Hi, Fred.
I'm not sure how it was determined that the hacker didn't do anything to
the system, but I wouldn't be so sure. I would be more inclined to
follow Dan's advice, personally.
That having been said, I'll address your last question, here.
You have a couple of options...to secure telnet from specific IPs, you
can make use of the TCP-Wrappers, and modify the hosts.allow and
hosts.deny files in your /etc directory.
First, in your hosts.deny file, you want entries like this:
in.telnetd: ALL
This will shut out telnet to everyone.
Then, in your hosts.allow file, you want entries like this:
in.telnetd: xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
in.telnetd: zzz.zzz.zzz.zzz/mmm.mmm.mmm.mmm
The first of these lines would let specific machine IPs in to the telnet
daemon...the second line would be a network address/network mask...this
is useful for allowing whole netblocks in.
Check your /etc/inetd.conf file. Any entries that look like:
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
should be using TCP Wrappers. The "/usr/sbin/tcpd" before the actual
daemon gives that away...however, this being the case, you can set up
entries in your hosts.allow and hosts.deny files, for whichever daemons
you like, that will allow/deny access to whichever services you want for
whichever IPs/networks you want.
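The allow/deny evaluation tcpd applies to those two files, as an added Python example (not from the original post): the sample hosts.allow/hosts.deny contents and the TEST-NET addresses in them are constructed, standing in for the xxx/yyy/zzz placeholders above.

```python
import ipaddress

# Constructed sample files following the recipe above (addresses are documentation ranges).
HOSTS_DENY = """\
in.telnetd: ALL
"""
HOSTS_ALLOW = """\
in.telnetd: 192.0.2.10 192.0.2.11
in.telnetd: 198.51.100.0/255.255.255.0
"""

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern: ALL, a literal IP, or net/mask as used in hosts.allow."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == ipaddress.ip_address(pattern)

def tcpd_allows(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a client matching neither file is let in."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(c, ip) for c in clients
            ):
                return verdict
    return True
```

Because the deny file names only in.telnetd, a daemon with no rule in either file (in.ftpd in the test) is still reachable from anywhere; the real tcpdmatch(8) utility gives the same verdicts against the live files.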
On Thu, 9 Nov 2000, Fred Edmister wrote:
> Dan,
>
> Thank you so much! This helped tremendously! The good news
> is, I've not only found their IP address, traced them back to their ISP
> (BEZEQINT.NET) and found that they did NOT do anything to the
> system!! (apparently he's been using his telnet account since this past
> weekend... VERY weird... ) I've deleted the account, changed all the
> passwords, and am working on the rest for security.
>
> I have NO idea how they got in. I *DO* know that for a "hacker"
> they are not very "good" (knock on wood) because 1) hackers generally don't
> crash a system BEFORE they cover their tracks, and 2) they also generally
> never return to the same place twice unless it is a personal
> vendetta. This person's ISP was traced back to Israel, and I don't know
> anyone there, and I'm a very small WSP in Upstate NY, so I'm sure I haven't
> gotten on anyone's bad side from there! LOL I have the log saved with his
> IP's, and login times and dates for the last couple days.
>
> Lastly, you mention using a secure telnet.... At the risk of
> sounding stupid (I never admitted to being a Linux Guru! LOL) What can I
> do to change the telnet type... I would like to make it more secure...
> Maybe even limit it to certain IPs/domains... (if possible) If you (or
> anyone) knows anything about this, it would be great to know! Thanks again
> for everything!
>
> Fred
>
> At 12:43 AM 11/10/00 +1100, you wrote:
> >Hi - I have a couple of quickie bits of advice for you...
> >
> >1) remove the machine from the network (pull the net / modem cable) so you
> >can check exactly what has happened without him / them logging back in and
> >screwing stuff up more / covering their tracks. don't bring the machine
> >back up till you've done step 2 thoroughly...
> >
> >2) go to http://www.auscert.org.au/ and check out the "root compromise" or
> >something similar (don't have access to a web browser right now - but the
> >info is there) documents... there's similar stuff at cert.org - but I know
> >of the auscert stuff first hand...
> >
> >3) to check last logins and stuff type "last" and - well - it may have the
> >details there - or the intruder may have deleted the logs that contain the
> >login history... or may be they didn't get that far if they locked the
> >server trying stuff out...
> >
> >4) find out what happened, document it, back up the whole system to a DAT
> >if you have a chance, remove the tape and lock it, then wipe the HD and
> >set up the server from scratch using the redhat install cds - then
> >selectively restore stuff from the DAT that you know you need... it's best
> >not trying to clean up after an intrusion as you can't really be sure what
> >the intruder has done - if they're really good at what they do and you're
> >not super savvy then it's quite probable that it'll look like there's
> >nothing wrong whatsoever with the machine... but they'll still be on the
> >machine, hacking away! :(
> >
> >5) if you get a chance to find out who they are then do whatever you can
> >to make sure they do it again - ranging from reporting them to the
> >authorities and taking any action available to you to make their life as
> >unpleasant as possible!
> >
> >hmm... this all brings back painful memories of server compromise by
> >inexperienced script kiddies over a year ago resulting in large loss
> >of data and time in recovering when I didn't really know much better
> >(and didn't have a backup of the only stuff that happened to get
> >wiped!) good luck & I hope there's nothing too critical on there / nothing
> >lost....
> >
> >cheers, dan.
> >
> >ps. as to how did they get in - lack of errata updates / insecure services
> >being run / non-encrypted telnet (always use ssh!) would be three guesses...
> >
> >On Thu, 9 Nov 2000, Fred Edmister wrote:
> >
> > > This morning I awoke to my Linux server not responding, and when I went to
> > > the system itself, there were a bunch of PAM *** info lines on the screen
> > > for a username I had never seen... I couldn't log in, and had to just power
> > > down and do a manual fsck when it came back up... (bear with me, there is a
> > > question here) Once the system came back up (after changing all the
> > > passwords of course... ) there was a new user "shlomi" added to the
> > > system, and in the home directory was a program directory, and the tar
> > > file... (bnc2.6.2 bnc2.6.2.tar.gz) My questions are 1). What is
> > > this BNC, and should I worry about what this guy may have done to my system
> > > (everything seems to work fine, but I don't know if he did something
> > > "behind the scenes") 2). How did this guy get in, and what can I do to
> > > avoid these things from happening in the future (I noticed on the screen
> > > when I got to the system one of the PAM's was him being su'd.. NOT
> > > good) And Lastly, where is the log that holds the telnet info so I can
> > > check and see EXACTLY what this guy did... Thank you all in advance for
> > > your help! It is greatly appreciated!
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list