From owner-freebsd-questions Sun Jun 21 15:26:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA13287 for freebsd-questions-outgoing; Sun, 21 Jun 1998 15:26:27 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from lucy.bedford.net (lucy.bedford.net [206.99.145.54]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA12937 for ; Sun, 21 Jun 1998 15:24:49 -0700 (PDT) (envelope-from listread@lucy.bedford.net)
Received: (from listread@localhost) by lucy.bedford.net (8.8.8/8.8.8) id SAA13782; Sun, 21 Jun 1998 18:13:27 -0400 (EDT) (envelope-from listread)
Message-Id: <199806212213.SAA13782@lucy.bedford.net>
Subject: Re: Looking for hackers with netstat
In-Reply-To: <358D2C1E.45A12711@globalserve.net> from Geoffrey Robinson at "Jun 21, 98 11:51:58 am"
To: geoffr@globalserve.net (Geoffrey Robinson)
Date: Sun, 21 Jun 1998 18:13:27 -0400 (EDT)
Cc: questions@FreeBSD.ORG
X-no-archive: yes
Reply-to: djv@bedford.net
From: CyberPeasant
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Geoffrey Robinson wrote:
> I've heard that hackers can hide their presence from the who and w
> commands. Can they also hide their connections from netstat? Is netstat a
> good way to look for intruders?

It can help. The best way to look for intruders is with a shotgun :)

Netstat could assuredly be corrupted to ignore certain things. He who has
root and a compiler (or the cp command) "owns" the machine.

> BTW: When I run netstat to list connections without the -n argument it
> often stops before finishing when it can't (I assume) resolve an IP. Can I
> specify a timeout to keep it going?

AFAIK, this is a timeout within the resolver library and/or named.
A sleazy workaround is to do it once, and note the names of the
troublesome numbers (which seem to be multicast names and network names)
and stick them in /etc/hosts and other places. Have /etc/hosts searched
before going to BIND (see /etc/host.conf). I hope somebody knows a better
method.

As far as your system tools being corrupted, there are two elementary
things to do as preventatives:

Build the relevant tools with static linking (ON A KNOWN SECURE MACHINE),
to eliminate intruder manipulation of the shared libs and/or ld.so.

Then install tripwire (ports, I believe), reading its documentation
thoroughly. Mostly what tripwire does is to keep crypto-grade checksums of
"stuff" (configurable), in a "secure" place (like on a floppy in your desk
drawer, or an old disk that is jumperable to be "readonly"). As long as
you have a secure place, copies of the static binaries can go there, too.
And a kernel.

This much will give you honest tools, and a method of detecting tampering.

Beyond that, look into kernel security levels (weak, but better than
nothing), and the judicious use of the immutable and other flags to files
on ufs filesystems (man chflags). Consider [duplicate] logging to another
machine (or, during an active intrusion, to floppy or to a hardcopy
terminal [called a printer these days]).

DISCLAIMER: I'm not a security expert.
CLAIMER: Nothing I've said will /decrease/ security. Probably.

Lots of script wankers get their stuff at www.rootshell.com. Go there and
see what they're using. Lately the notorious C. Meinel has published
"Happy Hacking" or some such title; steal a copy or buy one from the
remainder-bin at the discount bookstore, or use the library. (Avoid paying
royalties.) It's no good for /real/ knowledge, but it will acquaint you
with what the most pestilential kind of intruder thinks is k3w1 this week.

Dave
-- 
http://www.microsoft.com/security: `Microsoft Windows NT Server is the
most secure network operating system available.'
Don Quixote: `You are mistaken, Sancho.'
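The integrity-checking step Dave describes (known-good static tools plus tripwire-style checksums kept somewhere the intruder cannot write) is the part worth seeing in code. What follows is an added example written for this archive page; it is not tripwire, not FreeBSD's own tooling, and not code from the original post. It is a minimal baseline/verify script in POSIX sh that records a SHA-256 digest per regular file and reports added, changed and removed files. It assumes one of sha256sum (GNU/Linux), sha256 (FreeBSD) or openssl is on PATH; the sample tree, file names and "binaries" in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not tripwire and not code from the original post: a minimal
# tripwire-style integrity check in POSIX sh.  It records a SHA-256 digest for
# every regular file under a directory and later reports what was ADDED,
# CHANGED or REMOVED relative to that baseline.
#
# Assumptions (all hypothetical): one of sha256sum (GNU/Linux), sha256
# (FreeBSD) or openssl is on PATH, and file names contain no newlines.  The
# baseline file must be kept where an intruder with root cannot rewrite it
# (read-only media, another host, or a file marked schg with chflags on a
# system running at securelevel 1 or higher), and the script and hash tool
# themselves should come from known-good, statically linked copies.

# hash_file FILE: print the hex SHA-256 of FILE with whatever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# make_baseline DIR DBFILE: write "<sha256><TAB><path>" per file, sorted.
make_baseline() {
    mb_dir=$1
    mb_db=$2
    find "$mb_dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done > "$mb_db"
}

# verify_baseline DIR DBFILE: rehash DIR and compare with DBFILE.  Prints one
# line per discrepancy and returns 1 if there were any, 0 if the tree is clean.
verify_baseline() {
    vb_dir=$1
    vb_db=$2
    vb_now=$(mktemp) || return 2
    make_baseline "$vb_dir" "$vb_now"
    vb_report=$(awk -F '\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # baseline entries
        !($2 in old)        { print "ADDED\t" $2; next }
        old[$2] != $1       { print "CHANGED\t" $2 }
                            { delete old[$2] }
        END { for (f in old) print "REMOVED\t" f }  # left over = gone
    ' "$vb_db" "$vb_now" | LC_ALL=C sort)
    rm -f "$vb_now"
    [ -z "$vb_report" ] && return 0
    printf '%s\n' "$vb_report"
    return 1
}

# demo: constructed sample tree, baseline it, tamper with it, verify.  The
# "binaries" are just text files; nothing real is touched.
demo() {
    top=$(mktemp -d) || return 2
    mkdir "$top/bin"
    for t in netstat who w; do
        printf 'original %s\n' "$t" > "$top/bin/$t"
    done
    make_baseline "$top/bin" "$top/baseline.db"

    # An intruder trojans netstat, drops a new binary and deletes w.
    printf 'trojaned netstat\n' > "$top/bin/netstat"
    printf 'rootkit helper\n'   > "$top/bin/ls"
    rm -f "$top/bin/w"

    verify_baseline "$top/bin" "$top/baseline.db"   # prints 3 lines, rc 1
    demo_rc=$?
    rm -rf "$top"
    return $demo_rc
}

case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
    demo)     demo ;;
esac
```

Run `sh integrity.sh demo` to see the three discrepancy lines, or `sh integrity.sh baseline /bin /mnt/floppy/bin.db` once from a clean system and `sh integrity.sh verify /bin /mnt/floppy/bin.db` afterwards (paths are examples). The comparison is only as honest as the copy of sh, awk and the hash tool that runs it, which is exactly why the post insists on static binaries from a known-secure machine and on storing the baseline off the box.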