[TAG] (forw) Re: (forw) Re: lpr works for user not root in Basiclinux 2.1
Sindi Keesan
keesan at grex.cyberspace.org
Sun Jan 28 06:51:56 MSK 2007
On Sat, 27 Jan 2007, Rick Moen wrote:
> Quoting Neil Youngman (ny at youngman.org.uk):
>
>>>> Do you monitor the logs? Do you run chkrootkit regularly? Do you
>>>> monitor portscans?
>>>
>>> /var/log/ shows which packages were installed not portscan info. We
>>> do not have chkrootkit.
>>
>> It sounds like you wouldn't notice.
>
> Neil, chkrootkit (and/or rkhunter) is probably a good thing to suggest
> as a retroactive measure for someone like Sindi who might have reason to
> worry about system security. Although I have problems (to be detailed
> below) with its general approach, your suggestion is commendable in this
> (limited) context.
>
> Sindi, one might describe chkrootkit / rkhunter (both of which you can
> easily find and download) as attempts at "paranoia in a can" -- tools
> that search your filesystems for patterns of files that typically exist
> as artifacts/after-effects of intruder breakin activity, e.g.,
> replacements of system facilities with trojaned equivalents, malware
> installed that keeps UDP-based backdoor methods of re-entry open, etc.
>
> Taking the longer view for a moment, both tools exemplify a losing
> strategy that Marcus J. Ranum dubs "enumerating badness" in his essay
> "The Six Dumbest Ideas in Computer Security" -- with that concept
> qualifying as one of the six:
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> The problem with enumerating badness is that it comes in vastly too many
> varieties, and so you end up knowing only that _known_, i.e., sloppy and
> incompetent badness has been found. Which is better than nothing -- but
> should make one wonder if we can't do better.
>
But if I run chkrootkit and it finds nothing, and I am not running any
network services when I go online, can I continue as root without
worrying? I have switched Opera to run as user (in the menu) because it
uses an X server. After inserting modules and dialing as root.
> I would suggest there definitely is -- but that the superior tools in
> that area are prospective-looking tools you need to install / configure
> when the system is new or at least healthy, i.e. file-based intrusion
> detection systems (IDSes), such as AIDE, Prelude-IDS, Samhain, etc.
>
> It would be good if future distros installed with AIDE configured and
> issuing daily reports by default -- and less reliance on chkrootkit /
> rkhunter, which are in the final analysis just glorified virus-checkers,
> and we can _sure_ do better than that. There are an increasing number
> of write-ups about how to configure AIDE manually, e.g.,
> http://www.debuntu.org/intrusion-detection-with-aide .
>
> My point about chkrootkit/rkhunter as opposed to IDSes in Sindi's
> particular situation is that IDSes require a normal-operation baseline
> for configuration. If you're already worried about intrusion, it's too
> late to set one up.
>
I was told if I have no open ports I don't need to worry. I ran telnetd
once for 30 seconds on another computer.
>>> We have an nmap add-on for scanning hosts on the network and determining
>>> which services they are running. Downloaded it. No documentation.
>>> 101 pages of man page online. I don't understand much of it.
>>>
>>> nmap -A -T4 127.0.0.1 (localhost)
>>> All 1663 scanned ports are closed.
>>
>> I'm no expert either, but I would say that's encouraging.
>
> Yes. That's a TCP-port scan of localhost (only one of several major
> scan modes nmap can do). Ordinarily, I would caution that nmap must
> always be run from a nearby-on-network node (which, yes, could be
> talking to one's temporary dial-up IP from elsewhere), and _never_ used
> by a host to scan itself, because the report would include local-only
> network services, which obviously _cannot_ be attacked from remote
> locations. (Thus, you tend to think you have remote vulnerabilities
> that really don't exist. This is a very common error.)
>
> However, in this case, Sindi's results suggest there are _zero_
> TCP-based network services at all, so whether they're strictly local or
> not is entirely moot.
I told you I had no servers running except sometimes X, and I usually go
online with ssh or lynx.
> For the record, this is how I tend to do TCP-service, UDP-service, and
> TCP ACK Ping scans, respectively, using nmap:
>
> # nmap -vv -sT -sR -O -oN /tmp/nmap-tcp.log -n 157.22.20.227
> # nmap -vv -sU -sR -O -n -oN /tmp/nmap-udp.log -n 157.22.20.227
> # nmap -vv -sA -sR -O -n -oN /tmp/nmap-ack.log -n 157.22.20.227
You are way beyond me already. It was a major accomplishment running nmap
on localhost. Should I do the same as above but substitute the IP address
assigned when I dial the ISP?
I will look for chkrootkit. Thanks for all the info.
Is this discussion being archived so I can point other list members at it?
Sindi Keesan
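Rick's point above is that a file-based IDS such as AIDE only works if its baseline was taken while the system was still healthy. The following is an added illustration of that baseline-then-compare model, not part of the original mail and not AIDE's own code: it fingerprints a directory tree, and a constructed demo() scenario in a temporary directory shows a same-size replacement of a binary, a new file and a deleted file being detected only because a baseline existed first.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Record mode, size and SHA-256 of one file (AIDE records more attributes)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):           # hash regular files only, not symlinks
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"mode": oct(st.st_mode), "size": st.st_size, "sha256": h.hexdigest()}

def snapshot(root):
    """Walk root and fingerprint every file; run once on a healthy system for the baseline."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def compare(baseline, current):
    """Report files added, removed or altered since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario in a temp dir: baseline a clean tree, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = snapshot(root)           # the "known-good" state
        # Same-length replacement of ps: size matches, only the hash reveals it
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"replaced ps")
        with open(os.path.join(bindir, "backdoor"), "wb") as f:
            f.write(b"new file")
        os.remove(os.path.join(bindir, "netstat"))
        return compare(baseline, snapshot(root))
```

Without the baseline dict there is nothing to compare against, which is exactly why such a tool cannot be set up retroactively on a machine already suspected of compromise.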