[oclug] knark attack
Ian Wormsbecker
iwormsbe at nortelnetworks.com
Fri Jan 12 11:14:57 EST 2001
If I may, I would suggest one addition to David's excellent response. Change
every single password on every box on your network. All your email accounts, ftp
accounts, smtp accounts, telnet accounts, i.e. EVERYTHING. Any password that is
floating around on your network in plaintext can now be considered compromised.
Ian.
"David F. Skoll" wrote:
> On Fri, 12 Jan 2001, Lafleur Maurice wrote:
>
> > I immediately brought the system to a non-networked state and now I am
> > asking you guys: How do I secure my system???
>
> First, wipe the entire disk, repartition and reinstall.
>
> Do NOT run rshd or rlogind. Don't run fingerd, telnetd or ftpd.
> Don't run a mail transfer agent unless absolutely necessary. Don't
> even install these programs.
>
> The only port which should be open to the outside world is port 22, SSH.
> Run sshd for remote access, disabling "Password Authentication". Firewall
> off all privileged ports and firewall off TCP packets with the SYN bit
> set, except those destined for sshd. Use tcp_wrappers as well; it can't
> hurt and the overhead is small.
>
> Get a cheap machine, install Linux, connect it to your box with a
> serial cable and have the Linux syslog log to the serial port. Do not
> network the cheap box. That way, there's no way on earth someone can
> wipe out your logs without having physical access to the machine.
> Don't laugh; I set up exactly this configuration for a client of mine.
>
> Download the latest updates from Red Hat and install them before bringing the
> machine live on the network.
>
> Subscribe to Bugtraq. Keep your eye on Red Hat's security advisories.
>
> Do not allow Windows machines to connect to your Linux box. Treat all
> Windows machines as compromised (or hostile). Firewalling a Windows
> box is next to useless; crackers get into those machines with e-mail
> viruses or trojans (which firewall rules do not prevent.)
>
> Do not run any program which relies on host names or IP addresses for
> authentication. In your firewall rules, filter by interface, not (only)
> by IP address.
>
> If you do all of that, you will stop most crackers from getting in. :-)
>
> --
> David.
>
> _______________________________________________
> oclug mailing list
> oclug at lists.oclug.on.ca
> http://www.oclug.on.ca/mailman/listinfo/oclug
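As an added illustration of two of the steps in David's post (it is not code from David or from the list), the script below checks an sshd_config for "Password Authentication" being disabled and prints the kind of interface-based firewall rules he describes: allow new TCP connections (SYN) to sshd only, drop every other inbound SYN, and drop traffic to the privileged ports. It assumes a Netfilter/iptables host and a single external interface name passed as an argument; the sample sshd_config it checks is constructed here, and the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example: audit sshd_config and generate firewall rules along the lines
# of David's advice. Assumes iptables is the packet filter (an assumption).

# sshd_setting FILE KEY
# Print the effective value of KEY in an sshd_config. OpenSSH uses the FIRST
# uncommented occurrence of a keyword, so later duplicates are ignored.
sshd_setting() {
    awk -v key="$2" '
        tolower($1) == tolower(key) && !found { v = $2; found = 1 }
        END { print tolower(v) }
    ' "$1"
}

# check_sshd FILE
# "ok" only when PasswordAuthentication is explicitly "no"; OpenSSH defaults it
# to "yes" when the keyword is absent, so a missing setting counts as "weak".
check_sshd() {
    if [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ]; then
        echo ok
    else
        echo weak
    fi
}

# gen_rules EXT_IF
# Emit iptables rules that filter by interface rather than by source address:
# accept SYNs to port 22 on the external interface, drop all other SYNs there,
# drop anything aimed at the privileged ports, and let established flows through.
gen_rules() {
    ext="$1"
    printf '%s\n' \
        "iptables -P INPUT DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -i $ext -p tcp --dport 22 --syn -j ACCEPT" \
        "iptables -A INPUT -i $ext -p tcp --syn -j DROP" \
        "iptables -A INPUT -i $ext -p tcp --dport 0:1023 -j DROP" \
        "iptables -A INPUT -i $ext -p udp --dport 0:1023 -j DROP" \
        "iptables -A INPUT -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Demonstration on a constructed sshd_config (not a real host's file).
demo_cfg="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '%s\n' \
    '# constructed sample sshd_config' \
    'Port 22' \
    'PasswordAuthentication no' \
    'PasswordAuthentication yes   # ignored: first occurrence wins' \
    > "$demo_cfg"
echo "sshd password auth check: $(check_sshd "$demo_cfg")"
rm -f "$demo_cfg"
echo "firewall rules for eth0:"
gen_rules eth0
```

Run it as `sh hardening_check.sh`; point `check_sshd` at `/etc/ssh/sshd_config` on a real host and pipe `gen_rules` into a review before applying anything, since the rule set above drops everything not listed.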