Beware - you may be cracked

der.hans PLUGd@LuftHans.com
Sun, 17 Sep 2000 13:39:59 -0700 (MST)


On 16 Sep 2000, Shawn T. Rutledge said:

> On Sat, Sep 16, 2000 at 08:47:02PM -0700, Rod Roark wrote:
> > If you have a Linux box with a permanent net connection and have not
> > been particularly security-conscious, beware!  Chances are very good
> > that your system is already compromised.
> 
> I've had rstatd and ftpd disabled for a long time.  (I don't even 
> remember what rstatd does, some kind of status reporting probably?)

OK, looked at the advisories and rpc.statd is what's being exploited and
that is needed for nfs.

For ftpd to be compromised, the attacker has to have already logged in,
e.g. you're really only vulnerable if you allow anonymous ftp in from the
Net (if they sniffed a passwd and can log in via a named account, you've
got other worries as well).

Since none of us should be running nfs across the Net, that shouldn't be
available either.

The CERT advisory says rpc.statd doesn't have a standard port. Firewalling
this might be a little more difficult, but possible. I think it's UDP over
a certain port, so blocking that range might work quite well.

Portmapper, TCP and UDP ports 111, should also be blocked.

If a host directly connected to the Net doesn't need nfs, uninstall portmap
and rpc.statd.

> I use the web server for any uploading/downloading I need to do on my
> gateway box from the Internet.  The upload scripts are in PHP and 
> protected by being in a directory which requires password validation.
> Someday I'll get around to using SSL...

Better to use ssh and scp. Maybe the java version could be modified to run
from a web browser, then you can have it most anywhere :).

In any case ftp shouldn't be needed from the Net side.

ciao,

der.hans
-- 
#  der.hans@LuftHans.com   home.pages.de/~lufthans/   www.Opnix.com
#  A t-shirt a day keeps the noose (tie) away. - der.hans
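As an added example (not code from the original post), a script that reads `rpcinfo -p` output to find the port rpc.statd registered with the portmapper and emits firewall rules blocking it together with portmapper port 111; the sample `rpcinfo` output is constructed, and the iptables rule syntax and interface name `eth0` are assumptions.

```python
import re

# Constructed sample of `rpcinfo -p` output (not taken from the original post).
# Program 100000 is the portmapper, 100024 is status (rpc.statd).
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1026  status
    100021    1   udp   1027  nlockmgr
"""

STATD_PROGRAM = 100024
PORTMAPPER_PORT = 111


def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, name) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # skip the header and blank lines
        prog, vers, proto, port = int(parts[0]), int(parts[1]), parts[2], int(parts[3])
        name = parts[4] if len(parts) > 4 else ""
        entries.append((prog, vers, proto, port, name))
    return entries


def statd_ports(entries):
    """rpc.statd has no fixed port; read where the portmapper registered it."""
    return sorted({(proto, port) for prog, _, proto, port, _ in entries
                   if prog == STATD_PROGRAM})


def firewall_rules(entries, iface="eth0"):
    """Build iptables rules (assumed syntax) dropping Net-side traffic to
    the portmapper (TCP/UDP 111) and to every port rpc.statd is listening on."""
    rules = [
        f"iptables -A INPUT -i {iface} -p tcp --dport {PORTMAPPER_PORT} -j DROP",
        f"iptables -A INPUT -i {iface} -p udp --dport {PORTMAPPER_PORT} -j DROP",
    ]
    for proto, port in statd_ports(entries):
        rules.append(f"iptables -A INPUT -i {iface} -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in firewall_rules(parse_rpcinfo(SAMPLE_RPCINFO)):
        print(rule)
```

Because rpc.statd registers a different port each time it starts, the rules have to be regenerated after every restart; removing portmap and rpc.statd, as the post suggests, avoids that.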