Help - Search - Members - Calendar
Full Version: Chkrootkit
Linuxhelp > Support > Technical Support
Robert83
Hi,

I've downloaded chkrootkit, at beeing playing it for a while, there is a option for it to send mail automaticaly to root, and using it with CRON on a regular basis [hourly should be enough right?].

Now what interests me is, do you know how to make chkrootkit outputs ouput into a file?


[Some other questions]

If you're firewall is set up the way it should be set up, I mean, that only the really necesary ports respond to connections attempt, and the others are in stealth mode, how safe am I? [I've been reading those pages at www.chkrootkit.org, and got really scared], I mean how on earth can a hacker come in trough a stealthed port?, and is that really true? that this buffer overflow isue can be a serious threat?, what is you're opinion regarding this?


Sincerely
Robert B
hughesjr
chkrootkit > filename

--------------------
You are never really unsure.gif totally safe huh.gif (that is true with any firewall system, be it a million dollar cisco firewall, a $40 dlink router, or a DOS based packet filter on a 8088 PC) .... and yes, buffer overflows are a major problem.

A stealth port means that the kernel net-filter (iptables) drops the packet if it doesn't meet the requirements to get in .... BUT if you can do something to the packet that causes net filter to instead open up a command prompt with root access, then you have defeated the firewall ...

Here is an example of a security issue that allows a local user to get root that involves iptables .... and here is one (see bug 3) that actually discusses a bypassing of iptables rules by a remote user (WBEL is not suseptable to this issue, it has been corrected, this is just an example).

That is why it is critical that security updates get installed ... wink.gif

(This is not to say that you shouldn't have a firewall ... and linux systems {when properly hardened and when updates are applied} are much more secure than Windows systems, BUT all systems are vulnerable)
Robert83
Hi,

A Few more questions :

1.in my /var/log/secure file where I keep the ssh logins, the following two lines always shop up :

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Mar 2 16:24:59 WindowsXP sshd[10966]: lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory
Mar 2 16:24:59 WindowsXP sshd[10966]: lastlog_openseek: /var/log/lastlog is not a file or directory!
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Mar 2 16:24:59 WindowsXP sshd[10968]: lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory
Mar 2 16:24:59 WindowsXP sshd[10968]: lastlog_openseek: /var/log/lastlog is not a file or directory!
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If I would create a file /var/log/lastlog would these messages stop? and what is lastlog for? [perhaps, last login?]

2. what if [maybe a really stupid question or thing to do] I put 2 firewalls to the outside world like this

LAN-WEBSERVER-MAILSERVER-FTPSERVER-FIREWALL2-FIREWALL1 would this be a bit better security?
I mean if a hacker would break in, and see the second firewall , maybe he would live with "oh my god, I can't take this anymore" smile.gif .

The two firewalls would have identical ip tables rules , if that is good, I mean that port forwarding thing would work the same way right?, the only thing I would need to change on the second computer would be to trust the first firewall,
wich would lead to, if I'm correct that if firewall1 is hacked, firewall2 would let itself be hacked...right? sad.gif or is this possible somehow?

Or like this

LAN-FIREWALL2-MAIL-WEB-FTP-FIREWALL1 and in this case firewall2 would not trust firewall1 ...

do you recomend using two firewalls? and if yes, what is the most efective use for a two firewall system?

Sincerely
Robert B
hughesjr
A second firewall probably wouldn't be much help ... because, the exploit used to break into the first one would also probably work on the second one.

What might be good, however, is a third network card. This would allow you to have a DMZ that has all the servers on that card (eth2, with a different subnet 192.168.2.0/255.255.255.0) ... and you would forward the ports from eth1 to eth2 (instead of eth0) ... but you wouldn't have any ports from eth 1 or eth2 forwarded to eth0 ... so if someone compromised one of the other servers (ie, they got root access to the e-mail server, the web server, or the ftp server, etc.) they would not have any access to the rest of the network.

They would only have access to the rest of the network if they compromised the firewall itself...which isn't normally the problem.
hughesjr
/var/log/lastlog shows the lastime a user logged in ... if yours doesn't exist, you can create a blank one with the command:

touch /var/log/lastlog

then use the command lastlog to see the last time each user logged in.

That will stop the error messages....
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2017 Invision Power Services, Inc.