Are Linux boxes vulnerable to be used by botnets?

Matt Graham danceswithcrows at usa.net
Mon Mar 17 09:17:50 MST 2008


After a long battle with technology, Josef Lowder wrote:
> This is all very interesting ... and confusing for my simple mind.
> It sounds like most of the replies to my question pertain to
> boxes that are used as "servers" and not just "regular users."
> Or are we all "servers"?

If you're running sshd/apache/smbd/postfix/sendmail/exim/telnetd/
anything like that, then you are a server.

> Hans wrote: "... someone could take advantage of it to deliver
> a payload that would turn GNU/Linux boxen into trojans."
>
> How can I determine if one of my computers has had something
> like this done?

"chkrootkit" is a starting point.  tripwire is another package that can be 
used for system monitoring.  IIRC, tripwire takes md5sums of each executable, 
library, and config file, then writes those md5sums to something (secure 
removable storage?), then periodically scans the executables and such to make 
sure their md5sums haven't changed.  If something *has* changed, it sends an 
OMGWTFBBQPANIC!!1! to a configurable address or takes other user-defined 
actions.  Naturally, when you upgrade software, you have to turn tripwire off 
and then tell it to rebuild its database before starting it up again.

> Erich Newell wrote: "You will simply be 'pwnt' ..."
> What does that mean?

http://icanhascheezburger.com/category/pwned/ .  It was originally a typo and 
has become one of those silly Net memes.

> John Hanson wrote: "at least once a day my Linux box ...
> is probed for a weak password /account through SSH."
> How can I determine if one of my systems has been "probed"?

/var/log/sshd/* , look for a bunch of lines kind of like so:

12:00:13 sshd: failed login [keyboard-interactive] for user admin , 1.2.3.4
12:00:17 sshd: failed login [keyboard-interactive] for user alex , 1.2.3.4
12:00:22 sshd: failed login [keyboard-interactive] for user andrew , 1.2.3.4
12:00:22 sshd: failed login [keyboard-interactive] for user andy , 1.2.3.4

> Mike Bydalek wrote: "... all my servers is use 2 little tools
> to help stop these automated attacks: DenyHosts"
> Is that something most Linux users should add to their system?

It depends on how paranoid or security-conscious you want to be, and how many 
services you're running, and whether your box is plugged in 24/7 or 
intermittently connected on dialup.  Remember, security is usually directly 
proportional to pain-in-the-assitude.  I would suggest doing *something* like 
what Mike suggested there though.

"Anthony Boynes" wrote:
>One thing about port knocking - I have found in the past that an
>extremely fast port scanner, such as scanrand, can hit all the ports
>fast enough to get me to an ssh prompt on a machine using it.  I don't
>recall the exact timing sequence, but it was at least 3 ports which
>needed to be hit in a certain order.  I found that quite interesting
>when I discovered it.

Figures.  (/me gets a 5-port sequence ready....)

-- 
    No man is an island, but then no man is a potato salad, either.
  My blog and resume: http://crow202.dyndns.org:8080/wordpress/
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
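As an added example (not part of Matt's post), here is the sort of scan a practitioner would run over sshd log lines to spot a password-guessing probe of the kind John Hanson describes. It parses both the line shape quoted above and the standard OpenSSH "Failed password for ..." wording, counts failures per source address, and flags any address over a threshold, which is essentially the rule DenyHosts applies before it writes the address into hosts.deny. The log lines are constructed for the example; the threshold value and the second log format are this example's assumptions, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample lines, not taken from a real host. The first four mimic the
# format shown in the post; the rest use the standard OpenSSH syslog wording.
SAMPLE_LOG = """\
12:00:13 sshd: failed login [keyboard-interactive] for user admin , 1.2.3.4
12:00:17 sshd: failed login [keyboard-interactive] for user alex , 1.2.3.4
12:00:22 sshd: failed login [keyboard-interactive] for user andrew , 1.2.3.4
12:00:22 sshd: failed login [keyboard-interactive] for user andy , 1.2.3.4
Mar 17 09:17:50 box sshd[2201]: Failed password for invalid user admin from 10.9.8.7 port 40112 ssh2
Mar 17 09:17:53 box sshd[2203]: Failed password for invalid user oracle from 10.9.8.7 port 40118 ssh2
Mar 17 09:17:55 box sshd[2205]: Failed password for root from 10.9.8.7 port 40120 ssh2
Mar 17 09:20:01 box sshd[2230]: Failed password for matt from 192.168.1.50 port 52000 ssh2
Mar 17 09:20:09 box sshd[2230]: Accepted publickey for matt from 192.168.1.50 port 52000 ssh2
"""

PATTERNS = [
    # "failed login [...] for user NAME , ADDR"  (the shape quoted in the post)
    re.compile(r"failed login \[[^\]]*\] for user (?P<user>\S+) , (?P<ip>[\d.]+)"),
    # "Failed password for [invalid user] NAME from ADDR port N ssh2"  (OpenSSH)
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
]


def parse_failures(text):
    """Yield (ip, user) for every failed-login line; everything else is ignored."""
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                yield m.group("ip"), m.group("user")
                break


def summarize(text):
    """Map each source address to the list of usernames it tried, in log order."""
    per_ip = defaultdict(list)
    for ip, user in parse_failures(text):
        per_ip[ip].append(user)
    return dict(per_ip)


def probing_hosts(text, threshold=3):
    """Addresses with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(ip for ip, users in summarize(text).items() if len(users) >= threshold)


if __name__ == "__main__":
    for ip, users in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} {len(users):3} failures, users tried: {', '.join(users)}")
    print("would deny:", probing_hosts(SAMPLE_LOG))
```

A long run of different usernames from one address in a few seconds, as with 1.2.3.4 and 10.9.8.7 above, is the signature of a dictionary attack; a single failure from an address that then logs in with a key, as with 192.168.1.50, is just someone fumbling a password. Point the parser at a real log by reading the file instead of SAMPLE_LOG; on most distributions sshd logs to /var/log/auth.log or /var/log/secure via syslog.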

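Also an added example, not from the post and not Tripwire's own code: a minimal baseline-and-rescan checker of the kind Matt describes. It records a SHA-256 digest, permission bits and size for every regular file under a directory, then on a later pass reports what was modified, removed or added. SHA-256 in place of md5 is this example's choice, since md5 collisions are cheap to produce. The demo builds a throwaway directory of fake "binaries" and tampers with it, so it runs offline; nothing in it came from a real system.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record relpath -> (digest, permission bits, size) for regular files."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue  # symlinks and devices are not hashed here
            st = os.stat(p)
            baseline[os.path.relpath(p, root)] = (hash_file(p), st.st_mode & 0o7777, st.st_size)
    return baseline


def check(root, baseline):
    """Rescan root and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: three fake binaries; then one is trojaned, one removed, one dropped in.

    Returns (report before tampering, report after tampering)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "netstat"):
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(p, 0o755)
        baseline = build_baseline(root)  # this is what you would write to read-only media
        clean = check(root, baseline)

        # Simulate a rootkit: ps is replaced with a version that hides a process,
        # netstat is deleted, and a new library turns up.
        with open(os.path.join(root, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\n/bin/ps | grep -v evil\n")
        os.remove(os.path.join(root, "netstat"))
        with open(os.path.join(root, "x.so"), "wb") as f:
            f.write(b"\x7fELF")
        return clean, check(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Two caveats a practitioner would add. The baseline must live somewhere the attacker cannot write, otherwise they rehash after trojaning; and the checker is only as honest as the kernel and libraries it runs on, so a kernel-level rootkit can feed it the original file contents while the running binary is something else. When compromise is suspected, boot from known-good media and hash the disk from there. As the post says, rebuild the baseline after every package upgrade or the next scan is all noise.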
