Cracked

John dingo at coco2.arach.net.au
Mon Oct 18 07:20:12 UTC 2004


My mail service (which is not the one in my address) was cracked last week.


I allow logins via ssh (I need access to do remote maintenance).

One person, possibly as many as three, gained root access to the box 
with the ever-reliable dictionary attack.


The box concerned was not running Ubuntu, but I think the problem and 
my thoughts on it will be of interest to the U community.


There are things a more thoughtful sysadmin would have done: indeed, I 
administer several servers, and this is the only one susceptible to a 
dictionary attack.


The intruder's actions were these:
1. Download and run a tracks-eraser. I have the executable of the 
program, and as it didn't do the job properly :-) I have the evidence.
2. Download and install energy-mech 2.8. Comes with source and our 
favourite software licence.

It seems this is a fairly standard IRC daemon; possibly it gives remote 
admin capabilities.

3. Download a root kit.
I'm not sure that the rootkit I have is the one that was actually run: 
this one doesn't touch gzip, and gzip was clobbered and is the reason I 
discovered my problem.

Apparently my box wasn't used for spamming: we didn't get blacklisted.
I think it wasn't used for any other bad purpose, though I expect such 
was planned.

Fortunately I discovered the problem a little over a day after it happened.



One can mount partitions etc with various security-enhancing options 
such as ro,nodev,noexec etc. To do so requires more than the 
Ubuntu-standard one filesystem.

It would be nice to be able to specify that directories can have 
similar options. There is no reason at all for people to be 
running programs from /var/spool/cron.

Omitting gcc and other program development tools from a server is 
sensible. Make is sensible (sendmail and ypserv use them), but gcc, g++, 
-dev packages? I don't think so.

Some of the available countermeasures are difficult (but I've not 
investigated selinux or lids to help here), some should be attended to 
in default server installations.

However well I learn lessons from this experience, the fact remains that 
others don't have a similar experience, others will be setting up Linux 
computers and exposing them to the Internet without understanding the 
hazards and taking proper countermeasures.

One of the other possible countermeasures is to detect dictionary 
attacks and stop them cold.

It seems to me this is something that's easily-done. There exists a 
package, pop-before-smtp, that scans the mail log and opens a mail relay 
for anyone who authenticates.

I've taken the source code (it's written in Perl where I have modest 
skills) and hacked on it to the point it's almost ready for the .9 
release. The main work remaining is some degree of configurability 
beyond the commandline, and code to implement the blocking.

Creating an iptables rule is simple enough, and a satisfactory 
starting-point, but there's more needed.

The proper place to detect a dictionary attack against sshd is where 
people connect to. The proper place to block the attack is at the 
firewall, not necessarily the same box, maybe not even using iptables or 
Linux.

There may be some benefit in linking machines: I manage several machines 
at different Internet locations. I might wish to block on all when I 
block on one.

While the current code is written in Perl, I'm considering rewriting in 
Python once I have 1.0 out.

Comments?
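Added example (my own code, not the author's pop-before-smtp derivative): the detection side of what the post describes, in Python since the author mentions a rewrite in that language. It scans constructed sshd log lines for failed logins, flags any source with five failures inside one minute, and builds (without running) the iptables rules, since the post notes the firewall may be a different box. The threshold, window and chain name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines for the demo; not taken from the post.
SAMPLE_LOG = """\
Oct 17 03:11:02 mail sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Oct 17 03:11:04 mail sshd[4123]: Failed password for invalid user test from 192.0.2.10 port 40125 ssh2
Oct 17 03:11:05 mail sshd[4125]: Failed password for root from 192.0.2.10 port 40130 ssh2
Oct 17 03:11:07 mail sshd[4127]: Failed password for invalid user oracle from 192.0.2.10 port 40131 ssh2
Oct 17 03:11:09 mail sshd[4129]: Failed password for invalid user guest from 192.0.2.10 port 40133 ssh2
Oct 17 03:12:40 mail sshd[4140]: Failed password for john from 198.51.100.7 port 51002 ssh2
Oct 17 03:12:55 mail sshd[4142]: Accepted password for john from 198.51.100.7 port 51003 ssh2
Oct 17 09:00:01 mail sshd[4300]: Failed password for root from 192.0.2.10 port 40200 ssh2
"""

# Timestamp, then the source address of a failed password attempt.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_ts(stamp, year=2004):
    """Syslog lines carry no year; assume one (constructed data is from 2004)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_dictionary_attackers(log_text, threshold=5, window_seconds=60):
    """Return {ip: time_of_trigger} for sources with >= threshold failures
    inside a sliding window. One typo by a real user never reaches it."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are ignored
        ts, ip = parse_ts(m.group(1)), m.group(2)
        if ip in blocked:
            continue              # already flagged; no need to count further
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop attempts older than the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked

def iptables_rules(blocked, chain="INPUT"):
    """Build the rules as strings; whether and where to apply them is the
    firewall's business, which may not be this host or even iptables."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(blocked)]

if __name__ == "__main__":
    for rule in iptables_rules(find_dictionary_attackers(SAMPLE_LOG)):
        print(rule)
```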




