From: Cynic <cynic@mail.cz>
To: Bill Moran
Cc: freebsd-questions@FreeBSD.ORG
Date: Fri, 08 Jun 2001 23:00:02 +0200
Subject: Re: IPFW rules and outward connections
Message-Id: <5.1.0.14.2.20010608225129.033afd70@mail.cz>
In-Reply-To: <3B213407.D5A6E547@iowna.com>

Well, yes. Crackers seem to be mostly 15-year-old kids. Skim this article:
http://grc.com/dos/grcdos.htm (and get ready to skip some whining about MS
including a full-blown sockets implementation in NT 5 and up). Other than
that, it's a pretty good probe into the 133t h4x0rz' pseudoculture --
teenage script kiddies who aren't even script kiddies; they're actually
button kiddies, since they don't know any scripting, they just push buttons.

At 22:22 8.6. 2001, Bill Moran wrote the following:
--------------------------------------------------------------
>Lots of good conversation on this topic yesterday and today.
>My $.02:
>I agree 100% with Ted on the point of the media pretending that all
>crackers are super computer geniuses. It's bullshit.
>Every incident of a break-in that I've seen over the last few years has
>been the result of VERY sloppy security. I think most of the REAL super
>experts are creating the secure systems, not cracking them.
>To counter that, there are an unbelievable number of servers on the `net
>in a terrible state of insecurity. This makes the risk of DoS attacks
>VERY high.
>Also to counter that ... if you secure your system tightly enough that
>you can't conceive of any possible break-in, then nobody dumber than you
>will get through ... and most crackers are dumber than you! That's my
>(overall) approach to security.
>So ... I've already been planning a sales pitch entitled "You are at
>risk" where I'll be finding servers hosted locally with lousy security
>and going in with a sales pitch where I scare them silly! Then I sell
>them a firewall and monitoring services.
>Wish me luck,
>Bill
>
>Jim Conner wrote:
>>
>> I like your comments, I agree with your comments...I warn against some
>> comments made...
>>
>> Beware the lamers...even a blind squirrel finds a nut now and then. Don't
>> underestimate the power of the darkside.
>>
>> - Jim
>>
>> ph34r th3 ll4mA5 =P
>> I can talk the talk...but I am nowhere near walking the walk. I always
>> thought "hacker jargon" was strangely interesting anyway.
>>
>> At 10:18 PM 6/7/2001 -0700, Ted Mittelstaedt wrote:
>> >I'll relate a recent story about security and access lists that may
>> >interest some folks.
>> >
>> >We have a customer who one day discovered some changes in some
>> >logfiles in a Linux 2.2 webserver system they had. After investigating
>> >they determined that their server had been cracked into. They
>> >called us for help. We arranged a site survey the following day
>> >and a meeting to talk about how to secure their connection.
>> >
>> >The next morning before the meeting we noticed that their connection
>> >to us (a full T1) had gone into saturation on the outbound channel
>> >at 4:00am. This was atypical behavior of course.
>> >I called them and told them what was going on but not to do anything
>> >as I wanted to see the server myself. When I got there after about
>> >15 minutes I determined that someone had uploaded an IRC proxy (GNU
>> >source) to their server; obviously their server was participating in
>> >a DoS attack against some target. I also determined that the system
>> >was so old and the probability of inserted trojans so high that it
>> >wasn't worth attempting to secure; I just told them to get their data
>> >off it, reformat it, reinstall a current version of Linux, and this
>> >time install the appropriate security patches. Needless to say they
>> >didn't have the time immediately to do this, but they planned to do it
>> >the following week. (This customer is a distributor and the info on
>> >the webserver was basically public data anyway, and they didn't care
>> >that someone had access to it.) But they did ask if there was anything
>> >I could do about the DoS hijack.
>> >
>> >Since it would have been pointless to delete the IRC proxy off their
>> >webserver (since the cracker could just upload it again through the
>> >same hole) I decided to insert a block of port 6667 in their border
>> >router. This of course disabled the control channel for the IRC proxy
>> >and stopped the hijack.
>> >
>> >Now, in my humble opinion, it would have been child's play for the
>> >cracker to simply access the system again and modify the IRC proxy to
>> >use a different port for the IRC control channel. After all, I didn't
>> >block any other ports; all the holes were there. This WAS a DoS attack
>> >and thus it didn't matter one whit what port was in use in the attack;
>> >any would have worked. So I didn't expect my block to last any length
>> >of time.
>> >
>> >But, guess what, it was completely effective for over a week before
>> >they finally redid their server.
>> >
>> >This is the kind of mentality that you're dealing with, with most
>> >crackers.
>> >Sure, there are some really good (or warped) crackers out there who
>> >would have reactivated their little toy in seconds. But these people
>> >aren't going to waste their time on something like this site. The real
>> >mentality that you're dealing with, with 99% of these crackers out
>> >there, is people so dumb that they cannot even make a simple port
>> >number modification in their code. They barely have any understanding
>> >of networking technology, and even crude and simple access lists are
>> >beyond their comprehension. All they do is follow some recipes that
>> >their betters have put together for them, and if something goes wrong
>> >and the recipe doesn't work, they have no idea how to go about fixing
>> >it (or breaking the system, depending on your viewpoint) and so they
>> >just move on to the next easy-to-compromise system.
>> >
>> >This is really the situation of the street where half the homes lock
>> >their doors and the other half don't. There are so very many ancient
>> >Linux or unsecured Windows systems out there that if you make even a
>> >modicum of effort to lock your door, since most crackers are basically
>> >morons, they are unable to deal with the situation and just move on to
>> >the next house/system.
>> >
>> >Of course, if you do have something of real value there, like a
>> >database of thousands of valid credit card numbers, then this doesn't
>> >apply. But the point is that Hollywood makes it out that all crackers
>> >are super-sophisticated technologists that know computer systems back,
>> >forth and upside down, and that to block them you have to have
>> >super-sophisticated methods yourself. But the reality is that most
>> >crackers are morons, and even simple filters and blocks that aren't
>> >themselves that good present enough of an obstacle to these people
>> >that they won't be able to figure out a way around them.
>> >
>> >Ted Mittelstaedt                      tedm@toybox.placo.com
>> >Author of: The FreeBSD Corporate Networker's Guide
>> >Book website: http://www.freebsd-corp-net-guide.com
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
------end of quote------

cynic@mail.cz
-------------
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
- Book of Installation chapt 3 sec 7

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
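The point Ted makes in the quoted story (a block on port 6667 stopped the bot's control channel, but only because nobody bothered to change the port) is the difference between blocking the one port you saw and denying new outbound connections by default, which is what the subject line of this thread is about. The following is an added example written for this page, not code or configuration from anyone in the thread. It shows the single-port block beside an outbound default-deny ruleset for a DMZ web host and parses the resulting log lines to find which internal host keeps trying to reach which external host:port. Everything in it is assumed: ipfw1 syntax as on FreeBSD 4.x, a web server at 192.0.2.10 behind interface fxp0, a DNS/mail relay at 192.0.2.1, and log lines constructed to match the "ipfw: <rule> <action> <proto> src:port dst:port in|out via <iface>" syslog format.

```python
"""Added example (not from the thread): single-port block vs. outbound
default-deny for a DMZ web host, plus a summariser for ipfw log lines.
Assumptions (none are from the original message): ipfw1 syntax as on
FreeBSD 4.x, web server 192.0.2.10 on fxp0, DNS/mail relay 192.0.2.1,
and constructed syslog lines in the 'ipfw: <rule> <action> <proto>
src:port dst:port in|out via <iface>' shape."""
import re
from collections import Counter

# Weak control: block the one port the current bot happens to use.
# Stops this bot's control channel; the attacker only needs to edit one
# number and re-upload the proxy through the same hole to get it back.
WEAK_RULES = [
    "add 100 deny log tcp from any to any 6667 out via fxp0",
]

# Stronger control for a host that only serves HTTP: let replies to
# inbound connections out, let the few services it genuinely needs out,
# then deny and log every other new outbound connection whatever its port.
HARDENED_RULES = [
    "add 100 allow tcp from 192.0.2.10 to any out via fxp0 established",
    "add 110 allow udp from 192.0.2.10 to 192.0.2.1 53 out via fxp0",
    "add 120 allow tcp from 192.0.2.10 to 192.0.2.1 25 out via fxp0 setup",
    "add 900 deny log tcp from 192.0.2.10 to any out via fxp0 setup",
    "add 910 deny log udp from 192.0.2.10 to any out via fxp0",
]

# Constructed log lines in the shape ipfw writes via syslog (assumed).
SAMPLE_LOG = [
    "Jun  9 04:00:01 gw /kernel: ipfw: 900 Deny TCP 192.0.2.10:1033 198.51.100.7:6667 out via fxp0",
    "Jun  9 04:00:06 gw /kernel: ipfw: 900 Deny TCP 192.0.2.10:1034 198.51.100.7:6667 out via fxp0",
    "Jun  9 04:00:11 gw /kernel: ipfw: 900 Deny TCP 192.0.2.10:1035 198.51.100.7:6667 out via fxp0",
    # the attacker moved the control channel; a port-specific block misses this
    "Jun  9 04:02:30 gw /kernel: ipfw: 900 Deny TCP 192.0.2.10:1036 198.51.100.7:6669 out via fxp0",
    # inbound noise and a logged accept must not count as outbound denies
    "Jun  9 04:03:00 gw /kernel: ipfw: 300 Deny TCP 203.0.113.5:4444 192.0.2.10:22 in via fxp0",
    "Jun  9 04:03:05 gw /kernel: ipfw: 110 Accept UDP 192.0.2.10:1044 192.0.2.1:53 out via fxp0",
    "Jun  9 04:03:07 gw /kernel: unrelated kernel message",
]

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)


def parse_ipfw_line(line):
    """Return a dict of the ipfw fields in one syslog line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_outbound_denies(lines):
    """Count denied outbound connection attempts per (src, dst, dport).

    One internal host repeatedly hitting the same external host:port is
    the shape of a bot trying to reach its control channel, whatever the
    port; a default-deny rule with logging surfaces it even after the
    attacker changes the port number.
    """
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny" and rec["direction"] == "out":
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return dict(counts)


def noisiest_destination(lines):
    """Return ((src, dst), total) for the pair with the most denied
    outbound attempts across all ports, or None if nothing was denied."""
    totals = Counter()
    for (src, dst, _port), n in summarize_outbound_denies(lines).items():
        totals[(src, dst)] += n
    if not totals:
        return None
    (pair, n), = totals.most_common(1)
    return pair, n


if __name__ == "__main__":
    for key, n in sorted(summarize_outbound_denies(SAMPLE_LOG).items()):
        print("%s -> %s:%d denied %d times" % (key[0], key[1], key[2], n))
    print("noisiest:", noisiest_destination(SAMPLE_LOG))
```

Run against the constructed lines, the summary groups three denied attempts to 198.51.100.7:6667 and one to 6669 from the same server; with the single-port rule only the first three would ever have been logged, and the fourth would have gone straight through. Feed real syslog output to `summarize_outbound_denies` and look for any source/destination pair with a sustained count to find the next host that has been turned into somebody's DoS relay.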