[TAG] (forw) Re: (forw) Re: lpr works for user not root in Basiclinux 2.1
keesan at grex.cyberspace.org
Sun Jan 28 06:51:56 MSK 2007
On Sat, 27 Jan 2007, Rick Moen wrote:
> Quoting Neil Youngman (ny at youngman.org.uk):
>>>> Do you monitor the logs? Do you run chkrootkit regularly? Do you
>>>> monitor portscans?
>>> /var/log/ shows which packages were installed not portscan info. We
>>> do not have chrootkit.
>> It sounds like you wouldn't notice.
> Neil, chkrootkit (and/or rkhunter) is probably a good thing to suggest
> as a retroactive measure for someone like Sindi who might have reason to
> worry about system security. Although I have problems (to be detailed
> below) with its general approach, your suggestion is commendable in this
> (limited) context.
> Sindi, one might describe chkrootkit / rkhunter (both of which you can
> easily find and download) as attempts at "paranoia in a can" -- tools
> that search your filesystems for patterns of files that typically exist
> as artifacts/after-effects of intruder breakin activity, e.g.,
> replacements of system facilities with trojaned equivalents, malware
> installed that keeps UDP-based backdoor methods of re-entry open, etc.
> Taking the longer view for a moment, both tools exemplify a losing
> strategy that Marcus J. Ranum dubs "enumerating badness" in his essay
> "The Six Dumbest Ideas in Computer Security" -- with that concept
> qualifying as one of the six:
> The problem with enumerating badness is that it comes in vastly too many
> varieties, and so you end up knowing only that _known_, i.e., sloppy and
> incompetent badness has been found. Which is better than nothing -- but
> should make one wonder if we can't do better.
But if I run chrootkit and it finds nothing, and I am not running any
network services when I go online, can I continue as root without
worrying? I have switched Opera to run as user (in the menu) because it
uses an X server. After inserting modules and dialing as root.
> I would suggest there definitely is -- but that the superior tools in
> that area are prospective-looking tools you need to install / configure
> when the system is new or at least healthy, i.e. file-based intrusion
> detection systems (IDSes), such as AIDE, Prelude-IDS, Samhain, etc.
> It would be good if future distros installed with AIDE configured and
> issuing daily reports by default -- and less reliance on chkrootkit /
> rkhunter, which are in the final analysis just glorified virus-checkers,
> and we can _sure_ do better than that. There are an increasing number
> of write-ups about how to configure AIDE manually, e.g.,
> http://www.debuntu.org/intrusion-detection-with-aide .
> My point about chkrootkit/rkhunter as opposed to IDSes in Sindi's
> particular situation is that IDSes require a normal-operation baseline
> for configuration. If you're already worried about intrusion, it's too
> late to set one up.
I was told if I have no open ports I don't need to worry. I ran telnetd
once for 30 seconds on another computer.
>>> We have an nmap add-on for scanning hosts on the network and determining
>>> which services they are running. Downloaded it. No documentation.
>>> 101 pages of man page online. I don't understand much of it.
>>> nmap -A -T4 127.0.0.1 (localhost)
>>> All 1663 scanned ports are closed.
>> I'm no expert either, but I would say that's encouraging.
> Yes. That's a TCP-port scan of localhost (only one of several major
> scan modes nmap can do). Ordinarily, I would caution that nmap must
> always be run from a nearby-on-network node (which, yes, could be
> talking to one's temporary dial-up IP from elsewhere), and _never_ used
> by a host to scan itself, because the report would include local-only
> network services, which obviously _cannot_ be attacked from remote
> locations. (Thus, you tend to think you have remote vulnerabilities
> that really don't exist. This is a very common error.)
> However, in this case, Sindi's results suggest there are _zero_
> TCP-based network services at all, so whether they're strictly local or
> not is entirely moot.
I told you I had no servers running except sometimes X, and I usually go
online with ssh or lynx.
> For the record, this is how I tend to do TCP-service, UDP-service, and
> TCP ACK Ping scans, respectively, using nmap:
> # nmap -vv -sT -sR -O -o N /tmp/nmap-tcp.log -n 22.214.171.124
> # nmap -vv -sU -sR -O -n -oN /tmp/nmap-udp.log -n 126.96.36.199
> # nmap -vv -sA -sR -O -n -oN /tmp/nmap-ack.log -n 188.8.131.52
You are way beyond me already. It was a major accomplishment running nmap
on localhost. Should I do the same as above but substitute the IP address
assigned when I dial the ISP?
I will look for chrootkit. Thanks for all the info.
Is this discussion being archived so I can point other list members at it?
More information about the TAG