[oclug] knark attack
David F. Skoll
dfs at roaringpenguin.com
Fri Jan 12 10:33:37 EST 2001
On Fri, 12 Jan 2001, Lafleur Maurice wrote:
> I immediately brought the system to a non-networked state and now I am
> asking you guys: How do I secure my system???
First, wipe the entire disk, repartition and reinstall.
Do NOT run rshd or rlogind. Don't run fingerd, telnetd or ftpd.
Don't run a mail transfer agent unless absolutely necessary. Don't
even install these programs.
The only port which should be open to the outside world is port 22, SSH.
Run sshd for remote access, disabling "Password Authentication". Firewall
off all privileged ports and firewall off TCP packets with the SYN bit
set, except those destined for sshd. Use tcp_wrappers as well; it can't
hurt and the overhead is small.
Get a cheap machine, install Linux, connect it to your box with a
serial cable and have the Linux syslog log to the serial port. Do not
network the cheap box. That way, there's no way on earth someone can
wipe out your logs without having physical access to the machine.
Don't laugh; I set up exactly this configuration for a client of mine.
Download the latest updates from Red Hat and install them before bringing the
machine live on the network.
Subscribe to Bugtraq. Keep your eye on Red Hat's security advisories.
Do not allow Windows machines to connect to your Linux box. Treat all
Windows machines as compromised (or hostile). Firewalling a Windows
box is next to useless; crackers get into those machines with e-mail
viruses or trojans (which firewall rules do not prevent).
Do not run any program which relies on host names or IP addresses for
authentication. In your firewall rules, filter by interface, not (only)
by IP address.
If you do all of that, you will stop most crackers from getting in. :-)
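An added example, not code from David's post, that turns the firewall and sshd advice above into a reviewable shell script. It assumes iptables rather than the ipchains of the day, an outside interface named eth0 (override with WAN_IF), and the standard /etc/ssh/sshd_config location.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: iptables
# (the 2001 post would have used ipchains), an outside interface
# called eth0, and a standard sshd_config layout.

WAN_IF="${WAN_IF:-eth0}"   # assumed name of the outside interface

# Print the ruleset instead of applying it, so it can be inspected
# before being run as root. Policy on the outside interface:
#   - new TCP connections (SYN set) are accepted only to port 22
#   - every other SYN is dropped
#   - nothing reaches the privileged ports (1-1023), TCP or UDP
#   - replies to connections we opened ourselves are allowed back in
# Matching is by interface, not by source address, as the post advises.
gen_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 --syn -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --syn -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport 1:1023 -j DROP
iptables -A INPUT -i $WAN_IF -p udp --dport 1:1023 -j DROP
EOF
}

# Succeed (exit 0) only if FILE sets PasswordAuthentication to "no".
# sshd honours the first occurrence of a keyword, so only the first
# uncommented match counts; a file that never sets it keeps sshd's
# default of "yes" and therefore fails the check.
sshd_password_auth_disabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$v" = "no" ]
}

# Stand-alone usage: print the rules and check the live sshd_config.
if [ "${1:-}" = "--run" ]; then
    gen_rules
    if sshd_password_auth_disabled /etc/ssh/sshd_config; then
        echo "sshd_config: password authentication is off"
    else
        echo "sshd_config: password authentication is still ON" >&2
    fi
fi
```

Run it with `--run` to print the rules and check the live configuration; nothing is applied until you pipe the printed rules into a root shell yourself.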