Correction - you've BEEN cracked. Now it's time to clean up the mess.

> Rick Rosinski wrote:
> [snip]
> > The point to all of this is: I want to find out how to stop this from
> > happening. I have a few ideas of my own, and I have lots of questions.
> >
> > Besides setting up a firewall, what other security measures should I consider
> > implementing?
> >
> > What will it take to keep this guy out of my system? What is he capable of
> > doing besides knowing my command history in my term windows? Would it be
> > effective if I set up a user for myself (I am always root) to keep him out?
> > I am not on a LAN, just ppp to inficad, and I don't know if being root is
> > dangerous or not.
>
> You should consider your system completely compromised! At this
> point, the cracker could very easily have total access to every part

If the guys are half as good as they claim to be, or if they are using a
rootkit, then the cracker(s) DO have total access to every part of your system.

> of your system. In your case, you MUST do a clean reinstall. Back up
> your important data, then nuke your hard drive and start from scratch.
> This is *necessary* since your cracker could have put in any number of
> back-doors or trojans that will circumvent anything you do!

The only thing I might add - if these were 'bad guys' that you wanted to
prosecute, then you'd take a slightly different approach. Otherwise, back up
your critical info, turn off that computer, get a CLEAN Linux install CD,
turn off your modem, power up and boot off the CD (or make a clean install
floppy), and re-install from scratch. DO NOT use ANY PART of your previous
system. DO NOT restore directories blindly from that compromised system...

Oh - yeah - don't run as root as your normal user. Also - DO NOT HAVE '.' in
your $PATH! Or, if you do, make CERTAIN it's last!

> That done, you'll need to beef up the security on your box. This is
> one area where most Linux distributions really fall short... the
> default install on all general distros is *way* too promiscuous.
>
> Unfortunately, the topic of security isn't an easy one. If you RTFM,
> you'll see that the FMs are very long and very complex. They usually
> assume that you are a dedicated sysadmin. Very few HOWTOs deal with
> a "normal" home user.

I've seen a good one somewhere. The short version is - turn off anything you
do not absolutely know you must have. (The best thing is to set up a true
firewall in front of all your other machines - great use for that 'useless'
486 gathering dust. Don't have a useless 486 gathering dust? Email me ;-)

> That said, I recommend that you check out www.linuxsecurity.org. They
> have a number of HOWTOs there that can help.
>
> In the meantime, though, I recommend doing at least the following:
> ...
> 2) Set up a packet filter (firewall) that denies *all* incoming packets.
> 3) Shut down all non-essential services. Since you are on a dial-up,
> 4) Pick a very good password for Root and preferably change it every
> 5) Rarely log in as Root. Create any number of normal users and do
> 6) Always keep up to date with your distro's update patches

All good suggestions... (A truly paranoid person would disallow root logins
on anything but the 'console' as well....)

Again, I'd add:

7) Use a firewall machine with NAT in front of everything else, even if it's
only one other machine!

Sometime back someone posted a good reference to the psychology of crackers.
Let's see... nope, sorry, I cannot find it. Try looking for 'psychology of
cracker' or something like that. Anyway, this is good, though:
http://www.enteract.com/~lspitz/papers.html

rc
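The "no '.' in your $PATH, or at least make it last" advice above has a subtlety that bites people who check only for a literal dot: under POSIX an *empty* component (a leading colon, a trailing colon, or a doubled `::`) also means the current directory, and any component that is not an absolute path is resolved relative to wherever you happen to be standing. The script below is an added example written for this page, not code posted by anyone in the thread; the function names (`path_cwd_positions`, `path_classify`, `path_clean`) and the convention of passing the PATH string as the first argument are my own choices. It reports every current-directory-relative entry by position, classifies the whole PATH as clean, last-only, or unsafe, and produces a cleaned copy with only absolute entries. It runs in any POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a PATH string for
# entries that resolve relative to the current directory.
#
# Assumption: every function takes the PATH value to inspect as $1, so the
# functions can be tested on constructed strings rather than the live $PATH.
#
# Why it matters: a cracker who can write a file called "ls" into /tmp gets
# it run as root the moment root does "cd /tmp; ls" with '.', '', or any
# relative entry ahead of /bin in PATH.

# path_cwd_positions PATHSTRING
# Prints the 1-based positions of all components that are not absolute
# paths (so '.', '', 'bin', './tools' all count), space separated.
path_cwd_positions() {
    _rest="$1:"          # sentinel colon so the final component is processed,
    _i=0                 # and a trailing ':' in the input yields an empty entry
    _out=""
    while [ -n "$_rest" ]; do
        _i=$((_i + 1))
        _comp=${_rest%%:*}   # everything before the first ':'
        _rest=${_rest#*:}    # drop it and the ':'
        case $_comp in
            /*) ;;                         # absolute: fine
            *)  _out="$_out $_i" ;;        # relative or empty: cwd-dependent
        esac
    done
    printf '%s\n' "${_out# }"
}

# path_classify PATHSTRING
# Prints one of:
#   clean   - no cwd-relative entries at all
#   last    - exactly one, and it is the final component (the thread's
#             "make CERTAIN it's last" compromise)
#   unsafe  - anything else
path_classify() {
    _rest="$1:"
    _n=0
    _bad=""
    while [ -n "$_rest" ]; do
        _n=$((_n + 1))
        _comp=${_rest%%:*}
        _rest=${_rest#*:}
        case $_comp in
            /*) ;;
            *)  _bad="$_bad $_n" ;;
        esac
    done
    # _n is now the total component count
    case "$_bad" in
        '')      printf 'clean\n' ;;
        " $_n")  printf 'last\n' ;;
        *)       printf 'unsafe\n' ;;
    esac
}

# path_clean PATHSTRING
# Prints PATHSTRING with every non-absolute component removed, suitable for
# export PATH="$(path_clean "$PATH")" in a profile file.
path_clean() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _comp=${_rest%%:*}
        _rest=${_rest#*:}
        case $_comp in
            /*) _out="$_out:$_comp" ;;
        esac
    done
    printf '%s\n' "${_out#:}"
}

# Demonstration against the live environment; the functions above are the
# reusable part and are what the checks below exercise.
_verdict=$(path_classify "$PATH")
printf 'PATH verdict: %s\n' "$_verdict"
if [ "$_verdict" != clean ]; then
    printf 'cwd-relative entries at position(s): %s\n' "$(path_cwd_positions "$PATH")"
    printf 'cleaned PATH: %s\n' "$(path_clean "$PATH")"
fi
```

Run it as `sh audit_path.sh` from a root shell and from each normal user's shell, since every account has its own PATH; a verdict of `last` still means a `./foo`-style planted binary runs whenever a command is mistyped, so `clean` is the target.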