Spying

[Old Meat]

I read some interesting news a few months back about spy ware any body heard of this    
Symantec {Norton's} and McAfee   will not upgrade its anti-virus software for FBI spy ware {magic lantern}
.
Symantec Lease

[badkarma]

obtaining an ip address is quite easy and quite harmless in most cases as well, it's quite easy to look up a normal (snail mail) address for someone, and if they leave the door wide open, or leave the key sticking in then you're just asking to get robbed. If you install a infrared motiondetection burglar system the chances of someone coming in without at least you knowing about it are slim to none, this is a perfect analogy to internet security. A computer is as secure as the owner wants it to be (that's why a *lot* of people running windows 9x who have a cable/dsl/other broadband connection get hacked a lot and are acting as virus magnets)

On my linux box there are 2 ports open, the SSH port (which is a secure shell port, quite secure   ) and the X network port (so I can run programs from work at home, not quite as secure as SSH but not that insecure ....)

[iancom]

BadKarma... you've probably already patched it but just to make sure, and also to demonstrate that nothing is every really 100% secure:

Have you patched your sshd recently? A friend of mine had the RPM's of openssl and ssh installed (circa RH 6.2) and got seriously hacked a few weeks back. Nasty thing that installed a sniffer and emailed back any passwords it found that went over the wire plaintext (ftp, pop3, etc).

I was running exactly the same firewall setup as him with the exception that I recompile openssl and ssh from source whenever necessary, rather than relying on RPM's! A lucky escape for me I think...

I also prefer to have no ports whatsoever visible to the outside world in general... I lock down access to ssh only to IP addresses I know I'll need access from, ie work etc.

[badkarma]

Hmmm ... you probably don't know the version of sshd which has that exploit? Cause I just use the standard sshd which comes with SuSE 7.3 (but seeing that 7.3 is quite recent, it will probably contain the patched version)

My slackbox will probably have the insecure daemon installed however that pc isn't visible to the outside world, so I don't think that is much of a problem....

thanks for the tip anyway  

[voidmain]

I believe if you are above v 3.x of ssh you should be good. It's not a bad idea to restrict access to specific IP addresses or ranges.  Keeps the rif raf from trying anything anyway...

[badkarma]

hmm ... 2.9p ... /me thinks it's upgrade time  

[voidmain]

Karma, it's a good idea to get on the CERT mailing list where you will get notified of any new vulnerabilities as soon as they are known so you can upgrade the parts that become vulnerable. I find that running "stock" packages from a distribution (any distribution) is generally a bad thing.  Any packages that are exposed to the network (open sockets) should be upgraded to the latest versions which in itself will make you less prone to a hack down the road.  Hackers usually look for exploits in a packages contained in a stock distribution that listen on network ports. Because a lot of people have the "Microsoft Mentality" of just installing the distro and leaving at that, there is a great more number of machines that can be hacked when an exploit is found.  If you upgrade your's becomes "not like the others" and less prone to a hack.  But if you continually upgrade your network listening services you will be even less prone to an attack.  The first thing that should be done (and you have already done it) is limit the number of network listening services to a minimal, second would be to restrict those exposed services to a limited IP range, third have those packages up to date.

I have a dedicated machine acting as my firewall so I can be less strick about the machines behind my firewall.  But if I want to forward a couple of ports from an inside machine to the firewall, I still have to apply the rules I mentioned above to that inside machine.

[badkarma]

Yeah ... I know I should really install slackware (or better yet, linuxfromscratch) and keep a limited selection of updated packages (because the amount of packages that ships with SuSE is kind of overkill) though there are a few problems I have with this:

1. still not quite enough knowledge to really feel comfortable when installing slack/LfS on my main workstation (but I got VMWare and my second pc for that)

2. it takes time, which is a rather limited commodity in my inventory (with all my projects at work and a personal pet project I started a short while ago)

Ow, I just remembered that I also (sometimes) have a postgresql server running, though not on the default port (5432 is kinda very obvious, even though a portscanner doesn't care about that    ) and it's the latest (7.2) version which is only 2 weeks old orso, plus I only allow 2 connections to the db, and those 2 are myself 99% of the time    

I've never actually took the time to take a in depth look at security, somewhat because of lack of time, somewhat because of lack of interest and mostly because of the fact that the last virus I ever had was on my (parents actually) 8086, though I never used a virus scanner under windows. This is changing a bit now since I started working for my present employer (and started using linux) though, and I'm developing an interest for networking and network security (so when I get bored with programming I can do something else, I'm after all a self taught man   )

[ouch ... that layout hurted   ]

[ February 19, 2002: Message edited by: BadKarma ]

[voidmain]

If you are like me (also self taught) then you probably end up teaching the instructor when you *do* take a formal class?  For me I find classes to be a waste of time.  Classes have to teach to the dumbest person in the class.  I don't recall ever learning something in a computer class that I didn't already know.

Speaking of PostgreSQL, I assume you already tightened up pg_hba.conf restricting access to limited IP addresses/users/databases.  You should follow similar rules with that as you do with your firewall.  Only grant access to those that need it.  And make sure you have passwords set!

[badkarma]

You mean like my (minimum) of 14 characters pseudorandom, which aren't in any dictionary in the world (afaik) passwords?  

And I use a passphrase for SSH (hah, hope you like my 50+ character passphrase silly cracker)

Didn't tighten my pgsql access yet, thanks for mentioning it, will have a look at it now  

[voidmain]

You got it buddy!  Too bad more people don't "get it".  Although, long pass phrases do you no good if there is a buffer overrun vulnerability in sshd.  And long passwords do you no good if they float over the netword unencrypted.    Restricting based on IP can further help prevent a hack even if they did get your long password/phrase.

[ February 19, 2002: Message edited by: VoidMain ]

[iancom]

BadKarma... you can find details on finding out whether you're vulnerable from here:

http://www.whoi.edu/CIS/systems_support/security/upgrading-ssh.html

For security, I tend to go with the following philosophy:

1. At the kernel-level (ipchains, iptables, ipfilter etc) deny all incoming packets to the machine that are not necessary (including filtering based on source IP)

2. Do not run any daemons on a machine that you do not have to

3. Daemons that do not absolutely have to run as root should be run as an unpriveliged user

4. Daemons should, if possible, also be set up to do their own checking (independent of your firewall setup) on source-IP etc. Most common ones are capable of that.

5. Don't use stock distribution daemons. Compile your own from the latest source, subscribe to their "announce" mailing lists, and subscribe to CERT announcements to know when to upgrade.

Once you get used to doing it that way, it's surprisingly easy to keep it up!

[voidmain]

Actually rather than going to IanC's link why don't you go straight to the CERT site.  That link has no date and you don't know if it is outdated.  For instance I found this on CERT:

http://www.kb.cert.org/vuls/id/JARL-557PVR

Which shows for SuSe 7.3 you should be 2.9.9p2-74 and a link to download it... Joining the CERT mailing list you will be kept up to date on vulnerabilities as they are made known, along with fix information.

[iancom]

Good point...

I put that one in mostly because it's concise and easy to follow... I know that it's up-to-date enough to deal with the vulnerability that I was referring to with my friend's PC, which is what BadKarma was asking about.

Of course though, there is no substitute for getting your up-to-the-minute security information from a truly reliable source, like CERT.

[voidmain]

And I'm not sure what SuSe uses but RedHat has an "Errata" section on their web site with all the latest updates, I'm sure SuSe has something similar.  Checking that often and upgrading the key parts you are interested in is usually a fairly easy thing to do and keeps you pretty up to date on vulnerabilities. CERT is good for explaining the effects of a vulnerability and why you should upgrade...