[oclug] knark attack
iwormsbe at nortelnetworks.com
Fri Jan 12 11:14:57 EST 2001
If I may, I would suggest one addition to David's excellent response. Change
every single password on every box on your network. All your email accounts, ftp
accounts, smtp accounts, telnet accounts. ie: EVERYTHING. Any password that is
floating around on your network in plaintext can now be considered compromised.
"David F. Skoll" wrote:
> On Fri, 12 Jan 2001, Lafleur Maurice wrote:
> > I immediatly brought the system to a non-networked stated and now I am
> > asking you guys: How to I secure my system???
> First, wipe the entire disk, repartition and reinstall.
> Do NOT run rshd or rlogind. Don't run fingerd, telnetd or ftpd.
> Don't run a mail transfer agent unless absolutely necessary. Don't
> even install these programs.
> The only port which should be open to the outside world is port 22, SSH.
> Run sshd for remote access, disabling "Password Authentication". Firewall
> off all privileged ports and firewall off TCP packets with the SYN bit
> set, except those destined for sshd. Use tcp_wrappers as well; it can't
> hurt and the overhead is small.
> Get a cheap machine, install Linux, connect it to your box with a
> serial cable and have the Linux syslog log to the serial port. Do not
> network the cheap box. That way, there's no way on earth someone can
> wipe out your logs without having physical access to the machine.
> Don't laugh; I set up exactly this configuration for a client of mine.
> Download the latest updates from Red Hat and install them before bringing the
> machine live on the network.
> Subscribe to Bugtraq. Keep your eye on Red Hat's security advisories.
> Do not allow Windows machines to connect to your Linux box. Treat all
> Windows machines as compromised (or hostile). Firewalling a Windows
> box is next to useless; crackers get into those machines with e-mail
> viruses or trojans (which firewall rules do not prevent.)
> Do not run any program which relies on host names or IP addresses for
> authentication. In your firewall rules, filter by interface, not (only)
> by IP address.
> If you do all of that, you will stop most crackers from getting in. :-)
> oclug mailing list
> oclug at lists.oclug.on.ca
More information about the OCLUG