user tracking

Mark Peoples gascsd@gascairlines.com
Tue, 26 Sep 2000 01:18:46 -0700


What group is this? Throwing the combo of Solaris and 2k together makes me
think something to do with IT.  =)

Personally, techrepublic.com is pretty cool. They have some cool articles
every once-in-a-while. I did some NT stuff a few months back and did a
presentation to WNUG...backing up ACLs, ERDs, DHCP databases, etc etc. The
nixen part of it was writing to a smb share on linux box.  =)

As for security at ASU, heh. They're testing the ASURITE/kerberos stuff with
W2k. The goal is to get everything to authenticate in the krb domain. I
think the problem they're running into is having w2k clients authenticate
against the current nixen krb servers, or it's the other way around. krb is
the way to go at asu though, that's for sure. On the nixen machines, don't
bother with AFS though...they're going to stop using that in a few years,
moving to DFS (not MS DFS), so I've heard.

**HANS: We need to get that tour scheduled. =)  **

As for automation and s/w comparison for windows machines, you should be
able to get SMS through IT for your group. Make sure you get 1.2 and not 2.0
(unless you don't want to support Macs <g>). We used this for package distro
stuff to the windows machines (only nt4 right now), and it worked pretty
well...now we just use ghost or LabExpert (LE is *very* cool...one of the
coolest damn things I've seen). Registry hacks are still your best friend to
make sure each system does things the same (eg, coordinating a/v updates and
upgrades).

I'll be starting on a nixen s/w comparison deal here in the next few days,
hopefully. We essentially run a mirror of redhat, and have all the RPMs
local on an NFS export to, well, the world. <g> The problem is that with
god-only-knows how many linux boxes in the dept., we have a hard time making
sure things are up to date on all of the boxes we administer. The goal is to
tie it into bb (we love bb <g>) to get the list of machines to update, and
so on.

Central administration rocks.


-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Kevin
Brown
Sent: Tuesday, September 26, 2000 12:54 AM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: Re: user tracking


Hmm, I start a job in the CC next monday doing sysadmin work for a small
group of people at ASU.  My job is basically to take over that part of their
work so they can devote their time to a program they are writing.  Looks like
I will be handling Solaris, BSD, linux, NT and 2000.  Security is an issue
that I will be facing and it's not something I've spent much time worrying
about.  My systems are behind a cisco router 675 (not that it's very secure,
but it does have a changing external ip).  Haven't done much even when the
router was in bridging mode (configured ipchains to only allow forwarding
from the internal network if destination was not on the internal network and
to ignore any external requests that weren't initiated internally).  Kinda
simplistic, but the box was there just to do masquerading for my 9 other
systems in the house (NT, Win98, Linux, 2000 server, etc...).

Without doing an 'rm -rf *' or 'format c:', what are some good sites or
utils for aiding in tightening the hatches on a system (i.e. how-to's, or
sites similar to http://www.securityfocus.com).

Also I will be working on Automation of the NT systems to make sure they are
all running the same software, anyone have any experience with this or have
pointers for how.  I vaguely recall something for the win95 resource kit
doing this, damn wish I hadn't gotten rid of it.

> We were going to implement a tool at work to monitor 20-30 various nixen
> boxes (DEC, Linux, BSDs [we need more of these <g>]) using some csh
> scripting, ssh, and rsync, and tie it into our bb stuff.
>
> I was reading something and came across this link which does almost the
> same task that we want, except with perl.
> http://perl.oreilly.com/news/sysadmin_0800.html
>
> The proggies you mentioned below were on the top of our list to monitor.
> We've got boxes (tier 3...we're not the admins) that get broken into
> fairly often (ASU is a favored target for douche bags, i mean script
> kiddies). Usually it's one break-in and we're the admin or they don't get
> their ether cable back. EG, last week, a tier-3 system was compromised and
> flooded an entire subnet, spiked the router to 100% for a few hours, and
> pissed off two TSAs.
>
> -----Original Message-----
> From: plug-discuss-admin@lists.PLUG.phoenix.az.us
> [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of
> plug@arcticmail.com
> Sent: Monday, September 25, 2000 10:59 PM
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Re: user tracking
>
> There are also other items in a standard rootkit.
>
> You could spend time checking ls, ps, top, sum, yada
> yada yada, against your pristine versions on read-only
> installation media (after booting into single-user
> mode on pristine read-only trusted media (and ONLY
> running binaries from said media)), but IMHO your best
> bet after a breach/rootkit incident is to take off and
> nuke the site from orbit.  It's the only way to be sure.
>
> I'm sure there's a HOWTO on cleaning up your system
> after a rootkit "upgrade."  Check Google.
>
> D
>
> * On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> > Thanks for the responses.  I never knew about the command "last".  Very
> > cool.  I've already found out most of what I needed.  It was some guy
> > over in Russia.  Those punks!  :-)  He left some cool utilz on the hard
> > drive for me though.  A login replacement that logs all usernames and
> > passwords and an in.ftpd replacement.  That's how he got in in the first
> > place.  I was running wu-ftpd 2.5.x... I already know there's tons of
> > documented exploits with that version.  I've just upgraded to wu-ftpd 2.6
> > so that should slow 'em down a little bit.
> >
> > Don
> >
> > On 26 Sep 2000, Bill Warner wrote:
> >
> > > This information is located in the /etc/shadow file.  It is referenced
> > > in the standard unix time thing (seconds since jan 1 1970).  Check
> > > man shadow for more details.
> > >
> > > Bill Warner
> > >
> > > > Hey guys.
> > > >       At login I get a printout of when the last login occurred.
> > > > Where is that info stored?  I want to check out a user on the system
> > > > but don't want to log in as them.  One of the machines I work with
> > > > had the root account compromised.  It's just running a few mushes so
> > > > it's not that big of deal but I don't want it happening again.  I
> > > > went through it with a fine tooth comb and wouldn't mind it if any of
> > > > you guys tried to whack at it...  Lemme know what you find.  The IP
> > > > is 205.216.140.17
> > > >
> > > > Don
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> post to the list quickly and you use Netscape to write mail.
>
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

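D's advice above (check ls, ps, top, sum and friends against pristine copies, running only binaries from trusted media) is the manual form of a baseline integrity check. The script below is an added example, not something posted in the thread: it records SHA-256 digests of a list of binaries into a manifest while booted from trusted media, and later compares the live system against that manifest, flagging any file whose digest changed or that went missing. It assumes a GNU `sha256sum`; the manifest path and file list are whatever the caller passes in.

```shell
#!/bin/sh
# Baseline integrity check for system binaries (added example, not from the thread).
# Run baseline_manifest while booted from trusted read-only media, then keep the
# manifest off the host (on the same media, or a remote host) so a rootkit that
# replaces ls/ps/top cannot also rewrite the expected digests.

# baseline_manifest MANIFEST FILE... : record "sha256  path" lines for each FILE.
baseline_manifest() {
  out=$1
  shift
  sha256sum "$@" > "$out"
}

# verify_manifest MANIFEST : recompute each digest and compare to the baseline.
# Prints one MISMATCH/MISSING line per problem; returns 0 only if everything matches.
# Note: the sha256sum used here must itself come from trusted media, since a
# trojaned hashing tool could lie about the very binaries being checked.
verify_manifest() {
  manifest=$1
  status=0
  while read -r expected path; do
    [ -n "$path" ] || continue              # skip blank lines in the manifest
    if [ ! -f "$path" ]; then
      echo "MISSING: $path"
      status=1
      continue
    fi
    actual=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $path"
      status=1
    fi
  done < "$manifest"
  return $status
}
```

A baseline is only as good as the media it was taken from: take it right after installation and patching, before the box is exposed, and re-take it after every legitimate package upgrade.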