There are a number of things which will discourage hackers from being
interested in your system. The best discouragement is paying close
attention.
It is critical that hacked accounts be quickly identified, passwords
changed, users scolded for having used bad passwords and caused you all
that grief, and the site/source of the hack be denied further service.
I am convinced that groups of hackers work together on a particular
system.
First and foremost, use tcp_wrappers to identify, discover and deny the
sites from which hackers base their assault. I use a script nightly to
look through the log, and identify any service request from a non-local
domain. This also allows me to check what sites are refused service.
Turn off any compiler that the hackers can use against you.
Turn off any service not necessary to your users, especially
rlogind/rshd/ftpd.
Limit knowledge about account names (turn off finger to the world).
Go to C2 level security, but be advised, it has its own maintenance
issues.
Set IP filters in your router. Block access to all the dangerous ports,
which include telnet, ftp and even smtp if your system is not to act as
a public mail exchanger.
Restrict access to your local domain only, if possible.
Set the noadd-exec-access option in /etc/sysconfigtab (available in
4.0b, but not 3.2g):
vfs:
noadd-exec-access=1
This will prevent any non-root user from adding execute access to any
new or existing regular file.
One option is to set up a chrooted environment on a separate filesystem,
say /restrict: copy just enough of /sbin, /shlib, /usr/shlib, /usr/bin,
etc., and create only the devices in /restrict/dev needed to support the
facilities being offered.
There are a number of ways of chrooting a user at login into this
environment but once they are there they can basically see what you
permit them to see.
Use /bin/Rsh to restrict users from changing directories.
Develop a menu-based shell script which allows users to select specific
executables, and denies them access to the operating system.
Open a window on whatever system you sit at, change into
/var/adm/syslog.dated/<current dir> and run 'tail -f <file.log>'. This
lets you watch logins as they occur - I've killed several hackers while
they worked.
Use top and ps ax to monitor what processes are running; investigate
anything that looks odd or unusual.
Use a script which looks for common hacker software, e.g.,
find /usr/users/ -name 'eggdrop*'
find /usr/users/ -name .rhosts
At the very least, it's inconvenient for hackers to have to reload and
reconfigure their software every day, too.
Check the world-writable directories (/tmp and /var/spool/mail) for
directories that have been created there.
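The nightly checks above (non-local tcp_wrappers requests, leftover hacker software in home directories, and directories planted in world-writable areas) combined into one audit script. This is an added example, not a script from the original post or its contributors; the local domain, the /usr/users home tree, and the tcpd syslog line shape in the constructed sample are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a nightly audit script
# combining the checks described above. LOCAL_DOMAIN, USER_TREE and
# PUBLIC_DIRS are assumed defaults; override them in the environment.
LOCAL_DOMAIN="${LOCAL_DOMAIN:-example.edu}"
USER_TREE="${USER_TREE:-/usr/users}"
PUBLIC_DIRS="${PUBLIC_DIRS:-/tmp /var/spool/mail}"

# Read tcpd syslog lines on stdin; print "status service host" for every
# connection, allowed or refused, from a host outside LOCAL_DOMAIN.
foreign_requests() {
    awk -v dom="$LOCAL_DOMAIN" '
        /: (refused )?connect from / {
            host = $NF
            suffix = "." dom
            n = length(suffix)
            # keep only hosts that do not end in ".<local domain>"
            if (substr(host, length(host) - n + 1) != suffix) {
                svc = $5; sub(/\[.*$/, "", svc)
                status = ($0 ~ /refused connect/) ? "refused" : "allowed"
                print status, svc, host
            }
        }'
}

# Well-known leftovers in home directories: .rhosts trust files and
# eggdrop bot installs.
suspect_files() {
    find "$USER_TREE" \( -name .rhosts -o -name 'eggdrop*' \) -print 2>/dev/null
}

# Directories that have been created inside the world-writable areas.
planted_dirs() {
    for d in $PUBLIC_DIRS; do
        find "$d" -path "$d" -o -type d -print 2>/dev/null
    done
}

# Usage: sh nightly_audit.sh run /path/to/daemon.log
nightly_audit() {
    echo "== requests from outside $LOCAL_DOMAIN =="
    foreign_requests < "$1"
    echo "== suspect files under $USER_TREE =="; suspect_files
    echo "== directories created in $PUBLIC_DIRS =="; planted_dirs
}

case "${1:-}" in run) nightly_audit "$2" ;; esac
```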
Create cron.allow and at.allow which are restricted to root only, or
specific trusted users.
Thanks to:
klarsen_at_enterprise.afit.af.mil (Kristin (Kris) Larsen)
Carlos A M dos Santos <casantos_at_urano.cpmet.ufpel.tche.br>
"lrs _" <lrs__at_hotmail.com>
Tom Webster <webster_at_ssdpdc.lgb.cal.boeing.com>
Leonardo Mosquera <lmosquer_at_col1.telecom.com.co>
James Sainsbury <sainsb_j_at_shrub.chem.su.oz.au>
Received on Fri Oct 03 1997 - 01:56:39 NZST