Every day hundreds of crazy folks out there are looking to get at your files.
Any time you go on networks like IRC, ICQ, Napster, Gnutella, etc., where there
are thousands of other people, a small percentage of those people are looking to
get at your files. It's a fact. So what does one do to protect themselves?
When you are running Linux, you have a myriad of ways of protecting yourself
from these crackers. Here I'll outline a simple method of finding people who
attempt to crack into your system and making sure they never do it again.
Since the most common operating system people use is Windows, these
crackers most commonly attempt to access your hard drive via the Windows File
Sharing system. The fact is that most users who activate the File and Print Sharing
subsystem in Windows do so with little security in mind. On Linux, this means
that if you run Samba, you must make sure it only accepts connections from your
local area network, not from the Internet. This is accomplished by using the
"hosts allow" parameter in the config file /etc/smb.conf: allow only the hosts
which need access to the shares. Then when one of these crackers attempts to
get to your shares, Samba will log their hostname and IP address in its
log files.
I use the Mandrake Linux distribution on my systems, so what I describe here
works on those and should work on RedHat as well. For other distributions,
it is trivial to find the proper filenames, directories, etc. I will leave that
up to you. The first step in security monitoring is to look in the log files in
/var/log frequently for suspicious behavior.
/var/log/secure - This file contains information from programs which use
the tcp_wrappers system (/etc/hosts.allow and /etc/hosts.deny). Search this file
for phrases like "refused connect" to spot the intruders. Each such line will
tell you the hostname or IP address of the intruder, the date and time, and
the service they were trying to access. Here is one such line from my system:
May 3 16:32:56 moe in.telnetd[1749]: refused connect from thyme.epix.net
/var/log/samba/log.* - These files contain the information from the Samba
programs. When someone who is not allowed attempts to get to your Windows shared
files, it is logged here. Look for things like "Connection denied" to spot this
set of intruders. An example from my system:
[2000/05/03 18:07:27, 0] lib/access.c:check_access(262)
Denied connection from adslppp47.tcsn.uswest.net (216.161.144.47)
[2000/05/03 18:07:27, 1] smbd/process.c:process_smb(608)
Connection denied from 216.161.144.47
As you monitor these files and the others in /var/log frequently, you will come to
be able to quickly spot the odd behavior. As you go through them, keep notes
of the intruders' IP addresses.
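The two log formats above are regular enough to be picked apart with awk. The following shell script is an added example, not something from the original article; it reads a /var/log/secure-style log and a Samba log and prints the intruder records (service, source, date) that you would copy into your notes. The log lines it runs over are constructed for the example, with invented hostnames and addresses, so it works without real logs; on a live system the same functions take the real files.

```shell
#!/bin/sh
# Added example, not part of the original article: pull the intruder records out of
# the two log formats described above (tcp_wrappers lines in /var/log/secure and the
# Samba denial lines in /var/log/samba/log.*). The log lines below are constructed
# for this example, with hostnames and addresses invented, so it runs without real logs.

# Constructed sample of /var/log/secure: two refusals mixed in with ordinary entries
SECURE_SAMPLE='May  3 16:32:56 moe in.telnetd[1749]: refused connect from thyme.example.net
May  3 16:40:01 moe CROND[1802]: (root) CMD (run-parts /etc/cron.hourly)
May  4 02:11:09 moe in.ftpd[2210]: refused connect from 203.0.113.77
May  4 09:15:33 moe in.telnetd[2377]: connect from 192.168.1.5'

# Constructed sample of a Samba log: the same host denied twice
SAMBA_SAMPLE='[2000/05/03 18:07:27, 0] lib/access.c:check_access(262)
  Denied connection from host47.example.net (198.51.100.47)
[2000/05/03 18:07:27, 1] smbd/process.c:process_smb(608)
  Connection denied from 198.51.100.47
[2000/05/03 18:09:02, 1] smbd/process.c:process_smb(608)
  Connection denied from 198.51.100.47'

# Read a /var/log/secure-style log on stdin and print one line per refusal:
# "service source month day time", the fields worth copying into crack.txt.
tcpwrap_refusals() {
    awk '/refused connect from/ {
        svc = $5
        sub(/\[.*$/, "", svc)                    # in.telnetd[1749]: -> in.telnetd
        printf("%s %s %s %s %s\n", svc, $NF, $1, $2, $3)
    }'
}

# Read Samba logs on stdin and print each distinct denied source address once.
samba_denials() {
    awk '/Connection denied from/ { print $NF }' | sort -u
}

# Stand-alone run over the constructed samples. On a live system the same
# functions take the real files: tcpwrap_refusals < /var/log/secure and
# cat /var/log/samba/log.* | samba_denials (both need root to read the logs).
printf '%s\n' "$SECURE_SAMPLE" | tcpwrap_refusals
printf '%s\n' "$SAMBA_SAMPLE" | samba_denials
```

The "connect from" line without "refused" is a permitted connection and is deliberately not reported; only the refusals are worth a note. The Samba function keys on the one-line "Connection denied from" record and collapses repeats, since a single intruder usually produces several denials in a row.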
I keep a file listing hostnames, IP addresses, dates, and the service they
attempted to use. You may use this same format if you wish to use the scripts
below. Here is the format of this file, named crack.txt:
TELNET
======
irc-e.frontiernet.net 206.132.27.154 - March 20
IMAP
====
x 207.33.188.194 - May 7, 14:55:11
SMB
===
adsl-208-191-207-251.dsl.rcsntx.swbell.net 208.191.207.251 - March 14, 7:45:29
Note: The IP addresses listed above were not changed, so as to point out the
guilty. If you attempted to bust into my box, I do not care about any "rights"
you may think you have.
As you can see, this file has the service, followed by all the hostnames and IP
addresses of crackers attempting to come into my machine. The second field (the
IP address) is really all that is used in my script below. The rest is merely for
myself so I can see how often they attempt to come back. For those IP addresses
which do not resolve to hostnames, a mere "x" in that field suffices.
Now that you have a full list of offenders, it's time to make sure they do not
return. For this we will use the ipchains program to block their addresses
as they enter your Linux machine. The script
crack_ban.sh generates a file with all the ipchains
rules to make sure the intruders never show up again:
#!/bin/sh
# Build /root/crack_build.sh from /root/crack.txt, then run it.
awk '
# Start the generated script by flushing the input chain
BEGIN { print "#!/bin/sh\n\n# Flush input chain\nipchains -F input" }
# Entry lines ("host ip - date"): deny the whole /24 around the IP in field 2
NF > 2 { printf("ipchains -A input -s %s/24 -j DENY\n", $2); }
# Single-word lines that are not "====" underlines are service headings
NF == 1 && /[^=]/ { print "\n# " $1 }' /root/crack.txt > /root/crack_build.sh
/bin/sh /root/crack_build.sh
As you can see from this, I choose to ban entire class C subnets of IP addresses
(the "/24" part). Since many of the intruders are on dial-up, DSL, or cable
modem connections, they most likely end up with a random address from a pool
their ISP owns. I have found that banning the entire class C block tends to fix
the problem should the intruder re-dial and get a new IP address. Also, the
files this script uses are stored in /root so normal users on the system cannot
read them (your /root should never be world readable).
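The crack.txt format and the crack_ban.sh script above can be tightened a little before the rules reach a live firewall. The script below is an added example, not the article's own crack_ban.sh: it reads a list in the crack.txt format and prints ipchains DENY rules for it, but it checks that the second field is actually a dotted-quad address (so a typo in crack.txt does not become a malformed rule), reduces every address to its /24 network so the rule reads A.B.C.0/24, and emits one rule per block even when several offenders share it. The sample list is constructed for the example, with invented hostnames and addresses, and nothing is executed: the generated rules are printed so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not the article's crack_ban.sh: read a list in the crack.txt format
# and print ipchains DENY rules for it, with three checks the original omits. The
# second field must be a valid dotted-quad address, each address is reduced to its
# /24 network (A.B.C.0/24), and a network that already has a rule is not repeated,
# so several offenders from one block produce one rule. Nothing is executed: the
# rules are printed so they can be reviewed before being run as root.

# Constructed sample in the article's crack.txt format (hostnames and addresses invented)
CRACK_SAMPLE='TELNET
======
host1.example.net 203.0.113.154 - March 20
x 203.0.113.201 - April 2, 11:03:44
IMAP
====
x 198.51.100.194 - May 7, 14:55:11
not-an-ip - May 8
SMB
===
host2.example.net 192.0.2.251 - March 14, 7:45:29'

# Read crack.txt lines on stdin; print service headings as comments and one
# "ipchains -A input -s A.B.C.0/24 -j DENY" line per distinct /24 network.
build_ban_rules() {
    awk '
    # A single word that is not a run of "=" is a service heading
    NF == 1 && $1 !~ /^=+$/ { print "\n# " $1; next }
    # Entry lines: "hostname-or-x IP - date"; only accept a dotted quad in field 2
    NF > 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($2, o, ".")
        if (o[1] > 255 || o[2] > 255 || o[3] > 255 || o[4] > 255) next
        net = o[1] "." o[2] "." o[3] ".0/24"
        if (net in seen) next                  # this block already has a rule
        seen[net] = 1
        printf("ipchains -A input -s %s -j DENY\n", net)
    }'
}

# Wrap the rules in a complete script like the article generates: flush the
# input chain first so re-running it does not pile up duplicate rules.
emit_ban_script() {
    printf '#!/bin/sh\n\n# Flush input chain\nipchains -F input\n'
    build_ban_rules
}

# Stand-alone run over the constructed sample; on a live system use
# emit_ban_script < /root/crack.txt > /root/crack_build.sh and inspect it before running.
printf '%s\n' "$CRACK_SAMPLE" | emit_ban_script
```

The two TELNET entries in the sample sit in the same /24, so they collapse into a single rule, and the "not-an-ip" line is silently skipped rather than producing a rule the firewall would reject. Keeping the generated file separate from the step that runs it, as the article does, also gives you a chance to read the rules before they take effect.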
That is it. A quick and easy way to find and ban idiots who think they can bust
into your system. You can also go an extra step and email the administrators of
the Internet service providers. I'll leave that up to you.
I am sure there are other, better, or worse ways of doing it, so
if you think you have a better plan, email me.
In a few days, I'll have another setup to log crazies and the wonders of
tcpdump.