From owner-freebsd-questions Fri Jun 8 13:24:52 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.the-i-pa.com (mail.the-i-pa.com [151.201.71.132]) by hub.freebsd.org (Postfix) with SMTP id 5C5ED37B408 for ; Fri, 8 Jun 2001 13:24:45 -0700 (PDT) (envelope-from wmoran@iowna.com)
Received: (qmail 17022 invoked from network); 8 Jun 2001 20:33:14 -0000
Received: from unknown (HELO iowna.com) (151.201.71.193) by mail.the-i-pa.com with SMTP; 8 Jun 2001 20:33:14 -0000
Message-ID: <3B213407.D5A6E547@iowna.com>
Date: Fri, 08 Jun 2001 16:22:31 -0400
From: Bill Moran
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Jim Conner
Cc: Ted Mittelstaedt , patl@Phoenix.Volant.ORG, Josh Thomas , freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW rules and outward connections
References: <3B200EEF.86F950D1@iowna.com> <5.1.0.14.0.20010608082306.024808d0@mail.enterit.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Lots of good conversation on this topic yesterday and today. My $.02:

I agree 100% with Ted on the point of the media pretending that all crackers are super computer geniuses. It's bullshit. Every incident of a breakin that I've seen over the last few years has been the result of VERY sloppy security. I think most of the REAL super experts are creating the secure systems, not cracking them.

To counter that, there are an unbelievable number of servers on the 'net in a terrible state of insecurity. This makes the risk of DoS attacks VERY high.

Also to counter that ... if you secure your system tightly enough that you can't conceive of any possible breakin, then nobody dumber than you will get through ... and most crackers are dumber than you! That's my (overall) approach to security.

So ... I've already been planning a sales pitch entitled "You are at risk" where I'll be finding servers hosted locally with lousy security and going in with a sales pitch where I scare them silly! Then I sell them a firewall and monitoring services.

Wish me luck,
Bill

Jim Conner wrote:
>
> I like your comments, I agree with your comments...I warn against some
> comments made...
>
> Beware the lamers...even a blind squirrel finds a nut now and then. Don't
> underestimate the power of the darkside.
>
> - Jim
>
> ph34r th3 ll4mA5 =P
> I can talk the talk...but I am nowhere near walking the walk. I always
> thought "hacker jargon" was strangely interesting anyway.
>
> At 10:18 PM 6/7/2001 -0700, Ted Mittelstaedt wrote:
> >I'll relate a recent story about security and access lists that may
> >interest some folks.
> >
> >We have a customer who one day discovered some changes in some
> >logfiles in a Linux 2.2 webserver system they had. After investigating
> >they determined that their server had been cracked into. They
> >called us for help. We arranged a site survey the following day
> >and a meeting to talk about how to secure their connection.
> >
> >The next morning before the meeting we noticed that their connection
> >to us (a full T1) had gone into saturation on the outbound channel
> >at 4:00am. This was atypical behavior of course. I called them and
> >told them what was going on but not to do anything as I wanted to
> >see the server myself. When I got there after about 15 minutes I
> >determined that someone had uploaded an IRC proxy (GNU source) to
> >their server, obviously their server was participating in a DoS attack
> >against some target. I also determined that the system was so old
> >and the probability of inserted trojans so high that it wasn't worth
> >attempting to secure, I just told them to get their data off it and
> >reformat it and reinstall a current version of Linux and this time
> >to install the appropriate security patches. Needless to say they
> >didn't have the time immediately to do this but they planned to do it
> >the following week. (this customer is a distributor and the info on
> >the webserver was basically public data anyway, and they didn't care
> >that someone had access to it) But they did ask if there was anything
> >I could do about the DoS hijack.
> >
> >Since it would have been pointless to delete the IRC proxy off their
> >webserver (since the cracker could just upload it again through the
> >same hole) I decided to insert a block of port 6667 in their border
> >router. This of course disabled the control channel for the IRC proxy
> >and stopped the hijack.
> >
> >Now, in my humble opinion, it would have been child's play for the
> >cracker to simply access the system again, and modify the IRC proxy to
> >use a different port for the IRC control channel. After all I didn't
> >block any other ports, all the holes were there. This WAS a DoS attack
> >and thus it didn't matter one whit what port was in use in the attack,
> >any would have worked. So I didn't expect my block to last any length of
> >time.
> >
> >But, guess what, it was completely effective for over a week before they
> >finally redid their server.
> >
> >This is the kind of mentality that you're dealing with, with most crackers.
> >Sure, there's some really good (or warped) crackers out there who would
> >have reactivated their little toy in seconds. But these people aren't
> >going to waste their time on something like this site. The real mentality
> >that you're dealing with, with 99% of these crackers out there are people
> >so dumb that they cannot even make a simple port number modification in
> >their code. They barely have any understanding of networking technology and
> >even crude and simple access lists are beyond their comprehension. All
> >they do is to follow some recipes that their betters have put together
> >for them, and if something goes wrong and the recipe doesn't work, they
> >have no idea how to go about fixing it (or breaking the system, depending
> >on your viewpoint) and so they just move on to the next easy-to-compromise
> >system.
> >
> >This is really the situation of the street where half the homes lock their
> >doors and the other half don't. There are so very many ancient Linux or
> >unsecured Windows systems out there that if you make even a modicum of
> >effort to lock your door, since most crackers are basically morons, they are
> >unable to deal with the situation and just move on to the next house/system.
> >
> >Of course, if you do have something of real value there, like a database of
> >thousands of valid credit card numbers, then this doesn't apply. But,
> >the point is that Hollywood makes it out that all crackers are
> >super-sophisticated technologists that know computer systems back, forth
> >and upside down, and that to block them you have to have
> >super-sophisticated methods yourself.
> >But, the reality is that most crackers are morons and even simple
> >filters and blocks that aren't themselves that good, present enough of an
> >obstacle to these people that they won't be able to figure out a way
> >around them.
> >
> >Ted Mittelstaedt tedm@toybox.placo.com
> >Author of: The FreeBSD Corporate Networker's Guide
> >Book website: http://www.freebsd-corp-net-guide.com
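The port-6667 block in Ted's quoted story, combined with the monitoring Bill mentions selling, as an added example that is not part of the thread: assuming the block is an ipfw rule with the `log` keyword (for instance the hypothetical rule `ipfw add 1000 deny log tcp from any to any 6667 out via fxp0`), this parses the kernel's classic `ipfw:` log lines and flags internal hosts that keep retrying an IRC control channel, which is how an infected-but-blocked box announces itself in the logs until it gets rebuilt.

```python
import re
from collections import defaultdict

# Classic ipfw syslog format (FreeBSD 4.x era):
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

IRC_PORTS = {6667}  # the control-channel port blocked in the story

def parse_ipfw_line(line):
    """Fields of one ipfw log line as a dict, or None if the line is not one."""
    m = IPFW_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def find_irc_beacons(lines, threshold=3):
    """Group denied outbound TCP hits to IRC ports by internal source host.
    A host denied `threshold` or more times is a candidate compromised box:
    a proxy/bot retrying its control channel looks like this after the block."""
    hits = defaultdict(lambda: {"count": 0, "dsts": set()})
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny" or rec["proto"] != "TCP":
            continue
        if rec["dir"] != "out" or rec["dport"] not in IRC_PORTS:
            continue
        hits[rec["src"]]["count"] += 1
        hits[rec["src"]]["dsts"].add(rec["dst"])
    return {src: h for src, h in hits.items() if h["count"] >= threshold}

# Constructed sample log lines (not from the thread); 192.0.2.0/24 stands in
# for the LAN and 198.51.100.0/24 for IRC servers, both documentation ranges.
SAMPLE_LOG = [
    "Jun  8 04:00:01 gw /kernel: ipfw: 1000 Deny TCP 192.0.2.10:1025 198.51.100.5:6667 out via fxp0",
    "Jun  8 04:00:31 gw /kernel: ipfw: 1000 Deny TCP 192.0.2.10:1026 198.51.100.5:6667 out via fxp0",
    "Jun  8 04:01:01 gw /kernel: ipfw: 1000 Deny TCP 192.0.2.10:1027 198.51.100.9:6667 out via fxp0",
    "Jun  8 04:01:05 gw /kernel: ipfw: 1000 Deny TCP 192.0.2.20:3301 198.51.100.5:6667 out via fxp0",
    "Jun  8 04:01:09 gw /kernel: ipfw: 2000 Accept TCP 192.0.2.20:3302 198.51.100.7:80 out via fxp0",
    "Jun  8 04:01:12 gw /kernel: ipfw: 1000 Deny TCP 198.51.100.5:6667 192.0.2.10:1027 in via fxp0",
]
```

Running `find_irc_beacons(SAMPLE_LOG)` reports only 192.0.2.10 (three denied attempts, two distinct servers); the single hit from 192.0.2.20 stays below the threshold, and inbound or accepted traffic is ignored.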