same
source...  That is exactly what I do to spammers.  They always have a
"remove" notice, but that only tells them that they have found a legitimate
address they can sell to other spammers.  I send the "remove" notice to
their ISPs, and it almost always works - the postmaster at their ISP usually
e-mails back to tell me the spammer has had their account disconnected.  The
overwhelming majority of ISPs are NOT spam or hacker friendly.  In the
latter case, they can probably be held legally liable if they know somebody
is using their service for illegal activity and do nothing about it.

    If the attempts are more than a one time random probing, and you really
have solid evidence somebody is trying to hack your machine, then you can
snip the relevant portion of your log as you did here, and email it to

will get their plug pulled pronto.

        << Snip >>

Quote:

>Here are the attempts extracted from the log file(s). As you can see,
>they come from all over:

>Feb  8 01:11:45 becca in.telnetd[26424]: refused connect from 24.113.59.205
>Feb  8 07:07:12 becca in.telnetd[27763]: refused connect from
>Feb  8 07:07:12 becca in.telnetd[27764]: refused connect from
        .
        .
        .

        << Rest of list snipped >>


Importance of securing systems

Post by John Meiss » Thu, 15 Apr 1999 04:00:00




>>Here are the attempts extracted from the log file(s). As you can see,
>>they come from all over:

>    That's all the connections you've had? Damn...

it was a slow period ;-)

Quote:

>    Paranoia if you ask me. I have a machine on a dynamic 28.8k dialup and
>get at least this many connections. If you IRC, you're asking for
>connections like this, especially if you hang out in a place with a lot of
>unix geeks.

Don't use IRC. Don't seem to have the time.

Quote:

>    I wouldn't worry about it too much, if someone was going out of their
>way to crack your system they would have been trying a hell of a lot harder
>than to hit you twice and give up.

I don't worry. It's just an interesting data point. If I see someone
make repeated attempts I forward the log file entries along with
a complaint to their ISP; I figure if they're poking at my system they're
probably actively trying to get into other systems, too.

Quote:

>    After all, if you really want to lock down your system just comment out
>all the lines in /etc/inetd.conf and killall -HUP inetd :)

I could turn the power off, too :-)

I wonder...I never thought about it before, but does going through
a proxy server mask your address?

john-


Importance of securing systems

Post by Andreas Dilg » Thu, 15 Apr 1999 04:00:00




>Since I got my cable modem and my machine is on the net 24/7 I see
>fairly active attempts to connect. Most times it's just a telnet,
>other times there will be corresponding hits on finger, popper,
>ftp, web, and several others. I generally keep 8 weeks worth of
>log files. In the last 8 weeks I had 80 attempts to telnet into
>my machine.

Actually, I try to avoid them even getting as far as being denied
by telnetd.  I would rather have ipchains DENY the connection attempt
(this takes a few seconds/attempt).  I basically have all incoming
traffic sent to the bit bucket.  As an added measure, I still try
to keep the system as secure as possible (ie few login accounts, few
daemons running, etc), but two layers of defence are better than one.

However, from your logs, it doesn't look like serious attempts yet.
If someone is going at 3 or 4 ports from the same source address, I
would go after them...  One connect attempt can be written off as
mistaken identity (eg their friend used to have that IP last week).

Cheers, Andreas
--
Andreas Dilger   University of Calgary  \"If a man ate a pound of pasta and
                 Micronet Research Group \ a pound of antipasto, would they
Dept of Electrical & Computer Engineering \   cancel out, leaving him still
http://www-mddsp.enel.ucalgary.ca/People/adilger/       hungry?" -- Dogbert


Importance of securing systems

Post by John Meiss » Thu, 15 Apr 1999 04:00:00






>>Since I got my cable modem and my machine is on the net 24/7 I see
>>fairly active attempts to connect.

>......., from your logs, it doesn't look like serious attempts yet.
>If someone is going at 3 or 4 ports from the same source address, I
>would go after them...  One connect attempt can be written off as
>mistaken identity (eg their friend used to have that IP last week).

Actually, I have a fixed IP address (well, assigned via dhcp but it
hasn't changed since I got the connection last November).

I figure 99.9% are trolling....they downloaded something off a
hacker ftp site and they're scanning the net looking for something
that responds. I watch for patterns; three or more attempts from
the same address and I figure they have more than a passing
interest and I pass the information along to their ISP.

Once I was probed from a school Web server, so I contacted the Webmaster
and they discovered the system had been cracked.

In general, I just keep a tight system, keep my eye on the logs,
and don't worry about it too much.

john-


Importance of securing systems

Post by Jim Harpe » Thu, 15 Apr 1999 04:00:00



> A while back I had asked about suspicious network activity (that turned
> out to be innocent). At that time I had volunteered to post a summary
> of some of the activity I typically see. Since I was looking at the
> log files anyway, I thought I would follow through and provide a
> glimpse of what goes on.

> Here are the attempts extracted from the log file(s). As you can see,
> they come from all over:

> Feb  8 01:11:45 becca in.telnetd[26424]: refused connect from 24.113.59.205

You need to set up ipfwadm or ipchains to deny those attempts *before*
in.telnetd has a chance to give them a login prompt. I know from experience that
tcpwrappers doesn't work; my system got busted into anyway.

One of these days you'll see:

12:00:01 refused connect from host.xyz
12:00:02 refused connect from host.xyz
12:00:03 connect from host.xyz

and they'll be in...

--
Jim Harper
http://24.0.127.204
"Linux... it's not just for breakfast anymore."
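Several posters above describe the same triage rules for tcp_wrappers log lines by hand: Erik's "10+ hits on one port in a few seconds goes into hosts.deny", Andreas's "3 or 4 ports from the same source", John's "three or more attempts from the same address", and Jim's warning that a run of "refused connect" followed by a plain "connect" from the same host means the wrapper no longer stopped them. The script below is an added example, not code from any of the posters; it parses syslog lines in the format quoted in the thread, applies those four rules per source address, and emits hosts.deny entries for the sources that trip the stronger ones. The log sample, the year (syslog lines carry none) and the threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the tcp_wrappers syslog format quoted in the thread
# (documentation/private address ranges, not the IPs from the posts).
SAMPLE_LOG = """\
Feb  8 01:11:45 becca in.telnetd[26424]: refused connect from 203.0.113.5
Feb  8 07:07:12 becca in.telnetd[27763]: refused connect from 10.0.0.7
Feb  8 07:07:12 becca in.telnetd[27764]: refused connect from 10.0.0.7
Feb  8 07:07:12 becca in.telnetd[27765]: refused connect from 10.0.0.7
Feb  8 07:07:13 becca in.telnetd[27766]: refused connect from 10.0.0.7
Feb  8 07:07:13 becca in.telnetd[27767]: refused connect from 10.0.0.7
Feb  8 07:07:13 becca in.telnetd[27768]: refused connect from 10.0.0.7
Feb  8 07:07:14 becca in.telnetd[27769]: refused connect from 10.0.0.7
Feb  8 07:07:14 becca in.telnetd[27770]: refused connect from 10.0.0.7
Feb  8 07:07:14 becca in.telnetd[27771]: refused connect from 10.0.0.7
Feb  8 07:07:15 becca in.telnetd[27772]: refused connect from 10.0.0.7
Feb  9 02:00:00 becca in.fingerd[30001]: refused connect from 192.0.2.9
Feb  9 02:00:01 becca in.ftpd[30002]: refused connect from 192.0.2.9
Feb  9 02:00:02 becca ipop3d[30003]: refused connect from 192.0.2.9
Feb 10 12:00:01 becca in.telnetd[31000]: refused connect from 198.51.100.4
Feb 10 12:00:02 becca in.telnetd[31001]: refused connect from 198.51.100.4
Feb 10 12:00:03 becca in.telnetd[31002]: connect from 198.51.100.4
"""

# "<mon> <day> <hh:mm:ss> <host> <daemon>[pid]: (refused )connect from <src>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ (?P<service>[\w.]+)\[\d+\]: (?P<status>refused connect|connect) "
    r"from (?P<src>\S+)$"
)
LOG_YEAR = 1999  # assumed: syslog timestamps have no year field


def parse(text):
    """Return (timestamp, service, was_refused, source) tuples, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a tcp_wrappers connect line
        ts = datetime.strptime(
            f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["service"], m["status"] == "refused connect", m["src"]))
    return events


def analyze(text, repeat=3, services=3, burst_n=10, burst_window=timedelta(seconds=5)):
    """Map each source address to the set of thread heuristics it trips."""
    by_src = defaultdict(list)
    for ev in sorted(parse(text)):  # chronological order per source
        by_src[ev[3]].append(ev)

    report = {}
    for src, evs in by_src.items():
        flags = set()
        refused = [e for e in evs if e[2]]

        # John: three or more attempts from one address is more than passing interest
        if len(refused) >= repeat:
            flags.add("repeated")

        # Andreas: the same source going at several different ports/services
        if len({e[1] for e in refused}) >= services:
            flags.add("multi-service")

        # Erik: hammering one port, 10+ times within a few seconds (sliding window)
        per_service = defaultdict(list)
        for ts, svc, _, _ in refused:
            per_service[svc].append(ts)
        for times in per_service.values():
            for i in range(len(times) - burst_n + 1):
                if times[i + burst_n - 1] - times[i] <= burst_window:
                    flags.add("burst")
                    break

        # Jim: refusals followed by an accepted "connect from" the same host
        seen_refused = False
        for _, _, was_refused, _ in evs:
            if was_refused:
                seen_refused = True
            elif seen_refused:
                flags.add("accepted-after-refused")

        if flags:
            report[src] = flags
    return report


def hosts_deny_lines(report, block_on=("burst", "multi-service")):
    """hosts.deny entries ("ALL: <addr>") for sources that trip the stronger rules."""
    return [f"ALL: {src}" for src in sorted(report) if report[src] & set(block_on)]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, flags in sorted(result.items()):
        print(f"{src:15} {', '.join(sorted(flags))}")
    print("\n".join(hosts_deny_lines(result)))
```

The "accepted-after-refused" flag is deliberately kept out of the hosts.deny output: by the time it fires the wrapper has already let a connection through, so it is a signal to go and look at the box, not something a deny rule can fix after the fact, which is the point Jim and Andreas are making about filtering with ipchains in front of the daemon.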

