Guarding the perimeter: portsentry

Use portsentry and keep your software at current patch levels ("code levels") so hackers won't be as likely to get you (nothing is bulletproof). Portsentry is a great little program that is easy to configure and has some surprisingly sophisticated anti-attack measures.

Portsentry is a scan detection utility: it detects when others scan your systems (often a sign of an impending attack) and reacts by blocking the offending machine. Portsentry detects many types of scans, including stealth scans, and once an offender is identified it uses TCP Wrappers or the routing table to cut off traffic from that host on the spot (it's really sweet: on newer Linux kernels it uses ipchains to create a dynamic DENY rule automatically, and it works great).
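
To make the mechanism concrete, here is a small scan detector of the same shape, written for this page as an added example (it is not portsentry's own code). It reads constructed connection-attempt lines in an assumed format, counts how many distinct ports one source touches inside a time window, and when that crosses a threshold it produces the two kinds of block described above: a TCP Wrappers `hosts.deny` entry and an `ipchains` DENY rule. The actions are returned as strings rather than executed, and the allowlist shows the one caveat every portsentry admin learns: never let an auto-blocker deny your own gateway or name server, or a scan with a forged source can cut you off from your own network.

```python
"""Toy port-scan detector in the spirit of portsentry (added example, not portsentry code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

# Assumed (constructed) log format: "<epoch seconds> <src_ip> <dst_port>/<proto>"
LINE_RE = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)/(tcp|udp)$")

# Constructed address standing in for the site's own gateway; never auto-block it.
GATEWAY = "192.0.2.1"


@dataclass
class Attempt:
    ts: int
    src: str
    port: int
    proto: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, proto = m.groups()
    return Attempt(int(ts), src, int(port), proto)


def block_actions(src):
    """The two blocks portsentry can apply: a hosts.deny line and an ipchains rule."""
    return [
        f"ALL: {src}",                          # line for /etc/hosts.deny (TCP Wrappers)
        f"ipchains -I input -s {src} -j DENY",  # dynamic DENY rule on the input chain
    ]


class ScanDetector:
    def __init__(self, threshold=5, window=60, allowlist=()):
        self.threshold = threshold          # distinct ports before we call it a scan
        self.window = window                # seconds of history kept per source
        self.allowlist = set(allowlist)     # hosts that must never be blocked
        self.history = defaultdict(deque)   # src -> deque of (ts, port), oldest first
        self.blocked = {}                   # src -> actions taken

    def observe(self, a):
        """Record one attempt; return the block actions if this source just tripped."""
        if a.src in self.allowlist or a.src in self.blocked:
            return None
        q = self.history[a.src]
        q.append((a.ts, a.port))
        # Drop attempts older than the window (assumes timestamps arrive in order).
        while q and a.ts - q[0][0] > self.window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= self.threshold:
            self.blocked[a.src] = block_actions(a.src)
            return self.blocked[a.src]
        return None


# Constructed sample log: a fast scanner, a normal web client, a slow scanner,
# the gateway probing several ports, and one malformed line.
SAMPLE_LOG = [
    "0 192.0.2.30 21/tcp",
    "5 192.0.2.20 80/tcp",
    "6 192.0.2.20 80/tcp",
    "7 192.0.2.20 80/tcp",
    "100 192.0.2.30 22/tcp",
    "100 192.0.2.10 21/tcp",
    "101 192.0.2.10 22/tcp",
    "102 192.0.2.10 23/tcp",
    "103 192.0.2.10 25/tcp",
    "104 192.0.2.10 80/tcp",
    "105 192.0.2.10 111/tcp",
    "110 192.0.2.1 21/tcp",
    "111 192.0.2.1 22/tcp",
    "112 192.0.2.1 23/tcp",
    "113 192.0.2.1 25/tcp",
    "114 192.0.2.1 53/udp",
    "115 192.0.2.1 80/tcp",
    "200 192.0.2.30 23/tcp",
    "300 192.0.2.30 25/tcp",
    "400 192.0.2.30 80/tcp",
    "this is not a log line",
]


def run(lines, allowlist=(GATEWAY,), **kw):
    """Feed lines through a detector; return {src: actions} for every blocked host."""
    det = ScanDetector(allowlist=allowlist, **kw)
    for line in lines:
        a = parse_line(line)
        if a is not None:
            det.observe(a)
    return det.blocked


if __name__ == "__main__":
    for src, actions in run(SAMPLE_LOG).items():
        print(src, "->", "; ".join(actions))
```

With the defaults only the fast scanner (192.0.2.10) is blocked: the web client keeps hitting a single port, the slow scanner spreads its probes beyond the 60-second window, and the gateway is protected by the allowlist. Widening the window to 600 seconds catches the slow scanner too, and dropping the allowlist would block the gateway, which is exactly the self-inflicted outage the allowlist exists to prevent.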

Check the link for more details and GET portsentry so things like the following story do not happen to you.


LINU>< HACkD

Well, I have learned my lesson well. I preach about maintaining your code and I did not take care of my own responsibilities. This weekend one of the corporate Linux servers I installed and maintain was HACkD!

I had a backlevel version of BIND (8.2.1, the STOCK RedHat distro rev) and a somewhat sophisticated intruder managed to exploit the buffer overflow and take over as root. Once in, the bastard then cleared all the logs and every trace and created an obscure .fz directory that ran his show. From this compromised host the attacker then ran other attacks on other hosts.

I am not yet sure what exactly the .fz stuff has, but it uses scripts called "egg" and "botc" to basically take over. It left all the services alone but was used as a platform host. It reset all user accounts and, cleverly, even though I had a terminal still logged in, as soon as I changed the root password back to what I wanted, it took it back.

When I have more details about the attack I will make them known. I did a meticulous search on the disk, discovered the well-hidden files, then I saved the hard drive from the hacked machine (after making copies of everything; the evidence trail has been maintained). I am opening an issue with CERT and I WILL figure out exactly what was done.

It's one thing to hack and look around and/or screw with your friends, but to hack a commercial machine and then use it to attack other machines, that is not cool. This attack will be followed up on, and retaliation and/or prosecution will ensue.

As for the server, it was easy to rebuild and put BIND back; then I UPGRADED to 8.2.2P5 and installed some other gotchas, including portsentry. All is back to well, but all is not forgotten.

Psionic portsentry