Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.os.linux.security > #216
| From | Bit Twister <BitTwister@mouse-potato.com> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Re: Security breach? |
| Date | 2013-01-13 03:01 +0000 |
| Organization | A noiseless patient Spider |
| Message-ID | <slrnkf48sj.rpi.BitTwister@wb.home.test> (permalink) |
| References | (7 earlier) <XnsA145D152BCD6MyBigKitty@216.196.97.131> <QH3Is.24294$tK1.12909@newsfe07.iad> <XnsA145E07E53ACCMyBigKitty@216.196.97.131> <iL6Is.20389$KS4.4121@newsfe11.iad> <XnsA146B1F1F1686MyBigKitty@216.196.97.131> |
On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:
> this case. Now I will install tripwire and rkhunter while clean to
> further protect against these attacks.
I tried tripwire awhile back. A bit complicated for me. That is why
I went with http://sourceforge.net/projects/aide
Installed it, ran aide --init, rebooted, ran aide --check
appended changed files to bottom of /etc/aide.conf with leading !
to keep aide from warning about them after reboots.
Then added /home and whatnot and have a fair amount of confidence
all is well.
The su - root is good advice. My /etc/ssh/sshd_config has
PermitRootLogin without-password
which means I can not log in with a password, but I can get in if I
have correctly setup authorized_keys,public/private keys in /root/.ssh.
I also have tcpwrappers installed. That saved my butt a few days
ago when the firewall did not start up. Started getting emails from
root about ssh attempts when cracker was attempting brute force log into
root account. That made me check the firewall.
Here is a copy of my tcpwrappers /etc/hosts.(allow,deny) files.
$ cat /etc/hosts.allow
#************ Start of hosts.allow. ***************************************
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
#
# Created by /local/bin/hostx_changes
#
# After changing this file
#
#
ALL: .home.test, 127.0.0. 192.168.1.100,192.168.1.200,192.168.1.132,10.0.2. 169.254.1.
#
# 192.168.1.100,192.168.1.200,192.168.1.132: LAN_RANGE
# 10.0.2: VBOX_GUEST_RANGE
# 169.254.1: HDHOMERUN_RANGE
#
# found/generated in/from /etc/shorewall/params by /local/bin/hostx_changes
#
#************ End of hosts.allow. ***************************************
$ cat /etc/hosts.deny
#************ Start of hosts.deny ***************************************
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY
#*********************** end host.deny ********************************
Back to comp.os.linux.security | Previous | Next — Previous in thread | Next in thread | Find similar
Security breach? Ohmster <root@dev.nul> - 2013-01-10 23:29 -0600
Re: Security breach? Bit Twister <BitTwister@mouse-potato.com> - 2013-01-11 05:59 +0000
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-11 06:10 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 02:45 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-11 20:44 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 15:06 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-11 22:26 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 16:45 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-12 00:24 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 19:34 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-12 02:16 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 21:04 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-12 05:44 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-12 16:29 -0600
Re: Security breach? Bit Twister <BitTwister@mouse-potato.com> - 2013-01-13 03:01 +0000
Re: Security breach? GangGreene <GangGreene@example.com> - 2013-01-13 07:24 -0500
Re: Security breach? Bit Twister <BitTwister@mouse-potato.com> - 2013-01-13 14:51 +0000
Re: Security breach? GangGreene <GangGreene@example.com> - 2013-01-13 10:45 -0500
Re: Security breach? Jim Beard <jdbeard@patriot.net> - 2013-01-13 12:21 -0500
Re: Security breach? GangGreene <GangGreene@example.com> - 2013-01-13 12:59 -0500
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-13 20:40 +0000
Re: Security breach? GangGreene <GangGreene@example.com> - 2013-01-13 16:14 -0500
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-13 23:51 +0000
Re: Security breach? GangGreene <GangGreene@example.com> - 2013-01-14 09:59 -0500
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-14 17:39 +0000
Re: Security breach? GangGreene <GangGreene@example.com> - 2013-01-14 16:16 -0500
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-14 21:48 +0000
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-13 20:35 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 17:05 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-12 00:26 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 03:10 -0600
Re: Security breach? Bit Twister <BitTwister@mouse-potato.com> - 2013-01-11 11:31 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 15:53 -0600
Re: Security breach? Aragorn <stryder@telenet.be.invalid> - 2013-01-11 23:05 +0100
Re: Security breach? Richard Kettlewell <rjk@greenend.org.uk> - 2013-01-11 22:14 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 16:47 -0600
Re: Security breach? Bit Twister <BitTwister@mouse-potato.com> - 2013-01-12 00:26 +0000
Re: Security breach? Richard Kettlewell <rjk@greenend.org.uk> - 2013-01-12 09:23 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-12 16:31 -0600
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-12 16:36 -0600
Re: Security breach? Aragorn <stryder@telenet.be.invalid> - 2013-01-13 14:45 +0100
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 16:39 -0600
Re: Security breach? Bit Twister <BitTwister@mouse-potato.com> - 2013-01-12 00:08 +0000
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-11 20:50 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 15:19 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-11 22:30 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 16:49 -0600
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 02:36 -0600
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 02:52 -0600
Re: Security breach? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2013-01-11 03:10 -0500
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 02:39 -0600
Re: Security breach? Richard Kettlewell <rjk@greenend.org.uk> - 2013-01-11 10:53 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 15:12 -0600
Re: Security breach? Aragorn <stryder@telenet.be.invalid> - 2013-01-11 22:53 +0100
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 15:57 -0600
Re: Security breach? Aragorn <stryder@telenet.be.invalid> - 2013-01-11 23:29 +0100
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 16:55 -0600
Re: Security breach? Aragorn <stryder@telenet.be.invalid> - 2013-01-11 23:59 +0100
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 17:07 -0600
Re: Security breach? Aragorn <stryder@telenet.be.invalid> - 2013-01-12 00:24 +0100
Re: Security breach? `blindshell' ...INFECTED (PORTS: 465) Ohmster <root@dev.nul> - 2013-01-11 17:48 -0600
Re: Security breach? `blindshell' ...INFECTED (PORTS: 465) Ohmster <root@dev.nul> - 2013-01-11 18:07 -0600
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-12 00:16 +0000
Re: Security breach? Aragorn <stryder@telenet.be.invalid> - 2013-01-12 12:13 +0100
Re: Security breach? unruh <unruh@invalid.ca> - 2013-01-12 18:30 +0000
Re: Security breach? Richard Kettlewell <rjk@greenend.org.uk> - 2013-01-11 22:07 +0000
Re: Security breach? Ohmster <root@dev.nul> - 2013-01-11 17:22 -0600
csiph-web