Kuro5hin.org: technology and culture, from the trenches
The Joys of Protecting Networked System

By trog in Culture
Thu Sep 21, 2000 at 05:09:35 PM EST
Tags: Security

As a security sysadmin, I often stumble across "Cracker" websites, where the kiddez rant on and on about how wonderful it is to compromise a system. What amazes me is that I've yet to see the flipside of this argument: The intense rush you get when you foil the kiddiez' attempt.


While I have been interested in system security from day one (I started coding when I was 7, so "day one" was approximately 19 years ago), I've never bought into the Cracker mentality - whatever the moral justification, it just seemed to be wrong to willingly exploit another's system, even if it was wide open. To me, nothing matched the thrill of protecting the system.

As a sysadmin, you are often at a disadvantage. Dozens of exploits surface daily, both publicly and those that remain in the "Underground" for a while. The great bugaboo of security is complexity, and any reasonably useful system is going to be very complex. Despite the fact that most Crackers couldn't crack their way out of a raw egg, there is a minority of truly skilled intruders out there. To constantly raise the bar, to make it more and more difficult for the kiddies to break what you worked so hard to build, gives me a huge feeling of accomplishment.

Any sysadmins out there feel like I do? Anyone want to share their experiences with this?

The Joys of Protecting Networked System | 73 comments (50 topical, 23 editorial, 0 hidden)
Hunters v. Gatherers (1.00 / 9) (#2)
by MeanGene on Thu Sep 21, 2000 at 01:12:13 PM EST

The reason is simple gender imbalance...



Stories (1.83 / 18) (#4)
by billnapier on Thu Sep 21, 2000 at 01:15:50 PM EST

Anybody have any good tales of how they tracked down the script kiddies and secured their systems? (a la "Cuckoo's Egg")

rootprompt.org (4.00 / 2) (#54)
by Anonymous 242 on Fri Sep 22, 2000 at 09:34:15 AM EST

The not quite so highly publicized rootprompt.org ran an excellent series not too long ago about the cracking, tracking, cleaning and aftermath of a community network getting cracked.

Start reading here: http://rootprompt.org/article.php3?article=403

[ Parent ]

Re: Stories (5.00 / 4) (#68)
by arcade on Sat Sep 23, 2000 at 10:32:06 AM EST

Anybody have any good tales of how they tracked down the script kiddies and secured their systems?

Indeed. I'm currently the administrator of 5 computers for a small-time Norwegian company. Two years ago, the 5 computers were 1, and I wasn't very security aware at all.

I installed SuSE 5.2 (I think it was 5.2, that might be wrong) - and left it happily running the services we needed. Including qpopper.. version 2.2 (Those of you that are into security are now starting to moan loudly).

The system ran happily for 2 months. Until December '98. I was/am an operator of the channel #norge on EFNet, which is, well, one of the most attractive channels for takeover kiddies on EFNet. I had ircii running from the SuSE 5.2 box. On 24 December '98 (!) a Canadian script kiddie with the moniker "j0n" cracked my server, and made an unsuccessful takeover attempt on #norge. My co-admin, who was active on #norge at the time, phoned my parents (where I was on x-mas vacation) and asked them to wake me up. The system had been cracked.

I was awoken on 24 December (god, why did the idiot have to choose that date) with the words "We've been cracked, go connect to the net NOW!!". I ran down, and tried to connect to my server. No response. I talked to my buddy via IRC, and he was connected - he had tried to throw out the cracker (killed his shell), but the cracker reconnected.. and rm -rf'ed ..!! TWO MONTHS OF WORK LOST. We were going to buy our tape streamer in January...!

God was I mad. Well, I got the takeover-attempts log from my buddy, and looked at the hostmasks. I deduced that those too were cracked systems. So, I contacted the administrators of the different computers (among others Dave Dittrich at washington.edu, yes, the guy behind all the DDoS analysis). Most of them responded within 24 hours (hey! It was the 24th of December, and they were online! We System Administrators are great! :). Most of them sent me logs, and ack'ed that the computers were cracked.

Furthermore, a person nick'ed "b0zo" messaged me on IRC, bragging about cracking my system (Fitting nick, btw :). I did a /whois, saw the channels he was on, and joined them. My dialup was smurfed down several times, but I just reconnected. Dialups are great that way. ;) (poor ISP ;).

I fired in some "dummy-probes" that relayed everything that was said on the channels to me. And, I questioned the 'b0zo' guy some. I don't remember how, but I found the connection to the 'j0n' guy pretty quick. I think he was on one of the home.com hosts that was connected to my box before they rm -rf'ed it.

Anyways, he was hanging out on the channel #montreal on EFNet, which I relayed to me via different shell accounts for an entire month. I contacted the systems he was bouncing to IRC via, most of them cracked. Including but not limited to: mit.edu, hawaii.edu, washington.edu, nasa.gov, nist.gov, harvard.edu, cmu.edu, berkeley.edu, bu.edu, ih2000.net and columbia.edu.

Most of the administrators were really very cooperative. Around the 10th-15th of January, me and the admins at nasa.gov and mit.edu were cooperating in tracking him down. We came in contact with a Canadian ISP, which was being DoS'ed heavily from - I THINK it was MIT's machines.

Together with them, we tracked down the cracker. On the 28th of January 1999, 4 RCMP troopers arrested him, and confiscated his computer equipment. He was a 16 year old boy. Apparently by the name "Jon Fortin" (unconfirmed, the Canadian government apparently doesn't give out the names of criminals that young).

He was sentenced to 250 hours community service earlier this year. The only thing is -- I used about 15 hours a day, 30 days in a row, to track him down. In other words, I used about 450 intense hours to track him down, and that bastard only got 250 hours of community service.

Damn, the court system sucks.

The upside of all this is that I learned a LOT about computer security. I now consider myself a competent security admin. I also knew what it was to truly HATE somebody.



--
arcade
[ Parent ]
not front page material (1.00 / 21) (#10)
by dexsun on Thu Sep 21, 2000 at 01:35:53 PM EST

this is a really great discussion piece, but i have to agree with some of the others and say that it does not belong on the front page... i would recommend resubmitting it w/ a different section heading, then you'll get my vote... as it stands, I've got to vote it down... sorry. --dexsun

Not a topical comment (3.69 / 13) (#27)
by fluffy grue on Thu Sep 21, 2000 at 05:29:46 PM EST

This is the sort of comment which is supposed to be editorial, as it is non-discussion-oriented and is about aspects of the article itself. As it stands, I've got to vote it down. Sorry.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

Different rush (3.53 / 15) (#28)
by El Volio on Thu Sep 21, 2000 at 05:50:54 PM EST

The problem is that, even though I feel good when I've secured a new system, and better when I've secured an existing system that was exposed, it's not the same kind of rush (for me, at least). You never know when you've turned away a potential intruder; maybe when you see a scan in the logs, and then never hear from them again, but that's about it.

It's more of a workman-like feeling. I know I'm doing a good job (albeit not perfect) protecting the systems I administer within the bounds of the resources I've been given. Every time I bring a system up to current patch level, it's a sigh of relief. Every time I run nmap against a system after I've worked on it and see a better picture than when I started, it's nice. But it's not a rush.

IOW, the feeling's not momentary, it's the continuous satisfaction of a job well done.

My systems. (3.26 / 15) (#29)
by fonetik on Thu Sep 21, 2000 at 06:13:10 PM EST

Well... I think I might be the first one to talk about the STORY instead of arguing about whether it should be here, or what it should be called. Look people, you obviously know what the story is about, let's not argue the semantics of it.

This reminds me of the scenes in "Life of Brian" where the committees that hate the Romans argue more about who hates the Romans, and never get anything done.

Anyways...

I am a network administrator. I have worked for hospitals, banks, Sprint, and even UCLA. I'm 22, and I barely made it out of high school; I have no college besides working for one. I owe much of my knowledge to the fact that crackers are so full of pride and are so boastful. I learned about a lot of systems just by finding out the faults they exposed and working backwards to see how everything else works. I have never broken anyone else's systems, or really had much urge to. The information, and the stories of what others did, was great enough, and taught me a TON about systems.

In so many of the systems that I have worked with in all of these places, the security is a joke. They are too busy merging, centralizing, decentralizing, defining business goals and mission statements to do much of anything proactive about security. The attitude that I see so prevalent is "I could spend all of this time just making it so 90% of the kiddies can't get in, and no one will ever notice." Never have I had a boss that cared about security until something scared him, like hearing something on the news. The other 10% of the system is left insecure by my users, who are so dense that light bends around them. They would shout their passwords across the room on the rare chance they could remember them. Users don't care about security if it's not their data. Bosses don't care until it's cost effective. Admins don't care; if it ever hits the fan, I can have a better job in 20 minutes off of dice or monster or whatever.

Above all, in all of the places that I have worked where I have set up sniffers and watched the traffic go by, I have detected a total of one actual cracking attempt to my knowledge. (Minus the pings and enumeration attempts.) This was just a login attempt at one of our servers through telnet. Futile at best. The sniffer told me the username was that of an ex-employee in our department, who was trying, among other things, the old NT admin login/password on this system.

No real threats in years of being an admin? I tend to fall the way of obscurity rather than make my systems bulletproof.

-Fonetik
A thousand compromises doesn't add up to a win. -Aimee Mann
Re: My systems. (4.28 / 7) (#36)
by trog on Thu Sep 21, 2000 at 08:45:53 PM EST

Users don't care about security if it's not their data.

Hell, they don't even care about it when it is their data. The CEO of a company I once worked for demanded that he not have to change his network password ever (which was, of course, his mother's first name). The man had very, very sensitive files on his machine, and because of who he was, I couldn't protect them. The fact that no one got hold of his files amazes me to this day.

I have detected a total of one actual cracking attempt to my knowledge

It has been my experience that it depends on the location and type of the network. For most corporate networks, the threat isn't generally outside crackers, but disgruntled employees. This is especially true in a company that is acquiring other companies.

Once, I did some consulting at a company that was swallowing up several of its smaller rivals. They suspected that some secretary somewhere was leaking documents out to another company. Turns out, it was an executive officer who was assimilated into the company when his company was bought. This person, who was considered to be very loyal, was fired on the spot.

Protecting data from the people who are supposed to have legitimate access to it is much, much harder than protecting systems from 'da kiddez'.



[ Parent ]
Re: My systems. (3.80 / 5) (#39)
by fonetik on Thu Sep 21, 2000 at 10:19:37 PM EST

"Protecting data from the people who are supposed to have legitimate access to it is much, much harder than protecting systems from 'da kiddez'"

Well said, that's what I tried to say, but... can I still blame poor thought process on line noise?

I once had a CEO that "logged on" to his system by moving his mouse and typing in his screensaver password. Whenever ANYTHING but email was on the screen, he would call me and demand that I come to his office immediately to fix his computer that keeps breaking. I eventually got so tired of his complaining that I set up Outlook to be the only thing that would run on the system, with autologin, no server file access, and no power saving on the monitor. His system was one of the fastest at the hospital, and it was being used to read mail on. Not even replying. He would print things out, write on the prints, and give them to his 'secretary of the week' to type up. The cleaning crew, or even a casual passerby, could learn what was going on in upper management by knowing his last name, the only password he could remember.

This man is a doctor. He also has an MBA. Scary huh?
-fonetik

A thousand compromises doesn't add up to a win. -Aimee Mann
[ Parent ]
Doctor of Technology? (1.66 / 3) (#51)
by lazerus on Fri Sep 22, 2000 at 03:47:45 AM EST

Not a Doctor of Technology, I hope :=)

[ Parent ]
Re: My systems. (2.00 / 1) (#72)
by unstable on Mon Sep 25, 2000 at 03:33:37 PM EST

This could have been written by me except the last part. I too am 22, have no degree, learned mostly from crackers and hackers, have worked for the "big companies" and dealt with lusers (way too many times). But I still feel that given the decision of securing a box or "letting it go" I would lock it down as tight as I could. (I currently mostly do hell desk so they won't let me touch the servers) (btw the passwd on the servers is simple enough to guess in about 20-30 tries)

Part of being a "computer room guy" (as I am called here at work) is doing my best to see that everything runs smoothly, and that includes locking out anyone who is out to rough things up. And to get back on topic, I find that finding out, testing, and defeating new vulnerabilities is extremely fun and rewarding. It's always fun to look at the log and see some script kiddie banging his tools on the firewall that you just patched. Do the job well or don't do it at all.



Reverend Unstable
all praise the almighty Bob
and be filled with slack

[ Parent ]

Rush? (2.40 / 10) (#30)
by Luke Scharf on Thu Sep 21, 2000 at 06:23:49 PM EST

It would be a rush if I respected the people who've cracked my system. Sadly, I don't respect script kiddies.

Now, if someone good had cracked my system, I would have had lots of fun tracking them down in a game of wits.

(During the cleanups, there was no evidence that anything other than an automated script had touched my system -- showing URLs of where the script came from.)



Re: Rush? (2.75 / 4) (#31)
by El Volio on Thu Sep 21, 2000 at 06:42:58 PM EST

If your system has been so easily cracked by script kiddies, then while they may not deserve any respect, your sysadmin practices need to be improved. Is everything kept patched? Are you running unnecessary services? Do you have any sort of a firewall? Most automated scripts can be defeated through these and other time-tested practices, and if someone gets cracked by them because they didn't use those practices, then he shares the blame.

OTOH, it is true that sometimes an exploit for a necessary service is released and used before a patch or workaround is developed. No shame for the admin there! As for the developer, that's another story... :/

(Nothing personal here, since for all I know your sysadmin practices are as near perfect as can be.)

[ Parent ]

Re: Rush? (4.00 / 1) (#73)
by Luke Scharf on Mon Sep 25, 2000 at 05:40:39 PM EST

If your system has been so easily cracked by script kiddies, then while they may not deserve any respect, your sysadmin practices need to be improved.

The incidents that I was referring to have definitely improved our sysadmin practices. No actual damage was done, and I don't think in either case that anyone actually logged onto the system after running the rootkit.

It's a bit of a wakeup call when people who probably can't use bash get root access.

So, now our Linux boxes are kept patched up to date, and we've set up an OpenBSD firewall that blocks everything but the services we really want outside people to see.

Thank you for your advice -- despite my massive ego, I do my best to listen to good sense when I hear it. :-)



[ Parent ]
securing systems. (1.77 / 9) (#32)
by pope nihil on Thu Sep 21, 2000 at 06:53:06 PM EST

i can't say i've dealt with much in the way of cracked systems. at a place of former employment, i had to "break in" to an SGI workstation because we didn't know what the root password was (it's not too complicated when you can get a root shell from the install CD and have console access :). i know of a website that was cracked that was run by some of my friends. i've never had one of my servers cracked. nowadays i consider it a fairly unlikely event because of how security-conscious i am. i use openbsd pretty exclusively (and i do some security tweaking beyond the default install). but, i don't get any sort of rush out of it. i just consider it a challenge.

I voted.

setting up a trap (2.77 / 9) (#33)
by Barbarian on Thu Sep 21, 2000 at 07:47:12 PM EST

I think a rush would come more from setting up a nice looking trap for skript kidd3z to fall into, and catching them red handed.

Lately I've noticed a lot of attempts to connect to windows netbios shares -- I assume this is caused by some trojan horse that tries to propagate itself. I'm thinking of shoving windows on an old machine, making it vulnerable, and diverting all this traffic into it to see what it does.


Re: setting up a trap (2.75 / 4) (#35)
by adamsc on Thu Sep 21, 2000 at 08:45:09 PM EST

I've been thinking about setting up an OpenBSD box so that it appears to be a Win9x box and seeing what attacks people try. It'd be interesting to write a perl script which automatically prepares reports to be sent to the appropriate abuse@ addresses.

[ Parent ]
Re: setting up a trap (2.66 / 3) (#41)
by Toojays on Thu Sep 21, 2000 at 11:11:56 PM EST

Would it even be possible to set up OpenBSD so that nmap would think it was running win95? I think you would have to make some changes to the IP stack or something.

[ Parent ]
Re: setting up a trap (4.50 / 4) (#45)
by trog on Fri Sep 22, 2000 at 01:12:13 AM EST

I remember on one of the nmap lists a while back there was some discussion on reworking the tcp/ip stack of a system to make it look like another system. Check out the list archives at http://www.insecure.org. I don't remember offhand which thread that was.

Incidentally, when Windows 2000 first came out, the tcp/ip stack WAS taken from a BSD (FreeBSD I believe). OS scans against early-build windows 2000 machines said the boxes were running BSD.



[ Parent ]
Re: setting up a trap (2.66 / 3) (#63)
by adamsc on Fri Sep 22, 2000 at 04:53:57 PM EST

It's opensource, so yes. I was thinking about starting with things like Samba and progressing to making some kernel patches to fool nmap.

[ Parent ]
automatic reporting scripts (2.50 / 2) (#67)
by Barbarian on Sat Sep 23, 2000 at 01:06:24 AM EST

As always, the big danger in automatic reporting scripts is Denial of Service -- if they figure out you have it set up, they'll bombard you with packets that cause reports -- if you have a spam timeout (i.e. consolidate all reports that occur within 5 minutes), they'll go just over the limit of it, if they're diabolical -- i.e. they'll have r00ted a box on your netblock and they'll packet sniff you to see what's going on.


[ Parent ]
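An added example (not Barbarian's script, nor anything from this thread) of the "spam timeout" consolidation described above, with a per-source and a global hourly cap added so that probes paced just past the window cannot turn the reporter into an unbounded stream of outgoing mail. The 5-minute window, the cap values and the sample addresses are assumed for the demonstration.

```python
"""Abuse-report aggregator with flood caps (added example, not from the thread).

Events from one source within WINDOW seconds are consolidated into a single
report. Two caps then bound what the reporter can send in any hour, so a
sender who paces probes one second past the window still cannot make the
script mail abuse@ without limit. All constants are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 300            # seconds: events from one source within 5 min become one report
PER_SOURCE_CAP = 3      # reports about any one source that may be sent per hour
GLOBAL_CAP = 50         # reports about all sources that may be sent per hour
HOUR = 3600


@dataclass
class Report:
    source: str
    first_seen: float
    last_seen: float
    count: int


class Reporter:
    def __init__(self, window=WINDOW, per_source_cap=PER_SOURCE_CAP, global_cap=GLOBAL_CAP):
        self.window = window
        self.per_source_cap = per_source_cap
        self.global_cap = global_cap
        self._open = {}                      # source -> Report still accumulating events
        self._sent_at = defaultdict(list)    # source -> times a report about it was sent
        self._sent_all = []                  # times any report was sent
        self.sent = []                       # reports handed to the mailer
        self.suppressed = []                 # reports held back by a cap (logged locally)

    def observe(self, source, now):
        """Record one hostile event (e.g. a probe the firewall logged)."""
        self.flush(now)
        rep = self._open.get(source)
        if rep is None:
            self._open[source] = Report(source, now, now, 1)
        else:
            rep.last_seen = now
            rep.count += 1

    def flush(self, now):
        """Close every window that has been open for WINDOW seconds."""
        for source, rep in list(self._open.items()):
            if now - rep.first_seen >= self.window:
                del self._open[source]
                self._emit(rep, now)

    def _emit(self, rep, now):
        cutoff = now - HOUR
        recent = [t for t in self._sent_at[rep.source] if t > cutoff]
        self._sent_at[rep.source] = recent
        self._sent_all = [t for t in self._sent_all if t > cutoff]
        if len(recent) >= self.per_source_cap or len(self._sent_all) >= self.global_cap:
            self.suppressed.append(rep)      # still counted, just not mailed
            return
        recent.append(now)
        self._sent_all.append(now)
        self.sent.append(rep)


def simulate(events, **kwargs):
    """Feed (timestamp, source) pairs through a Reporter; returns (sent, suppressed)."""
    reporter = Reporter(**kwargs)
    last = 0.0
    for ts, source in sorted(events):
        reporter.observe(source, ts)
        last = ts
    reporter.flush(last + reporter.window)  # end of run: close whatever is still open
    return reporter.sent, reporter.suppressed


def paced_probe(source, interval, duration):
    """Constructed sample: one source sending a single probe every `interval` seconds."""
    return [(t, source) for t in range(0, duration, interval)]


if __name__ == "__main__":
    # Probes paced 1 s past the 5-minute window for an hour: plain consolidation
    # would mail 12 reports; the per-source cap stops after 3.
    sent, held = simulate(paced_probe("192.0.2.10", WINDOW + 1, HOUR))
    print(f"paced probe: {len(sent)} sent, {len(held)} suppressed")
    # A burst of 50 probes within a few seconds still yields exactly one report.
    sent, _ = simulate([(i * 0.1, "192.0.2.10") for i in range(50)])
    print(f"burst: {len(sent)} report covering {sent[0].count} events")
```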
Re: setting up a trap (3.00 / 1) (#53)
by mwright on Fri Sep 22, 2000 at 07:39:33 AM EST

I've always thought of (and wanted to try) that myself. Perhaps looking for programs whose buffer overruns are often being exploited, and then modifying the source code of the updated version so that it would automatically take action if someone attempted the buffer overrun... for example, logging their IP and blocking them from the system. After that, the fun part would be calling up their ISP and telling them about it!

[ Parent ]
Re: setting up a trap (4.66 / 3) (#59)
by ocelot on Fri Sep 22, 2000 at 02:04:01 PM EST

Check out To Build a Honeypot by Lance Spitzner.

But be sure you know what you're doing before getting into this. Compromised boxes are most often used to launch attacks against other boxes. If you don't set things up to minimize the ability for someone to turn around and launch outgoing attacks, and keep the box under constant surveillance (preferably redundant if you're relying on some sort of automated monitoring system), you're more than likely just going to contribute to the problem.

Also, remember that there's a good chance that the only thing you'll catch is another compromised system, not the attacker itself.

[ Parent ]

Re: setting up a trap (4.00 / 2) (#55)
by Joyrider on Fri Sep 22, 2000 at 10:48:10 AM EST

There's a notepad.exe trojan going around that incrementally checks the IP addresses above and below the one of its host for open netbios shares, and infects those when possible. Quite a clever propagation method if you ask me, especially for dialup users with dynamic IPs... see the 'incidents' list on securityfocus.com for more details.

[ Parent ]
Re: setting up a trap (3.50 / 2) (#64)
by jet_silver on Fri Sep 22, 2000 at 05:18:15 PM EST

These port 139 connect attempts made me quite curious, too - so for the last three or so incidents on my dialup I have done connect() scans on the senders' port 139s - which have invariably been open. Robert Graham (http://www.robertgraham.com? not sure) has a 'firewall_seen' page where he describes Netbios activity like this as 'background radiation' of the Internet. He suggests these connect attempts are nothing more than misconfigured Windows boxen trying to browse shares.
"What they really fear is machine-gunning politicians becoming a popular sport, like skate-boarding." -Nicolas Freeling
[ Parent ]
An EQ analogy... (3.50 / 12) (#34)
by sugarman on Thu Sep 21, 2000 at 08:15:06 PM EST

(note to self: get out into the real world so you can draw some connection with RL again...)

My take on this, which admittedly may not work for everyone, but at least it helps me wrap my brain around it, would be to say that a sysadmin's role is akin to that of a Cleric in EQ.

  • You are responsible for the health and well-being of the party
  • You have a lot of down time, sitting and staring at a spell book, watching the chat logs scroll by.
  • You generally have the call as to when a fight is going badly and when the party needs to evac.
  • If the shit hits the fan you can often take a lot of the flak when a party member is killed, (though you can sometimes point this out to other members for screwing up)(or IRL, say not changing the default passwords)
  • You may also suffer a lot of downtime trying to recover when the party suffers a loss. (Rezzing members, re-buffing, etc)
  • It is a passive role, where you have to wait for the enemy to spawn, or come to you.

However, when it does work, when you manage to keep everyone alive and take down a huge mob, or break a train, weathering a flurry of attackers, then you are truly appreciated, and that knowledge of a job well done can make it all worthwhile.

The script-kiddies parallel probably wouldn't be a warrior or rogue, though. More likely a necromancer or druid, looking for an easily soloable class, and crying to high heaven every time there is a perceived slight, or a fix is made that hinders their ability to power-level. They often have little skill themselves, but have taken the easiest path, checked out some spoiler sites, and gotten some phat lewt from guildmates.

It takes a different kind of player. High-level clerics are few and far between, but they are appreciated for what they can bring to the table, and the good ones have endless offers awaiting them. Druids and necros litter the zones, and it is rare that one finds one with a) skill, b) talent, c) an interesting personality.

Does the above sound familiar? =)


--sugarman--

Re: An EQ analogy... (2.33 / 3) (#62)
by KindBud on Fri Sep 22, 2000 at 02:57:27 PM EST

You play far too much EQ, dude. Go get some sunshine.

--
just roll a fatty

[ Parent ]
my experiences (4.08 / 12) (#37)
by Anonymous Hero on Thu Sep 21, 2000 at 09:19:09 PM EST

I run a machine that offers a LOT of services to our members.. netatalk, samba, ftp, CGI, webmail, web hosting, email, etc...

A few of our members also have shell accounts, because they want to run pine, hack some perl, run X etc..

Shell accounts are, IMHO, the most dangerous things you can ever give somebody. These were only given to people who we knew IRL, and that we felt knew enough about *nix not to be stupid. People were also given fair warning that their shell was a privilege, and as such should not be abused.

I made sure to put on process accounting, tripwire, quotas, nosuid on home directories and an audit of the software on the system. I did maintain a policy that users' homes or processes would not be pried into unless it was thought they were doing something harmful.

I also kept up to date with CERT, Bugtraq, etc.. and made sure packages were kept up to date.

Of everyone who had a shell, of course there had to be one idiot who proclaimed themselves to be a security expert, and tried every single exploit from rootshell on the system. I gave fair warning to them that this was not to be tolerated, and notified other members of the group that this person was doing this.

Well, this person was quiet for a few weeks, until they decided they would start poking about in inetd. They NOHUP'd /etc/init.d/inetd thinking it was an identd server.. and then logged off without cleaning up. This brought down a few services because their inetd was forking and trying to bind ports, but was being rejected because they weren't root - yet resource-wise it was almost the equivalent of a fork bomb. Not pretty.

After finding out about this, I took away their shell for a few weeks as punishment. They, of course, whinged to superiors above me, promised not to ever do this again, yada yada yada and I was forced to give the shell back.

Basically, the same thing happened again and again, whether it be downloading hundreds of megabytes of warez in the quotaless (on purpose) /var/tmp, trying out exploits, or attempting to DoS our machine from other hosts.

While this person maintained that these efforts were in the "interest" of the users, because they were "concerned about security" - it was sure as hell they had a personal vendetta against me because they had lost their shell a few times.

In the end, I terminated their shell account and locked them out of EVERYTHING. Even then, they started to subscribe me to porn lists, and attempt remote exploits on the system (which could easily be traced back to their permanent IP).

What annoys me most is that these kind of people abuse trust, and then every time they are caught, go on the lines of "i was just testing security for the rest of the users".

Anyway, that was a long story, and missed a lot of detail. But no, I don't get a rush from catching kiddies. I get pretty angry.

Re: my experiences (2.50 / 2) (#46)
by trog on Fri Sep 22, 2000 at 01:17:05 AM EST

A better (read: significantly more secure) way of offering services that normally run from inetd is to use the tcpserver program, which is a component of Dan Bernstein's ucspi-tcp tools. More can be found at http://cr.yp.to/ucspi-tcp.html. Bernstein's tools are EXCELLENT.



[ Parent ]
Always paranoid (3.50 / 4) (#38)
by matman on Thu Sep 21, 2000 at 09:58:16 PM EST

I've been getting into network security for the past year or two. The thing that keeps me wanting to secure things is paranoia. I don't think that I'll ever feel that a box is really secured; this is probably a good thing, as it's not quite possible to totally secure a box. Watching my logs, the attacks that I see these days most often are related to smb or rpc... very rarely does anyone actually scan my system - attacks appear to be more random, as if the attackers are trying to shoot fish in a barrel.. I hope to keep myself a small fish.

Re: Always paranoid (4.00 / 2) (#47)
by trog on Fri Sep 22, 2000 at 01:20:32 AM EST

It has been my experience that this is the healthiest attitude you can have in regards to security - it is true that ANY MACHINE, regardless of countermeasures, security policies, or OS (yes, even OpenBSD) can be compromised. The trick to being a security sysadmin is to constantly raise the bar; to make it more and more difficult to break into the system. As Schneier has said, "Security is a process."



[ Parent ]
Re: Always paranoid (3.00 / 1) (#52)
by duxup on Fri Sep 22, 2000 at 04:02:29 AM EST

I agree, raising the bar is the best way to look at it. You're never totally secure; however, being more secure than the network next door makes you a less tempting target for the random freaks out there.

[ Parent ]
Re: Always paranoid (5.00 / 2) (#65)
by inri on Fri Sep 22, 2000 at 07:48:39 PM EST

AFAIK, the term for this is `target hardening', and is a good policy in general. E.g., if you're walking around in a bad part of town, the only way to really avoid being a crime victim is to be driving a tank ;) Short of that, you basically try to appear tough so that you aren't attacked, and the jerks pick on someone else. Same idea with networks.

[ Parent ]
NT Lab Security (2.85 / 7) (#40)
by icer on Thu Sep 21, 2000 at 11:00:58 PM EST

This may be a little off topic, as it pertains to NT 4.0 security as opposed to *nix security, but relevant nonetheless.

I work at a small College as a net admin. We have 7 lab environments, all of which currently run NT4 workstation. The machines are used by students, and are prone to problems. We currently have an employee who deals only in supporting the labs, but never actually ends up rebuilding lab loads. So, because of the way things work, this job "falls" to me.

While loading and securing a lab has its annoyances, there's something thrilling about building a secure lab. It's fun to watch the CSC students try to d/l apps and install them on the boxes. Or better still, listen to them talk about "hacking". (It's almost as fun to listen to a CSC student go on, at length, about the wonders of Linux, until you sit him in front of a machine with just a shell. :).

In any case, for as much as security can be monotonous, it can be fun as well in my experience.



Re: NT Lab Security - Question (2.00 / 2) (#49)
by vrai on Fri Sep 22, 2000 at 03:01:28 AM EST

At the risk of sounding like an utter nonce - what's CSC? Is it just another term for the all-encompassing comp-sci?

[ Parent ]
Re: NT Lab Security - Question (2.00 / 2) (#58)
by icer on Fri Sep 22, 2000 at 01:28:54 PM EST

CSC stands for Computer Science.

[ Parent ]
    On teaching CSC students the wonders of the shell (4.33 / 3) (#61)
    by simmons75 on Fri Sep 22, 2000 at 02:27:59 PM EST

    /*
    (It's almost as fun to listen to a CSC student go on, at length about the wonders of Linux, until
    you sit him in front of a machine with just a shell. :).
    */

    Yeah, and I bet they learn a lot about the shell using NT4. My school had a mix of NT machines (at the time, it was 3.51; NT4 wasn't out yet). It was amazing to me to hear students (and a lot of those were kids that came from countries with supposedly better education systems!) who made brash statements like "UNIX is dead" and all sorts of stuff. I used to watch kids that didn't have their own computers log into an NT station then telnet over to one of the Sun stations...often one right next to them. Why didn't they just login to the machine directly? "UNIX sucks." OK, real reason? "UNIX is too hard." I think I nearly went blind in front of those old SPARCstations; that black-on-white console is hard on the eyes, IMHO. :^) Then again, I stuck to the command line with vi and command-line tools because it was either that or fire up X11 so I could start a couple of xterms (or whatever the OpenWindows equivalent was...I think that's why the machines had 64MB, BTW. ;^)

    But, yeah, you're right. The most hilarious thing is that the folks doing the *real* hacking are actually pretty quiet about it most of the time. I had a roommate who liked to brag that he hacked into the Pentagon. I idly asked him one day when he was sitting smoking, telling someone this for the 10th time, "Joon, what's 'ls'?" He gave me a blank look. That was all I needed to know. Thanks to his storytelling, he was always in trouble any time someone who knew him had weird computer problems: "Joon, WTF did you do to my computer?" Reply, exasperated: "I didn't do anything!" Reply: "Suuuuuuuuurre, you didn't." Me, I always kept quiet and let him screw up his reputation, because I figure he shit in his bed, I might as well let him lie in it if he wanted.
    poot!
    So there.

    [ Parent ]
    It's like killing spammers (3.16 / 6) (#42)
    by David Gerard on Thu Sep 21, 2000 at 11:51:44 PM EST

    I kill a lot of spammer accounts. I teach other people how to kill spammer accounts. (Hey, you! In Australia? Join CAUBE-AU!)

    And damn is it a nice feeling to rack up another spammer head!

    I think it's the thrill of successfully fighting back the forces of evil and st00pid. Just for one moment.

    Re: It's like killing spammers (2.00 / 2) (#50)
    by henrik on Fri Sep 22, 2000 at 03:31:20 AM EST

    Hey, feel like teaching me how to kill spammers?
    They're *really* starting to annoy me now. Around 75% of all my mail is spam.

    Please mail me at henrik@abelsson.com or reply here if you can spare a minute.

    Actually, it'd probably be a good article here on k5.
    Thanks.

    Akademiska Intresseklubben antecknar!
    [ Parent ]

    Re: It's like killing spammers (4.00 / 1) (#66)
    by fluffy grue on Sat Sep 23, 2000 at 12:11:54 AM EST

    1. View the message's headers.
    2. Take note of all domains in the headers which aren't for your ISP, and for all IP addresses, do a PTR query on it (i.e. a normal nslookup) and take note of those domains as well.
    3. Forward the message, headers intact, with a brief writeup of your own to root, abuse, and postmaster at all of those domains. Also forward it to uce@ftc.gov, the Federal Trade Commission's anti-spam-effort-thingy which doesn't seem to do any good but at least it scares the relaying ISPs if they see it in the Cc: list.
    Typically, that's about the best you can do to deal with spam. Either the sysadmins will respond or they won't, and if they do respond either they'll be able to deal with it or they won't. I've noticed that non-English-speaking country domains (most notoriously .jp and .kr) are the worst at never responding to spam reports, and typically (by ignorance or by malice) leave their mailservers up as open relays. You can't do anything about those except report them to their upstream ISP and hope they'll deal with it. To find the upstream ISP, do a traceroute on their mailserver.
    --
    "Is not a quine" is not a quine.
    I have a master's degree in science!

    [ Hug Your Trikuare ]
    [ Parent ]
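    Steps 1 and 2 of the recipe above are mechanical, so here is an added Python example (my own illustration, not code from the thread or from fluffy grue) that does them: it splits a raw message into headers, pulls every host name and IPv4 address out of the Received: lines, reverse-resolves the addresses, and builds the abuse@ / postmaster@ recipient list (plus uce@ftc.gov, the one address the post names). The sample message, the host names, the documentation-range IPs and the PTR table are all constructed so the script runs offline; in real use pass `ptr_lookup` (or just omit the resolver argument) to get live DNS. It deliberately ignores From: and Reply-To:, which the spammer controls outright, and it uses a naive "last two labels" rule for the registrable domain, which is wrong for suffixes like co.uk.

```python
import re
import socket
import ipaddress
from typing import Callable, Iterable, List, Optional, Set, Tuple

# Constructed sample spam using RFC 5737 documentation addresses (not real hosts).
# Received: headers are prepended by each hop, so the bottom-most one is the hop
# closest to the spammer and the only one the spammer could have forged.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.myisp.example (Postfix) with ESMTP id 1234\n"
    "\tfor <victim@myisp.example>; Fri, 22 Sep 2000 03:31:20 +0200\n"
    "Received: from relay.example.org ([198.51.100.7])\n"
    "\tby mx.example.net with SMTP; Fri, 22 Sep 2000 03:30:00 +0200\n"
    "Received: from unknown (HELO cash.example.com) (203.0.113.42)\n"
    "\tby relay.example.org with SMTP; Fri, 22 Sep 2000 03:29:00 +0200\n"
    "From: \"Make Money\" <offer@cash.example.com>\n"
    "To: victim@myisp.example\n"
    "Subject: MAKE MONEY FAST\n"
    "\n"
    "You can make thousands from home...\n"
)

# The reporter's own ISP (constructed); never reported to itself.
OWN_DOMAINS = frozenset({"myisp.example"})

# Constructed PTR table standing in for reverse DNS so the example runs offline.
FAKE_PTR = {
    "192.0.2.10": "mx.example.net",
    "198.51.100.7": "relay.example.org",
    "203.0.113.42": "dsl-42.access.example.com",
}

# Anything dotted made of label characters: host names and dotted-quad IPs alike.
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def split_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs, lower-cased names, folded continuation lines joined."""
    head = raw.split("\n\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def registrable(host: str) -> str:
    """Naive 'last two labels' rule (wrong for co.uk-style suffixes; use a public suffix list in production)."""
    labels = host.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def hosts_and_ips(raw: str) -> Tuple[Set[str], Set[str]]:
    """Host names and IPv4 addresses mentioned in Received: headers only."""
    hosts: Set[str] = set()
    ips: Set[str] = set()
    for name, value in split_headers(raw):
        if name != "received":
            continue
        for token in HOST_RE.findall(value):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                hosts.add(token.lower())  # not an IP, so treat it as a host name
                continue
            if not addr.is_loopback:  # local-delivery hops via 127.0.0.1 are noise
                ips.add(str(addr))
    return hosts, ips


def ptr_lookup(ip: str) -> Optional[str]:
    """Live reverse DNS (step 2's 'normal nslookup'); None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def report_recipients(raw: str,
                      resolver: Callable[[str], Optional[str]] = ptr_lookup,
                      own_domains: Iterable[str] = OWN_DOMAINS) -> List[str]:
    """abuse@ and postmaster@ for every domain the message passed through, plus uce@ftc.gov."""
    hosts, ips = hosts_and_ips(raw)
    for ip in ips:
        name = resolver(ip)
        if name:
            hosts.add(name.lower())
    domains = {registrable(h) for h in hosts} - set(own_domains)
    recipients = {f"{box}@{d}" for d in domains for box in ("abuse", "postmaster")}
    recipients.add("uce@ftc.gov")
    return sorted(recipients)


if __name__ == "__main__":
    for rcpt in report_recipients(SAMPLE_MESSAGE, resolver=FAKE_PTR.get):
        print(rcpt)
```

    Step 3 (actually forwarding the message with headers intact) is left to your mailer on purpose; the point of the script is to get the recipient list right, and the list it produces for the constructed sample is abuse@ and postmaster@ at example.com, example.net and example.org plus uce@ftc.gov, with the reporter's own ISP filtered out.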

    A better way (5.00 / 1) (#69)
    by ZephyrAlfredo on Sat Sep 23, 2000 at 07:45:08 PM EST

    "Forward the message, headers intact, with a brief writeup of your own to root, abuse, and postmaster at all of those domains."

    By shutting down a spammer you are attempting to reduce the amount of wasted email on the internet, not generate your own. :) Sending 3 messages to every ip the message was routed through is redundant.

    I use http://www.abuse.net/lookup.phtml and http://samspade.org/ to find out who I should contact, and then I send two emails. One to the correct address of the spammer's ISP, and one to the first upstream router.

    This requires more work, but reduces how much work others have to do, and isn't that your goal in stopping a spammer?



    [ Parent ]
    Re: A better way (4.00 / 1) (#71)
    by fluffy grue on Sun Sep 24, 2000 at 02:11:01 AM EST

    I wasn't saying to do root, abuse and postmaster at EVERY IP address (though I know some people who do that). However, the idea is that those three/four messages will stop several thousand more from that same spammer, since their account gets nuked before vast potential amounts of mail go out. And honestly, I don't even email root anymore, and if I know that a domain has a valid abuse address, I don't bother with postmaster either. Since most of the spam I get comes from two or three domains which do have (responsive) abuse addresses, typically I only send two or three messages per spam (the one to the ISP to get the spammer shut down and the one to the FTC to get the spammer potentially litigated by the feds, especially for the pyramid schemes which seem to be cropping up in a major way again).

    For a while I was using Spamcop, but when I switched to Mutt, Spamcop stopped acknowledging my headers as valid (which is odd, since Mutt's header mode just shows the raw message with no reformatting whatsoever, whereas Pine does some mangling, but Spamcop liked Pine's format just fine).

    Oh, and another thing I did as archiver of hobbes.nmsu.edu to try to stop spammers before they even get a chance to spam was to have a few spam harvester traps (using wpoison, a very nifty random-email-address-generating harvester trap). I'd usually get 5 or 6 address harvesters killed a week using that, BEFORE they could inflict the damage (or at least delaying it a bit, since then they'd have to find a new ISP to abuse). It also has the nice side-effect of making commercial harvesting "services" useless since then they get a whole buttload of invalid addresses which only make their clients unhappy and bring much more attention to their spamming due to the bounces involved.
    --
    "Is not a quine" is not a quine.
    I have a master's degree in science!

    [ Hug Your Trikuare ]
    [ Parent ]

    Re: It's like killing spammers (3.00 / 1) (#70)
    by elemental on Sun Sep 24, 2000 at 01:11:38 AM EST

    I think it's the thrill of successfully fighting back the forces of evil and st00pid. Just for one moment.

    And in most cases a moment is all you have before they're back with one of the other six carded accounts they set up last night. Whack-a-mole, anyone?



    --
    I love my country but I fear my government.
    --> Contact info on my web site --


    [ Parent ]
    Being hacked by a kiddie is shameful (3.00 / 10) (#43)
    by mxmasster on Fri Sep 22, 2000 at 12:48:43 AM EST

    I run a fairly large web system, and I look at it like this. If I get hacked/shut down by some kiddie running a script or a known exploit, I didn't do my job.

    Having a system compromised because you didn't apply a patch for a known exploit because you didn't get around to it is just shameful.

    Once I had a syn-flood run against my web servers that brought my garden (only systems like Yahoo with 2,000 machines have a server farm.) down. I felt like such an idiot because I forgot to turn on delayed binding at the firewall. Of course once I realized it I shut the attack down in minutes.

    If I ever get hacked by a person who finds an exploit in code that a developer in my company wrote. Then fine, I can deal with that. But if I get hacked due to my, or my staff's laziness I'll be so ashamed.

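    The syn-flood story above is the one concrete incident in this thread, so here is an added Python example (my own, not mxmasster's setup) showing what the symptom looks like from the server side before a firewall is doing delayed binding: it parses `netstat -ant`-style rows, counts half-open (SYN_RECV) connections per local service, and flags a service whose backlog is above a threshold, reporting how many distinct remote addresses sit behind it. The netstat rows, the documentation-range addresses and the threshold are constructed; the column layout is Linux's.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Proto Recv-Q Send-Q Local-Address Foreign-Address State (Linux `netstat -ant` order)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def constructed_netstat() -> List[str]:
    """Constructed `netstat -ant` output, not a real capture."""
    lines = [
        "tcp        0      0 192.0.2.80:80          198.51.100.23:4412      ESTABLISHED",
        "tcp        0      0 192.0.2.80:80          198.51.100.40:52011     ESTABLISHED",
        "tcp        0      0 192.0.2.80:25          203.0.113.200:3021      SYN_RECV",
    ]
    # The flood: every SYN comes from a different (spoofed) source that never
    # answers the SYN-ACK, so each one sits in the backlog until it times out.
    for i in range(12):
        lines.append(
            f"tcp        0      0 192.0.2.80:80          203.0.113.{10 + i}:{1024 + i}    SYN_RECV"
        )
    return lines


def parse_netstat(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(local, remote, state) for each TCP row; headers and non-TCP rows are skipped."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def half_open_by_service(lines: List[str]) -> Counter:
    """Half-open (SYN_RECV) connections per local ip:port."""
    counts: Counter = Counter()
    for local, _remote, state in parse_netstat(lines):
        if state == "SYN_RECV":
            counts[local] += 1
    return counts


def flood_suspects(lines: List[str], threshold: int = 10) -> Dict[str, Dict[str, int]]:
    """Services whose half-open backlog exceeds `threshold`.

    `distinct_sources` close to `half_open` means one SYN per source, the
    signature of a spoofed flood; one source holding many SYN_RECV entries
    is more likely a broken client or a lossy path.
    """
    counts: Counter = Counter()
    sources: Dict[str, Set[str]] = defaultdict(set)
    for local, remote, state in parse_netstat(lines):
        if state == "SYN_RECV":
            counts[local] += 1
            sources[local].add(remote.rsplit(":", 1)[0])  # strip the port
    return {
        local: {"half_open": n, "distinct_sources": len(sources[local])}
        for local, n in counts.items()
        if n > threshold
    }


if __name__ == "__main__":
    rows = constructed_netstat()
    print(half_open_by_service(rows))
    print(flood_suspects(rows))
```

    Delayed binding, the setting the poster forgot, moves the fix in front of the server: the firewall completes the three-way handshake itself and only opens a connection to the web server once the client's ACK has arrived, so spoofed SYNs never occupy the server's backlog. On a Linux host without such a device in front, SYN cookies (`net.ipv4.tcp_syncookies=1`) address the same half-open exhaustion.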


    Re: Being hacked by a kiddie is shameful (3.00 / 2) (#60)
    by simmons75 on Fri Sep 22, 2000 at 02:17:50 PM EST

    >If I ever get hacked by a person who finds an exploit in code that a
    > developer in my company wrote.

    I bet some English teachers are turning in their graves right now. :^) Sorry, couldn't resist.

    /*
    I run a fairly large web system, and I look at it like this. If I get hacked/shut down by some kiddie running a script
    or a known exploit I didn't do my job.

    Having a system compromised because you didn't apply a patch for a known exploit because you didn't get
    arround to it is just shamefull.
    */

    True, and while I don't have any machines permanently connected to the Internet, while I was still a bum living on a college campus, I had one. Just one. And it was mine. :^) The thing that always came to mind when I was reading security updates and whatnot was this: what if I'm the first? Uh, there's no patch to install unless I write it. And, someone has to find the exploit to be able to exploit it. I'm a terrible hacker. Some would say I have no business leaving a machine connected to the internet. AFAIK, however, I only had one incident in two years. I was happy. :^) Even then, it was something that was my fault; I was lazy and was using smail to handle my email. On top of that, I had a lazy setup (actually, come to think of it, all I had was dialup, which explains the strange setup) where I was using a perl script to spoof my return address (people bitched about that; I told 'em where they could put their complaint) and someone found out they could send email to my machine and, again, due to my lazy setup and a badly-coded Perl filter, that they could send spam and have it come out under my name and email address. That happened exactly once. :^)

    Yeah, it's easy to make brash statements like, "if I get 'sploited, it's my fault 'cause I suck" (I read between the lines once in a while) and leave the insult inferred. You'll feel silly later when you get hit.
    poot!
    So there.

    [ Parent ]
    War and Martyrdom (3.60 / 5) (#44)
    by mrkoeller on Fri Sep 22, 2000 at 12:55:34 AM EST

    I, for one, know exactly the feeling you speak of...although I haven't experienced it in the same context. I've been a sysadmin for just a few months now, and still haven't had the opportunity (or the experience) to detect and foil any kind of sustained, clever intrusion. But my knowledge has expanded (exponentially it feels like sometimes :) and it is my increasing capacity to deal with more substantial threats that gives me the real rush. I spent several years in the U.S. military, in a job that I didn't particularly care for. While the tedium of my work was sometimes unbearable, I found that simple competence is enough of a reward to make any thankless job worth doing. As for a script-kiddie like rush, I can imagine a sysadmin (not me...yet) painting pictures in their minds of dark rooms, sleepy faces peering into dim monitors, gallantly closing ports, md5-checksumming potentially compromised binaries, stoically battling the forces of (engage pinky in mouth corner, engage Dr. Evil voice) E-vell. Who wouldn't get a rush from such heroic imagery? Pile on top of all this a healthy dose of morality (my users deserve the protection afforded them, right?) and we have all the ingredients for a modern day Knights of the Round Table. In short, script-kiddies may get a rush from being destructive, but sysadmins get a rush from being Sir Lancelot.

    Re: War and Martyrdom (2.00 / 3) (#48)
    by trog on Fri Sep 22, 2000 at 01:25:01 AM EST

    hahahahaha! I've never thought of it in those terms, but for me, that is very close to the truth! Perhaps it's a bit melodramatic, but hey, it keeps me amused ;-)



    [ Parent ]
    Re: War and Martyrdom (3.00 / 2) (#56)
    by zapman on Fri Sep 22, 2000 at 11:09:51 AM EST

    I do security as a sysadmin too. However, *MY* users don't treat me the way the people treated sir Lancelot... It'd be somewhat easier if they did...

    (an example: We're re-laying out the filesystem during scheduled downtime. User logs in. We write him to log out. He writes back: How do I know you're root? <sigh>)
    -- The request of a friend in need, is done by a friend in deed.
    [ Parent ]
    no script kiddies for me (1.50 / 4) (#57)
    by Spider-X on Fri Sep 22, 2000 at 01:04:18 PM EST

    I don't have a system connected to the internet beside our Firewall, and nobody tries to break into that because the only port listening is 80, and it's a Netscape server on Netware, so if you were trying to get a shell on it, you'd have to write an NLM shellcode... heh good luck. So I really don't worry about script kiddies. I do enjoy taking away access from our users though. :) What, you changed your desktop? Here let me disable that function for you!! MUHAHAHAHAHA