On Tue, 27 Jan 2009, in the Usenet newsgroup alt.os.linux.mandriva, in article
Post by Frank Peelo
> Post by Moe Trin
> > That's but one of many ways. Any time you are using a '-r' or '-R'
> > option to ANY command, you're probably setting yourself up for a
> > disaster. Typ0s are always entertaining if you aren't the recipient,
> It was the first example to come to mind.
It's fine. It's also fun to see people mis-using the 'chmod' and
'chown' commands - especially when they throw in the -r option. Aim
the gun very carefully at your foot - squeeze the trigger gently...
Post by Frank Peelo
> But I still would like the low-down on what stuff happens when the
> firewall is not right
Back around 1996 or so, the most common open mail relay was a Linux
box, with sendmail configured to relay from/to everywhere, and every
daemon known to man (at the time) running with a default password.
"Install (and enable) everything" was one of the install choices.
Amazingly, the distributions finally figured out that this was not the
optimum installation procedure, and (for example) the Sendmail FAQ
(http://www.sendmail.org/faq/) still has sections explaining why
sendmail is only bound to the loopback rather than the eth0 interface.
Reach over, and unplug your computer from the network. Next, disable
or otherwise stop the firewall (how - depends on your setup). Find a
command line, and run the command
[compton ~]$ netstat -antu
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
[compton ~]$
Hmmm, not a whole lot open. Actually on this system, port 22 is also
firewalled, such that it accepts connections from the other systems on
the LAN (but not the router), and from a /22 and two /24s (a total of
1533 addresses) out on the Internet. Now if you have more things than
this open (yes, you can ignore those on 127.0.0.1), find out what it is
(netstat -anptu will give the process ID that owns a port) and why it's
here. You may want to repeat the test with the firewall running as
normal, just to make sure there are no surprises.
Post by Frank Peelo
> and on Linux viruses in general.
There aren't that many out there. I've been more concerned with the
attacks from last August, where a bit of malware uses stolen keys from
other systems on the net to log in to your system. Once they gain
access, they use any available unpatched vulnerability to gain root,
and then install a 'phalanx2' root kit (which does a pretty good job
of hiding itself). That kit looks for SSH keys on your system, and
mails them to a drop-box, but the next version may add features like
mailing bomb threats to the wife of the late dictator in Spamistan, who
would otherwise be willing to share her ill-gotten wealth with you or
let you know you won the national lottery with her help. Main defense
(in addition to keeping your system up to date) is to restrict where
external connections can come from.
One of the advantages of Linux is the fact that it's not a single or
even a few versions. To the poor sods who have to support Linux, this
does make life more complicated (each of the thousand-odd distributions
knows the ``right'' way to do things - too bad they can't agree what it
might be), but a piece of mal-ware built for Mandriva 2007 may not run
Slackware 12, SUSE 11.0, Fedora 9, Debian 'etch', Ubuntu 8.10, Xandros
4.1, or... (never mind other versions of a given release).
Post by Frank Peelo
> After Stef's earlier post, naming the Linux/Rst-B virus, I did some
> googling. Found that Sophos has a recogniser for it, so I ran that;
> it didn't find any instances of the virus, which was a relief.
I put very little faith in the average anti-mal-ware tools. They are
reacting - generally late - to what the mal-ware looked like when last
seen/reported. Could it be changed/modified since then? Harrumph.
Post by Frank Peelo
> But I also have an sshd server, allowing login only of a specific user
> with low privileges on a nonstandard port with a delay between allowed
> logins to prevent brute-force attacks.
That's good, and the only thing I'd suggest adding is a restriction on
the IP address where the login attempt comes from. As of about two
weeks ago, there were 2,771,249,848 IPv4 addresses in use in 93,300
networks in the world. You really don't need to allow access to each
and every one. You're in Ireland, right? They have 214 networks from
ARIN and RIPE:
[compton ~]$ zgrep IE ARIN.gz | cut -d' ' -f3 | sort -n | uniq -c
2 255.255.255.0
[compton ~]$ zgrep IE RIPE.gz | cut -d' ' -f3 | sort -n | uniq -c | column
1 255.240.0.0 13 255.255.192.0 43 255.255.255.0
1 255.248.0.0 42 255.255.224.0 1 255.255.255.128
2 255.252.0.0 28 255.255.240.0 2 255.255.255.240
3 255.254.0.0 34 255.255.248.0 1 1536
11 255.255.0.0 12 255.255.252.0 1 7680
6 255.255.128.0 11 255.255.254.0
[compton ~]$
That's 4188064 IP addresses in total. You probably won't need access
from every one, but even if you did, that's about 1/8th of one percent
of the addresses available. (Allow from this, that, and the other
address that you KNOW you need, Default reject.)
Post by Frank Peelo
> And there's a NAT filter on the router, and some iptables rules... but
> I still wonder if there is anything at all to what Stef is saying?
Even if your router is auto-forwarding everything to a "local" address
on your LAN (mine doesn't), is anything _listening_ on that host? If
you've also chosen the forwarding such that to reach your SSH server,
they've got to send packets to port 15369 (or something equally at
random) on your public IP address, the odds are pretty much on your
side. Not many skript kiddiez and/or 'bots are going to waste time and
bandwidth trying to find where you hid stuff when there are millions of
other (easy) targets.
Post by Frank Peelo
> Because stuff happens... apparently a chain mail was forwarded to a
> large number of people from my son's email account. My son checks his
> email account about as often as he tidies his room, and the email was
> apparently sent when he would have been in bed anyhow. I would have
> thought someone was spoofing the sender address in an Outlook virus,
> BUT the think is in his "Sent" folder!
I assume that is 'thing' rather than 'think'.
Post by Frank Peelo
> Seems only to have happened once, but I don't know how...
> (Thunderbird, with Mandriva 2008.0)
Hardly enough details to tell - but 1) I don't recommend using a web
browser for everything; 2) what "plugins" were active (I only enable
Java when I'm desperate and it's needed at the only site that has what
I'm looking for - rest of the time, I'm using a text ONLY browser when
I need web stuff); 3) what ELSE was running?
Post by Frank Peelo
> (I ran ClamAV afterwards, and it found nothing, but I noticed the
> virus definitions were a few weeks old.)
A well designed rootkit does its thing from in memory and doesn't need
to be stored on disk where the average anti-mal-ware tools will look.
Perhaps a bit brutal to say (and no insult intended), but all the
anti-mal-ware tools in the world are no substitute for common sense.
It just so happens that the most frequently used vector to date is that
of user stupidity. (Why is it that we laugh at the cartoon animal who
falls for the "stand here and press this button" gag, but so many of us
seem content to "click here and be amazed"?)
Most anti-mal-ware for use on Linux is looking for windoze crap on a
Samba server. The windoze "virus de heure" doesn't run on Linux. There
have been a number of worms/trojans aimed at Linux - and with few
exceptions they're vanishingly rare. The common Linux anti-mal-ware
(chkrootkit, rkhunter, OSSEC) look for about 70 rootkits - some as old
as 2000, and I really don't expect very many people are still using
wuftpd-2.6, glibc-2.0, sendmail 8.8.x, or bind-4.9.3 any more. Hence,
a lot of the Linux anti-mal-ware is looking for non-existent stuff and
I can only assume they do so to inflate their perceived capabilities.
Also, they commonly look for filenames - and I can't imagine that a
malware author would be so dastardly as to change the filename that he
knows the anti-mal-ware is looking for... right?
There are vulnerabilities. Recently, I saw posts in a security news
group from someone running a bunch of Ubuntu 8.04 systems who got 0wn3d
because, while he WAS keeping things up-to-date, he was unaware of a
vulnerable SSH authentication key mechanism (predictable keys) caused
by an error in a Debian application. He had replaced the application,
but not generated new keys - the old ones were vulnerable, and down the
tubes he goes.
With reasonable thought and care, the vulnerabilities are minimal, and
may even be controllable. Does that make Linux bullet-proof? No, you
are still required to think.
Old guy
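The "unplug, stop the firewall, run netstat -antu" check described in the post is easy to script so it can be repeated after every package install. The script below is an added example, not code from the post or from any distribution: it reads netstat output (with or without -p) and prints only the sockets that matter for the question being asked, namely TCP sockets in LISTEN state and UDP sockets that are bound to something other than loopback, together with the owning PID/program when that column is present. The netstat output embedded in it is constructed sample data; the hosts, ports and PIDs are made up.

```shell
#!/bin/sh
# Added example (not from the post): audit of "netstat -anptu" output.
# Lists every socket bound to a non-loopback address that is a TCP LISTEN
# socket or any UDP socket, with the owning PID/program when netstat was
# run with -p (you need root to see processes owned by other users).

# Constructed sample in the layout netstat prints; hosts, ports and PIDs
# are made up for the example.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/sendmail
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED 2345/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1400/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           900/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*                           800/chronyd
EOF
)

# Reads netstat output on stdin, writes one "proto addr:port owner" line
# per socket that is reachable from outside the host.
external_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {                             # tcp, tcp6, udp, udp6
        laddr = $4
        port = laddr; sub(/.*:/, "", port)          # text after the last colon
        addr = laddr; sub(/:[0-9]+$/, "", addr)     # everything before it
        if ($1 ~ /^tcp/) { state = $6; owner = $7 } # UDP lines have no State column,
        else             { state = "";  owner = $6 } # so PID/Program shifts left
        if ($1 ~ /^tcp/ && state != "LISTEN") next  # skip established/closing TCP
        if (addr ~ /^127\./ || addr == "::1") next  # loopback-only: ignore, as the post says
        if (owner == "") owner = "-"                # netstat run without -p
        printf "%s %s:%s %s\n", $1, addr, port, owner
    }'
}

# Demonstration on the constructed sample. On a live host, with the
# firewall stopped as described in the post, run:
#   netstat -anptu | external_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
```

On the sample this prints two lines, sshd on 0.0.0.0:22 and rpcbind on 0.0.0.0:111; sendmail, cupsd and chronyd are bound to loopback and are dropped, and the established sshd session is not a listener. Anything that appears in the output and that you cannot name a reason for is the "find out what it is and why it's here" case from the post.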
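The post's other recommendation is to allow SSH only from the handful of networks you know you need and reject everything else by default. Before such a rule goes into the firewall it is worth checking that the addresses you connect from really fall inside the blocks you intend to allow, since a /22 typed where a /24 was meant is the kind of thing that locks you out. The script below is an added example, not from the post: plain POSIX sh arithmetic that tests an IPv4 address against an allow-list of CIDR blocks with default reject, plus a helper that reports how many addresses a block opens. The allow-list and probe addresses are constructed from documentation ranges, not anyone's real rules.

```shell
#!/bin/sh
# Added example (not from the post): allow-list check for IPv4 addresses
# against CIDR blocks, "allow what you KNOW you need, default reject".
# Pure POSIX sh arithmetic so it runs anywhere; the addresses below are
# documentation/test ranges chosen for the example.

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Netmask for a prefix length, as an integer (24 -> 0xFFFFFF00).
prefix2mask() {
    echo $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}

# Number of addresses a block covers (answers "how much am I opening?").
cidr_size() {
    echo $(( 1 << (32 - ${1#*/}) ))
}

# Exit 0 when address $1 lies inside the CIDR block $2.
cidr_contains() {
    net=${2%/*}; bits=${2#*/}
    mask=$(prefix2mask "$bits")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# allowed ADDR CIDR... : exit 0 if any block matches, 1 otherwise.
# The final "return 1" is the default-reject policy.
allowed() {
    ip=$1; shift
    for cidr in "$@"; do
        cidr_contains "$ip" "$cidr" && return 0
    done
    return 1
}

# Constructed allow-list: one /22 and two /24s, the shape mentioned in the post.
ALLOW="198.51.100.0/22 203.0.113.0/24 192.0.2.0/24"

# Demonstration: two addresses inside the list, one just outside a block edge.
for probe in 203.0.113.77 198.51.103.9 192.0.3.1; do
    if allowed "$probe" $ALLOW; then
        echo "$probe: accept"
    else
        echo "$probe: reject (default)"
    fi
done
for cidr in $ALLOW; do
    echo "$cidr covers $(cidr_size "$cidr") addresses"
done
```

The same arithmetic is what the firewall does with a source-address match; running it by hand against the address you will actually be connecting from is a cheap way to confirm the rule before you enable it on a remote box.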