Linux Help
Chkrootkit, Hackers/Crackers
Robert83
post Mar 2 2004, 04:13 AM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hi,

I've downloaded chkrootkit and have been playing with it for a while. There is an option for it to send mail automatically to root, and to use it with cron on a regular basis [hourly should be enough, right?].

Now what interests me is: do you know how to make chkrootkit write its output into a file?


[Some other questions]

If your firewall is set up the way it should be set up, I mean that only the really necessary ports respond to connection attempts and the others are in stealth mode, how safe am I? [I've been reading those pages at www.chkrootkit.org, and got really scared.] I mean, how on earth can a hacker come in through a stealthed port? And is it really true that this buffer overflow issue can be a serious threat? What is your opinion regarding this?


Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
hughesjr
post Mar 2 2004, 07:44 AM
Post #2


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Chrsiti, TX, USA
Member No.: 1,151



chkrootkit > filename

--------------------
You are never really totally safe (that is true with any firewall system, be it a million-dollar Cisco firewall, a $40 D-Link router, or a DOS-based packet filter on an 8088 PC) .... and yes, buffer overflows are a major problem.

A stealth port means that the kernel netfilter (iptables) drops the packet if it doesn't meet the requirements to get in .... BUT if you can do something to the packet that causes netfilter to instead open up a command prompt with root access, then you have defeated the firewall ...

Here is an example of a security issue that allows a local user to get root that involves iptables .... and here is one (see bug 3) that actually discusses a bypassing of iptables rules by a remote user (WBEL is not susceptible to this issue, it has been corrected, this is just an example).

That is why it is critical that security updates get installed ...

(This is not to say that you shouldn't have a firewall ... and Linux systems {when properly hardened and when updates are applied} are much more secure than Windows systems, BUT all systems are vulnerable.)


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
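As an added example (not code from the original thread), here is how the `chkrootkit > filename` answer and the cron-plus-mail idea from the question fit together in one wrapper: each run is kept in a dated report file, and root gets mail only when the report contains something worth reading. The log directory, the chkrootkit path, the mail recipient and the sample report lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original thread: a cron wrapper around chkrootkit
# that keeps each report in a dated file (the "chkrootkit > filename" idea) and
# mails root only when the report contains something worth looking at.
# LOGDIR, CHKROOTKIT and MAILTO are assumed paths/addresses; adjust to taste.
LOGDIR=${LOGDIR:-/var/log/chkrootkit}
CHKROOTKIT=${CHKROOTKIT:-/usr/sbin/chkrootkit}
MAILTO=${MAILTO:-root}

# Constructed sample of chkrootkit output (made up for this example) so the
# filter can be exercised without running chkrootkit itself. The sniffer line
# is the classic false positive: a legitimate tcpdump trips it too.
sample_report() {
cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/tcpdump[4412])
Checking `lkm'... chkproc: nothing detected
Checking `sshd'... not infected
EOF
}

# Read a chkrootkit report on stdin and print only the lines that need a human.
# Exit status is 0 when something was flagged and 1 when the report is clean,
# so callers can branch on it. Real findings say "INFECTED" in upper case,
# which is what keeps the routine "not infected" lines out of the result.
filter_findings() {
    grep -E 'INFECTED|Warning|PACKET SNIFFER|Vulnerable|Possible' | grep -v 'not infected'
}

# Run one scan, keep the full report, and mail a summary only if needed.
# chkrootkit runs with the binaries of the host it is checking; on a box whose
# ls/ps/netstat are already trojaned its verdict can be forged (chkrootkit's
# -p option lets you point it at known-good binaries, e.g. on read-only media),
# so treat a clean report as "nothing found", not as proof of anything.
run_scan() {
    mkdir -p "$LOGDIR"
    report="$LOGDIR/chkrootkit-$(date +%Y%m%d-%H%M).log"
    "$CHKROOTKIT" >"$report" 2>&1
    if findings=$(filter_findings <"$report"); then
        printf 'chkrootkit on %s flagged:\n\n%s\n\nFull report: %s\n' \
            "$(hostname)" "$findings" "$report" |
            mail -s "chkrootkit: suspicious result on $(hostname)" "$MAILTO"
        return 1
    fi
    return 0
}

# Hourly cron entry (in /etc/cron.d/chkrootkit or root's crontab), assuming
# this file is installed as /usr/local/sbin/chkrootkit-cron:
#   0 * * * *  root  /usr/local/sbin/chkrootkit-cron scan
# Without the "scan" argument the file only defines the functions above.
case ${1:-} in
    scan) run_scan ;;
esac
```

Because the filter is a separate function, you can replay an old report through it (`filter_findings < /var/log/chkrootkit/chkrootkit-20040302-1600.log`) to see exactly what would have triggered a mail.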
Robert83
post Mar 2 2004, 11:00 AM
Post #3





Hi,

A Few more questions :

1. In my /var/log/secure file, where I keep the ssh logins, the following two lines always show up:

Mar 2 16:24:59 WindowsXP sshd[10966]: lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory
Mar 2 16:24:59 WindowsXP sshd[10966]: lastlog_openseek: /var/log/lastlog is not a file or directory!
Mar 2 16:24:59 WindowsXP sshd[10968]: lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory
Mar 2 16:24:59 WindowsXP sshd[10968]: lastlog_openseek: /var/log/lastlog is not a file or directory!

If I created a file /var/log/lastlog, would these messages stop? And what is lastlog for? [Perhaps last login?]

2. What if [maybe a really stupid question or thing to do] I put two firewalls towards the outside world, like this:

LAN-WEBSERVER-MAILSERVER-FTPSERVER-FIREWALL2-FIREWALL1 would this be a bit better security?
I mean, if a hacker broke in and saw the second firewall, maybe he would leave with "oh my god, I can't take this anymore".

The two firewalls would have identical iptables rules, if that is good; I mean, that port-forwarding thing would work the same way, right? The only thing I would need to change on the second computer would be to trust the first firewall,
which would lead to, if I'm correct, that if firewall1 is hacked, firewall2 would let itself be hacked... right? Or is this possible somehow?

Or like this

LAN-FIREWALL2-MAIL-WEB-FTP-FIREWALL1, and in this case firewall2 would not trust firewall1 ...

Do you recommend using two firewalls? And if yes, what is the most effective use for a two-firewall system?

Sincerely
Robert B


hughesjr
post Mar 2 2004, 05:15 PM
Post #4





A second firewall probably wouldn't be much help ... because the exploit used to break into the first one would probably also work on the second one.

What might be good, however, is a third network card. This would allow you to have a DMZ that has all the servers on that card (eth2, with a different subnet, 192.168.2.0/255.255.255.0) ... and you would forward the ports from eth1 to eth2 (instead of eth0) ... but you wouldn't have any ports from eth1 or eth2 forwarded to eth0 ... so if someone compromised one of the other servers (i.e., they got root access to the e-mail server, the web server, or the ftp server, etc.) they would not have any access to the rest of the network.

They would only have access to the rest of the network if they compromised the firewall itself...which isn't normally the problem.


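The three-card DMZ layout described above, written out as iptables rules. This is an added example, not code from the original thread; the interface roles (eth0 LAN, eth1 uplink, eth2 DMZ) and the 192.168.2.x server addresses are assumptions chosen to match the post.

```sh
#!/bin/sh
# Added example, not from the original thread: iptables rules for a three-NIC
# firewall with a DMZ. Interface roles and addresses are assumptions chosen to
# match the post:
#   eth0  internal LAN, 192.168.1.0/24
#   eth1  Internet uplink
#   eth2  DMZ, 192.168.2.0/24, holding the web, mail and ftp servers
# Run as root:   apply_dmz_rules iptables
WEB=192.168.2.10
MAIL=192.168.2.11
FTP=192.168.2.12

# Publish one DMZ service: rewrite the destination on the uplink, then allow
# the rewritten flow from eth1 into eth2 and nowhere else. $1 host, $2 port.
publish() {
    "$ipt" -t nat -A PREROUTING -i eth1 -p tcp --dport "$2" -j DNAT --to-destination "$1:$2"
    "$ipt" -A FORWARD -i eth1 -o eth2 -p tcp -d "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# $1 is the command used to install each rule: "iptables" for real, or a stub
# that prints its arguments when you want to review the rule set first.
apply_dmz_rules() {
    ipt=$1

    # Nothing crosses the box unless a rule below says so.
    "$ipt" -P FORWARD DROP
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The ports the post forwards from eth1 to eth2 (instead of eth0).
    publish "$WEB" 80
    publish "$MAIL" 25
    publish "$FTP" 21   # FTP data channels also need the ftp conntrack helper loaded

    # LAN users may reach both the DMZ and the Internet; anything leaving on
    # the uplink (LAN or DMZ) is masqueraded behind the public address.
    "$ipt" -A FORWARD -i eth0 -o eth2 -j ACCEPT
    "$ipt" -A FORWARD -i eth0 -o eth1 -j ACCEPT
    "$ipt" -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    # DMZ hosts may talk out to the Internet (the mail server has to deliver).
    "$ipt" -A FORWARD -i eth2 -o eth1 -j ACCEPT

    # The reason for the third card: nothing that starts in the DMZ or on the
    # Internet may reach the LAN. The DROP policy already covers this; the
    # explicit rules log the attempt, and because they sit ahead of anything
    # appended later, a careless extra ACCEPT cannot reopen the path.
    "$ipt" -A FORWARD -i eth2 -o eth0 -j LOG --log-prefix "DMZ->LAN blocked: "
    "$ipt" -A FORWARD -i eth2 -o eth0 -j DROP
    "$ipt" -A FORWARD -i eth1 -o eth0 -j DROP
}
```

Passing a stub such as `stub() { printf '%s\n' "$*"; }` as the first argument prints the rules instead of installing them, which is a cheap way to review the set before it goes live. Note that this only governs forwarded traffic: the firewall host's own exposure (the INPUT chain, and the netfilter bugs mentioned earlier in the thread) is the residual risk the post points at.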
hughesjr
post Mar 2 2004, 06:13 PM
Post #5





/var/log/lastlog shows the last time a user logged in ... if yours doesn't exist, you can create a blank one with the command:

touch /var/log/lastlog

then use the command lastlog to see the last time each user logged in.

That will stop the error messages....


